[Freeswitch-users] NAT traversal questions - (long)...

David Ponzone david.ponzone at ipeva.fr
Sun Aug 29 01:15:19 PDT 2010


Dave,

quite quickly, it's obvious your FreeSWITCH is no longer able to  
detect that your HT-287 is behind NAT.
One possibility is that the rport is missing from the REGISTER.
Perhaps your pfsense is messing with it?

So to start, I would recommend you take a trace when the packet enters  
pfsense and when it goes out to your proxy, and compare them to see  
any differences.

David Ponzone  Technical Department
email: david.ponzone at ipeva.fr
tel:      01 74 03 18 97
gsm:   06 66 98 76 34

IPeva Customer Service
tel:      0811 46 26 26
www.ipeva.fr  -   www.ipeva-studio.com

This message and all attachments are confidential and intended solely
for the use of their addressees. Any unauthorised use or distribution
is prohibited. Any electronic message is liable to alteration. IPeva
disclaims all liability for this message if it has been altered,
distorted or falsified. If you are not the intended recipient of this
message, please destroy it immediately and notify the sender.




On 29/08/2010 at 09:01, Dave Redmore wrote:

> Hello All,
>
> I ran into an issue today that has burned up most of my day  
> troubleshooting.  I have resolved the problem, but would really like  
> to understand what caused it, or some of the internal Freeswitch  
> plumbing that is at play so that I can learn something from all of  
> this time I have invested.
>
> I have a Freeswitch server running that acts as a proxy to an  
> account with an ITSP for doing T38 faxing.  The Freeswitch server  
> has a public IP address - there are four "users" who register simple  
> FXS ATAs to my server and it then proxies to the ITSP using the  
> "proxy_media" functionality.  It has been working very well for the  
> last 6 months or so.  I have never had to deal with any NAT  
> traversal issues - I just point the ATA to the IP to register and  
> everything is great.
>
> Here is what the four users "looked" like -
>
> User1 :  Grandstream HT-287 -> DD-WRT Router (NAT) -> Internet ->  
> Freeswitch Proxy
> User2 :  Grandstream HT-503 -> DD-WRT Router (NAT) -> Internet ->  
> Freeswitch Proxy
> User3 :  Grandstream HT-502 -> Comcast/SMC Router (NAT) -> Internet ->  
> Freeswitch Proxy
> User4 :  Grandstream HT-287 -> IPCOP 1.4.11 (NAT) -> Comcast Gateway  
> -> Freeswitch Proxy
>
> (User4 is my office, so the IPCOP firewall and the Freeswitch Proxy  
> sit on the same Comcast Gateway)
>
> As I said, this all worked perfectly without any need to "fiddle"  
> with anything on any firewalls - worked right out of the box.
>
> So, today I changed out my IPCOP firewall for a pfsense firewall -  
> and my HT-287 would no longer register.
>
> After much head-scratching, packet captures, etc. I found that I  
> needed to set up a Static Port NAT for the port the HT-287 was using  
> (5062) in order to get this to work.
>
> So, I see WHAT is happening, but I really want to know WHY it is  
> happening.
>
> Here are the gory details:
>
> The sofia status of the profile looks like this - when I have  
> the Static Port NAT in place (details changed for security):
>
> _______________________________________________________________
> Call-ID:        0e551b3c694a793c at 192.168.1.137
> User:           8885554525 at 173.11.22.111
> Contact:        "user" <sip:8885554525 at 192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060 
> >
> Agent:          Grandstream HT287 1.1.0.45 DevId 000b821203c5
> Status:         Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:17:03)
> Host:           173-11-22-111-illinois.hfc.comcastbusiness.net
> IP:             173.22.22.55
> Port:           5060
> Auth-User:      8885554525
> Auth-Realm:     173.11.22.111
> MWI-Account:    8885554525 at 173.11.22.111
>
> Call-ID:        1716488819-5062-1 at 192.168.7.150
> User:           8885554544 at 173.11.22.111
> Contact:        "user" <sip:8885554544 at 192.168.7.150:5062;user=phone;fs_nat=yes 
> ;   fs_path=sip%3A8885554544%4098.255.0.11%3A5062%3Buser%3Dphone>
> Agent:          Grandstream HT-502  V1.1B 1.0.1.63
> Status:         Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:48:35)
> Host:           173-11-22-111-illinois.hfc.comcastbusiness.net
> IP:             98.255.0.11
> Port:           5062
> Auth-User:      8885554544
> Auth-Realm:     173.11.22.111
> MWI-Account:    8885554544 at 173.11.22.111
>
> Call-ID:        090ee80e1a0ec9ed at 10.8.11.149
> User:           8885554549 at 173.11.22.111
> Contact:        "user" <sip:8885554549 at 10.8.11.149:5062>
> Agent:          Grandstream HT287 1.1.0.45 DevId 000b82127390
> Status:         Registered(UDP)(unknown) EXP(2010-08-29 02:00:42)
> Host:           173-11-22-111-illinois.hfc.comcastbusiness.net
> IP:             173.11.22.99
> Port:           5062
> Auth-User:      8885554549
> Auth-Realm:     173.11.22.111
> MWI-Account:    8885554549 at 173.11.22.111
>
> Call-ID:        1035241259-5060-1 at 10.1.10.150
> User:           8885554547 at 173.11.22.111
> Contact:        "user" <sip:8885554547 at 10.1.10.150:5060;user=phone;fs_nat=yes;fs 
>    _path=sip%3A8885554547%4098.222.55.100%3A5060%3Buser%3Dphone>
> Agent:          Grandstream HT-503  V1.1B 1.0.1.63
> Status:         Registered(UDP-NAT)(unknown) EXP(2010-08-29 00:15:09)
> Host:           173-11-22-111-illinois.hfc.comcastbusiness.net
> IP:             98.222.55.100
> Port:           5060
> Auth-User:      8885554547
> Auth-Realm:     173.11.22.111
> MWI-Account:    8885554547 at 173.11.22.111
> ___________________________________________________________
>
> The "User4" account is in red.  The "Contact" field is substantially  
> different and the "Status" indicates "Registered (UDP)", rather than  
> "Registered (UDP-NAT)" as the others.
>
> When I do a packet capture on the external NIC interface (eth0) - I  
> see the following when the HT-287 tries to register and the Static  
> Port NAT is NOT in place:
>
> ___________________________________________________________________
> Internet Protocol, Src: 173.11.22.99 (173.11.22.99), Dst:  
> 173.11.22.111 (173.11.22.111)
> User Datagram Protocol, Src Port: 11521 (11521), Dst Port: 5090 (5090)
> Session Initiation Protocol
>     Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0
>         Method: REGISTER
>         Request-URI: sip:173.11.22.111:5090
>             Request-URI Host Part: 173.11.22.111
>             Request-URI Host Port: 5090
>     Message Header
>         Via: SIP/2.0/UDP  
> 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41
>             Transport: UDP
>             Sent-by Address: 10.8.11.149
>             Sent-by port: 5062
>             Branch: z9hG4bKda48f838c8689e41
>         From: <sip:8885554549 at 173.11.22.111:5090>;tag=c8a0d452edc5ac4b
>             SIP from address: sip:8885554549 at 173.11.22.111:5090
>             SIP tag: c8a0d452edc5ac4b
>         To: <sip:8885554549 at 173.11.22.111:5090>
>         Contact: <sip:88855564549 at 10.8.11.149:5062>
>             Contact Binding: <sip:8885554549 at 10.8.11.149:5062>
>         Supported: replaces, timer
>         Call-ID: aa77d777bae71be6 at 10.8.11.149
>         CSeq: 100 REGISTER
>             Sequence Number: 100
>             Method: REGISTER
>         Expires: 3600
>         User-Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390
>         Max-Forwards: 70
>         Allow:  
> INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE
>         Content-Length: 0
> _______________________________________________________________
>
> When Freeswitch replies back with a "401 Unauthorized" - asking for  
> further Auth - it replies back to port 5062 - so the packet never  
> comes back (pfsense is looking for a packet back on port 11521 in  
> this case).
>
> If I put the Static Port NAT in place - all is well, because the  
> "Source" port shows as "5062" - the rest of the packet looks pretty  
> much the same.
>
> Now, here is a packet coming from one of the other Users - this one  
> comes through a DD-WRT router - here we see that the Source Port is  
> 5060 :
>
> _________________________________________________________________
> Internet Protocol, Src: 173.22.22.55 (173.22.22.55), Dst:  
> 173.11.22.111 (173.11.22.111)
> User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)
> Session Initiation Protocol
>     Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0
>         Method: REGISTER
>         Request-URI: sip:173.11.22.111:5090
>         [Resent Packet: False]
>     Message Header
>         Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b
>             Transport: UDP
>             Sent-by Address: 192.168.1.137
>             Branch: z9hG4bK665bc67a1c64292b
>         From: "fax" <sip: 
> 8885554525 at 173.11.22.111:5090>;tag=8dc68b35111c4261
>         To: <sip:8156564525 at 173.15.28.101:5090>
>         Contact: <sip:8885554525 at 192.168.1.137>
>             Contact Binding: <sip:8885554525 at 192.168.1.137>
>         Call-ID: 0e551b3c694a793c at 192.168.1.137
>         CSeq: 503 REGISTER
>             Sequence Number: 503
>             Method: REGISTER
>         Expires: 3600
>         User-Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5
>         Max-Forwards: 70
>         Allow:  
> INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE
>         Content-Length: 0
> ______________________________________________________________________
>
> Here is one more packet coming from a Comcast/SMC Router - again,  
> the source port is correct:
>
> ______________________________________________________________________
>  Internet Protocol, Src: 98.244.55.100 (98.244.55.100), Dst:  
> 173.11.22.111 (173.11.22.111)
> User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)
> Session Initiation Protocol
>     Request-Line: REGISTER sip:173.11.22.111:5090 SIP/2.0
>     Message Header
>         Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport
>             Transport: UDP
>             Sent-by Address: 10.1.10.150
>             Sent-by port: 5060
>             Branch: z9hG4bK58981045
>             RPort: rport
>         From: <sip: 
> 8885554547 at 173.11.22.111:5090;user=phone>;tag=138706651
>         To: <sip:8885554547 at 173.11.22.111:5090;user=phone>
>         Call-ID: 1035241259-5060-1 at 10.1.10.150
>         CSeq: 79875 REGISTER
>             Sequence Number: 79875
>             Method: REGISTER
>         Contact: <sip:8885554547 at 10.1.10.150:5060;user=phone>;reg- 
> id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B821F9A84>"
>             Contact Binding: <sip:8885554547 at 10.1.10.150:5060;user=phone 
> >;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B821F9A84 
> >"
>         Max-Forwards: 70
>         User-Agent: Grandstream HT-503  V1.1B 1.0.1.63
>         Supported: path
>         Expires: 300
>         Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY,  
> INFO, REFER, UPDATE
>         Content-Length: 0
> ___________________________________________________________
>
> So, here are my questions:
>
> - Why is the Sofia Status so much different for the registration  
> coming through the pfSense firewall?  It looks like it doesn't get  
> tagged as being NAT'd and the "Contact" info is much less.
>
> - Do most modern routers automatically Static Port NAT any SIP  
> traffic?  Both DD-WRT and SMC routers appear to be doing this - and  
> not just on a simple Port basis (UDP 5060 only), because one of  
> these examples is on 5062.  Are these "SIP aware" firewalls that are  
> doing this automatically, as the IPCOP did before?
>
> - Is the extra "Contact" data in the last packet example different  
> because it is a different UA (HT-503 rather than an HT-287)?
>
> - Is Freeswitch not flagging the registration from my office (User4)  
> as being NAT'd because it is coming in on the same subnet as the  
> interface Freeswitch received the packet on (Freeswitch is at  
> 173.11.22.111 and pfsense is at 173.11.22.99)?
>
> Sorry for this terribly long posting - I'm just very curious to  
> understand what is going on here, now that I have collected all this  
> information.
>
> Thanks,
>
> Dave
>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
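The response-routing rule behind the dropped 401 (RFC 3261 section 18.2.2 together with the rport extension of RFC 3581), as an added Python example that is not part of either message in this thread. The REGISTER snippets are constructed from the captures above; the port 11521 is the pfSense source-port mapping Dave observed, and 40123 is an assumed random mapping used only to show that rport copes with it.

```python
import re

# Constructed REGISTER requests modelled on the captures in the thread:
# User4 (pfSense, no rport), User3 (HT-503, offers rport), User1 (DD-WRT, no port in Via).
REG_NO_RPORT = (
    "REGISTER sip:173.11.22.111:5090 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41\r\n"
    "Contact: <sip:8885554549@10.8.11.149:5062>\r\n\r\n"
)
REG_RPORT = (
    "REGISTER sip:173.11.22.111:5090 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport\r\n"
    "Contact: <sip:8885554547@10.1.10.150:5060;user=phone>\r\n\r\n"
)
REG_DDWRT = (
    "REGISTER sip:173.11.22.111:5090 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b\r\n"
    "Contact: <sip:8885554525@192.168.1.137>\r\n\r\n"
)

VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([^\s;]+)((?:;[^;\s]*)*)", re.I | re.M)


def parse_via(msg):
    """Top Via of a UDP request -> (sent-by host, sent-by port, rport offered?)."""
    m = VIA_RE.search(msg)
    if m is None:
        raise ValueError("no Via header")
    host, _, port = m.group(1).partition(":")
    params = {p.partition("=")[0].lower() for p in m.group(2).split(";") if p}
    return host, int(port) if port else 5060, "rport" in params


def response_destination(msg, src_ip, src_port):
    """RFC 3261 18.2.2 / RFC 3581: a UDP response goes to the source IP the
    request arrived from, but to the Via sent-by port unless rport was offered,
    in which case the observed source port is used instead."""
    _host, via_port, has_rport = parse_via(msg)
    return src_ip, (src_port if has_rport else via_port)


def reply_reaches_sender(msg, src_ip, src_port):
    """True when the response hits the exact NAT mapping the request came out of."""
    return response_destination(msg, src_ip, src_port) == (src_ip, src_port)


if __name__ == "__main__":
    # pfSense rewrote 5062 -> 11521; the 401 is sent back to 5062 and is dropped.
    print(reply_reaches_sender(REG_NO_RPORT, "173.11.22.99", 11521))  # False
    print(reply_reaches_sender(REG_NO_RPORT, "173.11.22.99", 5062))   # True (static port NAT)
    print(reply_reaches_sender(REG_RPORT, "98.244.55.100", 40123))    # True (rport)
```

The DD-WRT case works without rport only because that router preserves source port 5060, which is also the default the Via falls back to when no port is given.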
