sundance-communications.com/forum Forums TDM Business Telephone Systems Inter-Tel Telephones & Systems Routing over WAN

We have 5200 nodes in our offices. We recently have need to place some 8622s in some employees' homes. End to end latency is 35-40 ms in these few cases, so bandwidth shouldn't be the issue here. I am testing an endpoint at my home and it works great as long as I have VPN tunnel established, even though the phone is programmed to hit a public IP. If I turn off VPN, the endpoint still sees the extension, time, etc, but two-way audio cannot be established. If I forward ports at home router, I can get inbound audio, but no outbound. At the phone server location, ports 5566 & 5570 TCP and 5004-5070 and 5567 UDP are being forwarded to the phone server.

I'm experienced with networking, but I don't know all the ins and outs of Intertel VoIP. I know I can get VPN routers for these employees and make things work, but I'd really like to be able to set the network routing at our offices so that the endpoints are location-independent. Is this even possible? Or, at least if we could just forward ports at employee's home?

Maybe I'm missing some ports or settings? Any suggestions?

You do not need to do anything on your router at the house; the NAT/port forwarding needs to happen where the 5200 that the phone connected to is. Your UDP port range is correct except for the 5004-5070; change that to be 6004-7039. Also in your 5200 DB set the NAT type under each endpoint to be either automatic or NAT. You will need to verify that your P6xxx has a NAT IP defined int the DB as well.

Thanks for the reply. I figured it had to be a port issue on server end of some kind and I'm glad that everything can be done on the server end.

So to confirm, I need to forward the following ports to the phone server:
TCP - 5566, 5570
UDP - 5567, 6004-7039

Also will check on the NAT settings.

I pulled my previous config from this post : https://www.sundance-communications.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=4;t=000747
I'm now realizing that the port range given is for Axxess.

On my current P6000 settings, NAT IP address was set to 255.255.255.255. I should change that to the box's LAN IP address that is receiving all of the Public IP forwarding, correct?

I changed the endpoint's NAT Address type to NAT. Now, I've noticed in the P6000's settings that the Audio Stream Receive port is 6004, but the endpoint's default ASRP is 5004. Do these need to match?

No they don't need to match. Leave them as is. Change the 255.255.255.255 to whatever IP you have NAT'd to the 5000 private IP. You can also close TCP 5570.

I've played with it for a bit with a few different configurations. So far, without VPN, I'm only able to get at best one way audio from office to home phone, including calls routing through DIDs at the office to the home phone. It would seem like it should work from home to office via port forwarding if anything, and not necessarily the other direction. As soon as I enable VPN (even mid-call), the bi-directional audio picks up immediately and all is well. I watch the connections on the office router and it routes office->home through the WAN and once VPN kicks in, it establishes a second connection for home->office and runs it through the VPN. I'm hoping not to have to rely on VPN though.

I can initiate a call from either side with no trouble (and no VPN), it's just the home->office audio. I'm thinking it's got to be something with the NAT settings, but I did make the NAT changes as Chris recommended. Any ideas guys? I appreciate the help.

Call control is on TCP 5566, which sounds fine. UDP is broken. A packet sniff is looking like a real good idea right now.

A few items to look into:

• Try a different router at the remote site
• Is the remote and local subnet the same? (same subnet numbers)
• On the firewall, does traffic leave on a different IP (firewall native IP) and return on a different IP (the one you've NAT'd)?
• Instead of port forwarding, try a 1:1 static NAT
• Are all phones in the same peer group? Bad idea.

I notice that an "IP Device Status" in DB shows local IP of the endpoints, even if it is routing strictly over WAN. I assume that the endpoint informs the server of its DHCP address at authentication.

The only other thing I can think of right now that might be creating this behavior is the disabled VPN tunnel might be still lingering in the routing table and fouling up the NAT. The behavior I'm seeing though suggests that the 5200 doesn't follow back along the route of the original connection request, even if NAT Address Type of endpoint is set to NAT...it's looking for the endpoint's LAN IP. Am I on the right track?

If you look at a packet capture you'll see the 5000 sending RTP to the outside IP of the remote site.

Yes, the address registered in Device Status is the actual IP of the phone.

If your UDP is not traversing the NAT, your issue is either in your NAT settings in the IT5K or on your FW. Did you reboot the IT5K after changing the NAT setting?