Fongo Community Forums

[Liptonbrisk]

Please visit https://status.fongo.com/ to ensure there are no reported issues.

- Always disable Follow Me while testing for problems related to incoming calls.

- If your ATA, IP Phone, or SIP app is connected to the internet using a third party VPN service, disable the VPN and test calls again if you're experiencing a problem.

- When you login your FPL (website) account online and see "Your SIP Settings", those recommended settings listed under that heading, unless you've manually entered them, don't reflect the settings presently entered in your ATA, IP Phone, or SIP app. Everyone sees the same settings, except SIP username and SIP password.





Hi,

If you require troubleshooting assistance, please provide the following information in your post:

1) the brand and model of the modem provided by or used with your ISP,

a) If you're using a modem/router combo, gateway, or hub issued by your ISP (and are NOT using your own additional separate router), contact your ISP to ask for assistance for disabling SIP ALG in the modem/router combo, gateway, or hub. Disable SIP ALG.


Here are examples for disabling SIP ALG in gateways:


i) Hitron CGN3ACSMR and CODA-4582 series gateway modem/router combo from Rogers (and possibly other ISPs)


Open your web browser, and login at 192.168.0.1. Default username is cusadmin.
Select the “Basic” tab and disable “SIP ALG.” Click the “save changes” button.

ii) HItron CODA--4680 (possibly from Fizz and other ISPs)

Login at192.168.0.1.
Navigate to Basic Settings -->Gateway Function tab
Disable SIP ALG
Save Changes.


iii) Arris XB6 from Rogers

Open your web browser, and login at 10.0.0.1
Navigate to Advanced-->Options.
Uncheck the SIP box.
Click "Apply".


iv) SageMcom F@st3896 V2 from Cogeco

Open your web browser, and login at 192.168.0.1
Default username is "admin"
Password is located on the sticker on the back of the gateway.
Navigate to Access Control-->Advanced Options.
Turn off SIP ALG.
Click "Apply".

Be careful not to reset the F@st3896 gateway. Otherwise, SIP ALG will turn back on.

v) Technicolor XB7 from Rogers

Note that here isn't an option to disable SIP ALG in a (Technicolor CGM4331COM) XB7 (Gen 2) gateway with this Rogers firmware version:
eMTA & DOCSIS Software Version: Prod_21.1_d31 & Prod_21.1
Software Image Name: CGM4331COM_5.2p12s1_PROD_sey

According to a tier 2 rep at Rogers, SIP ALG is enabled by default in XB7 with no way to disable it.
I'm not sure whether that representative is correct (the part about SIP ALG being enabled). However, the response from Rogers seems to coincide with what's happening in Xfinity/Comcast XB7's in the U.S.: https://forums.xfinity.com/conversation ... 66f45f8df1. If you are experiencing issues with a Rogers XB7, try voip4.freephoneline.ca:6060 along with a high, random local SIP Port (X_UserAgentPort should be a random port number between 30000 and 60000 with Obihai ATAs and Obihai IP Phones, and SIP Port, found by navigating to Voice-->whatever Line you're using for FPL-->SIP settings, should be a random number between 30000 and 60000 when using a Linksys/Cisco ATA).

vi) XB8 (Gen 3) has just been released from Rogers

I have no information yet concerning whether SIP ALG can be disabled in the XB8.
A tier 2 rep mentioned that Rogers is moving towards locking out administration setting changes for users, so it's doubtful that SIP ALG can be disabled in the XB8, but we'll have to wait to confirm.
His reasoning is that if you can't disable SIP ALG in XB7, it's unlikely XB8 will offer the capacity to disable SIP ALG either.


vi) Nettis 4422 modem from Carry Telecom

Q : DSL - My VoIP phone does not work with Netis 4422 modem.
A: Please download the newest Netis firmware file, and update the firmware file netis1228.img for your modem. The new firmware has been tested and working
with most of Voip phone providers



b) If you are also using your own separate router in addition to the one supplied by your ISP, then you should be enabling bridge mode instead in the modem/router combo, gateway, or hub issued by your ISP.
For Bell Hubs, visit http://forums.redflagdeals.com/please-s ... r-1993629/. For Bell and Virgin Hubs, I find it's often simpler to perform PPPoE login in your own router (this is PPPoE Passthrough) and disable Wi-Fi in the hub. You will need the PPPoE Username and Password from Bell or Virgin.

For Rogers, visit https://www.rogers.com/customer/support ... ridgemodem.
Shaw users will have to call Shaw to enable bridge mode at the time of this post.

For Telus Wi-Fi Hubs, put LAN port 1 on the Hub in bridge mode. Then connect your router to LAN port 1.
Alternatively, contact Telus and ask them how to enable bridge mode.


c) Afterwards, disable SIP ALG in your own separate router if you own one. Here is an example: https://kb.netgear.com/30796/How-do-I-d ... -interface.

When using official Asus router firmware, SIP ALG is called SIP Passthrough (Navigate to Advanced Settings–>WAN–>NAT Passthrough). Disable SIP Passthrough.

In Asuswrt-Merlin, the ALG is "+NAT Helper". Just make sure SIP Passthrough in Merlin does not show "+NAT Helper". I've tested "Enabled" for SIP Passthrough in Asuswrt-Merlin without any problems.


2) the brand and model of your router and firmware version used,

a) Make sure whatever modem/router combo, gateway, or hub your ISP gave you is in bridge mode if (and only if) you are using your own separate router as well. Call/contact your ISP if you have to.
For Bell Hubs, visit http://forums.redflagdeals.com/please-s ... r-1993629/. For Bell and Virgin Hubs, I find it's often simpler to perform PPPoE login in your own router (this is PPPoE Passthrough) and disable Wi-Fi in the hub. You will need the PPPoE Username and Password from Bell or Virgin. For Rogers, visit https://www.rogers.com/customer/support ... ridgemodem. Shaw users will have to call Shaw to enable bridge mode at the time of this post.


b) If you are also using your own separate router in addition to the one supplied by your ISP, then disable SIP ALG in your own router. Here is an example:
https://www.obitalk.com/info/faq/sip-alg/disable-alg.

i) Asus routers

- When using official Asus router firmware, SIP ALG is called SIP Passthrough (Navigate to Advanced Settings–>WAN–>NAT Passthrough). Disable SIP Passthrough.

- When using Asuswrt-Merlin firmware, the ALG is "+NAT Helper". Just make sure SIP Passthrough in Merlin does not show "+NAT Helper". I use "Enabled" for SIP Passthrough in Asuswrt-Merlin without any problems.

- For Asus router users, login to your router’s web UI. Navigate to Advanced Settings–>Administration–>System (tab)–>Basic Config–>
Change “Enable WAN down browser redirect notice” to "No".
Click “Apply”. That fixes potential problems with a SIP device (ATA, IP Phone) attempting to register with 10.0.0.1
when it's booted before the modem is fully up and running first (after a power outage, for example).

- A number of people have been trying to eliminate Bell Hubs from their setups completely by removing
the module inside it and using a TP-LINK MC220L or something else. At the time of this post being
written, NAT acceleration must be disabled in this setup in order for SIP services, including
Freephoneline, to work properly. In your router, navigate to Advanced Settings-->LAN-->Switch
Control-->NAT Acceleration. Select "disable." Click "apply."Then reboot your modem, router (wait for
Wi-Fi SSIDs to populate first before rebooting ATA), and your ATA or IP Phone, in that order.
If you do require NAT Acceleration to be enabled, don’t use VLAN with Asus routers.


ii) Ubiquiti routers

If you're an Ubiquiti router user, disable jumbo frames.




3) the brand and model of your ATA, IP Phone, or smartphone (if you're using a SIP app or Freephoneline's desktop app, specify the name of the app and version) and firmware version used,

4) the proxy server your ATA or IP Phone is using (for example, voip.freephoneline.ca, voip2.freephoneline.ca, or voip4.freephoneline.ca:6060),

5) the registration status in your ATA or IP Phone and also "SIP status" after logging in at https://www.freephoneline.ca/showSipSettings

Please note that if "SIP User Agent" reflects a different device than the one you're using, someone else is likely using your Freephoneline VoIP unlock key.
Only one registration is permitted at any time per Freephoneline VoIP unlock key. Registration is a requirement for incoming calls but not for outgoing calls.

6) If applicable, please also login at https://www.freephoneline.ca/callLogs and provide the date and time of the failed call and, especially, the "Disconnect reason".
Check and confirm that the "To" and "From" fields represent numbers you expect.

7) Similarly (with respect to #6), if your ATA or IP Phone has call logs, please check your call log history to see whether any useful information, such as a 3 digit SIP error code is listed.
If so, please provide that information.

8) If you heard an error message, especially a 3 digit SIP error code, please provide it.

9) This is always proper device reboot order:

A.Turn off modem, router and ATA (or IP Phone or close SIP App).

B. Turn on modem. Wait for modem to be fully up and running.

C.Turn on router.
Wait for modem to be fully up and transmitting data before turning on router.

D. Turn on ATA (or IP Phone or open SIP app) only after the router is fully up and running.

The SIP device (ATA, IP Phone, or SIP app) should be the last device powered on in the device chain.



The first 3 pieces of information requested are often important.

Thank you

[Liptonbrisk]

(Generic info)

Typically, for VoIP SIP services, especially for Freephoneline/Fongo, you want

A) a router that does not have a full cone NAT,

Visit https://www.ietf.org/rfc/rfc3489.txt (scroll down to "NAT Variations").
Mango from the Obitalk.com forums writes,
“Use a restricted cone NAT router, and do not use port forwarding or DMZ. Restricted cone NAT will only permit
inbound traffic from the service provider you're registered to. If you have a full cone NAT router, it will allow traffic
from any source. This is probably not what you intend.
If you have a Windows computer, you can test your router using the utility here:
http://www.dslreports.com/forum/remark,22292023. To run it, use stun stun.ekiga.net from a command prompt.”
Essentially, you download the stun-test.zip file; extract the stun.exe file from within the zip file to an easily
accessible location; use an elevated command prompt (visit
http://www.thewindowsclub.com/how-to-ru ... inistrator); change directory (cd) to the
directory or location where you extracted stun.exe (visit
http://www.digitalcitizen.life/command- ... c-commands); and type “stun stun.ekiga.net” without
the quotation marks followed by the enter/return button on your keyboard.
Asus routers, at the time of this writing, produce port restricted cone NAT routers, for example and are fine,
provided you’re using one with Asuswrt-Merlin, third party firmware installed.

B) a router that lets you disable SIP ALG if it's buggy,

To understand why SIP ALG often causes horrible problems, please visit
https://www.voip-info.org/routers-sip-alg/ (scroll down to the section on SIP ALG problems).

If you're dealing with a modem/router combo issued by an ISP or a router with SIP ALG forced on, you may have
to use voip4.freephoneline.ca:6060 for the Proxy Server. The purpose of voip4.freephoneline.ca:6060 is to circumvent
faulty SIP ALG features in routers.

Also, scroll all the way down to the final post in this thread.



C) a router that allows you to set QoS or assign highest priority to your ATA or IP Phone over all other devices on your LAN (local area network),

For a very general description of what QoS can do for you, visit https://www.voipmechanic.com/qos-for-voip.htm.
The basic idea is if you're torrenting or have a bunch of other computers, smartphones, tablets, etc. downloading and uploading (hogging all your available bandwidth), you don't want
your ATA not to have access to enough bandwidth to make or receive calls properly. So QoS or a Bandwidth Monitor feature (which is just another form of QoS) is a really good idea for VoIP users.

I often get an occasional relative complaining to me, "Hey my calls sound choppy." And then when I go visit, some kids are playing MMOs on a computer, while another person is downloading a huge file,
and another person is backing up files to a cloud service all at the same time someone else is trying to talk on the phone. All those devices, without QoS enabled, are fighting over available bandwidth along with the ATA.

and D) A router that lets you adjust both Unreplied and Assured UDP timeouts.

Thanks to Mango, many of us now understand that in order for ATAs to remain registered and working properly with a VoIP SIP provider like Freephoneline, in particular after power failures, the following conditions must be met:

UDP Unreplied Timeout (in your router) < NAT Keep-alive Interval (in your ATA; for Obihai ATAs this is X_KeepAliveExpires; for Grandstream, the setting is SIP Notify Keep Alive Interval) < UDP Assured Timeout or UDP Stream (in your router) < SIP Registration Failure Retry Wait Time (or RegisterRetryInterval in Obihai ATAs)

“<“ means less than.

When a modem leases a new IP address, a problem can arise where prior associations using the old IP address are maintained in the router. When the ATA attempts to communicate using the old IP address, the response is unreplied, and then if the UDP Unreplied timeout is greater than the Keep Alive Interval (and UDP Unreplied timeout is often set to 30 by default in consumer routers) a problem arises where the corrupted connection persists. If UDP Unreplied timeout is, for example, 15, and the NAT Keep Alive Interval is 20, then the corrupted connection will timeout or close. A new connection will be created, and everything will work fine.

Another problem can occur when the Keep-Alive interval is greater than UDP Assured Timeout (often 180 by default in consumer routers): the NAT hole will close due to the ATA not communicating frequently enough with the SIP server. In turn, incoming calls may, intermittently, not reach the ATA. Again, X_KeepAlivesExpires (SIP Notify Keep Alive Interval) is supposed to be 20 with FPL.



Getting access to both UDP Unreplied Timeout and UDP Assured Timeout settings in consumer routers may be difficult, if not impossible. Asuswrt-Merlin (I would avoid any model below/less powerful than an RT-AC68U), third party firmware for Asus routers, does offer easy access to these two settings, which are found under General–>Tools-->Other settings. My understanding is that third party Tomato firmware has these two settings as well. So if your router supports Tomato firmware, that may be another option. Note that I will not be held accountable any damage resulting from failed firmware updates. Apparently, Mikrotik routers also allow users to change both Assured and Unreplied UDP timeout settings as well: https://forums.redflagdeals.com/recomme ... #p28059363.

Router firmware that allows users to adjust Assured and Unreplied UDP timeouts include

Asuswrt-Merlin
Ubiquiti
Mikrotik
pfSense
Tomato
DD-WRT
OpenWRT

The keep alive interval for FPL is 20. The SIP Registration Failure Retry Wait Time is 120. I use 15 for UDP Unreplied Timeout and 115 for UDP Assured Timeout.



ISPs do not issue customers routers that can do all four things I just listed. Typically it's far better to have your own router with strong QoS functions and a restricted cone NAT firewall,
disable whatever SIP ALG feature is enabled in the router, and stick whatever modem/router combo your ISP gives you into bridge mode. For Bell Hubs, visit http://forums.redflagdeals.com/please-s ... r-1993629/. For Rogers, visit https://www.rogers.com/customer/support ... ridgemodem.

[Liptonbrisk]

(continuing point D above)



a. Asuswrt-Merlin

i) Login to router's web UI
ii) Navigate to General-->Tools-->Other Settings
iii) Change "UDP Timeout: Assured" to 115 seconds if the failed registration retry timer in your ATA or IP Phone is 120 seconds for Freephoneline.
iv) Change "UDP Timeout: Unreplied" to 15 seconds if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.
v) Click "Apply"


b. Ubiquiti

i) Login to Unifi Controller
ii) Navigate to Routing & Firewall-->Firewall-->Settings-->State Timeouts
iii) Change "UDP Stream" to 115 seconds if the failed registration retry timer in your ATA or IP Phone is 120 seconds for Freephoneline.
iv) Change "UDP Other" to 15 seconds if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.
v) Click "Apply Settings" (Save changes made).


c. Mikrotik

i) Use Winbox: https://download2.mikrotik.com/routeros ... winbox.exe
To learn how to connect to your router, visit https://wiki.mikrotik.com/wiki/Manual:Winbox. Connect to your router and login.
ii) Enter "ip firewall connection tracking set udp-stream-timeout=115s" (without the quotation marks) if the failed registration retry timer in your ATA or IP Phone is 120 seconds for Freephoneline.
iii) Enter "ip firewall connection tracking set udp-timeout=15s" (without the quotation marks) if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.

d. pfSense

UDP Multiple is UDP Assured
UDP Single is UDP Unreplied
Based on https://www.netgate.com/docs/pfsense/bo ... l-nat.html

i) Login to pfSense GUI.
ii) Navigate to System-->Advanced-->Firewall & NAT-->Firewall Optimization Options
Scroll down to "State Timeouts".
iii) Change UDP First (udp.first) to 115 seconds if the failed registration retry timer in your ATA or IP Phone in your ATA or IP Phone is 120 seconds for Freephoneline.
iv) Change UDP Single (udp.single) to 15 seconds if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.
iv) Change UDP Multiple (udp.multiple) to 115 seconds if the failed registration retry timer in your ATA or IP Phone in your ATA or IP Phone is 120 seconds for Freephoneline.
v) Save settings


e. Tomato

i) Login to router's web UI
ii) Navigate to Avanced-->Conntrack / Netfilter-->UDP Timeout
iii) Change "UDP Timeout: Assured" to 115 seconds if the failed registration retry timer in your ATA or IP Phone is 120 seconds for Freephoneline.
iv) Change "UDP Timeout: Unreplied" to 15 seconds if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.
v) Click "Save"

f. DD-WRT (I've never used DD-WRT and am not able to test whether this works)

i) Login to router web UI.
ii) Navigate to Administration-->Commands (use command shell). Or SSH/Telnet into your router.

Enter the following:
iii) "echo 115 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream" (without the quotation marks) if the failed registration retry timer in your ATA or IP Phone is 120 seconds for Freephoneline.
iv) "echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout" (without the quotation marks) if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.

Note: It's possible these changes may not be saved in DD-WRT after rebooting:
https://www.linksysinfo.org/index.php?t ... ost-274528

To persist changes after reboot, you need to add your command to crontab or "startup scripts".
In my case I had to shove the damn assignment into crontab, because either the startup command fails sometimes or the value gets reset eventually

One of these two UDP settings is adjustable in DD-WRT web UI at Administration-->Management-->IP Filter Settings-->UDP Timeout (in seconds), but depending on the firmware version used, the single UDP timeout setting that is adjustable differs.

g. OpenWrt

Add the following (or change) to /etc/sysctl.conf

i) net.netfilter.nf_conntrack_udp_timeout_stream=115 if the failed registration retry timer in your ATA or IP Phone is 120 seconds for Freephoneline.
ii) net.netfilter.nf_conntrack_udp_timeout=15 if the NAT Keep-alive Interval in your ATA or IP Phone is 20 seconds for Freephoneline.

Then run sysctl -p to load the new settings from the file.


-----
Guides you should be following are located at viewforum.php?f=15.

Lastly, VoIP Unlock key Credentials can be found at https://support.freephoneline.ca/hc/en- ... redentials.

[Liptonbrisk]

Did I mention SIP ALG might cause problems? How about a security issue?

https://www.snbforums.com/threads/vulne ... ost-657216

The NAT Slipstream attack is the one that uses ALGs helpers to potentially compromise clients. I recommend making sure none of the settings on the NAT Passthrough page is set to "Enabled + NAT Helper", they should be either "Enabled" or "Disabled". I haven't tested this, but I would expect that ensuring NAT helpers are disabled to be enough to prevent this attack vector.

Those ALG are generally not needed by modern clients. For instance, I have both an ATA (for my home phone) and a direct IP phone (for work) here, both work fine without the need for an ALG helper.

Note that numerous browsers are now implementing mitigation methods by blocking certain ports used by these protocols.

RMerlin is the developer of Asuswrt-Merlin firmware. He is referring to settings in Merlin router firmware.

NAT slipstreaming involving ALGs, including SIP ALG, doesn't just apply to Asuswrt-Merlin, of course: https://samy.pl/slipstream/. It's a potential issue for everyone.