Hi!
Yes, the ports at the client are identical, but the NAT router uses other ports at the public interface, e.g. if the client behind the NAT uses port 5060 for SIP (send&receive), the NATs publice interface may user for example port 50000. Therefore, the client listen on port 5060, but the packets have to be sent to port 50000 of the public IP address and then the NAT router rewrites the port back to 5060. Hence, the nathelper modules rewrites the IP address and the port in the contact header before saving them in the location database.
If the session in the NAT router times out although using natping, thats a pit. Maybe it helps to ping the proxy from the client, e.g. the budgetone phones support keep alive pinging.
Klaus
Klaus,
Many commersial grade firewalls do not keep sessions alive, regardsless of external pings, so it won't work in rather too many cases.
Also, assuming many users (10k, 100k) doing natpings will be heavy.
But alas, NATs are a hack and maybe the only remedies will also be hacks, with all the pros and cons.
cheers /hans
4 dec 2003 kl. 17.43 skrev Klaus Darilion:
On our lab we have a RH7.3 box with iptables firewall and NAT. When we were initially testing the nathelper module we found out that external pings did NOT keep the sessions alive on this box. Only pings going from inside towards the internet. At that point we decided to simply rely on the ability of devices like the ATA186 and GS phones to send a SIP Dummy packet from behind the NAT in order to keep the sessions alive. So far this approach has worked 100%. It is possible that the Linux box just needed some tweaking, but we needed a solution that worked seamlessly with all customers.
I belive we also tested another common broadband home router and it behaved the same way.
Regards, Andres
----- Original Message ----- From: "Jan Janak" jan@iptel.org To: "Hans Eriksson" hansa@mac.com Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:09 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
On Dec 04, 2003 at 15:22, Ricardo Villa ricvil@epm.net.co wrote:
Did you try with smaller ping times? My freebsd nat box work perfectly with nat ping interval set to 30s. natping should keep the bindings alive also on any linux based nat (just make sure the nat ping interval is greater then the defautl udp binding expire time).
Andrei
Yes...we tried down to about 10 seconds. No good though. I think the other router was a D-Link 604. It failed too.
----- Original Message ----- From: "Andrei Pelinescu-Onciul" pelinescu-onciul@fokus.fraunhofer.de To: "Ricardo Villa" ricvil@epm.net.co Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; "Hans Eriksson" hansa@mac.com; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:27 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
On Dec 04, 2003 at 15:22, Ricardo Villa ricvil@epm.net.co wrote:
On our lab we have a RH7.3 box with iptables firewall and NAT. When we
were
initially testing the nathelper module we found out that external pings
did
packet
behaved
Am Thursday 04 December 2003 21:22 schrieb Ricardo Villa:
I do not know which kernel version RH7.3 uses, but for Linux kernel version 2.4 this is not true. I have a Linux router with 2.4 kernel as NAT box running. And a phone behind this NAT is perfectly reachable, because the NAT pings keep the connection tracking open. The default timeout for established UDP connections is 180 sections. If the natpinger is below that value it keeps tha hole open. at least for me :-)
Greets Nils
Its 2.4.18. So it could have been another problem here. All that we now is that we first tested here and then tested on a D-Link 604. Both failed so we switched to plan B, which was to make the UA generate the ping. After that all our UAs have worked perfectly with the rtpproxy.
----- Original Message ----- From: "Nils Ohlmeier" nils@ohlmeier.de To: "Ricardo Villa" ricvil@epm.net.co; "Jan Janak" jan@iptel.org; "Hans Eriksson" hansa@mac.com Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:45 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
from
with
all customers.
I do not know which kernel version RH7.3 uses, but for Linux kernel
version
2.4 this is not true. I have a Linux router with 2.4 kernel as NAT box running. And a phone behind this NAT is perfectly reachable, because the
NAT
pings keep the connection tracking open. The default timeout for
established
behaved
regardsless
of external pings, so it won't work in rather too many cases.
Which firewalls behave this way, do you have any particular in mind
?
What makes you think that many firewall require traffic from inside
to
Hi again!
I've checked all the answers and it looks as if you guys have different solutions to the problem. I would be prompted to conclude that;
- 'Broadbandrouters' aren't necessarily symmetric - Not all firewalls - both included in 'broadbandrouters' and ordinary linux-based are i) state-aware ii) working with sers natping - there is no generic solution atm
However, even a firewall/broadbandrouter where we do not trust the state-awareness should work properly as long as outgoing traffic is allowed and incoming traffic is allowed on port 5060 (or whatever the contact-header says) as long as the nathelper does *not* rewrite the contact with the ip-source port. Or am i still missing something?
/Martin
Ricardo Villa wrote:
-
Andrei Pelinescu-Onciul -
Hans Eriksson -
Jan Janak -
Klaus Darilion -
Martin Anderberg -
Nils Ohlmeier -
Ricardo Villa