[Freeswitch-users] AutoNAT - Local Networks not excluded
g
g.d.monnezza at tiscali.it
Fri Jul 27 19:43:15 MSD 2012
Many interesting suggestions in your reply. Thanks. I'm now more confused :S
... But I have multiple paths to a solution of my issue :)
I think the most interesting is the <param name="apply-nat-acl" value="rfc1918"/>
I'm missing, but I can't try to add it now.
Anyway, here below some details of my installation.
With this setup, on the FS eth0 interface I clearly see traffic from FS going out to
the phone with addresses:
192.168.50.250 (FS) -> 192.168.40.103 (phone)
but no traffic coming back from the phone.
Dumping the network interface of the network gateway I see RTP packets trying to
go out from the phone to the internet address XX.YY.ZZ.KK:
192.168.40.103 (phone) -> XX.YY.ZZ.KK (Public IP of the gateway)
So, it is clear that FS presents itself to the phone with the external IP, and the
phone replies to that IP :(
If the phone lives in same network as FS (i.e. 192.168.50.0/24) everything
works. So FS has a "brain" determining what is to NAT and what is not.
____
Configuration details
Interface profile settings:
<profile name="sipinterface_1">
  <settings>
    <param name="enable-timer" value="false"/>
    <param name="user-agent-string" value="Configured by 2600hz!"/>
    <param name="rtp-timer-name" value="soft"/>
    <param name="codec-prefs" value="$${global_codec_prefs}"/>
    <param name="inbound-codec-negotiation" value="generous"/>
    <param name="inbound-reg-force-matching-username" value="true"/>
    <param name="nonce-ttl" value="86400"/>
    <param name="rfc2833-pt" value="101"/>
    <param name="manage-presence" value="true"/>
    <param name="auth-calls" value="true"/>
    <param name="sip-ip" value="$${local_ip_v4}"/>
    <param name="rtp-ip" value="$${local_ip_v4}"/>
    <param name="sip-port" value="5060"/>
    <param name="nat-options-ping" value="true"/>
    <param name="all-reg-options-ping" value="true"/>
    <param name="context" value="multitenant_routing_context"/>
    <param name="force-register-domain" value="$${location_1}"/>
    <param name="force-register-db-domain" value="$${location_1}"/>
    <param name="apply-inbound-acl" value="net_list_5"/>
    <param name="NDLB-force-rport" value="true"/>
    <param name="ext-sip-ip" value="auto-nat"/>
    <param name="ext-rtp-ip" value="auto-nat"/>
  </settings>
Interface details:
sofia status profile sipinterface_1
=================================================================================================
Name sipinterface_1
Domain Name N/A
Auto-NAT true
DBName sofia_reg_sipinterface_1
Pres Hosts
Dialplan XML
Context multitenant_routing_context
Challenge Realm auto_to
RTP-IP 192.168.50.250
Ext-RTP-IP XX.YY.ZZ.KK
SIP-IP 192.168.50.250
Ext-SIP-IP XX.YY.ZZ.KK
URL sip:mod_sofia at 192.168.50.250:5060
BIND-URL sip:mod_sofia at 192.168.50.250:5060
HOLD-MUSIC N/A
OUTBOUND-PROXY N/A
CODECS IN GSM,PCMU,PCMA
CODECS OUT GSM,PCMU,PCMA
TEL-EVENT 101
DTMF-MODE rfc2833
CNG 13
SESSION-TO 0
MAX-DIALOG 0
NOMEDIA false
LATE-NEG false
PROXY-MEDIA false
ZRTP-PASSTHRU false
AGGRESSIVENAT false
STUN-ENABLED true
STUN-AUTO-DISABLE false
CALLS-IN 0
FAILED-CALLS-IN 0
CALLS-OUT 0
FAILED-CALLS-OUT 0
REGISTRATIONS 12
Phone registration details:
Call-ID: 1180386363-5060-1 at BJC.BGI.EA.BAD
User: 101 at 192.168.200.250
Contact: "user" <sip:101 at 192.168.40.103:5060>
Agent: Grandstream GXP1105 1.0.4.9
Status: Registered(UDP)(unknown) EXP(2012-07-27 18:09:08) EXPSECS(3476)
Host: microsrv
IP: 192.168.40.103
Port: 5060
Auth-User: 101
Auth-Realm: 192.168.50.250
MWI-Account: 101 at voicemail_1
On Friday 27 July 2012 10:49:09 Phil Quesinberry wrote:
> With that in mind - in my working configuration with phones both on the
> local LAN with FS as well as remote natted networks, I have:
> ./sip_profiles/internal.xml: <param name="apply-nat-acl"
> value="nat.auto"/> (All extensions are registered to the internal
> profile)
>
> In most cases, it was necessary to have FS rewrite the contact IP and port
> for remote extensions.
>
> - Phil
>
>
> I found someone talking about similar problems. I read that
> "... some lines of code in sofia_reg.c
>
> if (is_nat && profile->local_network &&
>     switch_check_network_list_ip(network_ip, profile->local_network)) {
>     if (profile->debug) {
>         switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
>                           "IP %s is on local network, not seting NAT mode.\n",
>                           network_ip);
>     }
>     is_nat = NULL;
> }
> "
>
> So I think there is the possibility to set which are local networks.
>
> Also I found my sip_profiles for nat-mode contain (as it should be) the
> ext-IP declaration:
> <param name="ext-sip-ip" value="auto-nat"/>
> <param name="ext-rtp-ip" value="auto-nat"/>
> but not the line
> <param name="apply-nat-acl" value="rfc1918"/>
> Maybe this line solves my problem.
> I'll try as soon as possible, but all my FS servers are actually in
> production environments :(
> If someone has the chance to test it successfully, please report it.
> g
>
> _____________________________________________
> From: Phil Quesinberry
> Sent: Friday, July 27, 2012 10:31 AM
> To: 'freeswitch-users at lists.freeswitch.org'
> Subject: RE: re: AutoNAT - Local Networks not excluded
>
>
> One other thing comes to mind. A lot of routers (especially SOHO routers)
> have ALG functionality that can break the SIP signaling, even when the ALG
> functionality is supposedly turned off. You can usually get around this by
> changing the SIP port to something other than 5060. If the phones connect
> via TLS (usually on port 5061) then this shouldn't be a problem, as they
> can't mess with the encrypted traffic.
>
> - Phil
> _____________________________________________
> From: Phil Quesinberry
> Sent: Friday, July 27, 2012 10:24 AM
> To: 'freeswitch-users at lists.freeswitch.org'
> Subject: RE: re: AutoNAT - Local Networks not excluded
>
>
> G,
>
> Are you registering your phones to the internal sip profile? Do you have
> anything like aggressive NAT detection enabled for that profile? For the
> extensions, are you rewriting the contact IP/port (is
> NDLB-connectile-dysfunction or NDLB-tls-connectile-dysfunction specified for
> sip-force-contact)?
>
> Do a 'show registrations' from the fs_cli as well as a 'sofia status profile
> internal reg' and post the results here (you may want to partially obscure
> any external IP addresses shown before posting) to give us more of an idea
> of what's going on.
>
> - Phil
> _____________________________________________
> From: Phil Quesinberry
> Sent: Tuesday, July 24, 2012 3:19 PM
> To: 'freeswitch-users at lists.freeswitch.org'
> Subject: re: AutoNAT - Local Networks not excluded
>
>
> Set rtp-ip and sip-ip to your internal IP address. I believe that you
> should also be able to set it to: $${local_ip_v4} or $${bind_server_ip}
> as well.
>
> - Phil
>
> ----------
> VirteX g.d.monnezza at tiscali.it Tue Jul 24 16:12:08 MSD 2012
>
>
> Hi guys. I appreciate so much the Auto-NAT for uPnP capable firewalls. But
> I'm experiencing an issue.
> I have a FreeSwitch server behind a NAT, but I can't find a way to avoid
> FreeSwitch using external IP (for SIP and RTP) for local networks (i.e.
> 192.168.0.0/16).
> In my sip profiles for various interfaces I have NOT set the .
> Anyway, the sofia status for all interfaces shows the EXT-RTP-IP and
> EXT-SIP-IP set (with my public gateway IP). That's ok, even if I didn't
> declare it with
> My SIP phones register from a network different from the server one, but
> still a local network. Then, SIP phones receive (from the server) the rtp
> and sip signalling with its external IP. This prevents any communication.
> How is it possible to tell FreeSwitch to NOT use ext IP for particular
> networks?
> Thanks to anyone who will point me in the right direction.
> g
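
Added example, not part of the original thread and not FreeSWITCH source: a simplified C model of the local-network check quoted above from sofia_reg.c, run against the addresses from this thread. The struct, the function names and the two constructed network lists (the server's /24 alone, and the 192.168.0.0/16 range the original post mentions) are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a network list: a set of allowed CIDR blocks. */
struct cidr { const char *net; int bits; };

/* Constructed sample lists (assumptions, not taken from any real config). */
static const struct cidr SUBNET_ONLY[] = { { "192.168.50.0", 24 } };
static const struct cidr WHOLE_RANGE[] = { { "192.168.0.0", 16 } };

/* Return 1 if ip is inside net/bits, 0 if not, -1 on malformed input. */
static int ip_in_cidr(const char *ip, const char *net, int bits)
{
    struct in_addr a, n;
    if (bits < 0 || bits > 32) return -1;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return -1;
    /* A shift by 32 is undefined in C, so /0 is handled separately. */
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return (ntohl(a.s_addr) & mask) == (ntohl(n.s_addr) & mask);
}

/* Model of the quoted branch: if NAT mode was set and the peer's network IP
 * matches the local list, NAT mode is cleared; otherwise it is left as is. */
static int nat_mode_after_check(const struct cidr *local, size_t n,
                                const char *network_ip, int is_nat)
{
    if (!is_nat || n == 0) return is_nat;
    for (size_t i = 0; i < n; i++)
        if (ip_in_cidr(network_ip, local[i].net, local[i].bits) == 1)
            return 0;   /* "IP ... is on local network" */
    return is_nat;
}

int main(void)
{
    const char *phone = "192.168.40.103";   /* phone address from the thread */
    printf("list = server /24 only : nat mode %d\n",
           nat_mode_after_check(SUBNET_ONLY, 1, phone, 1));
    printf("list = 192.168.0.0/16  : nat mode %d\n",
           nat_mode_after_check(WHOLE_RANGE, 1, phone, 1));
    return 0;
}
```

With a list holding only the server's own subnet, the phone on 192.168.40.0/24 does not match and NAT mode stays set; it is cleared once the list covers that network.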