Connect Phonerlite (or similar) with UCM 6202 behind NAT over the internet


#1

I’ve set up a UCM 6202 behind a Fritzbox (dynamic IP) with several IP phones in a local network. All is working quite perfectly. Because of having a dynamic IP I was forced to find a solution for a public IP - I’ve found it with the MyFritz!-service. This service will give you a cryptic domain like “dsd39dfj39.myfritz.net” which will be resolved as the current public IP. I’ve checked this with public DNS check tools and it works so no further DynDNS-service should be needed.
I’ve entered this url in my UCM 6202 under PBX Settings > SIP Settings - NAT - External Host.


In the Fritzbox I’ve activated port forwarding for the Grandstream UCM port 5070 (and for RTP some more ports. Unfortunately it is not possible to have ports 10000 - 20000 because Fritzbox only allows up to 250 ports in one range only):

Next I’ve set up a new extension in the PBX

Then I’ve asked the PBX to send me the credentials for this extension by mail:

I’ve entered those credentials in the Phonerlite config:
and played around a bit with the settings. I’ve tried the local port on 5060 and 5070, I’ve used the “:5070” behind the “Proxy/Registrar” and didn’t use it, I’ve used the word “grandstream” in the field “Domain/Realm” (because it is shown here

But whatever I did - I was not able to connect to the UCM yet.
I’ve then used the local network to check whether the user credentials are 100% correct - they are. As soon as I am local and use the local IP of the PBX followed by the port (192.168.178.5:5070) it works. And it does not make a difference whether I use “grandstream” in “Domain/Realm” or not in this case. The local port is 5060 in the Phonerlite settings here.
So the problem is the external connection. I checked the UCM’s capture file to check for the IP of the client which should try to connect but I was not able to find this IP in the packet. So my current thought is that the Fritzbox does not forward the client to the UCM at all but I do not know what to do at the moment. Hopefully anybody has an idea which can help?
Thanks in advance!


#2

Hi,

I guess you are from Germany,
because of the FritzBox.

If yes,
then it is better to deactivate every NAT option you see.

The myfritz address is not needed in the UCM, also the “1und1 stun server” is not necessary in the phoner client.

If it’s a FritzBox with telephone integration and it’s already doing a SIP registration to your internet-provider’s SIP-Server and your UCM got no SIP-Trunk of a provider configured, then you should try a RTP range over UDP 20000 and a SIP port far away from 5060 UDP… for example 8360

Do the same with other portnumbers for the local SIP and local RTP port of the phoner client

Perhaps “fail to ban” is activated in the UCM and it has blocked the external IP of the phoner client.

Another solution would be to try FritzVPN, if your phoner client already works fine in the network of the UCM.


#3

Remove Fritzbox - place new router that you can manage in its place - I use Mikrotik… that’s my tool of choice - so from the router then port forward SIP service to the UCM… Open up from the remote IP to the UCM Dynamic DNS name and you will be able to connect. Fritzbox in middle causes you problems that you may not be able to counter.


#4

Hi Pala! Thanks. Yes, I am from Germany. But the Fritzbox is doing no SIP / Phoneservices at all. It is only the internet router. Everything connected to phone is done by the UCM. First when setting up the UCM I was forced to use port 5070 instead of 5060 because the Fritzbox was doing the SIP services - after switching to the UCM and disabling the phonefeatures on the Fritzbox I kept the 5070 port.
I needed to have the myfritz-address because of not having a static IP and I did not want to have another service like DynDNS registered while having this feature built into the Fritzbox. Without this url as external host the UCM did not work correctly (see https://forums.grandstream.com/t/ucm6202-and-1und1-status-403-not-supported-ip-in-contact-header/41561/19 ).
The fail2ban was an idea as well but the IP is not blocked here - as far as I can see from the packets the IP was not able to reach the UCM at all so this feature wouldn’t be able to block it yet.


#5

Yes this would be a possibility but I need to keep the Fritzbox for other reason so I am hoping to get this running. There have been many issues for which just changing the hardware (incl. the UCM as some people said) would be the easiest way.


#6

Hi Mr. Leonhard,
On your phonerlite config (tab server), you can change proxy/registrar with your ucm server’s ip (192.168.178.5:5070) or you can use this (192.168.178.5:5060). I hope this can solve your problem

Best Regards,

Ray


#7

This only helps in local network. As soon as I am outside the local network this does not work anymore.


#8

I was just thinking about port forwarding. First -as written above- I forwarded ports 10000 - 10500 in the Fritzbox for RTP. Next I changed the RTP-Port-Range in the PBX to 10000 - 10500 to match the forwarding.
Then I stumbled over https://www.3cx.com/docs/ports/ - is there any other port I need to forward? At the moment I will not try to do a TLS connection (next step).
Do I need to forward any TCP ports? At the moment I do only UDP forwarding.


#9

Okay, good luck :)


#10

First of all I recommend static and non-dynamic public IP, second thing not least the NAT exclusively in ACL

Damiano


#11

Hi Mr. Leonhard,
Please don’t change the configuration that I’ve suggested before because your phonerlite will communicate with ucm not with Fritzbox, except you use mikrotik just like Mr.@scottsip has suggested before. You can add the ip address of your device which phonerlite installed on sip settings (please see picture below):

And please don’t forget to strengthen your ucm’s security. I hope this can solve your problem. If you still have a problem, then I can suggest you do what Mr.@scottsip and Mr.@damiano70 have suggested because they know the best about this

Good Luck Sir

Best regards,

Ray


#12

Pala and I have been trying to get the external connection working today but we did not get it yet. But there is new information which can probably move us a step forward.


Wireshark shows this as an answer to the connecting device “ICMP 590 Destination unreachable (Port unreachable)” (192.168.178.5 is my UCM)
Regarding the myfritz.net-address (which is my “DynDNS”) - it does not make a difference whether I put this address here or my current public IP.


#13

News again and a big step but not the solution yet. But I think it is near to it.
For my setting it is important to activate the “NAT” checkbox in the extensions media section. As soon as this is disabled no connection will be established at all.
I do not need to add the Stunserver nor a Domain / Realm in the Phonerlite software. When doing this the extension will be shown available in the UCM but in the Packets there will still be an error message. Even though it is “ICMP 242 Destination unreachable (Port unreachable)” now.
When trying to call another extension with Phonerlite the connection works but there is no audio at all. Neither on the Phonerlite nor on the called extension (or any external phone). Phonerlite shows this information as soon as the connection is established:
Next I tried something different and opened up all ports in the Fritzbox (“IP4 Exposed Host”) related to the UCM
(“Enable this device completely for Internet access via IPv4 (Exposed Host)”)
Of course - just for testing!
As soon as I call anybody from Phonerlite there is audio both ways and the connection in Phonerlite shows this
(Sometimes instead of G.722 it is A-Law).
As soon as I disable the Exposed Host it will be the old problem again
Interesting as well: When defining port 5060 as local port in Phonerlite the connecting IP will be shown as “MyIPAddress:61518” in the UCM as soon as I change the local port in Phonerlite for example to 6090 the connection in the UCM will be “MyIPAddress:6090” so using a local port which is too close to 5060 etc. will result in a strange port. I do not know whether this matters but I want to tell about it.
So for me this shows that there is a port which needs to be forwarded to the UCM by the Fritzbox. But I do not know which one.
Does anybody have an idea how to figure out which port is missing?
Update: I just tried to get a connection using my smartphone and LTE (so no WLAN). It did not work at all. No connection even though the settings are the same as the ones which worked before in my home network.
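
One way to approach the "which port is missing" question from #13 is to read the SDP that the UCM sends in the captured SIP messages and compare the advertised RTP address and port with what the router forwards, which keeps the forwarding narrow instead of relying on Exposed Host. This is added example code, not from any poster in this thread; the sample SDP, its port 14236 and the forwarded range passed in are constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: SDP body such as a PBX behind NAT could send in a 200 OK.
SAMPLE_SDP = """v=0
o=- 1234 1234 IN IP4 192.168.178.5
s=call
c=IN IP4 192.168.178.5
t=0 0
m=audio 14236 RTP/AVP 9 8 101
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
"""

def parse_media(sdp):
    """Return (address, port, media) for every m= line of an SDP body."""
    session_addr, streams = None, []
    for line in sdp.splitlines():
        conn = re.match(r"c=IN IP4 (\S+)", line.strip())
        media = re.match(r"m=(\w+) (\d+)", line.strip())
        if conn and not streams:
            session_addr = conn.group(1)          # session-level c=
        elif conn:
            streams[-1][0] = conn.group(1)        # media-level c= overrides it
        elif media:
            streams.append([session_addr, int(media.group(2)), media.group(1)])
    return [tuple(s) for s in streams]

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                            # host name, cannot judge here
        return False
    return any(ip in net for net in RFC1918)

def check_sdp(sdp, forwarded_ranges):
    """List reasons why RTP for this SDP would not cross the router."""
    problems = []
    for addr, port, media in parse_media(sdp):
        if addr is None or is_rfc1918(addr):
            problems.append(f"{media}: address {addr} is not reachable from outside the LAN")
        if not any(lo <= port <= hi for lo, hi in forwarded_ranges):
            problems.append(f"{media}: UDP port {port} is not forwarded")
    return problems

if __name__ == "__main__":
    for p in check_sdp(SAMPLE_SDP, [(10000, 10500)]):
        print(p)
```

Paste the SDP body from a Wireshark capture in place of `SAMPLE_SDP` and pass the ranges actually forwarded on the router as `(low, high)` tuples.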


#14

It is not a complete solution of the issue but a big step:
I’ve forwarded the UDP (RTP) Ports 10000 to 20000 now in my Fritzbox (which is 40 entries because FB only allows up to 250 ports per entry).
Connecting my Softphone (I am using the GS Wave App for Android) works now. My colleague using iOS did not get a connection yet.
Furthermore I’ve got trouble with the audio from time to time. I cannot give more details yet because of lack of calls but all in all a big step.
I will keep you updated and am looking forward to your ideas.


#15

I’ve got it working in the meantime.


This is how I configured the Fritzbox “Freigaben”. And I think this is the most important part.
Now I can run Grandstream Wave on Android and iOS (the “Wave” port in the picture above is not related to this app - it is related to the browser Wave but I did not get it to work yet because of problems with the SSL certificate https://forums.grandstream.com/t/ssl-certificate-for-ucm-and-remote-access-to-gs-wave-using-dynamic-dns/44658 )
All in all it is no problem at all to get a softphone running. For me the softphone “Dialplate” is best because of different aspects: I can import the phonebook easily using CSV export (see this https://forums.grandstream.com/t/shared-address-book-on-pbx/34302/14 ), the BLF works great with the UCM and the price is a one time price. Lastly the developer of Dialplate is open for feature requests. I tested about 4-5 other softphones but none of them offered the above features.