Allstarlink box trunked to Hamshack Hotline

Hello,

I’m trying to configure an IAX2 trunk from my ASL box (RPi3) to Hamshack Hotline US server. The registration process is working but there’s a problem with the incoming calls, they are always routed to “radio-secure” context in the asterisk dialplan, no matter what I configure as context = xxx in the iax.conf file. Every time I try to call from another HH extension to my trunk number, the asterisk CLI shows the following:

NOTICE[605]: chan_iax2.c:9043 socket_process: Rejected connect attempt from 66.42.83.181, request 's@radio-secure' does not exist

Has anyone faced this issue? Any help will be greatly appreciated.
73!

Gustavo - LU7WA

Show your iax.conf on the context troubled machine. (blank your passwords)

Hi Mike, below you will find my iax.conf (comments removed);

[general]
bindport = 4569
                                
disallow = all

allow = ulaw
allow = adpcm
allow = g722
allow = g726aal2
allow = gsm
allow = ilbc

jitterbuffer = yes
forcejitterbuffer = yes
dropcount = 2
maxjitterbuffer = 4000
maxjitterinterps = 10
resyncthreshold = 1000
maxexcessbuffer = 80
minexcessbuffer = 10
jittershrinkrate = 1
tos = 0x1E
autokill = yes
delayreject = yes

register => 52853:xxxxxx@register.allstarlink.org
register => 11004:xxxxxx@hhus.wizworks.net

; Incoming radio connections

[radio]
type = user
disallow = all
allow = ulaw
allow = adpcm
allow = g722
allow = g726aal2
allow = gsm
allow = ilbc
codecpriority = host
context = radio-secure
transfer = no

[iaxrpt]
type = user
context = iaxrpt
auth = md5
secret = xxx
host = dynamic
disallow = all
allow = ulaw
allow = adpcm
allow = gsm
transfer = no

[11004]
type = peer
context = from-hhus
secret = xxxxx
host = dynamic
encryption = no
insecure = port,invite
requirecalltoken = no
qualify = yes
trunk = yes

[11004]
type = user
context = from-hhus
username = 11004
secret = xxxxx
encryption = no
insecure = port,invite
requirecalltoken = no
trunk = yes
callerid = HamshackHotline

[iaxclient_001]
type = friend
context = iax-client
auth = md5
secret = xxxxx
host = dynamic
disallow = all
allow = ulaw
allow = adpcm
allow = gsm
transfer = no

I’m sure I am missing something because I can’t make asterisk to route the incoming HHUS trunk calls to a different context other than “radio-secure”.
73

Gustavo

As I remember it… (akhmmm…)
Your registration strings are in the general as they should be and that makes the default context apply.
I used to do what you are doing many years ago and with my reg pbx server.

As I think my fix was to answer in that context then,
use a predial code to sort and forward to a new context. It’s all about routing.
You can inject the predial code from the other side so it is transparent.

However, there are methods to shift that context after the call is handled initially in that default.
I just don’t remember them…

you might try this from the other side

[outbound]
type=peer
username=username
secret=secret
peercontext=radio-else
host=domainip.com

Let me know if that works… I’m still thinking on it as I know I had a better way.

I was looking at your conf again and did not notice first time.
You have 2 stanzas with the same header and the same context, one peer and one user.

I am sure you were wanting one for inbound and one for outbound, and of course those need to be called in the dial string from extensions.

But with 2 the same… that is a problem. How do you dial out one of them? It is by name.
??? exten => _1700XXXXXX,1,Dial(IAX2/11004/${EXTEN}) ???
Asterisk acts on 1st match every time. Can’t have 2.

[11004]
type = peer
context = from-hhus
secret = xxxxx
host = dynamic
encryption = no
insecure = port,invite ; <<< not sure this is valid in our older version “VERY”
requirecalltoken = no
qualify = yes
trunk = yes

[11004]
type = user
context = from-hhus
username = 11004
secret = xxxxx
encryption = no
insecure = port,invite
requirecalltoken = no
trunk = yes
callerid = HamshackHotline

Why not start this over…
Fully describe the trunk IN & OUT

Perhaps this makes sense ?
[out]
type=peer
username=user
secret=xxxx
peercontext=radiosomething ; <<< this should forward to the peer context. Be sure to do both ends.
host=100.100.100.100
nat=no
canreinvite=yes
trunk=yes

[in]
type=user
host=200.200.200.200 ; qualifying host will be on this ip
notransfer=yes
disallow=all
allow=ulaw
trunk=yes
secret=XXXX
context= radioxxxx

If you do not use IP-based access control for all of your type=user entries, and you expect your asterisk installation to be reasonably secure, your iax.conf file must contain a “guest” entry with no secret specified.
When a remote system connects to yours, it can connect without specifying a username (that is, connect anonymously). If you have a type=user section that does not specify a secret, Asterisk will allow them to connect with any secret specified in the file. This means that if you have a large number of type=user entries but no guest entry in iax.conf, someone only has to guess any one of your secrets to connect to your server as that user.
Add a last entry in iax.conf with no password to force anonymous calls into a specific context that goes nowhere.

your dialstring in ext
exten => _1700XXXXXX,1,Dial(IAX2/out/${EXTEN})

Am I gettn anywhere ? LOL

Hi Mike, thanks for taking the time to check my setup. I’m following your comments, back from work I will modify the config and I’ll let you know how it is going.
I’ll apply the “guest” config, didn’t have that in mind.
I have some experience with asterisk but it’s been a few years and I have to catch up again. I understand all your comments clearly.
Thank you.
73!

Gustavo

I think some of my notes are in error, but I will wait to see where you are.
Been a while for me as well.

Hi Mike, I think I have a point and it’s about user authentication. Your comments about that subject pointed me in the right direction. As soon as I added a guest user (just type=user and context=dummy) I realized that all the incoming calls from HH were caught by that user as unauthenticated. See the next asterisk log:

-- Accepting UNAUTHENTICATED call from 66.42.83.181:
requested format = ulaw,
requested prefs = (ulaw|alaw|gsm),
actual format = ulaw,
host prefs = (ulaw|adpcm|g722|g726aal2|gsm|ilbc),
priority = mine
-- Executing [s@dummy:1] NoOp("IAX2/66.42.83.181:4569-7287", "") in new stack
== Auto fallthrough, channel 'IAX2/66.42.83.181:4569-7287' status is 'UNKNOWN'
-- Hungup 'IAX2/66.42.83.181:4569-7287'

NoOp is the only operation in the context dummy (exten=>s,1,NoOp)
I was quite lost at first because I didn’t realize that there is a “radio” user defined in iax.conf that has no secret so it was catching all the incoming calls (and that user’s context is radio-secure).
This is my “iax2 show users”:
mybox-ASL-1*CLI> iax2 show users

Username         Secret                Authen           Def.Context      A/C    Codec Pref
guest            -no secret-           000000000000003  dummy            No     Host 
allstar-public   xxxxxxxxxxxxx         000000000000002  allstar-public   No     Host 
allstar-sys      xxxxxxxxxxxxx         000000000000004  allstar-sys      No     Host 
iaxclient_001    xxxxxxxxxxxxx         000000000000002  iax-client       No     Host 
from_hhus        -no secret-           000000000000003  from-hhus        No     Host 
iaxrpt           xxxxxxxxxxxxx         000000000000002  iaxrpt           No     Host 
radio            -no secret-           000000000000003  radio-secure     No     Host 

I applied your suggested changes (more or less) but all the incoming calls are still being caught by the new “guest” user. I even tried removing the secret from my hhus user and still no luck.
This is the new iax.conf, some lines are commented out because of all the tests… (only relevant lines shown):

[to_hhus]
type = peer
username = 11004
secret = xxxxxxxxxxxxx
host = dynamic                  ; register line
auth = md5
insecure = very
qualify = yes
trunk = yes
nat=no
transfer = no

[from_hhus]
type = user
;username = 11004
;secret = xxxxxxxxxxxxx
host = hhus.wizworks.net
;auth = md5
trunk = yes
context = from-hhus
transfer = no
callerid = "HamshackHotline"

[guest]
type=user
context=dummy

I feel that we’re close to the solution! I will keep working on this.
Thank you!

Gustavo

Forgot to comment about the peer: I’m including all the user:pass in the Dial string. I know that I might use the peer name as a shortcut but I haven’t done that yet.

Well, now it’s working but not as I expected. I removed the “guest” user and the authentication lines from my “from_hhus” (username, secret and host) and now the call is being routed to the desired context.
I’m not happy with this, I’ll keep working.
Thanks!

Still looking and thinking.
But I did notice your incoming had no authentication.
It needs something, pass or IP. Probably why it worked when you removed the guest trap.
The reason you ended in the default context is you had no auth match.

Note that if you go looking for help online, be careful of some syntax as the app_rpt distro is an older version of asterisk. Was not bad when it was only a version or two behind but it’s much further now.

And I’m sorry for my haphazard instruction, but it’s really for ideas/things to check.
Typing faster than my memory LOL

OK…
This is an iax DID (in) I use, and I use no reg string for inbound only. Security is in the permit=ip
[mydid1-iax2]
type=user
permit=40.10.200.41
context=from-mydid1
>>> If you specify no other options, the default from the general section apply
Ah Ha…
I found my old configs… This is from the radio box. The other side was up 2 versions of CENTOS OS and ? asterisk. As it was last used 5 years ago, notice some commented out.

register=5555:RadioPBXap01@192.168.1.206/from-internal

[PBX] ; Setup for outgoing calls - autopatch trunk to pbx3
type=peer
host=192.168.1.206
username=5555
secret=RadioPBXap01
context=radio
;auth=md5
;disallow=all
allow=all
;allow=ulaw
;allow=alaw
;transfer=no

; Incoming phone connections to app_rpt

[radio-control]
type=user
username=5000 ; <<< the user name was an exten in the other box to keep it straight
secret=djp69
disallow=all
allow=gsm
codecpriority=host
context=radio-control
transfer=no

By design, this was to allow the radio box connection access to the full newer pbx for outbound dialing while allowing the newer box house phones access to the radio control-repeaters.

A ham-rat-nerd saves everything… 8TB worth in 25+ yrs LOL

Hi Mike, the permit = statement solved the problem. The fact that the incoming calls are unauthenticated makes things a little more complicated. I thought that the IP match was done by the host = statement, my mistake…
You are right about the online help, you can find a lot of information but sometimes it does not match your version or setup, etc… Maybe something I read confused me. I will take some time to do a deeper study about authentication to find out if there’s another possible setup to match this scenario.
Anyways it’s working now and I can still have the “guest” user just in case…
Thank you so much for all your help!
Regards.

Gustavo
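
An added example, not part of the thread or of either poster's configuration: a small Python audit for the two problems found above, a type=user stanza with no secret and no permit= line picking up the unauthenticated trunk calls, and the duplicate [11004] sections. The sample config is constructed from stanzas posted in the thread; `parse`, `audit` and `AUTH_KEYS` are names made up for this sketch, and counting dbsecret and inkeys as authentication alongside secret is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the stanzas posted in this thread.
SAMPLE = """
[radio]
type = user
context = radio-secure      ; no secret, no permit
[11004]
type = peer
secret = xxxxx
[11004]
type = user
secret = xxxxx
context = from-hhus
[from_hhus]
type = user
host = hhus.wizworks.net    ; per the thread, host= did not restrict the source
context = from-hhus
[mydid1-iax2]
type = user
permit = 40.10.200.41
context = from-mydid1
"""

AUTH_KEYS = ("secret", "dbsecret", "inkeys")  # assumption: any of these counts as auth

def parse(text):
    """Return [(name, {key: [values]})], keeping duplicate sections separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            sections.append((m.group(1), {}))
        elif sections and "=" in line:
            key, val = line.split("=", 1)        # also handles 'key => value'
            opts = sections[-1][1]
            opts.setdefault(key.strip().lower(), []).append(val.lstrip(">").strip())
    return sections

def audit(text):
    """Report duplicate section names and users with neither a secret nor permit=."""
    secs = parse(text)
    counts = Counter(name for name, _ in secs)
    open_users = [(name, o.get("context", ["(default)"])[0]) for name, o in secs
                  if o.get("type", [""])[0].lower() in ("user", "friend")
                  and not any(v for k in AUTH_KEYS for v in o.get(k, []))
                  and not o.get("permit")]
    return {"duplicates": sorted(n for n, c in counts.items() if c > 1),
            "open_users": open_users}
```

A deliberate "guest" trap stanza is reported as well; for that one the thing to confirm is that its context goes nowhere.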

Glad you are running ok.
Yes, I just put a new sip trunk on one and a did iax, I made a new trap since describing some things gave me some ideas as there was a lot of hack traffic once they saw the port 5060 open.
So I’m capturing and logging them to deal with in iptables later.

Here are some extensions I created as tools. I think you will understand them.

exten => _5886,1,Answer ; What context am i ?
exten => _5886,2,Wait(.5)
exten => _5886,3,SayAlpha(${CONTEXT})
exten => _5886,4,Hangup

exten => _5887,1,Answer ; What channel am i ?
exten => _5887,2,Wait(.5)
exten => _5887,3,SayAlpha(${CHANNEL})
exten => _5887,4,Hangup

exten => _5888,1,Answer ; <<< What extension am I ?
exten => _5888,2,Wait(.5)
exten => _5888,3,SayAlpha(${CALLERID(num)})
exten => _5888,4,Hangup

Catch you on the artificial ionosphere !