[Freeswitch-users] NAT traversal questions - (long)...
Dave Redmore
dave.redmore at spigotsystems.com
Sun Aug 29 00:01:15 PDT 2010
Hello All,
I ran into an issue today that has burned up most of my day troubleshooting. I have resolved the problem, but would really like to understand what caused it, or some of the internal Freeswitch plumbing that is at play so that I can learn something from all of this time I have invested.
I have a Freeswitch server running that acts as a proxy to an account with an ITSP for doing T38 faxing. The Freeswitch server has a public IP address - there are four "users" who register simple FXS ATAs to my server and it then proxies to the ITSP using the "proxy_media" functionality. It has been working very well for the last 6 months or so. I have never had to deal with any NAT traversal issues - I just point the ATA to the IP to register and everything is great.
Here is what the four users "looked" like -
User1 : Grandstream HT-287 -> DD-WRT Router (NAT) -> Internet -> Freeswitch Proxy
User2 : Grandstream HT-503 -> DD-WRT Router (NAT) -> Internet -> Freeswitch Proxy
User3 : Grandstream HT-502 -> Comcast/SMC Router (NAT) -> Internet -> Freeswitch Proxy
User4 : Grandstream HT-287 -> IPCOP 1.4.11 (NAT) -> Comcast Gateway -> Freeswitch Proxy
(User4 is my office, so the IPCOP firewall and the Freeswitch Proxy sit on the same Comcast Gateway)
As I said, this all worked perfectly without any need to "fiddle" with anything on any firewalls - worked right out of the box.
So, today I changed out my IPCOP firewall for a pfsense firewall - and my HT-287 would no longer register.
After much head-scratching, packet captures, etc., I found that I needed to set up a Static Port NAT for the port the HT-287 was using (5062) in order to get this to work.
So, I see WHAT is happening, but I really want to know WHY it is happening.
Here are the gory details:
The sofia status of the profile looks like this when I have the Static Port NAT in place (details changed for security):
_______________________________________________________________
Call-ID: 0e551b3c694a793c at 192.168.1.137
User: 8885554525 at 173.11.22.111
Contact: "user" <sip:8885554525 at 192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060>
Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5
Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:17:03)
Host: 173-11-22-111-illinois.hfc.comcastbusiness.net
IP: 173.22.22.55
Port: 5060
Auth-User: 8885554525
Auth-Realm: 173.11.22.111
MWI-Account: 8885554525 at 173.11.22.111
Call-ID: 1716488819-5062-1 at 192.168.7.150
User: 8885554544 at 173.11.22.111
Contact: "user" <sip:8885554544 at 192.168.7.150:5062;user=phone;fs_nat=yes; fs_path=sip%3A8885554544%4098.255.0.11%3A5062%3Buser%3Dphone>
Agent: Grandstream HT-502 V1.1B 1.0.1.63
Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:48:35)
Host: 173-11-22-111-illinois.hfc.comcastbusiness.net
IP: 98.255.0.11
Port: 5062
Auth-User: 8885554544
Auth-Realm: 173.11.22.111
MWI-Account: 8885554544 at 173.11.22.111
Call-ID: 090ee80e1a0ec9ed at 10.8.11.149
User: 8885554549 at 173.11.22.111
Contact: "user" <sip:8885554549 at 10.8.11.149:5062>
Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390
Status: Registered(UDP)(unknown) EXP(2010-08-29 02:00:42)
Host: 173-11-22-111-illinois.hfc.comcastbusiness.net
IP: 173.11.22.99
Port: 5062
Auth-User: 8885554549
Auth-Realm: 173.11.22.111
MWI-Account: 8885554549 at 173.11.22.111
Call-ID: 1035241259-5060-1 at 10.1.10.150
User: 8885554547 at 173.11.22.111
Contact: "user" <sip:8885554547 at 10.1.10.150:5060;user=phone;fs_nat=yes;fs_path=sip%3A8885554547%4098.222.55.100%3A5060%3Buser%3Dphone>
Agent: Grandstream HT-503 V1.1B 1.0.1.63
Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 00:15:09)
Host: 173-11-22-111-illinois.hfc.comcastbusiness.net
IP: 98.222.55.100
Port: 5060
Auth-User: 8885554547
Auth-Realm: 173.11.22.111
MWI-Account: 8885554547 at 173.11.22.111
___________________________________________________________
The "User4" account is in red. The "Contact" field is substantially different and the "Status" indicates "Registered (UDP)", rather than "Registered (UDP-NAT)" like the others.
When I do a packet capture on the external NIC interface (eth0) - I see the following when the HT-287 tries to register and the Static Port NAT is NOT in place:
___________________________________________________________________
Internet Protocol, Src: 173.11.22.99 (173.11.22.99), Dst: 173.11.22.111 (173.11.22.111)
User Datagram Protocol, Src Port: 11521 (11521), Dst Port: 5090 (5090)
Session Initiation Protocol
Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0
Method: REGISTER
Request-URI: sip:173.11.22.111:5090
Request-URI Host Part: 173.11.22.111
Request-URI Host Port: 5090
Message Header
Via: SIP/2.0/UDP 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41
Transport: UDP
Sent-by Address: 10.8.11.149
Sent-by port: 5062
Branch: z9hG4bKda48f838c8689e41
From: <sip:8885554549 at 173.11.22.111:5090>;tag=c8a0d452edc5ac4b
SIP from address: sip:8885554549 at 173.11.22.111:5090
SIP tag: c8a0d452edc5ac4b
To: <sip:8885554549 at 173.11.22.111:5090>
Contact: <sip:88855564549 at 10.8.11.149:5062>
Contact Binding: <sip:8885554549 at 10.8.11.149:5062>
Supported: replaces, timer
Call-ID: aa77d777bae71be6 at 10.8.11.149
CSeq: 100 REGISTER
Sequence Number: 100
Method: REGISTER
Expires: 3600
User-Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE
Content-Length: 0
_______________________________________________________________
When Freeswitch replies back with a "401 Unauthorized" - asking for further Auth - it replies back to port 5062 - so the packet never comes back (pfsense is looking for a packet back on port 11521 in this case).
If I put the Static Port NAT in place - all is well, because the "Source" port shows as "5062" - the rest of the packet looks pretty much the same.
Now, here is a packet coming from one of the other Users - this one comes through a DD-WRT router - here we see that the Source Port is 5060 :
_________________________________________________________________
Internet Protocol, Src: 173.22.22.55 (173.22.22.55), Dst: 173.11.22.111 (173.11.22.111)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)
Session Initiation Protocol
Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0
Method: REGISTER
Request-URI: sip:173.11.22.111:5090
[Resent Packet: False]
Message Header
Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b
Transport: UDP
Sent-by Address: 192.168.1.137
Branch: z9hG4bK665bc67a1c64292b
From: "fax" <sip:8885554525 at 173.11.22.111:5090>;tag=8dc68b35111c4261
To: <sip:8156564525 at 173.15.28.101:5090>
Contact: <sip:8885554525 at 192.168.1.137>
Contact Binding: <sip:8885554525 at 192.168.1.137>
Call-ID: 0e551b3c694a793c at 192.168.1.137
CSeq: 503 REGISTER
Sequence Number: 503
Method: REGISTER
Expires: 3600
User-Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE
Content-Length: 0
______________________________________________________________________
Here is one more packet coming from a Comcast/SMC Router - again, the source port is correct:
______________________________________________________________________
Internet Protocol, Src: 98.244.55.100 (98.244.55.100), Dst: 173.11.22.111 (173.11.22.111)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)
Session Initiation Protocol
Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0
Message Header
Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport
Transport: UDP
Sent-by Address: 10.1.10.150
Sent-by port: 5060
Branch: z9hG4bK58981045
RPort: rport
From: <sip:8885554547 at 173.11.22.111:5090;user=phone>;tag=138706651
To: <sip:8885554547 at 173.11.22.111:5090;user=phone>
Call-ID: 1035241259-5060-1 at 10.1.10.150
CSeq: 79875 REGISTER
Sequence Number: 79875
Method: REGISTER
Contact: <sip:8885554547 at 10.1.10.150:5060;user=phone>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B821F9A84>"
Contact Binding: <sip:8885554547 at 10.1.10.150:5060;user=phone>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B821F9A84>"
Max-Forwards: 70
User-Agent: Grandstream HT-503 V1.1B 1.0.1.63
Supported: path
Expires: 300
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE
Content-Length: 0
___________________________________________________________
So, here are my questions:
- Why is the Sofia Status so much different for the registration coming through the pfSense firewall? It looks like it doesn't get tagged as being NAT'd and the "Contact" info is much less.
- Do most modern routers automatically Static Port NAT any SIP traffic? Both DD-WRT and SMC routers appear to be doing this - and not just on a simple port basis (UDP 5060 only), because one of these examples is on 5062. Are these "SIP aware" firewalls that are doing this automatically, as the IPCOP did before?
- Is the extra "Contact" data in the last packet example different because it is a different UA (HT-503 rather than an HT-287)?
- Is Freeswitch not flagging the registration from my office (User4) as being NAT'd because it is coming in on the same subnet as the interface Freeswitch received the packet on (Freeswitch is at 173.11.22.111 and pfsense is at 173.11.22.99)?
Sorry for this terribly long posting - I'm just very curious to understand what is going on here, now that I have collected all this information.
Thanks,
Dave
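Editor's note on the response-routing behaviour seen in the captures above. Under RFC 3261 section 18.2.2 a server sends its response to the port in the top Via "sent-by" field (5062 for the HT-287), switching to the packet's source IP only when the sent-by host differs from it; the reply is sent to the source *port* only when the Via carries the RFC 3581 "rport" parameter, which the HT-503 capture has and the HT-287 capture does not. The script below is an added example, not code from the post or from FreeSWITCH: it implements those two rules plus a simple "private sent-by address that differs from the source IP" NAT heuristic (a simplification, not sofia's actual fs_nat logic), and checks whether the reply lands on the (ip, port) pair the NAT opened. The REGISTER messages are constructed from the headers shown in the post, using its placeholder addresses.

```python
"""Decide where a SIP server must send its response to a REGISTER, and
whether that reply can get back through a NAT that rewrote the source port.

Rules implemented (RFC 3261 section 18.2.2 and RFC 3581):
  * The reply goes to the top Via 'sent-by' port, unless the Via carries
    'rport', in which case it goes to the UDP source port of the request.
  * If the Via 'sent-by' host differs from the packet's source IP, the
    server adds 'received=<source ip>' and sends the reply to that IP.
A NAT only forwards replies that come back to the (ip, port) it opened,
so a reply to the Via port fails whenever the NAT changed the source port
and the client did not ask for rport.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class ReplyDecision:
    dest_ip: str
    dest_port: int
    used_rport: bool           # True if RFC 3581 rport steered the reply port
    nat_suspected: bool        # private sent-by host that differs from source IP
    reaches_nat_mapping: bool  # reply lands on the (ip, port) the NAT opened


def parse_top_via(message: str) -> dict:
    """Return transport, sent-by host/port and parameters of the top Via.
    Assumes an IPv4 literal or hostname in sent-by (no bracketed IPv6)."""
    m = re.search(r"^Via:\s*SIP/2\.0/(\w+)\s+([^;\r\n]+)((?:;[^\r\n]*)?)",
                  message, re.M | re.I)
    if not m:
        raise ValueError("no Via header in message")
    transport, sent_by, raw_params = m.groups()
    host, _, port = sent_by.strip().partition(":")
    params = {}
    for item in raw_params.split(";"):
        if item:
            key, _, value = item.partition("=")
            params[key.strip().lower()] = value.strip()
    return {"transport": transport.upper(), "host": host,
            "port": int(port) if port else 5060, "params": params}


def _is_private(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # hostname rather than an IP literal
        return False


def decide_reply(message: str, src_ip: str, src_port: int) -> ReplyDecision:
    via = parse_top_via(message)
    used_rport = "rport" in via["params"]
    dest_port = src_port if used_rport else via["port"]
    # RFC 3261 18.2.2: sent-by host differs from source -> reply to the source IP
    dest_ip = src_ip if via["host"] != src_ip else via["host"]
    nat_suspected = _is_private(via["host"]) and via["host"] != src_ip
    reaches = (dest_ip, dest_port) == (src_ip, src_port)
    return ReplyDecision(dest_ip, dest_port, used_rport, nat_suspected, reaches)


def with_rport(message: str) -> str:
    """Return a copy of the message whose top Via requests rport (RFC 3581)."""
    if "rport" in parse_top_via(message)["params"]:
        return message
    return re.sub(r"^(Via:[^\r\n]*)", r"\1;rport", message, count=1, flags=re.M)


# Constructed REGISTER requests modelled on the three captures in the post
# (same placeholder addresses; only the headers this check reads are kept).
USER4_REGISTER = (
    "REGISTER sip:173.11.22.111:5090 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41\r\n"
    "Contact: <sip:8885554549@10.8.11.149:5062>\r\n"
    "Content-Length: 0\r\n\r\n")
USER1_REGISTER = (
    "REGISTER sip:173.11.22.111:5090 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b\r\n"
    "Contact: <sip:8885554525@192.168.1.137>\r\n"
    "Content-Length: 0\r\n\r\n")
USER3_REGISTER = (
    "REGISTER sip:173.11.22.111:5090 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport\r\n"
    "Contact: <sip:8885554547@10.1.10.150:5060;user=phone>\r\n"
    "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    cases = [
        ("User4 via pfSense (port rewritten, no rport)", USER4_REGISTER, "173.11.22.99", 11521),
        ("User4 if the ATA asked for rport", with_rport(USER4_REGISTER), "173.11.22.99", 11521),
        ("User1 via DD-WRT (port preserved)", USER1_REGISTER, "173.22.22.55", 5060),
        ("User3 HT-503 (rport present)", USER3_REGISTER, "98.244.55.100", 5060),
    ]
    for label, msg, ip, port in cases:
        d = decide_reply(msg, ip, port)
        print(f"{label}: reply -> {d.dest_ip}:{d.dest_port} rport={d.used_rport} "
              f"nat={d.nat_suspected} reaches_client={d.reaches_nat_mapping}")
```

Running it shows the User4 case replying to 173.11.22.99:5062 while the NAT is waiting on 11521, which is the "401 never comes back" symptom in the post; the same message with rport added, or the two captures whose NAT preserved the source port, all reach the client. A static (source-preserving) port mapping or an rport-capable user agent are the two standards-based ways around it; a SIP ALG that rewrites Via and Contact is a third, but it cannot be verified from the message alone.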