<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Dave,<div><br></div><div>quite quickly, it's obvious your FreeSWITCH is no longer able to detect that your HT-287 is behind NAT.</div><div>One possiblity is that the rport is missing from the REGISTER.</div><div>Perhaps your pfsense is messing with it ?</div><div><br></div><div>So to start, I would recommend you take a trace when the packet enters pfsense and when it goes out to your proxy, and compare them to see any differences.</div><div><br></div><div><span class="Apple-style-span" style="font-family: 'Helvetica Neue'; font-size: 14px; "><font class="Apple-style-span" color="#1C00FF">David Ponzone </font></span><span class="Apple-style-span" style="font-family: 'Helvetica Neue'; font-size: 14px; "><font class="Apple-style-span" color="#000000" size="3"><span class="Apple-style-span" style="font-size: 12px; ">Direction Technique</span></font></span></div><div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">email: <a href="mailto:david.ponzone@ipeva.fr">david.ponzone@ipeva.fr</a></span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">tel: 01 74 03 18 97</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">gsm: 06 66 98 76 34</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><br></font></div><div><font class="Apple-style-span" color="#1C00FF" face="'Helvetica Neue'">Service Client<span class="Apple-converted-space"> </span></font><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" color="#FF0000">IP</font></font><font class="Apple-style-span" color="#1C00FF" face="'Helvetica Neue'">eva</font></div><div><font class="Apple-style-span" color="#1C00FF" face="'Helvetica Neue'"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Helvetica; "><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">tel: 0811 46 26 26</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'" size="3"><span class="Apple-style-span" style="font-size: 13px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 10px/normal Arial; color: rgb(0, 34, 243); "><span style="text-decoration: underline; "><a href="BLOCKED::http://www.ipeva.fr/">www.ipeva.fr</a></span><span style="color: rgb(101, 104, 149); "> - <span style="color: rgb(0, 34, 243); text-decoration: underline; "><a href="BLOCKED::http://www.ipeva-studio.com/">www.ipeva-studio.com</a></span></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 10px/normal Arial; color: rgb(0, 34, 243); "><span class="Apple-style-span" style="text-decoration: underline; "><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 10px/normal Arial; color: rgb(0, 34, 243); "><span class="Apple-style-span"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; text-align: justify; font: normal normal normal 10px/normal Arial; color: rgb(192, 192, 192); "><i>Ce message et toutes les pièces jointes sont confidentiels et établis à l'intention exclusive de ses destinataires. Toute utilisation ou diffusion non autorisée est interdite. Tout message électronique est susceptible d'altération. </i><b><i>IPeva</i></b><i> décline toute responsabilité au titre de ce message s'il a été altéré, déformé ou falsifié. Si vous n'êtes pas destinataire de ce message, merci de le détruire immédiatement et d'avertir l'expéditeur.</i></div><div style="text-decoration: underline; text-align: justify; "><font class="Apple-style-span" color="#C0C0C0"><i><br></i></font></div></span></div></span></font></div></span></font></div></div></span><br class="Apple-interchange-newline"></div></span><br class="Apple-interchange-newline"> </div><br><div><div>Le 29/08/2010 à 09:01, Dave Redmore a écrit :</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div><div style="font-family: 'Times New Roman'; font-size: 12pt; color: rgb(0, 0, 0); ">Hello All,<br><br>I ran into an issue today that has burned up most of my day troubleshooting. I have resolved the problem, but would really like to understand what caused it, or some of the internal Freeswitch plumbing that is at play so that I can learn something from all of this time I have invested.<br><br>I have a Freeswitch server running that acts as a proxy to an account with an ITSP for doing T38 faxing. The Freeswitch server has a public IP address - there are four "users" who register simple FXS ATAs to my server and it then proxies to the ITSP using the "proxy_media" functionality. It has been working very well for the last 6 months or so. I have never had to deal with any NAT traversal issues - I just point the ATA to the IP to register and everything is great.<br><br>Here is what the four users "looked" like -<span class="Apple-converted-space"> </span><br><br>User1 : Grandstream HT-287 -> DD-WRT Router (NAT) -> Internet -> Freeswitch Proxy<br>User2 : Grandstream HT-503 -> DD-WRT Router (NAT) -> Internet -> Freeswitch Proxy<br>User3 : Grandstream HT-502 -> Comcast/SMC Router (NAT) -> Internet -> Freeswitch Proxy<br>User4 : Grandstream HT-287 -> IPCOP 1.4.11 (NAT) -> Comcast Gateway -> Freeswitch Proxy<br><br>(User4 is my office, so the IPCOP firewall and the Freeswitch Proxy sit on the same Comcast Gateway)<br><br>As I said, this all worked perfectly without any need to "fiddle" with anything on any firewalls - worked right out of the box.<br><br>So, today I changed out my IPCOP firewall for a pfsense firewall - and my HT-287 would no longer register.<br><br>After much head-scratching, packet captures, etc. I found that I needed to set up a Static Port NAT for the port the HT-287 was using (5062) in order to get this to work. <span class="Apple-converted-space"> </span><br><br>So, I see WHAT is happening, but I really want to know WHY it is happening.<br><br>Here are the gory details:<br><br>The sofia status of the profile looks like this - when the I have the Static Port NAT in place (details changed for security):<br><br>_______________________________________________________________<br>Call-ID: <span class="Apple-converted-space"> </span><a href="mailto:0e551b3c694a793c@192.168.1.137">0e551b3c694a793c@192.168.1.137</a><br>User: <span class="Apple-converted-space"> </span><a href="mailto:8885554525@173.11.22.111">8885554525@173.11.22.111</a><br>Contact: "user" <<a href="sip:8885554525@192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060">sip:8885554525@192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060</a>><br>Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5<br>Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:17:03)<br>Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>IP: 173.22.22.55<br>Port: 5060<br>Auth-User: 8885554525<br>Auth-Realm: 173.11.22.111<br>MWI-Account: <span class="Apple-converted-space"> </span><a href="mailto:8885554525@173.11.22.111">8885554525@173.11.22.111</a><br><br>Call-ID: <span class="Apple-converted-space"> </span><a href="mailto:1716488819-5062-1@192.168.7.150">1716488819-5062-1@192.168.7.150</a><br>User: <span class="Apple-converted-space"> </span><a href="mailto:8885554544@173.11.22.111">8885554544@173.11.22.111</a><br>Contact: "user" <<a href="sip:8885554544@192.168.7.150:5062;user=phone;fs_nat=yes">sip:8885554544@192.168.7.150:5062;user=phone;fs_nat=yes</a>; fs_path=sip%3A8885554544%4098.255.0.11%3A5062%3Buser%3Dphone><br>Agent: Grandstream HT-502 V1.1B 1.0.1.63<br>Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:48:35)<br>Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>IP: 98.255.0.11<br>Port: 5062<br>Auth-User: 8885554544<br>Auth-Realm: 173.11.22.111<br>MWI-Account: <span class="Apple-converted-space"> </span><a href="mailto:8885554544@173.11.22.111">8885554544@173.11.22.111</a><br><br><span style="color: rgb(255, 0, 0); ">Call-ID: <span class="Apple-converted-space"> </span><a href="mailto:090ee80e1a0ec9ed@10.8.11.149">090ee80e1a0ec9ed@10.8.11.149</a></span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">User: <span class="Apple-converted-space"> </span><a href="mailto:8885554549@173.11.22.111">8885554549@173.11.22.111</a></span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Contact: "user" <<a href="sip:8885554549@10.8.11.149:5062">sip:8885554549@10.8.11.149:5062</a>></span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Status: Registered(UDP)(unknown) EXP(2010-08-29 02:00:42)</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Host: 173-11-22-111-illinois.hfc.comcastbusiness.net</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">IP: 173.11.22.99</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Port: 5062</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Auth-User: 8885554549</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">Auth-Realm: 173.11.22.111</span><br style="color: rgb(255, 0, 0); "><span style="color: rgb(255, 0, 0); ">MWI-Account: <span class="Apple-converted-space"> </span><a href="mailto:8885554549@173.11.22.111">8885554549@173.11.22.111</a></span><br><br>Call-ID: <span class="Apple-converted-space"> </span><a href="mailto:1035241259-5060-1@10.1.10.150">1035241259-5060-1@10.1.10.150</a><br>User: <span class="Apple-converted-space"> </span><a href="mailto:8885554547@173.11.22.111">8885554547@173.11.22.111</a><br>Contact: "user" <<a href="sip:8885554547@10.1.10.150:5060;user=phone;fs_nat=yes;fs">sip:8885554547@10.1.10.150:5060;user=phone;fs_nat=yes;fs</a> _path=sip%3A8885554547%4098.222.55.100%3A5060%3Buser%3Dphone><br>Agent: Grandstream HT-503 V1.1B 1.0.1.63<br>Status: Registered(UDP-NAT)(unknown) EXP(2010-08-29 00:15:09)<br>Host: 173-11-22-111-illinois.hfc.comcastbusiness.net<br>IP: 98.222.55.100<br>Port: 5060<br>Auth-User: 8885554547<br>Auth-Realm: 173.11.22.111<br>MWI-Account: <span class="Apple-converted-space"> </span><a href="mailto:8885554547@173.11.22.111">8885554547@173.11.22.111</a><br>___________________________________________________________<br><br>The "User4" account is in red. The "Contact" field is substantially different and the "Status" indicates "Registered (UDP)", rather than "Registered (UDP-NAT)" as the others.<br><br>When I do a packet capture on the external NIC interface (eth0) - I see the following when the HT-287 tries to register and the Static Port NAT is NOT in place:<br><br>___________________________________________________________________<br>Internet Protocol, Src: 173.11.22.99 (173.11.22.99), Dst: 173.11.22.111 (173.11.22.111)<br>User Datagram Protocol, Src Port: 11521 (11521), Dst Port: 5090 (5090)<br>Session Initiation Protocol<br> Request-Line: REGISTER<span class="Apple-converted-space"> </span><a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><span class="Apple-converted-space"> </span>SIP/2.0<br> Method: REGISTER<br> Request-URI:<span class="Apple-converted-space"> </span><a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><br> Request-URI Host Part: 173.11.22.111<br> Request-URI Host Port: 5090<br> Message Header<br> Via: SIP/2.0/UDP 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41<br> Transport: UDP<br> Sent-by Address: 10.8.11.149<br> Sent-by port: 5062<br> Branch: z9hG4bKda48f838c8689e41<br> From: <<a href="sip:8885554549@173.11.22.111:5090">sip:8885554549@173.11.22.111:5090</a>>;tag=c8a0d452edc5ac4b<br> SIP from address:<span class="Apple-converted-space"> </span><a href="sip:8885554549@173.11.22.111:5090">sip:8885554549@173.11.22.111:5090</a><br> SIP tag: c8a0d452edc5ac4b<br> To: <<a href="sip:8885554549@173.11.22.111:5090">sip:8885554549@173.11.22.111:5090</a>><br> Contact: <<a href="sip:88855564549@10.8.11.149:5062">sip:88855564549@10.8.11.149:5062</a>><br> Contact Binding: <<a href="sip:8885554549@10.8.11.149:5062">sip:8885554549@10.8.11.149:5062</a>><br> Supported: replaces, timer<br> Call-ID:<span class="Apple-converted-space"> </span><a href="mailto:aa77d777bae71be6@10.8.11.149">aa77d777bae71be6@10.8.11.149</a><br> CSeq: 100 REGISTER<br> Sequence Number: 100<br> Method: REGISTER<br> Expires: 3600<br> User-Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390<br> Max-Forwards: 70<br> Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE<br> Content-Length: 0<br>_______________________________________________________________<br><br>When Freeswitch replies back with a "401 Unauthorized" - asking for further Auth - it replies back to port 5062 - so the packet never comes back (pfsense is looking for a packet back on port 11521 in this case). <span class="Apple-converted-space"> </span><br><br>If I put the Static Port NAT in place - all is well, because the "Source" port shows as "5062" - the rest of the packet looks pretty much the same.<br><br>Now, here is a packet coming from one of the other Users - this one comes through a DD-WRT router - here we see that the Source Port is 5060 :<br><br>_________________________________________________________________<br>Internet Protocol, Src: 173.22.22.55 (173.22.22.55), Dst: 173.11.22.111 (173.11.22.111)<br>User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)<br>Session Initiation Protocol<br> Request-Line: REGISTER<span class="Apple-converted-space"> </span><a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><span class="Apple-converted-space"> </span>SIP/2.0<br> Method: REGISTER<br> Request-URI:<span class="Apple-converted-space"> </span><a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><br> [Resent Packet: False]<br> Message Header<br> Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b<br> Transport: UDP<br> Sent-by Address: 192.168.1.137<br> Branch: z9hG4bK665bc67a1c64292b<br> From: "fax" <<a href="sip:8885554525@173.11.22.111:5090">sip:8885554525@173.11.22.111:5090</a>>;tag=8dc68b35111c4261<br> To: <<a href="sip:8156564525@173.15.28.101:5090">sip:8156564525@173.15.28.101:5090</a>><br> Contact: <<a href="sip:8885554525@192.168.1.137">sip:8885554525@192.168.1.137</a>><br> Contact Binding: <<a href="sip:8885554525@192.168.1.137">sip:8885554525@192.168.1.137</a>><br> Call-ID:<span class="Apple-converted-space"> </span><a href="mailto:0e551b3c694a793c@192.168.1.137">0e551b3c694a793c@192.168.1.137</a><br> CSeq: 503 REGISTER<br> Sequence Number: 503<br> Method: REGISTER<br> Expires: 3600<br> User-Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5<br> Max-Forwards: 70<br> Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE<br> Content-Length: 0<br>______________________________________________________________________<br><br>Here is one more packet coming from a Comcast/SMC Router - again, the source port is correct:<br><br>______________________________________________________________________<br> Internet Protocol, Src: 98.244.55.100 (98.244.55.100), Dst: 173.11.22.111 (173.11.22.111)<br>User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)<br>Session Initiation Protocol<br> Request-Line: REGISTER<span class="Apple-converted-space"> </span><a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><span class="Apple-converted-space"> </span>SIP/2.0<br> Message Header<br> Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport<br> Transport: UDP<br> Sent-by Address: 10.1.10.150<br> Sent-by port: 5060<br> Branch: z9hG4bK58981045<br> RPort: rport<br> From: <<a href="sip:8885554547@173.11.22.111:5090;user=phone">sip:8885554547@173.11.22.111:5090;user=phone</a>>;tag=138706651<br> To: <<a href="sip:8885554547@173.11.22.111:5090;user=phone">sip:8885554547@173.11.22.111:5090;user=phone</a>><br> Call-ID:<span class="Apple-converted-space"> </span><a href="mailto:1035241259-5060-1@10.1.10.150">1035241259-5060-1@10.1.10.150</a><br> CSeq: 79875 REGISTER<br> Sequence Number: 79875<br> Method: REGISTER<br> Contact: <<a href="sip:8885554547@10.1.10.150:5060;user=phone">sip:8885554547@10.1.10.150:5060;user=phone</a>>;reg-id=1;+sip.instance="<<a href="urn:uuid:00000000-0000-1000-8000-000B821F9A84">urn:uuid:00000000-0000-1000-8000-000B821F9A84</a>>"<br> Contact Binding: <<a href="sip:8885554547@10.1.10.150:5060;user=phone">sip:8885554547@10.1.10.150:5060;user=phone</a>>;reg-id=1;+sip.instance="<<a href="urn:uuid:00000000-0000-1000-8000-000B821F9A84">urn:uuid:00000000-0000-1000-8000-000B821F9A84</a>>"<br> Max-Forwards: 70<br> User-Agent: Grandstream HT-503 V1.1B 1.0.1.63<br> Supported: path<br> Expires: 300<br> Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE<br> Content-Length: 0<br>___________________________________________________________<br><br>So, here are my questions:<br><br>- Why is the Sofia Status so much different for the registration coming through the pfSense firewall. It looks like it doesn't get tagged as being NAT'd and the "Contact" info is much less.<br><br>- Do most modern routers automatically Static Port NAT any SIP traffic? Both DD-WRT and SMC routers appear to be doing this - and not just on a simple Port bases (UDP 5060 only), because one of these examples is on 5062. Are these "SIP aware" firewalls that are doing this automatically, as the IPCOP did before?<br><br>- Is the extra "Contact" data in the last packet example different because it is a different UA (HT-503 rather than an HT-287)<br><br>- Is Freeswitch not flagging the registration from my office (User4) as being NAT'd because it is coming in on the same subnet as the interface Freeswitch received the packet on (Freeswitch is at 173.11.22.111 and pfsense is at 173.11.22.99)?<br><br>Sorry for this terribly long posting - I'm just very curious to understand what is going on here, now that I have collected all this information.<br><br>Thanks,<br><br>Dave<br><br> <br></div>_______________________________________________<br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br></div></span></blockquote></div><br></div></body></html>