[Freeswitch-users] MultiNAT

Kurtis Heimerl kheimerl at cs.berkeley.edu
Thu Jul 24 03:43:40 MSD 2014


If the answer is no, the answer is no. I *think* I may be able to port
forward 5060->5090 or something in the VPN NAT to enable a new profile, but
I'm concerned about the reverse direction. Either way, it's not a scalable
solution, so I'd prefer to set the return ips in the dialplan if able.


On Wed, Jul 23, 2014 at 4:29 PM, Brian West <brian at freeswitch.org> wrote:

> This scenario is going to be a hard one to solve due to that... let me
> think about it.
>
>
> On Wed, Jul 23, 2014 at 2:40 PM, Kurtis Heimerl <kheimerl at cs.berkeley.edu>
> wrote:
>
>> Hrm, this is more complicated to explain than I anticipated.
>>
>> Basically, this is the fault of VPNs. We have one machine in our data
>> center that is running a VPN connecting (X.Y.*.*) to carrier 1. That box is
>> one-to-one NATing all communications to our (FS) VoIP server on the local
>> subnet (192.168.*.*). So that's NAT 1.
>>
>> The second NAT is for the actual public access from our VoIP box. This
>> has a public IP outside the firewall (A.B.*.*) and NATs again to the VoIP
>> server on the local subnet (192.168.*.*)
>>
>> So, this one machine (192.168.*.*) is actually behind two separate NATs
>> at the moment. It has some rules in the IP tables to route X.Y traffic to
>> the VPN box, and otherwise route to the broader internet. The existing way
>> to deal with a NAT in FS is the ext-rtp/sip-ip field in the profile, but
>> that no longer works when we have to dynamically set these fields depending
>> on which NAT they are going through.
>>
>> Does that make sense? Even if not, here's the problem: I want to set
>> ext-rtp/sip-ip dynamically in the dialplan. Is that possible?
>>
>>
>> On Wed, Jul 23, 2014 at 5:40 AM, Brian West <brian at freeswitch.org> wrote:
>>
>>> I'm guessing both networks are behind the same nat and routed? Or is it
>>> two different nat'ed networks behind the same public IP?  If it's just two
>>> standard networks that's fully routed and no nat between the 192.x and the
>>> 10.x space then just set your local-network-acl to rfc1918.auto.
>>>
>>>
>>> On Wed, Jul 23, 2014 at 12:52 AM, Kurtis Heimerl <
>>> kheimerl at cs.berkeley.edu> wrote:
>>>
>>>> Comments in line:
>>>>
>>>>
>>>> On Tue, Jul 22, 2014 at 9:22 PM, Pasha <pasha at prosperity4ever.com>
>>>> wrote:
>>>>
>>>>>  The problem with that though (if I understand your scenario
>>>>> correctly) is that even if there was a way to set external IP in freeswitch
>>>>> in the dial plan you say that you only have 1 external IP to deal with
>>>>> anyway, so what would you set your second IP to for routing to work
>>>>> properly?
>>>>>
>>>> There's only one actual IP on the box, but it's behind *two* different
>>>> NATs. Setting the ext-rtp/sip-ip to the appropriate NAT IP works for both
>>>> connections, but I need to make that dynamic.
>>>>
>>>>
>>>>> In my mind what might work for you is if you create an alias to your
>>>>> single network controller with the second IP that you need, then if you
>>>>> have access to the firewall perform NAT so that if connection comes in from
>>>>> external IP of vendor #1 on 5060 you forward that to 5060 on internal IP 1
>>>>> of your freeswitch box. If call comes in on external IP of vendor #2 on
>>>>> 5060 you forward to port 5060 of your internal IP #2 (alias on freeswitch
>>>>> box)... that's for incoming...
>>>>>
>>>>>
>>>> I'm not sure I understand this. Does a FS alias allow me to have
>>>> multiple IPs on the same box somehow?
>>>>
>>>>
>>>>>  I apologize if I didn't fully understand your scenario. I'm not even
>>>>> sure why you're having a conflict in this case because your providers are
>>>>> different, the only time you have an issue with single external IP is if
>>>>> you're trying to setup a second trunk to the same provider (most of them
>>>>> won't allow more than one trunk on a single IP).
>>>>>
>>>>>
>>>> It's a relatively simple, but apparently uncommon, case, I agree. My
>>>> issue sounds very similar to having multiple trunks to the same provider in
>>>> a way, but I have different external IPs for RTP and such instead.
>>>>
>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>> On 14-07-22 05:28 PM, Kurtis Heimerl wrote:
>>>>>
>>>>> I can't do that unfortunately. Our providers are hitting the generic
>>>>> SIP Port: 5060 so that's not available. Our system behind the two NATs has
>>>>> only one network interface, and as such only one available public IP. So we
>>>>> can't just set up a new profile. I can probably hack around this in another
>>>>> way (port forwarding through one of the NATs to allow a second profile on
>>>>> the same IP) but that's pretty ugly and unsustainable going forward. I'd
>>>>> much prefer to simply set the expected external IP in the outbound dialplan
>>>>> for each provider.
>>>>>
>>>>>
>>>>> On Tue, Jul 22, 2014 at 5:07 PM, Russell Treleaven <
>>>>> rtreleaven at bunnykick.ca> wrote:
>>>>>
>>>>>> Either give them separate ip addresses or separate ports.
>>>>>>
>>>>>>
>>>>>> Sent from my BlackBerry® PlayBook™
>>>>>> www.blackberry.com
>>>>>>
>>>>>> ------------------------------
>>>>>>  *From:* "Kurtis Heimerl" <kheimerl at cs.berkeley.edu>
>>>>>> *To:* "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>>>>>>  *Sent:* 22 July, 2014 8:04 PM
>>>>>> *Subject:* Re: [Freeswitch-users] MultiNAT
>>>>>>
>>>>>> They all have to sit on the same internal IP and Port, so I don't
>>>>>> think I can.
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 22, 2014 at 4:57 PM, Russell Treleaven <
>>>>>> rtreleaven at bunnykick.ca> wrote:
>>>>>>
>>>>>>> Hi Kurtis,
>>>>>>>
>>>>>>>  Why not make a separate profile for each provider?
>>>>>>>
>>>>>>> Sent from my BlackBerry® PlayBook™
>>>>>>> www.blackberry.com
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From:* "Kurtis Heimerl" <kheimerl at cs.berkeley.edu>
>>>>>>> *To:* "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org
>>>>>>> >
>>>>>>> *Sent:* 22 July, 2014 7:14 PM
>>>>>>> *Subject:* [Freeswitch-users] MultiNAT
>>>>>>>
>>>>>>> Hey Users,
>>>>>>>
>>>>>>>  I have an interesting NAT setup. I'm running FS on the inside of
>>>>>>> our network as a router/proxy between some SIP phones and DID providers.
>>>>>>> However, each DID provider is behind a *different* NAT (a property of our
>>>>>>> VPN setups for them).
>>>>>>>
>>>>>>>  For instance: DID1 is at IP 192.168.1.1 and DID2 is at 10.0.0.1.
>>>>>>>
>>>>>>>  I have calls working for each of them when I set the following in
>>>>>>> my external profile:
>>>>>>>
>>>>>>>  <param name="ext-rtp-ip" value="10.0.0.2"/>
>>>>>>> <param name="ext-sip-ip" value="10.0.0.2"/>
>>>>>>>
>>>>>>>  However, I need to dynamically route between *both* of them. I
>>>>>>> need a mechanism for setting ext-rtp-ip and ext-sip-ip in the dialplan
>>>>>>> itself!
>>>>>>>
>>>>>>>  Is there a set way to do this?
>>>>>>>
>>>>>>>  Thanks!
>>>>>>>
>>>>>>>
>>>>>>> _________________________________________________________________________
>>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>>> consulting at freeswitch.org
>>>>>>> http://www.freeswitchsolutions.com
>>>>>>>
>>>>>>> 
>>>>>>> 
>>>>>>>
>>>>>>> Official FreeSWITCH Sites
>>>>>>> http://www.freeswitch.org
>>>>>>> http://wiki.freeswitch.org
>>>>>>> http://www.cluecon.com
>>>>>>>
>>>>>>> FreeSWITCH-users mailing list
>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>> UNSUBSCRIBE:
>>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>> http://www.freeswitch.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>
>>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
>
>
> *Twitter: @FreeSWITCH , @briankwest*
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
>
> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
>
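
The workaround discussed in this thread (one Sofia profile per NAT path, the second on another port such as 5090, with the outbound dialplan choosing the profile), as an added example that is not part of any of the posts. The profile names, the local address 192.168.0.10, the did1 external address 192.168.1.2 and the dial prefixes are constructed; 10.0.0.2, 192.168.1.1 and 10.0.0.1 are the illustrative addresses from the first message.

```xml
<!-- Added example, not configuration from the thread. Only the NAT-related
     settings are shown; constructed values are marked. -->

<!-- conf/sip_profiles/did1.xml: traffic that leaves through the first NAT -->
<profile name="did1">
  <settings>
    <param name="context" value="public"/>
    <param name="sip-ip" value="192.168.0.10"/>      <!-- constructed local address -->
    <param name="rtp-ip" value="192.168.0.10"/>
    <param name="sip-port" value="5060"/>
    <!-- address this NAT presents to DID1 (constructed) -->
    <param name="ext-sip-ip" value="192.168.1.2"/>
    <param name="ext-rtp-ip" value="192.168.1.2"/>
  </settings>
</profile>

<!-- conf/sip_profiles/did2.xml: traffic that leaves through the second NAT -->
<profile name="did2">
  <settings>
    <param name="context" value="public"/>
    <param name="sip-ip" value="192.168.0.10"/>
    <param name="rtp-ip" value="192.168.0.10"/>
    <!-- same local IP as did1, so the port must differ; the NAT in front of
         this path has to forward the provider's 5060 to 5090 -->
    <param name="sip-port" value="5090"/>
    <param name="ext-sip-ip" value="10.0.0.2"/>
    <param name="ext-rtp-ip" value="10.0.0.2"/>
  </settings>
</profile>

<!-- Dialplan: the profile named in the bridge string decides which
     ext-sip-ip/ext-rtp-ip pair is advertised. Prefixes 81/82 are constructed. -->
<extension name="out_did1">
  <condition field="destination_number" expression="^81(\d+)$">
    <action application="bridge" data="sofia/did1/$1@192.168.1.1"/>
  </condition>
</extension>
<extension name="out_did2">
  <condition field="destination_number" expression="^82(\d+)$">
    <action application="bridge" data="sofia/did2/$1@10.0.0.1"/>
  </condition>
</extension>
```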