<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Times New Roman; font-size: 12pt; color: #000000'>Confusion abounds here - sorry if I am being obtuse...<br><br>A few points on all this - <br><br>1 - sipproxd is NOT installed on the firewall<br><br>2 - I am confused by the source port randomization issue. I think that what pfsense does by default is randomize the source port translations, rather than using the same source port translations for all connections from an internal host. This is completely different from the issue of telling pfsense to not change the source port at all - i.e. create a Static Port NAT.<br><br>3 - One of the things that I find most confusing about what I saw/see in the packet captures is that I EXPECTED to see non-SIP ports as the source port for the registration requests. What we commonly call NAT is more accurately described as PAT (Port Address Translation) - it functions by translating the source port of requests in and out of the firewall. It is one of the FEW things that I like about Cisco is that they more accurately use the terms NAT and PAT.<br><br>4 - So, that brings me back to why am I NOT seeing random source ports - why is Freeswitch NOT tagging my connection from pfsense as being NAT'd? <br><br>Dave<br><br> <br><br><div><div><img src="http://www.spigotnetworks.com/SpigotLogo-tiny.jpg"><font style="font-family: Arial,Helvetica,sans-serif;" size="2">To start receiving Spigot Network's once a month newsletter filled with interesting technology news and great offers click <span class="Object" id="OBJ_PREFIX_DWT1415"><a href="http://www.spigotnetworks.com/lists/?p=subscribe&id=1" target="_blank">SUBSCRIBE</a></span></font></div></div><br><br>----- Original Message -----<br>From: "Tony Graziano" <tgraziano@myitdepartment.net><br>To: "FreeSWITCH Users Help" <freeswitch-users@lists.freeswitch.org><br>Sent: Sunday, August 29, 2010 7:11:26 AM GMT -06:00 US/Canada Central<br>Subject: Re: [Freeswitch-users] NAT traversal questions - (long)...<br><br>Yeah, the sipxroxd is in the installed packages on his build. Remove<br>the intsalled package and make sure the default rule for outgoing<br>traffic is set for manual/static nat, not automatic.<br><br>http://blog.myitdepartment.net/?p=37<br><br>On Sun, Aug 29, 2010 at 7:40 AM, Tony Graziano<br><tgraziano@myitdepartment.net> wrote:<br>> Ipcop has a similar setting to pfsense. You probably missed it.<br>><br>> MOST FIREWALLS do not use static port NAT. The default rules for<br>> pfsense (and packages) for port 5060 should be removed.<br>><br>> On your outbound rule for your LAN static port nat needs to be<br>> enabled. Once you do that recreate the nat rules AND remove the<br>> siproxd package by default.<br>><br>> This is really a pfsense firewall question, it is clear static port<br>> was not enabled so the source port was re-written because that is what<br>> MOST firewalls do by default.<br>><br>> On 8/29/10, Dave Redmore <dave.redmore@spigotsystems.com> wrote:<br>>> Hello All,<br>>><br>>> I ran into an issue today that has burned up most of my day troubleshooting.<br>>> I have resolved the problem, but would really like to understand what caused<br>>> it, or some of the internal Freeswitch plumbing that is at play so that I<br>>> can learn something from all of this time I have invested.<br>>><br>>> I have a Freeswitch server running that acts as a proxy to an account with<br>>> an ITSP for doing T38 faxing. The Freeswitch server has a public IP address<br>>> - there are four "users" who register simple FXS ATAs to my server and it<br>>> then proxies to the ITSP using the "proxy_media" functionality. It has been<br>>> working very well for the last 6 months or so. I have never had to deal with<br>>> any NAT traversal issues - I just point the ATA to the IP to register and<br>>> everything is great.<br>>><br>>> Here is what the four users "looked" like -<br>>><br>>> User1 : Grandstream HT-287 -> DD-WRT Router (NAT) -> Internet -> Freeswitch<br>>> Proxy<br>>> User2 : Grandstream HT-503 -> DD-WRT Router (NAT) -> Internet -> Freeswitch<br>>> Proxy<br>>> User3 : Grandstream HT-502 -> Comcast/SMC Router (NAT) -> Internet -><br>>> Freeswitch Proxy<br>>> User4 : Grandstream HT-287 -> IPCOP 1.4.11 (NAT) -> Comcast Gateway -><br>>> Freeswitch Proxy<br>>><br>>> (User4 is my office, so the IPCOP firewall and the Freeswitch Proxy sit on<br>>> the same Comcast Gateway)<br>>><br>>> As I said, this all worked perfectly without any need to "fiddle" with<br>>> anything on any firewalls - worked right out of the box.<br>>><br>>> So, today I changed out my IPCOP firewall for a pfsense firewall - and my<br>>> HT-287 would no longer register.<br>>><br>>> After much head-scratching, packet captures, etc. I found that I needed to<br>>> set up a Static Port NAT for the port the HT-287 was using (5062) in order<br>>> to get this to work.<br>>><br>>> So, I see WHAT is happening, but I really want to know WHY it is happening.<br>>><br>>> Here are the gory details:<br>>><br>>> The sofia status of the profile looks like this - when the I have the Static<br>>> Port NAT in place (details changed for security):<br>>><br>>> _______________________________________________________________<br>>> Call-ID: 0e551b3c694a793c@192.168.1.137<br>>> User: 8885554525@173.11.22.111<br>>> Contact: "user"<br>>> <sip:8885554525@192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060><br>>> Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5<br>>> Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:17:03)<br>>> Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>>> IP: 173.22.22.55<br>>> Port: 5060<br>>> Auth-User: 8885554525<br>>> Auth-Realm: 173.11.22.111<br>>> MWI-Account: 8885554525@173.11.22.111<br>>><br>>> Call-ID: 1716488819-5062-1@192.168.7.150<br>>> User: 8885554544@173.11.22.111<br>>> Contact: "user" <sip:8885554544@192.168.7.150:5062;user=phone;fs_nat=yes;<br>>> fs_path=sip%3A8885554544%4098.255.0.11%3A5062%3Buser%3Dphone><br>>> Agent: Grandstream HT-502 V1.1B 1.0.1.63<br>>> Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:48:35)<br>>> Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>>> IP: 98.255.0.11<br>>> Port: 5062<br>>> Auth-User: 8885554544<br>>> Auth-Realm: 173.11.22.111<br>>> MWI-Account: 8885554544@173.11.22.111<br>>><br>>> Call-ID: 090ee80e1a0ec9ed@10.8.11.149<br>>> User: 8885554549@173.11.22.111<br>>> Contact: "user" <sip:8885554549@10.8.11.149:5062><br>>> Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390<br>>> Status: Registered(UDP)(unknown) EXP(2010-08-29 02:00:42)<br>>> Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>>> IP: 173.11.22.99<br>>> Port: 5062<br>>> Auth-User: 8885554549<br>>> Auth-Realm: 173.11.22.111<br>>> MWI-Account: 8885554549@173.11.22.111<br>>><br>>> Call-ID: 1035241259-5060-1@10.1.10.150<br>>> User: 8885554547@173.11.22.111<br>>> Contact: "user" <sip:8885554547@10.1.10.150:5060;user=phone;fs_nat=yes;fs<br>>> _path=sip%3A8885554547%4098.222.55.100%3A5060%3Buser%3Dphone><br>>> Agent: Grandstream HT-503 V1.1B 1.0.1.63<br>>> Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 00:15:09)<br>>> Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>>> IP: 98.222.55.100<br>>> Port: 5060<br>>> Auth-User: 8885554547<br>>> Auth-Realm: 173.11.22.111<br>>> MWI-Account: 8885554547@173.11.22.111<br>>> ___________________________________________________________<br>>><br>>> The "User4" account is in red. The "Contact" field is substantially<br>>> different and the "Status" indicates "Registered (UDP)", rather than<br>>> "Registered (UDP-NAT)" as the others.<br>>><br>>> When I do a packet capture on the external NIC interface (eth0) - I see the<br>>> following when the HT-287 tries to register and the Static Port NAT is NOT<br>>> in place:<br>>><br>>> ___________________________________________________________________<br>>> Internet Protocol, Src: 173.11.22.99 (173.11.22.99), Dst: 173.11.22.111<br>>> (173.11.22.111)<br>>> User Datagram Protocol, Src Port: 11521 (11521), Dst Port: 5090 (5090)<br>>> Session Initiation Protocol<br>>> Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0<br>>> Method: REGISTER<br>>> Request-URI: sip:173.11.22.111:5090<br>>> Request-URI Host Part: 173.11.22.111<br>>> Request-URI Host Port: 5090<br>>> Message Header<br>>> Via: SIP/2.0/UDP 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41<br>>> Transport: UDP<br>>> Sent-by Address: 10.8.11.149<br>>> Sent-by port: 5062<br>>> Branch: z9hG4bKda48f838c8689e41<br>>> From: <sip:8885554549@173.11.22.111:5090>;tag=c8a0d452edc5ac4b<br>>> SIP from address: sip:8885554549@173.11.22.111:5090<br>>> SIP tag: c8a0d452edc5ac4b<br>>> To: <sip:8885554549@173.11.22.111:5090><br>>> Contact: <sip:88855564549@10.8.11.149:5062><br>>> Contact Binding: <sip:8885554549@10.8.11.149:5062><br>>> Supported: replaces, timer<br>>> Call-ID: aa77d777bae71be6@10.8.11.149<br>>> CSeq: 100 REGISTER<br>>> Sequence Number: 100<br>>> Method: REGISTER<br>>> Expires: 3600<br>>> User-Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390<br>>> Max-Forwards: 70<br>>> Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE<br>>> Content-Length: 0<br>>> _______________________________________________________________<br>>><br>>> When Freeswitch replies back with a "401 Unauthorized" - asking for further<br>>> Auth - it replies back to port 5062 - so the packet never comes back<br>>> (pfsense is looking for a packet back on port 11521 in this case).<br>>><br>>> If I put the Static Port NAT in place - all is well, because the "Source"<br>>> port shows as "5062" - the rest of the packet looks pretty much the same.<br>>><br>>> Now, here is a packet coming from one of the other Users - this one comes<br>>> through a DD-WRT router - here we see that the Source Port is 5060 :<br>>><br>>> _________________________________________________________________<br>>> Internet Protocol, Src: 173.22.22.55 (173.22.22.55), Dst: 173.11.22.111<br>>> (173.11.22.111)<br>>> User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)<br>>> Session Initiation Protocol<br>>> Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0<br>>> Method: REGISTER<br>>> Request-URI: sip:173.11.22.111:5090<br>>> [Resent Packet: False]<br>>> Message Header<br>>> Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b<br>>> Transport: UDP<br>>> Sent-by Address: 192.168.1.137<br>>> Branch: z9hG4bK665bc67a1c64292b<br>>> From: "fax" <sip:8885554525@173.11.22.111:5090>;tag=8dc68b35111c4261<br>>> To: <sip:8156564525@173.15.28.101:5090><br>>> Contact: <sip:8885554525@192.168.1.137><br>>> Contact Binding: <sip:8885554525@192.168.1.137><br>>> Call-ID: 0e551b3c694a793c@192.168.1.137<br>>> CSeq: 503 REGISTER<br>>> Sequence Number: 503<br>>> Method: REGISTER<br>>> Expires: 3600<br>>> User-Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5<br>>> Max-Forwards: 70<br>>> Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE<br>>> Content-Length: 0<br>>> ______________________________________________________________________<br>>><br>>> Here is one more packet coming from a Comcast/SMC Router - again, the source<br>>> port is correct:<br>>><br>>> ______________________________________________________________________<br>>> Internet Protocol, Src: 98.244.55.100 (98.244.55.100), Dst: 173.11.22.111<br>>> (173.11.22.111)<br>>> User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)<br>>> Session Initiation Protocol<br>>> Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0<br>>> Message Header<br>>> Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport<br>>> Transport: UDP<br>>> Sent-by Address: 10.1.10.150<br>>> Sent-by port: 5060<br>>> Branch: z9hG4bK58981045<br>>> RPort: rport<br>>> From: <sip:8885554547@173.11.22.111:5090;user=phone>;tag=138706651<br>>> To: <sip:8885554547@173.11.22.111:5090;user=phone><br>>> Call-ID: 1035241259-5060-1@10.1.10.150<br>>> CSeq: 79875 REGISTER<br>>> Sequence Number: 79875<br>>> Method: REGISTER<br>>> Contact:<br>>> <sip:8885554547@10.1.10.150:5060;user=phone>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B821F9A84>"<br>>> Contact Binding:<br>>> <sip:8885554547@10.1.10.150:5060;user=phone>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B821F9A84>"<br>>> Max-Forwards: 70<br>>> User-Agent: Grandstream HT-503 V1.1B 1.0.1.63<br>>> Supported: path<br>>> Expires: 300<br>>> Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER,<br>>> UPDATE<br>>> Content-Length: 0<br>>> ___________________________________________________________<br>>><br>>> So, here are my questions:<br>>><br>>> - Why is the Sofia Status so much different for the registration coming<br>>> through the pfSense firewall. It looks like it doesn't get tagged as being<br>>> NAT'd and the "Contact" info is much less.<br>>><br>>> - Do most modern routers automatically Static Port NAT any SIP traffic? Both<br>>> DD-WRT and SMC routers appear to be doing this - and not just on a simple<br>>> Port bases (UDP 5060 only), because one of these examples is on 5062. Are<br>>> these "SIP aware" firewalls that are doing this automatically, as the IPCOP<br>>> did before?<br>>><br>>> - Is the extra "Contact" data in the last packet example different because<br>>> it is a different UA (HT-503 rather than an HT-287)<br>>><br>>> - Is Freeswitch not flagging the registration from my office (User4) as<br>>> being NAT'd because it is coming in on the same subnet as the interface<br>>> Freeswitch received the packet on (Freeswitch is at 173.11.22.111 and<br>>> pfsense is at 173.11.22.99)?<br>>><br>>> Sorry for this terribly long posting - I'm just very curious to understand<br>>> what is going on here, now that I have collected all this information.<br>>><br>>> Thanks,<br>>><br>>> Dave<br>>><br>>><br>>><br>><br>> --<br>> Sent from my mobile device<br>><br>> ======================<br>> Tony Graziano, Manager<br>> Telephone: 434.984.8430<br>> sip: tgraziano@voice.myitdepartment.net<br>> Fax: 434.984.8431<br>><br>> Email: tgraziano@myitdepartment.net<br>><br>> LAN/Telephony/Security and Control Systems Helpdesk:<br>> Telephone: 434.984.8426<br>> sip: helpdesk@voice.myitdepartment.net<br>> Fax: 434.984.8427<br>><br>> Helpdesk Contract Customers:<br>> http://www.myitdepartment.net/gethelp/<br>><br>> Why do mathematicians always confuse Halloween and Christmas?<br>> Because 31 Oct = 25 Dec.<br>><br><br><br><br>-- <br>======================<br>Tony Graziano, Manager<br>Telephone: 434.984.8430<br>sip: tgraziano@voice.myitdepartment.net<br>Fax: 434.984.8431<br><br>Email: tgraziano@myitdepartment.net<br><br>LAN/Telephony/Security and Control Systems Helpdesk:<br>Telephone: 434.984.8426<br>sip: helpdesk@voice.myitdepartment.net<br>Fax: 434.984.8427<br><br>Helpdesk Contract Customers:<br>http://www.myitdepartment.net/gethelp/<br><br>Why do mathematicians always confuse Halloween and Christmas?<br>Because 31 Oct = 25 Dec.<br><br>_______________________________________________<br>FreeSWITCH-users mailing list<br>FreeSWITCH-users@lists.freeswitch.org<br>http://lists.freeswitch.org/mailman/listinfo/freeswitch-users<br>UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users<br>http://www.freeswitch.org<br></div></body></html>