Never tried it myself - but I think it should work the following way. If the Router (NAT)
has DMZ support, you can put SER on a machine in the Router's DMZ interface. This will
make the SER appear with a globally routable address (that of the gateway or something
else if you have multiple IP address support). So when UA3 registers itself with SER
(configured with NAT support), the nathelper module will detect that UA3 is behind a NAT
gateway and will enable rtp-relaying. So the trick out here is to make the SER appear to
be on the Internet - rather than on the private network. Note that the router should allow
communication between NATted devices and machines on the DMZ. Also note that by putting
the SER on the internet, you are making it open to attacks. Add proper firewall rules.
Let me know if it works :)
Dhiraj Bhuyan
Network Security Specialist,
BT Exact Business Assurance Solutions
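The reply above relies on the registrar noticing that UA3 is behind a NAT gateway. As an added example (not part of the original thread and not nathelper's own code), the sketch below shows the kind of comparison such a check can make between what the UA wrote in its Via/Contact headers and the packet's real source. The function names, check names and the REGISTER message are constructed for illustration; only IPv4 literals are handled.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: REGISTER from a phone at 192.168.1.20, as seen by a
# registrar after the NAT gateway rewrote the source to 203.0.113.7:40112.
SAMPLE_REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:ua3@example.org>;tag=49583\r\n"
    "To: <sip:ua3@example.org>\r\n"
    "Call-ID: 843817637684230@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:ua3@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def _header(msg, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.+?)\r?$", msg, re.I | re.M)
    return m.group(1) if m else None

def _rfc1918(host):
    """True if host is an IPv4 literal inside an RFC 1918 private range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an address literal
        return False
    return any(addr in net for net in RFC1918)

def nat_checks(msg, src_ip, src_port):
    """Compare the addresses the UA advertised with the packet's real source."""
    via = re.search(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", _header(msg, "Via") or "")
    con = re.search(r"sips?:(?:[^@>\s]+@)?([^;:>\s]+)", _header(msg, "Contact") or "")
    via_host = via.group(1) if via else None
    via_port = int(via.group(2) or 5060) if via else None
    return {
        "contact_rfc1918": bool(con) and _rfc1918(con.group(1)),
        "via_rfc1918": via_host is not None and _rfc1918(via_host),
        "via_addr_mismatch": via_host is not None and via_host != src_ip,
        "via_port_mismatch": via_port is not None and via_port != src_port,
    }

def behind_nat(msg, src_ip, src_port):
    """A UA is treated as NATed if any single check fires."""
    return any(nat_checks(msg, src_ip, src_port).values())
```

If the registrar itself sits behind the same NAT as the phone, the source address and the Via address agree and the mismatch checks stay silent, which is why the placement of SER matters in this thread.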
-----Original Message-----
From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org]On Behalf Of
Edson Gellert Schubert
Sent: 29 January 2004 15:19
To: Adrian Georgescu
Cc: Lista SER - IPTEL
Subject: Re: [Serusers] SER + Proxy + NAT
I think that I didn't make myself very clear... Let me try an ASCII diagram... ;)
   UA1 ---- public IP ---- Internet ------ ADSL/GW ------ UA2
(Win Mes)    (dialup)       |    |        (IPTables)    (Win Mes)
                            |    |
                    /-----/      \-----------\
                    |                        |
               Router(NAT)           ADSL/Win (Windows)
                    |                        |
   UA3 ------------+                         |
(Win Mes)           |                  UA4 (Win Mes)
                   SER
What I'm looking for is a Proxy to put in the ROUTER-Machine (could be a
Linux/IPTables, FreeBSD, etc):
I understand what Jan explained about the complications, and that's why I was asking
about an "intelligent" Proxy to handle SIP traffic.
Suppose that UA3 wants to talk with UA2 (where the ADSL/GW should have SIProxd installed).
The communication flow would be UA3-SER-Router-Internet-ADSL/GW-UA2. OK, at the Router
the first challenge appears (how to traverse the NAT, keeping track of the flow?).
Here the SIP-Proxy comes into action. It receives the packet from SER, makes the desired changes
and forwards it through the "Internet" to ADSL/GW. There, the SIProxyd receives the
packet, applies the related changes and forwards it to UA2. Great. That is what we want.
The reverse, that is, when UA2 (or UA1, or UA4) wants to talk with UA3, becomes the great
challenge. How should the Proxy, in the Router, know where to send the packets that arrive
from the Internet? To SER? Directly to UA3? It's hard to make the decision.
The Proxy has to have many of a SIP server's functionalities. It has to maintain flow
tables with user IDs, ports and server IPs used in each communication flow (other info
could help in other tasks, but I think that these are the minimum), so that it can
decide to whom to send each packet from each flow.
So, did I make my doubts/points clear to you? If my understanding is wrong, sorry, and please
correct me where necessary.
Edson.
P.S.: In my scenario there is no SER-2-SER communication, but another problem would be
having two (or more) sites like the "Router" one. How to make them communicate with
each other through NAT GW/FW?
----- Original Message -----
From: "Adrian Georgescu" < ag(a)ag-projects.com>
To: < serusers(a)lists.iptel.org>
Sent: Thursday, January 29, 2004 8:00 AM
Subject: [Serusers] SER + Proxy + NAT
Edson,
Putting a NAT traversal solution behind NAT is a chicken and egg
problem, isn't it?
--
Adrian
Hi all...
I looked through the list's archives, but am not finding info to help me.
The goal is to use SER, but not installed on the GW/FW (it's not an acceptable
option; well, it's acceptable, but not for now). So I'm trying to put the SER
in the internal LAN (it could be installed in a DMZ also). So the question
is whether there is any proxy that could be put on the GW/FW to handle
incoming calls (INVITEs) and forward them correctly to the SER machine,
taking over the NAT issues?
I already looked at SIProxd and RTProxy, but the first didn't forward
incoming calls, and the second demands that it be installed, with SER, on the
GW/FW. I am also looking at SERMediaProxy (an RTProxy alternative), but the
documentation isn't sufficiently detailed to answer my question. Any help
would be appreciated.
Edson.