Hi again!
I've checked all the answers and it looks as if you guys have different
solutions to the problem. I would be prompted to conclude that;
- 'Broadbandrouters' aren't necessarily symmetric
- Not all firewalls - both included in 'broadbandrouters' and ordinary
linux-based are i) state-aware ii) working with ser's natping
- there is no generic solution atm
However, even a firewall/broadbandrouter where we do not trust the
state-awareness should work properly as long as outgoing traffic is
allowed and incoming traffic is allowed on port 5060 (or whatever the
contact-header says) as long as the nathelper does *not* rewrite the
contact with the ip-source port. Or am I still missing something?
/Martin
Ricardo Villa wrote:
It's 2.4.18. So it could have been another problem here. All that we know is
that we first tested here and then tested on a D-Link 604. Both failed so
we switched to plan B, which was to make the UA generate the ping. After
that all our UAs have worked perfectly with the rtpproxy.
----- Original Message -----
From: "Nils Ohlmeier" <nils(a)ohlmeier.de>
To: "Ricardo Villa" <ricvil(a)epm.net.co>; "Jan Janak" <jan(a)iptel.org>; "Hans Eriksson" <hansa(a)mac.com>
Cc: "Klaus Darilion" <darilion(a)ict.tuwien.ac.at>; <serusers(a)lists.iptel.org>
Sent: Thursday, December 04, 2003 3:45 PM
Subject: Re: [Serusers] symmetric nat/ broadband routers
On Thursday 04 December 2003 21:22, Ricardo Villa wrote:
>On our lab we have a RH7.3 box with iptables firewall and NAT. When we
>were initially testing the nathelper module we found out that external
>pings did NOT keep the sessions alive on this box. Only pings going from
>inside towards the internet. At that point we decided to simply rely on
>the ability of devices like the ATA186 and GS phones to send a SIP Dummy
>packet from behind the NAT in order to keep the sessions alive. So far
>this approach has worked 100%. It is possible that the Linux box just
>needed some tweaking, but we needed a solution that worked seamlessly
>with all customers.
I do not know which kernel version RH7.3 uses, but for Linux kernel version
2.4 this is not true. I have a Linux router with 2.4 kernel as NAT box
running. And a phone behind this NAT is perfectly reachable, because the NAT
pings keep the connection tracking open. The default timeout for established
UDP connections is 180 seconds. If the natpinger is below that value it
keeps the hole open. At least for me :-)
Greets
Nils
>I believe we also tested another common broadband home router and it behaved
>the same way.
>
>Regards,
>Andres
>
>
>----- Original Message -----
>From: "Jan Janak" <jan(a)iptel.org>
>To: "Hans Eriksson" <hansa(a)mac.com>
>Cc: "Klaus Darilion" <darilion(a)ict.tuwien.ac.at>; <serusers(a)lists.iptel.org>
>Sent: Thursday, December 04, 2003 3:09 PM
>Subject: Re: [Serusers] symmetric nat/ broadband routers
>
>
>>On 04-12 18:12, Hans Eriksson wrote:
>>
>>>Klaus,
>>>
>>>Many commercial grade firewalls do not keep sessions alive, regardless
>>>of external pings, so it won't work in rather too many cases.
>>
>> Which firewalls behave this way, do you have any particular in mind ?
>> What makes you think that many firewalls require traffic from inside to
>> keep the mapping open ?
>>
>> Jan.
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers