[Serusers] symmetric nat/ broadband routers

Nils Ohlmeier nils at ohlmeier.de
Thu Dec 4 21:45:09 CET 2003


On Thursday 04 December 2003 21:22, Ricardo Villa wrote:
> In our lab we have a RH7.3 box with iptables firewall and NAT.  When we
> were initially testing the nathelper module we found out that external
> pings did NOT keep the sessions alive on this box.  Only pings going from
> inside towards the internet.  At that point we decided to simply rely on
> the ability of devices like the ATA186 and GS phones to send a SIP Dummy
> packet from behind the NAT in order to keep the sessions alive.  So far
> this approach has worked 100%.  It is possible that the Linux box just
> needed some tweaking, but we needed a solution that worked seamlessly with
> all customers.

I do not know which kernel version RH7.3 uses, but for Linux kernel version 
2.4 this is not true. I have a Linux router with 2.4 kernel as NAT box 
running. And a phone behind this NAT is perfectly reachable, because the NAT 
pings keep the connection tracking open. The default timeout for established 
UDP connections is 180 seconds. If the natpinger is below that value it 
keeps the hole open. At least for me :-)

Greets
  Nils

> I believe we also tested another common broadband home router and it behaved
> the same way.
>
> Regards,
> Andres
>
>
> ----- Original Message -----
> From: "Jan Janak" <jan at iptel.org>
> To: "Hans Eriksson" <hansa at mac.com>
> Cc: "Klaus Darilion" <darilion at ict.tuwien.ac.at>; <serusers at lists.iptel.org>
> Sent: Thursday, December 04, 2003 3:09 PM
> Subject: Re: [Serusers] symmetric nat/ broadband routers
>
> > On 04-12 18:12, Hans Eriksson wrote:
> > > Klaus,
> > >
> > > Many commercial grade firewalls do not keep sessions alive, regardless
> > > of external pings, so it won't work in rather too many cases.
> >
> >   Which firewalls behave this way, do you have any particular in mind?
> >   What makes you think that many firewalls require traffic from inside to
> >   keep the mapping open?
> >
> >    Jan.
> >
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers



