[Freeswitch-users] MultiNAT
Steven Ayre
steveayre at gmail.com
Thu Jul 24 15:31:07 MSD 2014
Would it be possible to eliminate the NAT at the VPN making it a normal
router and then have the servers listen on both 198.168.*.* and X.Y.*.*?
You could then have 2 SIP profiles with different external IPs configured
(indeed the VPN wouldn't even need that setting).
On 24 July 2014 01:40, Kurtis Heimerl <kheimerl at cs.berkeley.edu> wrote:
> It's doable, but inelegant as I'd have to push some core configuration
> into the NAT itself to enable it (the port forwarding).
>
>
> On Wed, Jul 23, 2014 at 5:35 PM, William King <
> william.king at quentustech.com> wrote:
>
>> I'd be curious if having two profiles(each with their own external ip
>> configurations) would be the best way to handle this. Then you can in
>> your dialplan choose which profile to send the calls out, and the NAT
>> would still be handled properly for that route.
>>
>> William King
>> Senior Engineer
>> Quentus Technologies, INC
>> 1037 NE 65th St Suite 273
>> Seattle, WA 98115
>> Main: (877) 211-9337
>> Office: (206) 388-4772
>> Cell: (253) 686-5518
>> william.king at quentustech.com
>>
>> On 07/23/2014 04:43 PM, Kurtis Heimerl wrote:
>> > If the answer is no, the answer is no. I *think* I may be able to port
>> > forward 5060->5090 or something in the VPN NAT to enable a new profile,
>> > but I'm concerned about the reverse direction. Either way, it's not a
>> > scalable solution, so I'd prefer to set the return ips in the dialplan
>> > if able.
>> >
>> >
>> > On Wed, Jul 23, 2014 at 4:29 PM, Brian West <brian at freeswitch.org> wrote:
>> >
>> > This scenario is going to be a hard one to solve due to that... let
>> > me think about it.
>> >
>> >
>> > On Wed, Jul 23, 2014 at 2:40 PM, Kurtis Heimerl
>> > <kheimerl at cs.berkeley.edu> wrote:
>> >
>> > Hrm, this is more complicated to explain than I anticipated.
>> >
>> > Basically, this is the fault of VPNs. We have one machine in our
>> > data center that is running a VPN connecting (X.Y.*.*) to
>> > carrier 1. That box is one-to-one NATing all communications to
>> > our (FS) VoIP server on the local subnet (192.168.*.*). So
>> > that's NAT 1.
>> >
>> > The second NAT is for the actual public access from our VoIP
>> > box. This has a public IP outside the firewall (A.B.*.*) and
>> > NATs again to the VoIP server on the local subnet (192.168.*.*)
>> >
>> > So, this one machine (192.168.*.*) is actually behind two
>> > separate NATs at the moment. It has some rules in the IP tables
>> > to route X.Y traffic to the VPN box, and otherwise route to the
>> > broader internet. The existing way to deal with a NAT in FS is
>> > the ext-rtp/sip-ip field in the profile, but that no longer
>> > works when we have to dynamically set these fields depending on
>> > which NAT they are going through.
>> >
>> > Does that make sense? Even if not, here's the problem: I want to
>> > set ext-rtp/sip-ip dynamically in the dialplan. Is that
>> > possible?
>> >
>> >
>> > On Wed, Jul 23, 2014 at 5:40 AM, Brian West
>> > <brian at freeswitch.org> wrote:
>> >
>> > I'm guessing both networks are behind the same nat and
>> > routed? Or is it two different nat'ed networks behind the
>> > same public IP? If it's just two standard networks that's
>> > fully routed and no nat between the 192.x and the 10.x space
>> > then just set your local-network-acl to rfc1918.auto.
>> >
>> >
>> > On Wed, Jul 23, 2014 at 12:52 AM, Kurtis Heimerl
>> > <kheimerl at cs.berkeley.edu> wrote:
>> >
>> > Comments in line:
>> >
>> >
>> > On Tue, Jul 22, 2014 at 9:22 PM, Pasha
>> > <pasha at prosperity4ever.com> wrote:
>> >
>> > The problem with that though (if I understand your
>> > scenario correctly) is that even if there was a way
>> > to set external IP in freeswitch in the dial plan
>> > you say that you only have 1 external IP to deal
>> > with anyway, so what would you set your second IP to
>> > for routing to work properly?
>> >
>> > There's only one actual IP on the box, but it's behind
>> > *two* different NATs. Setting the ext-rtp/sip-ip to the
>> > appropriate NAT IP works for both connections, but I
>> > need to make that dynamic.
>> >
>> >
>> > In my mind what might work for you is if you create
>> > an alias to your single network controller with the
>> > second IP that you need, then if you have access to
>> > the firewall perform NAT so that if connection comes
>> > in from external IP of vendor #1 on 5060 you forward
>> > that to 5060 on internal IP 1 of your freeswitch
>> > box. If call comes in on external IP of vendor #2 on
>> > 5060 you forward to port 5060 of your internal IP #2
>> > (alias on freeswitch box)... that's for incoming...
>> >
>> >
>> > I'm not sure I understand this. Does a FS alias allow me
>> > to have multiple IPs on the same box somehow?
>> >
>> >
>> > I apologize if I didn't fully understand your
>> > scenario. I'm not even sure why you're having a
>> > conflict in this case because your providers are
>> > different, the only time you have an issue with
>> > single external IP is if you're trying to setup a
>> > second trunk to the same provider (most of them
>> > won't allow more than one trunk on a single IP).
>> >
>> >
>> > It's a relatively simple, but apparently uncommon, case,
>> > I agree. My issue sounds very similar to having multiple
>> > trunks to the same provider in a way, but I have
>> > different external IPs for RTP and such instead.
>> >
>> >
>> > Paul
>> >
>> >
>> > On 14-07-22 05:28 PM, Kurtis Heimerl wrote:
>> >> I can't do that unfortunately. Our providers are
>> >> hitting the generic SIP Port: 5060 so that's not
>> >> available. Our system behind the two NATs has only
>> >> one network interface, and as such only one
>> >> available public IP. So we can't just set up a new
>> >> profile. I can probably hack around this in
>> >> another way (port forwarding through one of the
>> >> NATs to allow a second profile on the same IP) but
>> >> that's pretty ugly and unsustainable going
>> >> forward. I'd much prefer to simply set the
>> >> expected external IP in the outbound dialplan for
>> >> each provider.
>> >>
>> >>
>> >> On Tue, Jul 22, 2014 at 5:07 PM, Russell Treleaven
>> >> <rtreleaven at bunnykick.ca> wrote:
>> >>
>> >> Either give them separate ip addresses or
>> >> separate ports.
>> >>
>> >>
>> >> Sent from my BlackBerry® PlayBook™
>> >> www.blackberry.com <http://www.blackberry.com>
>> >>
>> >>
>> >> ------------------------------------------------------------------------
>> >> *From:* "Kurtis Heimerl" <kheimerl at cs.berkeley.edu>
>> >> *To:* "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>> >> *Sent:* 22 July, 2014 8:04 PM
>> >> *Subject:* Re: [Freeswitch-users] MultiNAT
>> >>
>> >> They all have to sit on the same internal IP
>> >> and Port, so I don't think I can.
>> >>
>> >>
>> >> On Tue, Jul 22, 2014 at 4:57 PM, Russell Treleaven
>> >> <rtreleaven at bunnykick.ca> wrote:
>> >>
>> >> Hi Kurtis,
>> >>
>> >> Why not make a separate profile for each
>> >> provider?
>> >>
>> >> Sent from my BlackBerry® PlayBook™
>> >> www.blackberry.com <http://www.blackberry.com>
>> >>
>> >>
>> >> ------------------------------------------------------------------------
>> >> *From:* "Kurtis Heimerl" <kheimerl at cs.berkeley.edu>
>> >> *To:* "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>> >> *Sent:* 22 July, 2014 7:14 PM
>> >> *Subject:* [Freeswitch-users] MultiNAT
>> >>
>> >> Hey Users,
>> >>
>> >> I have an interesting NAT setup. I'm
>> >> running FS on the inside of our network as
>> >> a router/proxy between some SIP phones and
>> >> DID providers. However, each DID provider
>> >> is behind a *different* NAT (a property of
>> >> our VPN setups for them).
>> >>
>> >> For instance: DID1 is at IP 192.168.1.1
>> >> and DID2 is at 10.0.0.1.
>> >>
>> >> I have calls working for each of them when
>> >> I set the following in my external profile:
>> >>
>> >> <param name="ext-rtp-ip" value="10.0.0.2"/>
>> >> <param name="ext-sip-ip" value="10.0.0.2"/>
>> >>
>> >> However, I need to dynamically route
>> >> between *both* of them. I need a mechanism
>> >> for setting ext-rtp-ip and ext-sip-ip in
>> >> the dialplan itself!
>> >>
>> >> Is there a set way to do this?
>> >>
>> >> Thanks!
>> >>
>> >>
>> _________________________________________________________________________
>> >> Professional FreeSWITCH Consulting
>> Services:
>> >> consulting at freeswitch.org
>> >> <mailto:consulting at freeswitch.org>
>> >> http://www.freeswitchsolutions.com
>> >>
>> >> FreeSWITCH-powered IP PBX: The CudaTel
>> >> Communication Server
>> >>
>> >>
>> >> Official FreeSWITCH Sites
>> >> http://www.freeswitch.org
>> >> http://wiki.freeswitch.org
>> >> http://www.cluecon.com
>> >>
>> >> FreeSWITCH-users mailing list
>> >> FreeSWITCH-users at lists.freeswitch.org
>> >> <mailto:
>> FreeSWITCH-users at lists.freeswitch.org>
>> >>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >> UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >> http://www.freeswitch.org
>> >>
>> > --
>> >
>> > */Brian West/*
>> > brian at freeswitch.org <mailto:brian at freeswitch.org>
>> >
>> >
>> > */Twitter: @FreeSWITCH , @briankwest/*
>> > http://www.freeswitchbook.com
>> > http://www.freeswitchcookbook.com
>> >
>> > *T:*+19184209001 <tel:%2B19184209001> | *F:*+19184209002
>> > <tel:%2B19184209002> | *M:*+1918424WEST (9378)
>> > *iNUM:*+883 5100 1420 9001
>> <tel:%2B883%205100%201420%209001>
>> > | *ISN:*410*543 | *Skype:*briankwest
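
Added example (not part of the thread and not any poster's configuration): the two-profile layout suggested in the replies above, sketched as FreeSWITCH XML, with each profile bound to its own address on port 5060 and the dialplan picking the profile through the gateway it bridges to. Profile and gateway names, credentials, dial prefixes and all addresses are placeholders; RFC 5737 documentation ranges stand in for the masked X.Y.*.* and A.B.*.* networks.

```xml
<!-- Added example; every name, credential and address here is a placeholder. -->

<!-- sip_profiles/carrier1.xml: bound to the server's routed VPN-side address -->
<profile name="carrier1">
  <gateways>
    <gateway name="did1">
      <param name="proxy" value="198.51.100.1"/>
      <param name="username" value="placeholder"/>
      <param name="password" value="placeholder"/>
      <param name="register" value="false"/>
    </gateway>
  </gateways>
  <settings>
    <param name="context" value="public"/>
    <param name="sip-ip" value="198.51.100.2"/>
    <param name="rtp-ip" value="198.51.100.2"/>
    <param name="sip-port" value="5060"/>
    <!-- No ext-sip-ip/ext-rtp-ip: with the VPN box routing instead of
         NATing, the bound address is the one carrier 1 sees. -->
  </settings>
</profile>

<!-- sip_profiles/public.xml: bound to the LAN address behind the public NAT -->
<profile name="public">
  <gateways>
    <gateway name="did2">
      <param name="proxy" value="sip.provider2.example"/>
      <param name="username" value="placeholder"/>
      <param name="password" value="placeholder"/>
      <param name="register" value="false"/>
    </gateway>
  </gateways>
  <settings>
    <param name="context" value="public"/>
    <param name="sip-ip" value="192.168.0.10"/>
    <param name="rtp-ip" value="192.168.0.10"/>
    <param name="sip-port" value="5060"/>
    <param name="ext-sip-ip" value="203.0.113.5"/>
    <param name="ext-rtp-ip" value="203.0.113.5"/>
  </settings>
</profile>

<!-- dialplan: the gateway named in the bridge string selects the profile -->
<extension name="to_did1">
  <condition field="destination_number" expression="^81(\d+)$">
    <action application="bridge" data="sofia/gateway/did1/$1"/>
  </condition>
</extension>
<extension name="to_did2">
  <condition field="destination_number" expression="^82(\d+)$">
    <action application="bridge" data="sofia/gateway/did2/$1"/>
  </condition>
</extension>
```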