www.fridu.net

Gateways

The gateways (also called ADSL router, broadband router, home gateway, ...) simply require the capablity to route incoming traffic (from the public internet to the private domain) from a given port to a predefined private address. We will use these gateways as firewall and NAT devices at the local and remote sites.

If your ISP does not provide you with a fixed IP address, then your gateway on the local site (A1) needs to offer a dynamic DNS registration facility.

On the local site (Asterisk server), the connection is done via a DSL interface with a Linksys ADSL router (WAG54G). The wireless function is not required (actually a good idea to get it deactivated) but the unit is easier to find with that function and the price is the same.

On the remote site, The university provides each room with an Ethernet plug where only one device can be connected. The MAC address of the device to be connected must be declared to open the service. A cable modem as the Linksys router (WRT54G) would meet the need. If you do not need the wireless (often the case) just deactivate the function.

A nicity offered by that box, is a facility which allows to fake the MAC address of the declared device at the service opening, enabling you to change the remote configuration without having to declare any change to the university office.

Second level home firewall

The second level firewall is integrated to the home general server. I use a Linux box running a Suse distribution. The firewall is based on the iptable function and blocks any undesired traffic.  As I run the Asterisk software on  that same server, I do not need to configure a second level of NAT port redirection, but it would actually be easy to implement if needed.

Sip phone on the remote site

The SIP phone on the remote site  needs to offer some specific specific functions :

1. SIP signaling port must be configurable and works with UDP (unfortunatly Astrisk does not support SIP on tcp which would be simplier for firewall transit.
2. It must support a SIP Proxy with autentication
   
3. RTP port must be configurable
4. Static IP address support will improve the stability of the configuration.
5. STUN service must be supportted.
6. Support low bandwidth codec compatible with Asterisk (e.g. GSM and/or DECT)
   

I use a Siemens SIP DECT phone (Gigaset 450/460 IP), I have also tested with success the Phone lite  (Windows only). Some other softphone (as SJPhone from SJ Labs) have let me down due to the poor implementation of the Stun Client.

Twinkle, Linphone and SJPhone are available under Linux, please let me know if you have been able to check their proper operation with a Stun configuration.