nethesis · paolovisintin · Nov 22, 2025 · Nov 22, 2025 · Dec 18, 2025 · Jan 22, 2026
diff --git a/.cursorindexingignore b/.cursorindexingignore
@@ -0,0 +1,3 @@
+
+# Don't index SpecStory auto-save files, but allow explicit context inclusion via @ references
+.specstory/**
diff --git a/.specstory/.gitignore b/.specstory/.gitignore
@@ -0,0 +1,4 @@
+# SpecStory project identity file
+/.project.json
+# SpecStory explanation file
+/.what-is-this.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,4 +24,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `postgres` module folder
 - `redis` module folder
 - `rtpengine` module folder
-- basic structure of folders and files (`modules`, `.env.template`, `.gitignore`, `CHANGELOG.md`, ...)
+- basic structure of folders and files (`modules`, `.env.template`, `.gitignore`, `CHANGELOG.md`, ...)
diff --git a/imageroot/actions/create-module/20firewall b/imageroot/actions/create-module/20firewall
@@ -8,8 +8,11 @@
 import os
 import agent
 
-# Open SIP (5060), SIPS (5061) port and RTP range (10000-20000)
+# Open SIP (5060), SIPS (5061), custom port (6060,6061) and RTP range (10000-20000)
 agent.assert_exp(agent.add_public_service(os.environ['MODULE_ID'], [
     "5060-5061/tcp",
     "5060-5061/udp",
+    "6060/tcp",
+    "6060/udp",
+    "6061/tcp",
     "10000-20000/udp"]))
diff --git a/modules/kamailio/bootstrap.sh b/modules/kamailio/bootstrap.sh
@@ -33,6 +33,10 @@ if [ "${BEHIND_NAT}" == "true" ]; then
     echo "listen=tcp:${PRIVATE_IP}:5060 advertise ${PUBLIC_IP}:5060" >> /tmp/kamailio-local-additional.cfg
     # doing the same for TLS
     echo "listen=tls:${PRIVATE_IP}:5061 advertise ${PUBLIC_IP}:5061" >> /tmp/kamailio-local-additional.cfg
+    # Add listeners for port 6060
+    echo "listen=udp:${PRIVATE_IP}:6060" >> /tmp/kamailio-local-additional.cfg
+    echo "listen=tcp:${PRIVATE_IP}:6060" >> /tmp/kamailio-local-additional.cfg
+    echo "listen=tls:${PRIVATE_IP}:6061" >> /tmp/kamailio-local-additional.cfg
 else
     # now I have to add the listen with the public IP in the kamailio-local-additional.cfg
     echo "listen=udp:${PUBLIC_IP}:5060" > /tmp/kamailio-local-additional.cfg

diff --git a/modules/kamailio/config/kamailio.cfg b/modules/kamailio/config/kamailio.cfg
@@ -412,6 +412,8 @@ route[WITHINDLG] {
         route(DLGURI);
         if ( is_method("ACK") ) {
             # ACK is forwarded statelessly
+            # Ensure correct socket is used (especially for INTERNAL_NETWORK)
+            route(SET_SOCKET);
             route(NATMANAGE);
         } else if ( is_method("NOTIFY") ) {
             # Add Record-Route for in-dialog NOTIFY as per RFC 6665.
@@ -1053,17 +1055,29 @@ route[HANDLE_ALIAS] {
 } # end of route[HANDLE_ALIAS]
 
 # -----------------------------------------------------------------------------
-# route[SET_FROM_SOCKET]
-# this route set the from socket accoding also to LOCALNETWORKS
+# route[SET_SOCKET]
+# this route sets the from socket according to LOCALNETWORKS and INTERNAL_NETWORK
+# - LOCALNETWORKS: uses PRIVATE_IP for advertised address
+# - INTERNAL_NETWORK: forces socket to SERVICE_IP for traffic to Asterisk
 # -----------------------------------------------------------------------------
 route[SET_SOCKET] {
     if( $shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - in SET_SOCKET route \n");
+    if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: ENTER \n");
     if(is_request()) {
+        if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: is_request=TRUE \n");
         # print $rd is an ip and is in LOCALNETWORKS then print it
         $var(destination_ip)= $null; # reinitialize the variable
-        $var(destination_ip) = $(ru{uri.host}); # fetch the destination ip from ru
+        # if $du is present, the destination ip is the one in $du
+        if ($du != $null && $du != 0 && $du != "") {
+            $var(destination_ip) = $(du{uri.host});
+        } else {
+            $var(destination_ip) = $(ru{uri.host}); # fetch the destination ip from ru
+        }
+        if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: destination_ip=$var(destination_ip) ru=$ru \n");
         if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - destination ip: $var(destination_ip) \n");
+        if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: before validity check \n");
         if ($var(destination_ip) != $null && $var(destination_ip) != 0 && $var(destination_ip) != "") {
+            if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: destination_ip is VALID \n");
             if ($avp(direction) == 'in' && $dlg_var(direction) == 'in') {
                 if (($du == $null) && ($ru =~ "^sips:") && !($ru =~ ";transport=")) {
                     if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - ru: $ru - du: $du - Rewriting ru and du for EA-51 \n");
@@ -1075,7 +1089,8 @@ route[SET_SOCKET] {
             if (is_in_subnet($var(destination_ip), LOCALNETWORKS)) {
                 if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - destination ip is in LOCALNETWORKS \n");
                 $var(from_socket) = PRIVATE_IP;
-                set_advertised_address(PRIVATE_IP);
+                $fs = PRIVATE_IP + ":6060";
+                if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET(fs): $fs \n");
                 # logging I've set the PRIVATE IP
                 if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - from_socket: $var(from_socket) \n");
                 # handling rtpengine manage
@@ -1085,9 +1100,29 @@ route[SET_SOCKET] {
                 # logging rtpengine_conf
                 if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - rtpengine_conf: $var(rtpengine_conf) \n");
             }
+            # Handle traffic to INTERNAL_NETWORK (service network where Asterisk lives)
+            if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: about to check INTERNAL_NETWORK for $var(destination_ip) \n");
+            if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - checking if $var(destination_ip) is in INTERNAL_NETWORK \n");
+            if (is_in_subnet($var(destination_ip), INTERNAL_NETWORK)) {
+                if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: MATCH! $var(destination_ip) IS in INTERNAL_NETWORK \n");
+                if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - destination ip is in INTERNAL_NETWORK, forcing socket to SERVICE_IP \n");
+                # Force using the service network interface
+                $fs = SERVICE_IP + ":5060";
+                if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: forced $fs \n");
+                # replace external in rtpengine_conf with internal
+                $var(rtpengine_conf) = $(var(rtpengine_conf){s.replace,external,internal});
+                if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - forced socket: $fs, rtpengine_conf: $var(rtpengine_conf) \n");
+            } else {
+                if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: NO MATCH! $var(destination_ip) NOT in INTERNAL_NETWORK \n");
+                if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - destination ip $var(destination_ip) is NOT in INTERNAL_NETWORK \n");
+            }
+        } else {
+            if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: destination_ip INVALID (null/0/empty) \n");
         }
     } else {
+        if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: is_request=FALSE, checking is_reply \n");
         if(is_reply()){
+            if ($shv(debug) == 1) xlog('L_WARN', "[TT157] - $ci $rm-$cs - SET_SOCKET: is_reply=TRUE \n");
             $var(destination_ip)= $null; # reinitialize the variable
             # logging $dlg_var(source_ip)
             if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - Original source ip: $dlg_var(source_ip) \n");
@@ -1102,7 +1137,15 @@ route[SET_SOCKET] {
                     # logging rtpengine_conf
                     if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - rtpengine_conf: $var(rtpengine_conf) \n");
                 }
+                # Handle reply to INTERNAL_NETWORK (service network)
+                if (is_in_subnet($var(destination_ip), INTERNAL_NETWORK)) {
+                    if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - reply destination ip is in INTERNAL_NETWORK \n");
+                    # replace external in rtpengine_conf with internal
+                    $var(rtpengine_conf) = $(var(rtpengine_conf){s.replace,external,internal});
+                    if ($shv(debug) == 1) xlog('L_WARN', "[DEV] - $ci $rm-$cs - rtpengine_conf: $var(rtpengine_conf) \n");
+                }
             }
         }
     }
 } # end of route[SET_SOCKET]
+# TT157 TEST MARKER
diff --git a/modules/kamailio/config/template.kamailio-local.cfg b/modules/kamailio/config/template.kamailio-local.cfg
@@ -49,6 +49,7 @@
 #!define WITH_TLS
 #!define LOCALNETWORKS "${LOCALNETWORKS}"
 #!define PRIVATE_IP "${PRIVATE_IP}"
+#!define SERVICE_IP "${SERVICE_IP}"
 
 server_header="Server: ${KML_SERVER_HEADER}"
 user_agent_header="User-Agent: ${KML_UA_HEADER}"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@

		# Don't index SpecStory auto-save files, but allow explicit context inclusion via @ references
		.specstory/**