[Freeswitch-users] MultiNAT

Kurtis Heimerl kheimerl at cs.berkeley.edu
Thu Jul 24 20:58:12 MSD 2014


To do that we'd have to move the actual VPN onto the same box as
FreeSWITCH, which is again a bad architectural concern.

Sounds like there's no way to dynamically shift the ext-rtp-ip in the
dialplan. Bummer.


On Thu, Jul 24, 2014 at 4:31 AM, Steven Ayre <steveayre at gmail.com> wrote:

> Would it be possible to eliminate the NAT at the VPN making it a normal
> router and then have the servers listen on both 198.168.*.* and X.Y.*.*?
> You could then have 2 SIP profiles with different external IPs configured
> (indeed the VPN wouldn't even need that setting).
>
>
> On 24 July 2014 01:40, Kurtis Heimerl <kheimerl at cs.berkeley.edu> wrote:
>
>> It's doable, but inelegant as I'd have to push some core configuration
>> into the NAT itself to enable it (the port forwarding).
>>
>>
>> On Wed, Jul 23, 2014 at 5:35 PM, William King <william.king at quentustech.com> wrote:
>>
>>> I'd be curious if having two profiles (each with their own external ip
>>> configurations) would be the best way to handle this. Then you can in
>>> your dialplan choose which profile to send the calls out, and the NAT
>>> would still be handled properly for that route.
>>>
>>> William King
>>> Senior Engineer
>>> Quentus Technologies, INC
>>> 1037 NE 65th St Suite 273
>>> Seattle, WA 98115
>>> Main:   (877) 211-9337
>>> Office: (206) 388-4772
>>> Cell:   (253) 686-5518
>>> william.king at quentustech.com
>>>
>>> On 07/23/2014 04:43 PM, Kurtis Heimerl wrote:
>>> > If the answer is no, the answer is no. I *think* I may be able to port
>>> > forward 5060->5090 or something in the VPN NAT to enable a new profile,
>>> > but I'm concerned about the reverse direction. Either way, it's not a
>>> > scalable solution, so I'd prefer to set the return ips in the dialplan
>>> > if able.
>>> >
>>> >
>>> > On Wed, Jul 23, 2014 at 4:29 PM, Brian West <brian at freeswitch.org
>>> > <mailto:brian at freeswitch.org>> wrote:
>>> >
>>> >     This scenario is going to be a hard one to solve due to that... let
>>> >     me think about it.
>>> >
>>> >
>>> >     On Wed, Jul 23, 2014 at 2:40 PM, Kurtis Heimerl
>>> >     <kheimerl at cs.berkeley.edu <mailto:kheimerl at cs.berkeley.edu>> wrote:
>>> >
>>> >         Hrm, this is more complicated to explain than I anticipated.
>>> >
>>> >         Basically, this is the fault of VPNs. We have one machine in our
>>> >         data center that is running a VPN connecting (X.Y.*.*) to
>>> >         carrier 1. That box is one-to-one NATing all communications to
>>> >         our (FS) VoIP server on the local subnet (192.168.*.*). So
>>> >         that's NAT 1.
>>> >
>>> >         The second NAT is for the actual public access from our VoIP
>>> >         box. This has a public IP outside the firewall (A.B.*.*) and
>>> >         NATs again to the VoIP server on the local subnet (192.168.*.*)
>>> >
>>> >         So, this one machine (192.168.*.*) is actually behind two
>>> >         separate NATs at the moment. It has some rules in the IP tables
>>> >         to route X.Y traffic to the VPN box, and otherwise route to the
>>> >         broader internet. The existing way to deal with a NAT in FS is
>>> >         the ext-rtp/sip-ip field in the profile, but that no longer
>>> >         works when we have to dynamically set these fields depending on
>>> >         which NAT they are going through.
>>> >
>>> >         Does that make sense? Even if not, here's the problem: I want to
>>> >         set ext-rtp/sip-ip dynamically in the dialplan. Is that possible?
>>> >
>>> >
>>> >         On Wed, Jul 23, 2014 at 5:40 AM, Brian West
>>> >         <brian at freeswitch.org <mailto:brian at freeswitch.org>> wrote:
>>> >
>>> >             I'm guessing both networks are behind the same nat and
>>> >             routed? Or is it two different nat'ed networks behind the
>>> >             same public IP?  If it's just two standard networks that's
>>> >             fully routed and no nat between the 192.x and the 10.x space
>>> >             then just set your local-network-acl to rfc1918.auto.
>>> >
>>> >
>>> >             On Wed, Jul 23, 2014 at 12:52 AM, Kurtis Heimerl
>>> >             <kheimerl at cs.berkeley.edu <mailto:kheimerl at cs.berkeley.edu>>
>>> >             wrote:
>>> >
>>> >                 Comments in line:
>>> >
>>> >
>>> >                 On Tue, Jul 22, 2014 at 9:22 PM, Pasha
>>> >                 <pasha at prosperity4ever.com
>>> >                 <mailto:pasha at prosperity4ever.com>> wrote:
>>> >
>>> >                     The problem with that though (if I understand your
>>> >                     scenario correctly) is that even if there was a way
>>> >                     to set external IP in freeswitch in the dial plan
>>> >                     you say that you only have 1 external IP to deal
>>> >                     with anyway, so what would you set your second IP to
>>> >                     for routing to work properly?
>>> >
>>> >                 There's only one actual IP on the box, but it's behind
>>> >                 *two* different NATs. Setting the ext-rtp/sip-ip to the
>>> >                 appropriate NAT IP works for both connections, but I
>>> >                 need to make that dynamic.
>>> >
>>> >
>>> >                     In my mind what might work for you is if you create
>>> >                     an alias to your single network controller with the
>>> >                     second IP that you need, then if you have access to
>>> >                     the firewall perform NAT so that if connection comes
>>> >                     in from external IP of vendor #1 on 5060 you forward
>>> >                     that to 5060 on internal IP 1 of your freeswitch
>>> >                     box. If call comes in on external IP of vendor #2 on
>>> >                     5060 you forward to port 5060 of your internal IP #2
>>> >                     (alias on freeswitch box)... that's for incoming...
>>> >
>>> >
>>> >                 I'm not sure I understand this. Does a FS alias allow me
>>> >                 to have multiple IPs on the same box somehow?
>>> >
>>> >
>>> >                     I apologize if I didn't fully understand your
>>> >                     scenario. I'm not even sure why you're having a
>>> >                     conflict in this case because your providers are
>>> >                     different, the only time you have an issue with
>>> >                     single external IP is if you're trying to setup a
>>> >                     second trunk to the same provider (most of them
>>> >                     won't allow more than one trunk on a single IP).
>>> >
>>> >
>>> >                 It's a relatively simple, but apparently uncommon, case,
>>> >                 I agree. My issue sounds very similar to having multiple
>>> >                 trunks to the same provider in a way, but I have
>>> >                 different external IPs for RTP and such instead.
>>> >
>>> >
>>> >                     Paul
>>> >
>>> >
>>> >                     On 14-07-22 05:28 PM, Kurtis Heimerl wrote:
>>> >>                     I can't do that unfortunately. Our providers are
>>> >>                     hitting the generic SIP Port: 5060 so that's not
>>> >>                     available. Our system behind the two NATs has only
>>> >>                     one network interface, and as such only one
>>> >>                     available public IP. So we can't just set up a new
>>> >>                     profile. I can probably hack around this in
>>> >>                     another way (port forwarding through one of the
>>> >>                     NATs to allow a second profile on the same IP) but
>>> >>                     that's pretty ugly and unsustainable going
>>> >>                     forward. I'd much prefer to simply set the
>>> >>                     expected external IP in the outbound dialplan for
>>> >>                     each provider.
>>> >>
>>> >>
>>> >>                     On Tue, Jul 22, 2014 at 5:07 PM, Russell Treleaven
>>> >>                     <rtreleaven at bunnykick.ca
>>> >>                     <mailto:rtreleaven at bunnykick.ca>> wrote:
>>> >>
>>> >>                         Either give them separate ip addresses or
>>> >>                         separate ports.
>>> >>
>>> >>
>>> >>                         Sent from my BlackBerry® PlayBook™
>>> >>                         www.blackberry.com <http://www.blackberry.com>
>>> >>
>>> >>
>>> ------------------------------------------------------------------------
>>> >>                         *From:* "Kurtis Heimerl"
>>> >>                         <kheimerl at cs.berkeley.edu
>>> >>                         <mailto:kheimerl at cs.berkeley.edu>>
>>> >>                         *To:* "FreeSWITCH Users Help"
>>> >>                         <freeswitch-users at lists.freeswitch.org
>>> >>                         <mailto:freeswitch-users at lists.freeswitch.org>>
>>> >>                         *Sent:* 22 July, 2014 8:04 PM
>>> >>                         *Subject:* Re: [Freeswitch-users] MultiNAT
>>> >>
>>> >>                         They all have to sit on the same internal IP
>>> >>                         and Port, so I don't think I can.
>>> >>
>>> >>
>>> >>                         On Tue, Jul 22, 2014 at 4:57 PM, Russell
>>> >>                         Treleaven <rtreleaven at bunnykick.ca
>>> >>                         <mailto:rtreleaven at bunnykick.ca>> wrote:
>>> >>
>>> >>                             Hi Kurtis,
>>> >>
>>> >>                             Why not make a separate profile for each
>>> >>                             provider?
>>> >>
>>> >>                             Sent from my BlackBerry® PlayBook™
>>> >>                             www.blackberry.com <http://www.blackberry.com>
>>> >>
>>> >>
>>> ------------------------------------------------------------------------
>>> >>                             *From:* "Kurtis Heimerl"
>>> >>                             <kheimerl at cs.berkeley.edu
>>> >>                             <mailto:kheimerl at cs.berkeley.edu>>
>>> >>                             *To:* "FreeSWITCH Users Help"
>>> >>                             <freeswitch-users at lists.freeswitch.org
>>> >>                             <mailto:freeswitch-users at lists.freeswitch.org>>
>>> >>                             *Sent:* 22 July, 2014 7:14 PM
>>> >>                             *Subject:* [Freeswitch-users] MultiNAT
>>> >>
>>> >>                             Hey Users,
>>> >>
>>> >>                             I have an interesting NAT setup. I'm
>>> >>                             running FS on the inside of our network as
>>> >>                             a router/proxy between some SIP phones and
>>> >>                             DID providers. However, each DID provider
>>> >>                             is behind a *different* NAT (a property of
>>> >>                             our VPN setups for them).
>>> >>
>>> >>                             For instance: DID1 is at IP 192.168.1.1
>>> >>                             and DID2 is at 10.0.0.1.
>>> >>
>>> >>                             I have calls working for each of them when
>>> >>                             I set the following in my external profile:
>>> >>
>>> >>                             <param name="ext-rtp-ip" value="10.0.0.2"/>
>>> >>                             <param name="ext-sip-ip" value="10.0.0.2"/>
>>> >>
>>> >>                             However, I need to dynamically route
>>> >>                             between *both* of them. I need a mechanism
>>> >>                             for setting ext-rtp-ip and ext-sip-ip in
>>> >>                             the dialplan itself!
>>> >>
>>> >>                             Is there a set way to do this?
>>> >>
>>> >>                             Thanks!
>>> >>
>>> >>
>>> _________________________________________________________________________
>>> >>                             Professional FreeSWITCH Consulting
>>> Services:
>>> >>                             consulting at freeswitch.org
>>> >>                             <mailto:consulting at freeswitch.org>
>>> >>                             http://www.freeswitchsolutions.com
>>> >>
>>> >>                             FreeSWITCH-powered IP PBX: The CudaTel
>>> >>                             Communication Server
>>> >>                             
>>> >>
>>> >>                             Official FreeSWITCH Sites
>>> >>                             http://www.freeswitch.org
>>> >>                             http://wiki.freeswitch.org
>>> >>                             http://www.cluecon.com
>>> >>
>>> >>                             FreeSWITCH-users mailing list
>>> >>                             FreeSWITCH-users at lists.freeswitch.org
>>> >>                             <mailto:
>>> FreeSWITCH-users at lists.freeswitch.org>
>>> >>
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> >>                             UNSUBSCRIBE:
>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> >>                             http://www.freeswitch.org
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> >
>>> >             --
>>> >
>>> >             */Brian West/*
>>> >             brian at freeswitch.org <mailto:brian at freeswitch.org>
>>> >
>>> >
>>> >             */Twitter: @FreeSWITCH , @briankwest/*
>>> >             http://www.freeswitchbook.com
>>> >             http://www.freeswitchcookbook.com
>>> >
>>> >             *T:*+19184209001 <tel:%2B19184209001> | *F:*+19184209002
>>> >             <tel:%2B19184209002> | *M:*+1918424WEST (9378)
>>> >             *iNUM:*+883 5100 1420 9001 <tel:%2B883%205100%201420%209001>
>>> >             | *ISN:*410*543 | *Skype:*briankwest
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >     --
>>> >
>>> >     */Brian West/*
>>> >     brian at freeswitch.org <mailto:brian at freeswitch.org>
>>> >
>>> >
>>> >     */Twitter: @FreeSWITCH , @briankwest/*
>>> >     http://www.freeswitchbook.com
>>> >     http://www.freeswitchcookbook.com
>>> >
>>> >     *T:*+19184209001 <tel:%2B19184209001> | *F:*+19184209002
>>> >     <tel:%2B19184209002> | *M:*+1918424WEST (9378)
>>> >     *iNUM:*+883 5100 1420 9001 <tel:%2B883%205100%201420%209001>
>>> >     | *ISN:*410*543 | *Skype:*briankwest
>>> >
>>> >
>>> >
>
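
The two-profile approach suggested in the thread (one SIP profile per NAT path, with the dialplan choosing the path by choosing the gateway), sketched as FreeSWITCH configuration. This is an added example, not configuration posted by anyone on the list. The profile, gateway and ACL names, port 5090 as the forwarded port, the dial prefixes and all addresses (documentation ranges standing in for the elided VPN-side and public NAT addresses) are assumptions.

```xml
<!-- Added example. Every name, port and address below is a constructed
     placeholder; 198.51.100.0/24 and 203.0.113.0/24 are documentation
     ranges standing in for the VPN-side and public NAT addresses. -->

<!-- sip_profiles/carrier_vpn.xml: traffic that crosses the VPN NAT -->
<profile name="carrier_vpn">
  <gateways>
    <gateway name="did1">
      <param name="proxy" value="198.51.100.20"/>
      <param name="register" value="false"/>
    </gateway>
  </gateways>
  <settings>
    <param name="context" value="public"/>
    <param name="sip-ip" value="192.168.1.10"/>
    <param name="rtp-ip" value="192.168.1.10"/>
    <!-- Second listener on the same interface; the VPN NAT forwards 5060 to 5090 -->
    <param name="sip-port" value="5090"/>
    <!-- Address carrier 1 sees for this box -->
    <param name="ext-sip-ip" value="198.51.100.10"/>
    <param name="ext-rtp-ip" value="198.51.100.10"/>
    <!-- Admit only carrier 1 on this listener (list defined below) -->
    <param name="apply-inbound-acl" value="carrier1_only"/>
  </settings>
</profile>

<!-- sip_profiles/carrier_public.xml: traffic that crosses the public NAT -->
<profile name="carrier_public">
  <gateways>
    <gateway name="did2">
      <param name="proxy" value="203.0.113.20"/>
      <param name="register" value="false"/>
    </gateway>
  </gateways>
  <settings>
    <param name="context" value="public"/>
    <param name="sip-ip" value="192.168.1.10"/>
    <param name="rtp-ip" value="192.168.1.10"/>
    <param name="sip-port" value="5060"/>
    <!-- Public address outside the firewall -->
    <param name="ext-sip-ip" value="203.0.113.10"/>
    <param name="ext-rtp-ip" value="203.0.113.10"/>
  </settings>
</profile>

<!-- autoload_configs/acl.conf.xml, inside <network-lists> -->
<list name="carrier1_only" default="deny">
  <node type="allow" cidr="198.51.100.20/32"/>
</list>

<!-- dialplan/default: a gateway belongs to the profile that defines it, so
     picking the gateway also picks that profile's ext-sip-ip / ext-rtp-ip -->
<extension name="out_via_did1">
  <condition field="destination_number" expression="^81(\d+)$">
    <action application="bridge" data="sofia/gateway/did1/$1"/>
  </condition>
</extension>
<extension name="out_via_did2">
  <condition field="destination_number" expression="^82(\d+)$">
    <action application="bridge" data="sofia/gateway/did2/$1"/>
  </condition>
</extension>
```

Requests sent from carrier_vpn advertise the profile's own port (5090 here), so check that the carrier's responses and in-dialog requests are covered by the NAT's forwarding rule.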