Score:0

Routing Issue: Cannot reach target server from local network


1. my setup:

I've got an optical fibre ZTE router from my ISP for internet and telephone.

My old analog phone is connected directly to the router using the dedicated phone port on my router.

(For illustration I drew a network diagram below.)

2. what I want:

I want to use SIP directly to make calls from my local network, instead of my old analog phone.

For example I want to install the softphone App zoiper on my PC and then make calls using my headset.

3. the problem:

3.1 cannot reach the sip-server

The problem is that the SIP Proxy Server (10.40.0.9 and 10.40.0.41) is not reachable by any device in my LAN. Neither ping nor netcat shows any reachable IP or open port.

Only my analog phone works perfectly.

So I guess this must be a routing issue, because it's obviously a different internal vlan from my ISP, which is not publicly available.

3.2 webgui:

I logged into the router's web GUI and found out that it can perfectly reach the SIP proxy server, which is saved in my router's SIP config. (I used the web GUI's ping and traceroute utilities.)

Traceroute told me that there must be a gateway (10.166.32.1) in between the router and the sip server.

I tried to set some custom static routes, but I had no luck.

3.3 telnet shell:

Then I tried logging into the telnet shell of my router (no ssh available). It's a very crappy old minimalist shell with just a BusyBox v1.01 (which doesn't even have a vi or netcat utility). So it's quite challenging to work with that.

But I found out that from here I can't ping the SIP server.

3.3.1 ping from router doesn't work:

```
/ # ping 10.40.0.9
PING 10.40.0.9 (10.40.0.9): 56 data bytes
Request timed out.
Request timed out.
Request timed out.
Request timed out.

--- 10.40.0.9 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
```

This is very strange because it works from the web GUI, but not from the shell.

3.3.2 ip r on the router:

```
/ # ip r
default via 100.104.128.1 dev ppp0
10.28.192.0/18 dev nbif3  proto kernel  scope link  src 10.28.246.157
10.166.32.0/19 dev nbif1  proto kernel  scope link  src 10.166.58.255
10.254.0.0/16 via 10.28.192.1 dev nbif3
100.104.128.1 dev ppp0  proto kernel  scope link  src 100.104.148.2
192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.1
```

3.3.3 ip a on the router:

```
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
3: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN
    link/tunnel6 :: brd ::
4: pon0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
5: bcmsw: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noop state UNKNOWN qlen 100
    link/ether 00:10:18:00:00:00 brd ff:ff:ff:ff:ff:ff
6: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
7: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
8: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
9: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
10: gpon0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 00:10:18:00:00:01 brd ff:ff:ff:ff:ff:ff
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br0
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
13: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 100
    link/ether 72:3f:bc:f3:19:b7 brd ff:ff:ff:ff:ff:ff
14: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 100
    link/ether 72:3f:bc:f3:19:b4 brd ff:ff:ff:ff:ff:ff
15: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 100
    link/ether 72:3f:bc:f3:19:b5 brd ff:ff:ff:ff:ff:ff
16: nbif0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
17: nbif1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 08:3f:bc:f3:19:b7 brd ff:ff:ff:ff:ff:ff
    inet 10.166.58.255/19 brd 10.166.63.255 scope global nbif1
18: nbif2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 08:3f:bc:f3:19:b6 brd ff:ff:ff:ff:ff:ff
19: nbif3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 08:3f:bc:f3:19:ba brd ff:ff:ff:ff:ff:ff
    inet 10.28.246.157/18 brd 10.28.255.255 scope global nbif3
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 100.104.148.2 peer 100.104.128.1/32 scope global ppp0
```

3.3.4 add new route on the router:

Next I found out that I could add a route like this:

```
/ # ip route add 10.40.0.0/24 via 10.166.32.1 dev nbif1
```

3.3.5 now ping works from the router:

After that, ping also worked from the shell:

```
/ # ping 10.40.0.9
PING 10.40.0.9 (10.40.0.9): 56 data bytes
Reply from 10.40.0.9: bytes=56 ttl=253 time=6.8 ms seq=0
Reply from 10.40.0.9: bytes=56 ttl=253 time=22.3 ms seq=1
Reply from 10.40.0.9: bytes=56 ttl=253 time=28.2 ms seq=2
Reply from 10.40.0.9: bytes=56 ttl=253 time=6.2 ms seq=3

--- 10.40.0.9 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 6.2/15.8/28.2 ms
```

3.4 still can't ping from lan:

I thought if the default gateway (192.168.100.1) knows how to reach the sip server (10.40.0.9), then any other device in my lan should also know it, right?

But then why doesn't it work? I cannot ping 10.40.0.9 from like 192.168.100.2 or another local device.

4. My question:

Do you have any idea what route I can add in order to reach the server?

Thank you very much!

5. network diagram for illustration

[Network diagram image not included]



Additional Information:

iptables -L

```
/ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp !echo-request
ACCEPT     all  --  anywhere             anywhere             destination IP range 224.0.0.0-239.255.255.255
6rd        all  --  anywhere             anywhere
srvcntrl   all  --  anywhere             anywhere
srvdrop    all  --  anywhere             anywhere
fwports    all  --  anywhere             anywhere
fwinput    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp !echo-request
ACCEPT     all  --  anywhere             anywhere             destination IP range 224.0.0.0-239.255.255.255
macfilter  all  --  anywhere             anywhere
upnp       all  --  anywhere             anywhere
algfilter  all  --  anywhere             anywhere
ipfilter   all  --  anywhere             anywhere
portmapp   all  --  anywhere             anywhere
dmzmapp    all  --  anywhere             anywhere
fwforward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain 6rd (1 references)
target     prot opt source               destination

Chain algfilter (1 references)
target     prot opt source               destination

Chain dmzmapp (1 references)
target     prot opt source               destination

Chain fwforward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             DEVWL match:WANDEV


Chain fwinput (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request DEVWL match:WANDEV

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED DEVWL match:WANDEV

ACCEPT     all  --  anywhere             anywhere             DEVWL match:WANDEV


Chain fwports (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5060
ACCEPT     udp  --  anywhere             anywhere             udp dpts:4000:4012
ACCEPT     tcp  --  anywhere             10.28.246.157        tcp dpt:58000

Chain ipfilter (1 references)
target     prot opt source               destination

Chain macfilter (1 references)
target     prot opt source               destination

Chain portmapp (1 references)
target     prot opt source               destination

Chain srvcntrl (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:telnet
DROP       tcp  --  anywhere             anywhere             tcp dpt:telnet

Chain srvdrop (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http DEVWL match:WANDEV

DROP       tcp  --  anywhere             anywhere             tcp dpt:ftp DEVWL match:WANDEV

DROP       tcp  --  anywhere             anywhere             tcp dpt:telnet DEVWL match:WANDEV

DROP       tcp  --  anywhere             anywhere             tcp dpt:https DEVWL match:WANDEV


Chain upnp (1 references)
target     prot opt source               destination

Chain webfilter (0 references)
target     prot opt source               destination

Chain webpolicy (0 references)
target     prot opt source               destination

Chain wfmode (0 references)
target     prot opt source               destination
/ #
```
Anton Danilov:
Show the output of `iptables-save` command from the router shell.
hans2020dieter:
`iptables-save` is not available on my router, command not found. I guess because of BusyBox v1.01. Fortunately `iptables -L` works! I wrote the output below. Maybe it helps. Thank you!
Anton Danilov:
`iptables -L` shows only the filter table. Paste the output of `iptables -t nat -L`, please.
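
Added example (not part of the original posts): a longest-prefix-match lookup over the `ip r` table from the question, showing which route the router selects for the two SIP proxy addresses before and after the manual `ip route add`. The function names and the simplified source-address selection are assumptions of this example.

```python
import ipaddress

# Routing table copied from the `ip r` output in the question (section 3.3.2).
IP_R = """\
default via 100.104.128.1 dev ppp0
10.28.192.0/18 dev nbif3  proto kernel  scope link  src 10.28.246.157
10.166.32.0/19 dev nbif1  proto kernel  scope link  src 10.166.58.255
10.254.0.0/16 via 10.28.192.1 dev nbif3
100.104.128.1 dev ppp0  proto kernel  scope link  src 100.104.148.2
192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.1
"""
# Route added by hand in section 3.3.4.
ADDED = "10.40.0.0/24 via 10.166.32.1 dev nbif1\n"

def parse_routes(text):
    """Parse `ip r` lines into dicts with net, via, dev and src keys."""
    routes = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = dict(zip(tok[1::2], tok[2::2]))  # "via X dev Y src Z" pairs
        routes.append({"net": ipaddress.ip_network(dest), "via": opts.get("via"),
                       "dev": opts.get("dev"), "src": opts.get("src")})
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def describe(routes, dst):
    """Return (egress dev, next hop, source address of router-originated packets)."""
    r = lookup(routes, dst)
    if r is None:
        return None
    src = r["src"]
    if src is None and r["via"]:
        # Simplified source selection: src of the connected route to the gateway.
        gw = lookup([x for x in routes if x["via"] is None], r["via"])
        src = gw["src"] if gw else None
    return r["dev"], r["via"], src

if __name__ == "__main__":
    for label, table in (("before", IP_R), ("after", IP_R + ADDED)):
        for dst in ("10.40.0.9", "10.40.0.41"):
            print(label, dst, describe(parse_routes(table), dst))
    # Forwarded LAN packets keep their 192.168.100.x source unless a nat-table
    # rule rewrites it; only router-originated packets use the src shown here.
```
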
Score:0

Do you want to use the SIP-client on your router or one on the LAN (e.g. zoiper app)? I don't think it's a routing problem. The SIP-server should be reachable via the (correctly set) default route from your LAN also. But it's maybe a problem with your router's SIP-client.

I had a similar problem in my company's remote location. There was also a cheap ISP-router with an included SIP-client, and this SIP-client blocked all access from the LAN to any ISP on the internet because it terminates SIP only at the router itself and does not transmit SIP packets to/from the LAN.

I have not really solved that problem but just used not a SIP, but an IAX-client (also zoiper ;-) in the LAN.

Chris9834:
Ah, I have checked your picture again. You have connected your analog phone to the ISP router, which means that the SIP-client on the router is active. Try disabling that SIP-client on the router or try it with another router without SIP client and you will hopefully/probably have success.
hans2020dieter:
Unfortunately there is no such option on my router. It's a very stupid old ZTE router. I'm sure I could circumvent this issue by setting a correct route on the shell. But I am not so familiar with routing and networking and I am not sure what routes I need. If I can ping the SIP server from the router, then there must be a possibility to ping from LAN. But I must know how to deal with different interfaces, VLANs and routes.
Chris9834:
Please update your text with the info on which device you have done the steps you describe (e.g. adding that route: on your PC or on the router?). The next problem is that the SIP-server you like to reach as well as the SIP-gateway you like to reach are in the private network space, which is NEVER routed via internet. It's a private network and if your router is able to connect to it (your ping via router webgui shows that) that means that the router uses a VPN or something similar to reach the ISP's SIP-server.
Chris9834:
And because that VPN is probably not reachable from the LAN port, you are not able to connect to the SIP-server via that VPN. So I think I see two blocks for your goal: (1) the router-internal SIP client would block SIP usage from the LAN; (2) the router-internal VPN to the private address of the SIP-server is not available from the LAN. In the end, the longer I look at your configuration, the more I would say: go and buy a router that's worth its bucks. Check the used parts market; there are really great enterprise routers for sale cheap.
Chris9834:
And check the ISP's manual about whether, and if at all how, to connect a SIP client other than the router to that SIP-server.
hans2020dieter:
Thank you for your reply. I know that the router is bad, but unfortunately at this time it's impossible to replace it with a new one. I have got this telnet shell and can run unix commands on it. Is there really no chance to make some sort of forward rule or add a route or something, to make interface `br0 192.168.100.1` route into the ISP's VPN on interface `nbif1 10.166.58.255/19`?
Chris9834:
From my knowledge, NO. You can add a route in your router or PC that says that, but as the internet's switches and routers just dump every packet that starts with 10. (private IP address), nothing will reach your target. As long as you are not able to route INTO that VPN on your router from your LAN, it's not possible. And I think that's not possible at all because the VPN probably terminates on 127.0.0.1 inside the router. Again, what does the ISP say about connecting SIP-softphones to the ISP SIP servers? In that manual you could find info on how to do it / how the environment is designed.
Chris9834:
What kind of ISP connection are you using? I'm too used to "normal" IP connections, but in customer networks the ISPs use strange other things that could explain the behaviour. So, which protocol does your router use?
Chris9834:
Ah, reading helps. I should read logs more carefully :-( Your router is using a PPP-connection, that's the VPN I looked for. OK.
hans2020dieter:
Crap... so my router can run this old analog phone ... my router can ping the sip server ... but unfortunately my router cannot forward anything to my LAN. I thought there must be some solution. Some forward rule or anything, I mean the ipconfig and ip add tools are very powerful in Linux, I'm surprised that there is no way of forwarding.
hans2020dieter:
To your first question: unfortunately no, the ISP has absolutely no documentation on SIP and I called the customer support. They have no idea how to do it and they told me, if I want to build a PBX I should consult the business department and buy a commercial SIP Trunk for businesses, which will eventually cost a lot of money. Soooo.... the simple way by just using my already existing private telephone line to connect it to any other device is not supported by the ISP, so I have to find out on my own how to solve this issue. :(