Hi!
-----Original Message----- From: Martin Anderberg [mailto:martin@namnupplysaren.net] Sent: Thursday, December 04, 2003 5:26 PM To: serusers@lists.iptel.org Subject: [Serusers] symmetric nat/ broadband routers
Howdy!
I'm having some trouble with the nathelper module and certain types of broadband routers (i.e. D-Link 604 & D-Link 624). I'll try to explain the situation below and hope that someone is willing to help me out, because I'm stuck.
In short, the setup is an ATA-186 box (which is symmetric) behind a D-Link 604 (which isn't symmetric at all times).
The nathelper module included in the distribution (both 0.8.11 and 0.8.12) has a function called fix_nated_contact(). fix_nated_contact() rewrites the Contact header with the source IP & source port of the packet.
However, in some cases (i.e. a non-symmetric D-Link router between the ATA box and the internet) this is a problem, since the D-Link router sometimes rewrites the source port, which is then used as a location in SER. When the session has timed out on the D-Link (natping doesn't really seem to help), the location information in SER is no longer valid.
Is there any reason why the nathelper rewrites the port in the Contact header? If the client is symmetric, the source port and the port in the Contact header shouldn't differ anyway? I trust there is a reason, I just don't see it ;)
Yes, the ports at the client are identical, but the NAT router uses other ports on the public interface, e.g. if the client behind the NAT uses port 5060 for SIP (send & receive), the NAT's public interface may use, for example, port 50000. Therefore, the client listens on port 5060, but the packets have to be sent to port 50000 of the public IP address, and then the NAT router rewrites the port back to 5060. Hence, the nathelper module rewrites the IP address and the port in the Contact header before saving them in the location database.
If the session in the NAT router times out although natping is used, that's a pity. Maybe it helps to ping the proxy from the client, e.g. the BudgeTone phones support keep-alive pinging.
Klaus
On a side note, when glancing at nathelper.c it looks as if the int len is calculated with the original values of the header, then filled through snprintf with values which are not 100% positively the same length (msg->rcv.src_port). Isn't it, for example, possible that the port in the header is 5060 but the source port is 22444 (which is one character longer than the length len is calculated to)?
I hope someone can shed some light over the matter.
/Martin
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
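What Klaus describes, as an added example written for this page in C (it is not SER's nathelper.c and does not reproduce its internals): the host:port of the Contact URI is replaced by the address and port the packet actually arrived from. The sample REGISTER, the addresses 192.168.0.10 and 203.0.113.7, the port 22444 and the function names are constructed. The output buffer is sized from the replacement text rather than from the original header, which is the point Martin raises about `len` in his side note: a four-digit Contact port (5060) can become a five-digit one once the NAT has rewritten it.

```c
/* Added example for this page, not code from SER's nathelper.c: rewrite the
 * host:port of a SIP Contact header with the address the packet actually
 * came from, which is the effect Klaus describes for fix_nated_contact().
 * Sample message, addresses and function names are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed REGISTER as an ATA behind a NAT sends it: the Contact still
 * carries the private address 192.168.0.10 and port 5060. */
static const char SAMPLE_REGISTER[] =
    "REGISTER sip:proxy.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:1000@proxy.example.net>;tag=a1\r\n"
    "To: <sip:1000@proxy.example.net>\r\n"
    "Contact: <sip:1000@192.168.0.10:5060>;expires=600\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Returns a newly allocated copy of msg in which the host:port of the first
 * Contact URI is replaced by src_ip:src_port, or NULL if no Contact with a
 * "sip:" URI is found. Only the header name "Contact:" and plain sip: URIs
 * are handled (no compact "m:" form, no sips:). The output is sized from the
 * replacement text, so a longer port such as 22444 replacing 5060 cannot
 * overrun a buffer measured on the original header. */
char *nat_fix_contact(const char *msg, const char *src_ip, unsigned src_port)
{
    const char *hdr = strstr(msg, "\r\nContact:");
    if (!hdr) return NULL;
    const char *eol = strstr(hdr + 2, "\r\n");
    if (!eol) return NULL;

    const char *sip = strstr(hdr, "sip:");
    if (!sip || sip > eol) return NULL;
    const char *host = sip + 4;
    const char *uri_end = memchr(host, '>', (size_t)(eol - host));
    if (!uri_end) uri_end = eol;                 /* URI without angle brackets */
    const char *at = memchr(host, '@', (size_t)(uri_end - host));
    if (at) host = at + 1;                       /* skip the user part */

    const char *end = host;                      /* host:port ends at '>' or ';' */
    while (end < uri_end && *end != ';') end++;

    char newhp[64];
    int hp_len = snprintf(newhp, sizeof newhp, "%s:%u", src_ip, src_port);
    if (hp_len < 0 || (size_t)hp_len >= sizeof newhp) return NULL;

    size_t prefix = (size_t)(host - msg);
    size_t suffix = strlen(end);
    char *out = malloc(prefix + (size_t)hp_len + suffix + 1);
    if (!out) return NULL;
    memcpy(out, msg, prefix);
    memcpy(out + prefix, newhp, (size_t)hp_len);
    memcpy(out + prefix + (size_t)hp_len, end, suffix + 1);  /* includes NUL */
    return out;
}

/* Returns 1 if rewriting SAMPLE_REGISTER as received from src_ip:src_port
 * turns its Contact line into exactly expected_line. */
int contact_becomes(const char *src_ip, unsigned src_port, const char *expected_line)
{
    char *out = nat_fix_contact(SAMPLE_REGISTER, src_ip, src_port);
    if (!out) return 0;
    int ok = 0;
    const char *c = strstr(out, "\r\nContact:");
    if (c) {
        c += 2;
        const char *e = strstr(c, "\r\n");
        size_t n = e ? (size_t)(e - c) : strlen(c);
        ok = n == strlen(expected_line) && memcmp(c, expected_line, n) == 0;
    }
    free(out);
    return ok;
}

int main(void)
{
    /* the NAT has mapped 192.168.0.10:5060 to 203.0.113.7:22444 */
    char *out = nat_fix_contact(SAMPLE_REGISTER, "203.0.113.7", 22444);
    if (out) { fputs(out, stdout); free(out); }
    return 0;
}
```

The Via header is left untouched on purpose; only the Contact is what the proxy stores as the location, so only that is rewritten here. The rewritten Contact is exactly what the proxy will later send INVITEs to, which is why it must match the NAT's public mapping, and why it goes stale as soon as the NAT drops that mapping.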
Klaus,
Many commercial-grade firewalls do not keep sessions alive, regardless of external pings, so it won't work in rather too many cases.
Also, assuming many users (10k, 100k) doing natpings will be heavy.
But alas, NATs are a hack and maybe the only remedies will also be hacks, with all the pros and cons.
cheers /hans
On 4 Dec 2003 at 17:43, Klaus Darilion wrote:
On 04-12 18:12, Hans Eriksson wrote:
Klaus,
Many commercial-grade firewalls do not keep sessions alive, regardless of external pings, so it won't work in rather too many cases.
Which firewalls behave this way, do you have any particular in mind ? What makes you think that many firewall require traffic from inside to keep the mapping open ?
Jan.
In our lab we have a RH7.3 box with iptables firewall and NAT. When we were initially testing the nathelper module we found out that external pings did NOT keep the sessions alive on this box. Only pings going from inside towards the internet. At that point we decided to simply rely on the ability of devices like the ATA186 and GS phones to send a SIP dummy packet from behind the NAT in order to keep the sessions alive. So far this approach has worked 100%. It is possible that the Linux box just needed some tweaking, but we needed a solution that worked seamlessly with all customers.
I believe we also tested another common broadband home router and it behaved the same way.
Regards, Andres
----- Original Message ----- From: "Jan Janak" jan@iptel.org To: "Hans Eriksson" hansa@mac.com Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:09 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
On Dec 04, 2003 at 15:22, Ricardo Villa ricvil@epm.net.co wrote:
Did you try with smaller ping times? My FreeBSD NAT box works perfectly with the nat ping interval set to 30s. natping should keep the bindings alive also on any Linux-based NAT (just make sure the nat ping interval is greater than the default UDP binding expire time).
Andrei
Yes...we tried down to about 10 seconds. No good though. I think the other router was a D-Link 604. It failed too.
----- Original Message ----- From: "Andrei Pelinescu-Onciul" pelinescu-onciul@fokus.fraunhofer.de To: "Ricardo Villa" ricvil@epm.net.co Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; "Hans Eriksson" hansa@mac.com; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:27 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
On Thursday 04 December 2003 21:22, Ricardo Villa wrote:
In our lab we have a RH7.3 box with iptables firewall and NAT. When we were initially testing the nathelper module we found out that external pings did NOT keep the sessions alive on this box. Only pings going from inside towards the internet. At that point we decided to simply rely on the ability of devices like the ATA186 and GS phones to send a SIP dummy packet from behind the NAT in order to keep the sessions alive. So far this approach has worked 100%. It is possible that the Linux box just needed some tweaking, but we needed a solution that worked seamlessly with all customers.
I do not know which kernel version RH7.3 uses, but for Linux kernel version 2.4 this is not true. I have a Linux router with a 2.4 kernel running as a NAT box. And a phone behind this NAT is perfectly reachable, because the NAT pings keep the connection tracking open. The default timeout for established UDP connections is 180 seconds. If the natpinger is below that value it keeps the hole open. At least for me :-)
Greets Nils
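To make the three reports above comparable, here is an added example written for this page (it is not part of the thread and not SER code) that models a single UDP NAT binding with an idle timeout under two refresh policies: a NAT that resets the timer on inbound packets, as Nils and Andrei report for Linux 2.4 connection tracking and FreeBSD, and one that resets it only on outbound traffic, which is what Ricardo observed on his RH7.3 box and the D-Link 604. The 180 s timeout is Nils's figure and 30 s and 10 s are Andrei's and Ricardo's natping intervals; the 20 s and 60 s timeouts, the 60 s and 90 s client keep-alive intervals and the public port 50000 are assumptions made for the illustration.

```c
/* Added example for this page, not part of the thread or of SER: a model of
 * one UDP NAT binding with an idle timeout, used to compare the keep-alive
 * strategies discussed above. Intervals are taken from the thread where it
 * gives them; the others and the public port 50000 are assumptions. */
#include <stdio.h>

typedef struct {
    int alive;           /* binding still valid when the run ends */
    int inbound_dropped; /* proxy natpings that arrived after the binding expired */
    int rebinds;         /* new bindings created by outbound packets after expiry */
    int public_port;     /* public port in use at the end; changes on every rebind */
} nat_sim;

/* 1-second ticks. timeout_s: idle time after which the NAT drops the binding.
 * refresh_on_inbound: 1 if an inbound packet matching the binding resets its
 * idle timer (what Nils and Andrei report), 0 if only outbound traffic does
 * (what Ricardo observed). proxy_ping_s: interval of proxy natpings (inbound);
 * client_ping_s: interval of client keep-alives (outbound); 0 disables one. */
nat_sim simulate_nat(int timeout_s, int refresh_on_inbound,
                     int proxy_ping_s, int client_ping_s, int duration_s)
{
    nat_sim r = {0, 0, 0, 50000};
    int last_refresh = 0;          /* binding created by the REGISTER at t=0 */
    for (int t = 1; t <= duration_s; t++) {
        /* outbound first: a client keep-alive refreshes the binding, or creates
         * a new one (new public port) if the old one has already expired */
        if (client_ping_s > 0 && t % client_ping_s == 0) {
            if (t - last_refresh >= timeout_s) {
                r.rebinds++;
                r.public_port++;
            }
            last_refresh = t;
        }
        /* inbound: a proxy natping is only delivered while the binding exists */
        if (proxy_ping_s > 0 && t % proxy_ping_s == 0) {
            if (t - last_refresh >= timeout_s)
                r.inbound_dropped++;
            else if (refresh_on_inbound)
                last_refresh = t;
        }
    }
    r.alive = (duration_s - last_refresh) < timeout_s;
    return r;
}

static void report(const char *label, nat_sim r)
{
    printf("%-46s alive=%d dropped=%3d rebinds=%d port=%d\n",
           label, r.alive, r.inbound_dropped, r.rebinds, r.public_port);
}

int main(void)
{
    /* 180 s: Linux 2.4 conntrack UDP timeout quoted by Nils; 30 s / 10 s:
     * Andrei's and Ricardo's natping intervals; 20 s, 60 s, 90 s: assumptions */
    report("conntrack 180s, inbound refresh, natping 30s",  simulate_nat(180, 1, 30, 0, 600));
    report("outbound-only 180s, natping 10s",               simulate_nat(180, 0, 10, 0, 600));
    report("inbound refresh, timeout 20s, natping 30s",     simulate_nat(20, 1, 30, 0, 600));
    report("outbound-only 180s, client keep-alive 60s",     simulate_nat(180, 0, 0, 60, 600));
    report("router 60s, client keep-alive 90s (too slow)",  simulate_nat(60, 0, 0, 90, 300));
    return 0;
}
```

The first two runs are the disagreement in the thread: the same 180 s timeout keeps the binding open under natping on a NAT that refreshes on inbound packets and loses it on one that does not, no matter how short the natping interval is. The third run shows the other requirement, that the natping interval has to stay below the NAT's idle timeout, or every ping arrives at a binding that is already gone. The last run is Martin's original complaint in miniature: once the binding has expired, the next outbound packet creates a new one, and the public port the proxy stored from the rewritten Contact no longer matches. A client-side keep-alive, as Ricardo ended up using, works under both policies as long as its interval is below the timeout.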
It's 2.4.18. So it could have been another problem here. All that we know is that we first tested here and then tested on a D-Link 604. Both failed, so we switched to plan B, which was to make the UA generate the ping. After that all our UAs have worked perfectly with the rtpproxy.
----- Original Message ----- From: "Nils Ohlmeier" nils@ohlmeier.de To: "Ricardo Villa" ricvil@epm.net.co; "Jan Janak" jan@iptel.org; "Hans Eriksson" hansa@mac.com Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:45 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
Hi again!
I've checked all the answers and it looks as if you guys have different solutions to the problem. I would be prompted to conclude that:
- 'Broadband routers' aren't necessarily symmetric
- Not all firewalls, both those included in 'broadband routers' and ordinary Linux-based ones, are i) state-aware ii) working with SER's natping
- There is no generic solution atm
However, even a firewall/broadband router whose state-awareness we do not trust should work properly as long as outgoing traffic is allowed and incoming traffic is allowed on port 5060 (or whatever the Contact header says), as long as the nathelper does *not* rewrite the Contact with the source IP/port. Or am I still missing something?
/Martin
Ricardo Villa wrote: