Hi all,
Following up on my post a couple days ago; http://lists.iptel.org/pipermail/serusers/2004-June/008936.html
I have now tested with rtpproxy/nathelper and mediaproxy and I seem to be having the same results.
As of now my test environment is as follows;
I have two networks:
192.168.123.0/24 SER server
192.168.100.0/24 UAC (Grandstream HardPhone)
Currently I have a D-Link NAT router separating both networks. I have SER (CVS checkout from HEAD as of ~22nd June) running on FreeBSD 5.2.1-R
I have had the same issue with both Maxim's nathelper/rtpproxy and Adrian's mediaproxy. The below traces are from mediaproxy, as my most recent testing has been done here. I would like to have done the same analysis with nathelper/rtpproxy but I live under time constraints...
09:48:06 Register From UAC through NAT to ser Completed
09:48:44 UDP Ping Ser -> Nat Firewall -> UAC
09:49:44 UDP Ping Ser -> Nat Firewall -> UAC
09:50:45 UDP Ping Ser -> Nat Firewall -> UAC
09:51:45 UDP Ping Ser -> Nat Firewall -> XXXXX
09:52:46 UDP Ping Ser -> Nat Firewall -> XXXXX
09:53:47 UDP Ping Ser -> Nat Firewall -> XXXXX
09:54:47 UDP Ping Ser -> Nat Firewall -> XXXXX
. . . . .
10:12:58 UDP Ping Ser -> Nat Firewall -> XXXXX
Example of two UDP packets from SER to Nat Firewall:
09:48:44.151998 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
0x0000   4510 0020 7c7d 0000 4011 8627 c0a8 7b65   E...|}..@..'..{e
0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000   ..{b............
0x0020   0000 0000 0000 0000 0000 0000 0000        ..............
09:49:44.752972 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
0x0000   4510 0020 7c83 0000 4011 8621 c0a8 7b65   E...|...@..!..{e
0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000   ..{b............
0x0020   0000 0000 0000 0000 0000 0000 0000        ..............
Example of the two corresponding UDP packets inside the NAT Firewall from NAT Firewall to the UAC
09:48:44.199818 bottom.example.com.5060 > 192.168.0.101.5060: udp 4 [tos 0x10]
0x0000   4510 0020 7c7d 0000 3f11 0225 c0a8 7b65   E...|}..?..%..{e
0x0010   c0a8 0065 13c4 13c4 000c db32 0000 0000   ...e.......2....
0x0020   0000 0000 0000 0000 0000 0000 0000        ..............
09:49:44.807148 bottom.example.com.5060 > 192.168.0.101.5060: udp 4 [tos 0x10]
0x0000   4510 0020 7c83 0000 3f11 021f c0a8 7b65   E...|...?.....{e
0x0010   c0a8 0065 13c4 13c4 000c db32 0000 0000   ...e.......2....
0x0020   0000 0000 0000 0000 0000 0000 0000        ..............
Here is an example of two packets that get sent from SER to the NAT Firewall but never get past the NAT firewall.
10:18:01.579051 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
0x0000   4510 0020 8193 0000 4011 8111 c0a8 7b65   E.......@.....{e
0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000   ..{b............
0x0020   0000 0000 0000 0000 0000 0000 0000        ..............
10:19:02.179829 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
0x0000   4510 0020 8198 0000 4011 810c c0a8 7b65   E.......@.....{e
0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000   ..{b............
0x0020   0000 0000 0000 0000 0000 0000 0000        ..............
It appears that the NAT firewall stops transmitting the packets, nor does it reject them, they just silently get dropped, and ser just continues to send them with no idea if they are getting through or not. If I set the phone to a very low register time then everything works fine, as it keeps the nat mapping current, and I can make calls from outside the nat to the UAC on the inside.
I have attached my current config (mediaproxy) file.
Finally, I have had the same problems with Cisco IOS, and a cheap U.S. Robotics (Lucent based I think) for natting, which makes me assume that this is not a NAT router specific issue.
Is there something basic I'm missing here? How have people made this configuration work? Is there anyone actually using nathelper/rtpproxy or mediaproxy in production?
If anyone wants more specific debug information then just let me know! :)
Thanks for your help,
-Jev
Story of my life, forgot to attach the config.....
Jev wrote:
> Hi all,
[snip]
#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

debug=9          # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no  # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=9
fork=no
log_stderror=yes
*/

check_via=no     # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no       # (cmd. line: -R)
port=5060
#children=4
fifo="/tmp/ser_fifo"

sip_warning=yes

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/domain.so"
loadmodule "/usr/local/lib/ser/modules/xlog.so"
loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

#modparam("usrloc", "db_mode", 0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)

# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

modparam("registrar", "nat_flag", 6)
#modparam("mediaproxy", "natping_interval", 4) # Ping interval 30 s
modparam("mediaproxy", "natping_interval", 60) # Ping interval 30 s

# ------------------------- request routing logic -------------------

# main routing logic

route{

    log(1, "-------------------------------------------\n");
    log(1, "entering main loop\n");

    if (client_nat_test("2")) {
        log(1, "src address different than via header->NAT detected\n");
        log(1, "force_rport and fix_contact and setflag(5)\n");
        #try NAT traversal, works only if the client is symmetrical
        force_rport();
        fix_contact();
        append_hf("P-hint: fixed NAT contact for request\r\n");
        # flag 5 indicates that incoming request is from NATed client
        setflag(5);
    };

    xlog("L_ERR", "[%rm] from [%fu] to [%tu]");

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    record_route();
    # loose-route processing
    if (loose_route()) {
        t_relay();
        break;
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {

        if (method=="REGISTER") {
            log(1, "analyzing REGISTER request\n");
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("bottom.example.com", "subscriber")) {
                www_challenge("bottom.example.com", "0");
                break;
            };
            if (isflagset(5)) {
                #register from nated client, save nat_flag=6
                #in location table
                log(1, "REGISTER from nated client\n");
                setflag(6);
            };
            if (!save("location")) {
                log(1, "save location error\n");
                sl_reply_error();
            };
            break;

        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("aliases")) {
            log(1, "lookup(aliases) called\n");
        }
        if (!lookup("location")) {
            ## Route local Vancouver numbers to the Peer1 Cisco
            #778, local fido mobile numbers.
            if (uri=~"^sip:604[0-9]*@.*" || uri=~"^sip:778[0-9]*@.*") {
                prefix("1");
                log(1, "604 or 778 number, uri prefixed with 1\n");
                route(2);
                break;
            } else if (uri=~"^sip:1[0-9]*@.*") {
                log(1, "Forwarding to Cisco\n");
                route(2);
                break;
            };
            sl_send_reply("404", "Not Found");
            break;
        };
    };

    route(1);
}

route[1]{
    log(1, "-------------------------------------------\n");
    log(1, "entering route[1] - relaying SIP message\n");
    if ((isflagset(5)) || (isflagset(6))) {
        log(1, "at least one of the participants is NATed->record_route\n");
        record_route();
        log(1, " -->setting up reply processing ->onreply_route[1]");
        t_on_reply("1");
        if (method=="INVITE") {
            log(1, " INVITE request-->use_media_proxy, set NATED-INVITE flag(7)");
            use_media_proxy();
            append_hf("P-hint: request forced to mediaproxy\r\n");
            setflag(7);
        };
    };

    log(1, "relaying message ...\n");
    if (!t_relay()) {
        log(1, "t_relay error occured\n");
        sl_reply_error();
    };
}

route[2]{
    if ((isflagset(5)) || (isflagset(6))) {
        log(1, "at least one of the participants is NATed->record_route\n");
        record_route();
        log(1, " -->setting up reply processing ->onreply_route[2]");
        t_on_reply("1");
        if (method=="INVITE") {
            log(1, " INVITE request-->use_media_proxy, set NATED-INVITE flag(7)");
            use_media_proxy();
            append_hf("P-hint: request forced to mediaproxy\r\n");
            setflag(7);
        };
    };

    log(1, "Forwarding to Cisco\n");
    rewritehostport("127.0.0.1:5060");
    if(!t_relay()){
        log(1, "Relay to Cisco failed");
        break;
    };
}

#all incoming replies for t_onrepli-ed transactions enter here
onreply_route[1] {
    log(1, "-------------------------------------------\n");
    log(1, "onreply_route[1] entered\n");

    if (isflagset(6)) {
        log(1, "transaction was sent to a NATED client -> fix nated contact\n");
        fix_contact();
        append_hf("P-hint: fixed NAT contact for response\r\n");
    }

    if ( (status=~"100") ) {
        log(1, "status 100 received\n");
    };

    if ( (status=~"180") ) {
        log(1, "status 180 received\n");
    };

    if ( (status=~"202") ) {
        log(1, "status 202 received\n");
    };

    if ( (status=~"200" || status=~"183") ) {
        log(1, "status 2xx or 183");
        if ( isflagset(7) ) {
            log(1, "marked(7) as NATED-INVITE -> use_media_proxy \n");
            use_media_proxy();
            append_hf("P-hint: response forced to mediaproxy\r\n");
        };
    };
}

onreply_route[2] {
    log(1, "-------------------------------------------\n");
    log(1, "onreply_route[2] entered\n");

    if (isflagset(6)) {
        log(1, "transaction was sent to a NATED client -> fix nated contact\n");
        fix_contact();
        append_hf("P-hint: fixed NAT contact for response\r\n");
    }

    if ( (status=~"100") ) {
        log(1, "status 100 received\n");
    };

    if ( (status=~"180") ) {
        log(1, "status 180 received\n");
    };

    if ( (status=~"202") ) {
        log(1, "status 202 received\n");
    };

    if ( (status=~"200" || status=~"183") ) {
        log(1, "status 2xx or 183");
        if ( isflagset(7) ) {
            log(1, "marked(7) as NATED-INVITE -> use_media_proxy \n");
            use_media_proxy();
            append_hf("P-hint: response forced to mediaproxy\r\n");
        };
    };
}
> Is there something basic I'm missing here? How have people made this configuration work? Is there anyone actually using nathelper/rtpproxy or mediaproxy in production?
We see this all the time. The only reliable way to make this work is to turn on the keep-alive on the UA so that it sends packets from the "inside" out to SER.
Andres wrote:
>> Is there something basic I'm missing here? How have people made this configuration work? Is there anyone actually using nathelper/rtpproxy or mediaproxy in production?
> We see this all the time. The only reliable way to make this work is to turn on the keep-alive on the UA so that it sends packets from the "inside" out to SER.
But what about phones that don't support UA keep-alives? Do you suggest that I put my re register period way down?
I wonder is it possible for ser to query the UA on an existing udp session, something like an options query, that will elicit a response from the UA. It may generate as much traffic as a register, but it would probably be less load on the server, so perhaps the lesser of two evils?
I would like to try and identify a solution based in ser, so I don't have to rely on every phone supporting keep alives or the nth feature.
-Jev
> But what about phones that don't support UA keep-alives? Do you suggest that I put my re register period way down?
> I wonder is it possible for ser to query the UA on an existing udp session, something like an options query, that will elicit a response from the UA. It may generate as much traffic as a register, but it would probably be less load on the server, so perhaps the lesser of two evils?
> I would like to try and identify a solution based in ser, so I don't have to rely on every phone supporting keep alives or the nth feature.
> -Jev
You can try experimenting with the "serctl ping" command. You would have to devise some sort of elaborate script to do it automatically every X seconds.
Andres wrote:
[snip]
> You can try experimenting with the "serctl ping" command. You would have to devise some sort of elaborate script to do it automatically every X seconds.
Good idea, but will the serctl utility not attempt to establish a new udp session, instead of picking up the existing (natted) udp session between ser and the UAC?
-Jev
Some (but not all) NAT devices have a UDP timeout of 60s. So, if nothing comes through the port mapping within that 60s, the association will be deleted from the NAT device memory. After that, any packet from the WAN side with this association will be dropped.
I notice that your nat ping interval is exactly 60s. Maybe you can try something smaller than that, say 55s. I have a good result with 50s for most residential ADSL routers.
Like Andres said, the best way to deal with NAT is to turn on keep-alive on the UA.
Zeus
-----Original Message-----
From: serusers-bounces@lists.iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Jev
Sent: Friday, 25 June 2004 4:12 AM
To: serusers@lists.iptel.org
Subject: [Serusers] nat_ping problems
[snip]
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi Zeus,
I'm afraid I have even tested with the nat ping interval set at 5 seconds, and I have had the same results.
Do you have this, or a similar set up implemented and working?
Thanks,
-Jev
I just verified this again at work just to be sure. I ran with natping_interval set to 5 seconds, and I see the UDP packets every five seconds on both sides; 3 minutes and 8 seconds after the register, the NAT router starts dropping packets. :(
Thanks for your help!
-Jev
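The behaviour reported in this thread can be reproduced with a small model of a NAT UDP binding, added here as an illustration; it is not code from SER, mediaproxy or any poster. It replays the ping timeline from the first message against a binding whose idle timer is reset only by packets leaving from the inside, then compares the three approaches raised in the replies. The 188 s timeout (taken from the "3 minutes and 8 seconds" observation), the `NatBinding` class and the 120 s re-REGISTER period are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class NatBinding:
    """One UDP mapping in a NAT device (hypothetical model)."""
    timeout: float            # idle seconds before the mapping is deleted
    inbound_refreshes: bool   # does WAN->LAN traffic reset the idle timer?
    last_refresh: float = 0.0

    def alive(self, now: float) -> bool:
        return now - self.last_refresh < self.timeout

    def outbound(self, now: float) -> None:
        # LAN->WAN packet: always creates or refreshes the mapping.
        self.last_refresh = now

    def inbound(self, now: float) -> bool:
        # WAN->LAN packet: forwarded only while the mapping still exists.
        if not self.alive(now):
            return False          # silently dropped, the sender is not told
        if self.inbound_refreshes:
            self.last_refresh = now
        return True


def secs(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


# Timeline reported in the first message of the thread.
REGISTER_AT = "09:48:06"
PINGS = ["09:48:44", "09:49:44", "09:50:45", "09:51:45",
         "09:52:46", "09:53:47", "09:54:47"]
PING_OFFSETS = [secs(p) - secs(REGISTER_AT) for p in PINGS]
OBSERVED = [True, True, True, False, False, False, False]  # reached the UAC?


def run(timeout, inbound_refreshes, ping_offsets,
        ua_replies=False, reregister_every=None):
    """Return, per server ping, whether the NAT forwarded it to the UA."""
    nat = NatBinding(timeout, inbound_refreshes)
    nat.outbound(0.0)                      # REGISTER at t=0 creates the mapping
    events = [(t, "ping") for t in ping_offsets]
    if reregister_every:
        t = reregister_every
        while t <= max(ping_offsets):
            events.append((t, "register"))
            t += reregister_every
    delivered = []
    for t, kind in sorted(events):
        if kind == "register":
            nat.outbound(t)                # UA re-REGISTERs from the inside
        else:
            ok = nat.inbound(t)
            if ok and ua_replies:
                nat.outbound(t)            # probe elicited a reply from the UA
            delivered.append(ok)
    return delivered


def first_drop(ping_offsets, delivered):
    """Offset of the first ping the NAT dropped, or None if all passed."""
    for t, ok in zip(ping_offsets, delivered):
        if not ok:
            return t
    return None


if __name__ == "__main__":
    T = 188  # assumed idle timeout in seconds
    cases = {
        "4-byte ping, outbound-only refresh": run(T, False, PING_OFFSETS),
        "4-byte ping, NAT refreshes on inbound": run(T, True, PING_OFFSETS),
        "probe answered by the UA": run(T, False, PING_OFFSETS, ua_replies=True),
        "UA re-REGISTER every 120 s": run(T, False, PING_OFFSETS,
                                          reregister_every=120),
    }
    for name, result in cases.items():
        print(f"{name:40s} first drop at {first_drop(PING_OFFSETS, result)}")
```

Only the first case matches the reported trace, and shortening the ping interval does not change it: under the outbound-only policy the first drop always falls at the first ping after the timeout.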