[Serusers] symmetric nat/ broadband routers

Martin Anderberg martin at namnupplysaren.net
Thu Dec 4 23:12:04 CET 2003


Hi again!

I've checked all the answers and it looks as if you guys have different
solutions to the problem. I would be prompted to conclude that:

- 'Broadband routers' aren't necessarily symmetric
- Not all firewalls - both included in 'broadband routers' and ordinary
Linux-based - are i) state-aware ii) working with SER's natping
- There is no generic solution atm

However, even a firewall/broadband router where we do not trust the
state-awareness should work properly as long as outgoing traffic is
allowed and incoming traffic is allowed on port 5060 (or whatever the
contact-header says) as long as the nathelper does *not* rewrite the
contact with the ip-source port. Or am I still missing something?

/Martin



Ricardo Villa wrote:

> It's 2.4.18.  So it could have been another problem here.  All that we know is
> that we first tested here and then tested on a D-Link 604.  Both failed so
> we switched to plan B, which was to make the UA generate the ping.  After
> that all our UAs have worked perfectly with the rtpproxy.
> 
> ----- Original Message ----- 
> From: "Nils Ohlmeier" <nils at ohlmeier.de>
> To: "Ricardo Villa" <ricvil at epm.net.co>; "Jan Janak" <jan at iptel.org>; "Hans
> Eriksson" <hansa at mac.com>
> Cc: "Klaus Darilion" <darilion at ict.tuwien.ac.at>; <serusers at lists.iptel.org>
> Sent: Thursday, December 04, 2003 3:45 PM
> Subject: Re: [Serusers] symmetric nat/ broadband routers
> 
> 
> 
>>On Thursday 04 December 2003 21:22, Ricardo Villa wrote:
>>
>>>On our lab we have a RH7.3 box with iptables firewall and NAT.  When we
>>>were initially testing the nathelper module we found out that external
>>>pings did NOT keep the sessions alive on this box.  Only pings going from
>>>inside towards the internet.  At that point we decided to simply rely on
>>>the ability of devices like the ATA186 and GS phones to send a SIP Dummy
>>>packet from behind the NAT in order to keep the sessions alive.  So far
>>>this approach has worked 100%.  It is possible that the Linux box just
>>>needed some tweaking, but we needed a solution that worked seamlessly with
>>>all customers.
>>
>>I do not know which kernel version RH7.3 uses, but for Linux kernel version
>>2.4 this is not true. I have a Linux router with 2.4 kernel as NAT box
>>running. And a phone behind this NAT is perfectly reachable, because the NAT
>>pings keep the connection tracking open. The default timeout for established
>>UDP connections is 180 seconds. If the natpinger is below that value it
>>keeps the hole open. At least for me :-)
>>
>>Greets
>>  Nils
>>
>>
>>>I believe we also tested another common broadband home router and it behaved
>>>the same way.
>>>
>>>Regards,
>>>Andres
>>>
>>>
>>>----- Original Message -----
>>>From: "Jan Janak" <jan at iptel.org>
>>>To: "Hans Eriksson" <hansa at mac.com>
>>>Cc: "Klaus Darilion" <darilion at ict.tuwien.ac.at>; <serusers at lists.iptel.org>
>>>Sent: Thursday, December 04, 2003 3:09 PM
>>>Subject: Re: [Serusers] symmetric nat/ broadband routers
>>>
>>>
>>>>On 04-12 18:12, Hans Eriksson wrote:
>>>>
>>>>>Klaus,
>>>>>
>>>>>Many commercial grade firewalls do not keep sessions alive, regardless
>>>>>of external pings, so it won't work in rather too many cases.
>>>>
>>>>  Which firewalls behave this way, do you have any particular in mind?
>>>>  What makes you think that many firewalls require traffic from inside to
>>>>  keep the mapping open?
>>>>
>>>>   Jan.
>>>>
>>>>_______________________________________________
>>>>Serusers mailing list
>>>>serusers at lists.iptel.org
>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>
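
The disagreement in this thread comes down to whether a NAT resets its UDP binding timer on inbound packets or only on outbound ones. As an added illustration (not part of any message in the thread, and not SER or netfilter code), the toy model below uses the 180-second timeout quoted above; the `refresh_on_inbound` switch and all function names are assumptions made for the example.

```python
# Toy model of one UDP NAT binding (added example; not SER or netfilter code).
from dataclasses import dataclass

UDP_TIMEOUT = 180  # seconds, the conntrack figure quoted in the thread


@dataclass
class Binding:
    refresh_on_inbound: bool   # hypothetical switch: does outside traffic reset the timer?
    timeout: int = UDP_TIMEOUT
    last_refresh: float = 0.0  # binding is created by the UA's REGISTER at t=0

    def is_open(self, now):
        return now - self.last_refresh < self.timeout

    def packet(self, now, direction):
        """Process one packet at time `now`; return True if it passes the NAT."""
        if direction == "out":
            self.last_refresh = now   # traffic from inside always (re)opens the binding
            return True
        if not self.is_open(now):
            return False              # binding expired: packet from outside is dropped
        if self.refresh_on_inbound:
            self.last_refresh = now   # state-aware box: inbound traffic keeps it alive
        return True


def call_reachable(refresh_on_inbound, ping_direction, interval, call_at):
    """Send a keepalive every `interval` seconds, then an INVITE from outside.

    ping_direction "in"  = proxy-side natping arriving from the internet,
    ping_direction "out" = keepalive generated by the UA behind the NAT.
    Returns True if the INVITE at `call_at` seconds reaches the UA.
    """
    nat = Binding(refresh_on_inbound)
    t = interval
    while t < call_at:
        nat.packet(t, ping_direction)
        t += interval
    return nat.packet(call_at, "in")


if __name__ == "__main__":
    cases = [(True, "in", 60), (False, "in", 60), (False, "out", 60), (True, "in", 200)]
    for refresh, direction, interval in cases:
        ok = call_reachable(refresh, direction, interval, call_at=600)
        print(f"refresh_on_inbound={refresh} ping={direction} every {interval}s -> {ok}")
```

UA-generated keepalives succeed under both policies in this model, which matches the "plan B" result reported in the thread.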



