I have a problem with Shorewall, Asterisk and X-Lite (a SIP soft phone). I have found the problem and how to correct for it but want to know if there is an easier way.

My Shorewall 3.0.0 has 4 interfaces with 6 zones (fw, net, loc, wifi, vpn, dmz). I masq all my zones/nics through x.x.x.65. My asterisk (x.x.x.69) is in my dmz with proxy arp. The issue is that when I am in my loc my X-Lite tells my Asterisk server that I have a nat between me and my asterisk and that my ip is x.x.x.65. I discovered this through a packet dump.

Is it possible to somehow masq again my networks to my dmz? If there is no other fix just tell me. I will try any suggestion. I will even write docs on whatever works. (I'm on break finally)

Attached is my Shorewall dump if needed.

Thank you all for this wonderful software, it's awesome and I haven't used anything else for 2 years.

Todd Johnson
On Friday 30 December 2005 14:28, Todd Johnson wrote:
> Attached is my Shorewall dump if needed.

I don't see the attachment.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Friday 30 December 2005 14:28, Todd Johnson wrote:
>> Attached is my Shorewall dump if needed.
>
> I don't see the attachment.
>
> -Tom

It's pending approval, I just sent it. It was 64k.

Todd
Todd Johnson wrote:
> Tom Eastep wrote:
>> On Friday 30 December 2005 14:28, Todd Johnson wrote:
>>> Attached is my Shorewall dump if needed.
>>
>> I don't see the attachment.
>>
>> -Tom
>
> It's pending approval, I just sent it. It was 64k.
> Todd

Got it gzipped down to 8k.
On Friday 30 December 2005 14:28, Todd Johnson wrote:
> I have a problem with Shorewall, Asterisk and X-Lite (a SIP soft phone).
> I have found the problem and how to correct for it but want to know if
> there is an easier way.
>
> My Shorewall 3.0.0 has 4 interfaces with 6 zones (fw, net, loc, wifi,
> vpn, dmz). I masq all my zones/nics through x.x.x.65. My
> asterisk (x.x.x.69) is in my dmz with proxy arp. The issue is that when
> I am in my loc my X-Lite tells my Asterisk server that I have a nat
> between me and my asterisk and that my ip is x.x.x.65. I discovered
> this through a packet dump.
>
> Is it possible to somehow masq again my networks to my dmz? If there is
> no other fix just tell me. I will try any suggestion. I will even
> write docs on whatever works. (I'm on break finally)

It is idiotic to masquerade systems that have public IP addresses already.
DON'T MASQUERADE YOUR DMZ!

-Tom
Tom Eastep wrote:
> On Friday 30 December 2005 14:28, Todd Johnson wrote:
>> I have a problem with Shorewall, Asterisk and X-Lite (a SIP soft phone).
>> I have found the problem and how to correct for it but want to know if
>> there is an easier way.
>>
>> My Shorewall 3.0.0 has 4 interfaces with 6 zones (fw, net, loc, wifi,
>> vpn, dmz). I masq all my zones/nics through x.x.x.65. My
>> asterisk (x.x.x.69) is in my dmz with proxy arp. The issue is that when
>> I am in my loc my X-Lite tells my Asterisk server that I have a nat
>> between me and my asterisk and that my ip is x.x.x.65. I discovered
>> this through a packet dump.
>>
>> Is it possible to somehow masq again my networks to my dmz? If there is
>> no other fix just tell me. I will try any suggestion. I will even
>> write docs on whatever works. (I'm on break finally)
>
> It is idiotic to masquerade systems that have public IP addresses already.
> DON'T MASQUERADE YOUR DMZ!
>
> -Tom

With my SIP soft phone on my private network trying to communicate with the proxy arp asterisk server, the soft phone gives the asterisk server the public masqed ip. But that connection is not masqed. It is trying to respond to the non masqed ip. If in theory the proxy arp is supposed to make the server appear on the public network, then would the client behind another private network on that same firewall have a masqed connection to that server? I might just be totally wrong and stupid. Just tell me if I am. I suck at ascii art so I attached a pic.

Here is a tethereal snip of the client trying to register.

34.499673 192.168.0.243 -> 69.220.214.69 SIP Request: REGISTER sip:69.220.214.69
34.500381 69.220.214.69 -> 69.220.214.65 SIP Status: 100 Trying (1 bindings)
34.500773 69.220.214.65 -> 69.220.214.69 ICMP Destination unreachable (Port unreachable)
34.500571 69.220.214.69 -> 69.220.214.65 SIP Status: 401 Unauthorized (1 bindings)
34.501036 69.220.214.65 -> 69.220.214.69 ICMP Destination unreachable (Port unreachable)
On Friday 30 December 2005 16:41, Todd Johnson wrote:
> Tom Eastep wrote:
>> On Friday 30 December 2005 14:28, Todd Johnson wrote:
>>> I have a problem with Shorewall, Asterisk and X-Lite (a SIP soft phone).
>>> I have found the problem and how to correct for it but want to know if
>>> there is an easier way.
>>>
>>> My Shorewall 3.0.0 has 4 interfaces with 6 zones (fw, net, loc, wifi,
>>> vpn, dmz). I masq all my zones/nics through x.x.x.65. My
>>> asterisk (x.x.x.69) is in my dmz with proxy arp. The issue is that when
>>> I am in my loc my X-Lite tells my Asterisk server that I have a nat
>>> between me and my asterisk and that my ip is x.x.x.65. I discovered
>>> this through a packet dump.
>>>
>>> Is it possible to somehow masq again my networks to my dmz? If there is
>>> no other fix just tell me. I will try any suggestion. I will even
>>> write docs on whatever works. (I'm on break finally)
>>
>> It is idiotic to masquerade systems that have public IP addresses already.
>> DON'T MASQUERADE YOUR DMZ!
>>
>> -Tom
>
> With my SIP soft phone on my private network trying to communicate with
> the proxy arp asterisk server, the soft phone gives the asterisk server
> the public masqed ip. But that connection is not masqed. It is trying
> to respond to the non masqed ip. If in theory the proxy arp is supposed
> to make the server appear on the public network, then would the client
> behind another private network on that same firewall have a masqed
> connection to that server? I might just be totally wrong and stupid.
> Just tell me if I am. I suck at ascii art so I attached a pic.
>
> Here is a tethereal snip of the client trying to register.
>
> 34.499673 192.168.0.243 -> 69.220.214.69 SIP Request: REGISTER sip:69.220.214.69
> 34.500381 69.220.214.69 -> 69.220.214.65 SIP Status: 100 Trying (1 bindings)
> 34.500773 69.220.214.65 -> 69.220.214.69 ICMP Destination unreachable (Port unreachable)
> 34.500571 69.220.214.69 -> 69.220.214.65 SIP Status: 401 Unauthorized (1 bindings)
> 34.501036 69.220.214.65 -> 69.220.214.69 ICMP Destination unreachable (Port unreachable)

Please do as I asked then re-test. The way that you have this set up, any connection from your DMZ to the Internet is masqueraded (actually, they are SNATed to 69.220.214.65) -- I believe that is your core problem.

-Tom
Tom Eastep wrote:
> On Friday 30 December 2005 16:41, Todd Johnson wrote:
>> Tom Eastep wrote:
>>> On Friday 30 December 2005 14:28, Todd Johnson wrote:
>>>> I have a problem with Shorewall, Asterisk and X-Lite (a SIP soft phone).
>>>> I have found the problem and how to correct for it but want to know if
>>>> there is an easier way.
>>>>
>>>> My Shorewall 3.0.0 has 4 interfaces with 6 zones (fw, net, loc, wifi,
>>>> vpn, dmz). I masq all my zones/nics through x.x.x.65. My
>>>> asterisk (x.x.x.69) is in my dmz with proxy arp. The issue is that when
>>>> I am in my loc my X-Lite tells my Asterisk server that I have a nat
>>>> between me and my asterisk and that my ip is x.x.x.65. I discovered
>>>> this through a packet dump.
>>>>
>>>> Is it possible to somehow masq again my networks to my dmz? If there is
>>>> no other fix just tell me. I will try any suggestion. I will even
>>>> write docs on whatever works. (I'm on break finally)
>>>
>>> It is idiotic to masquerade systems that have public IP addresses already.
>>> DON'T MASQUERADE YOUR DMZ!
>>>
>>> -Tom
>>
>> With my SIP soft phone on my private network trying to communicate with
>> the proxy arp asterisk server, the soft phone gives the asterisk server
>> the public masqed ip. But that connection is not masqed. It is trying
>> to respond to the non masqed ip. If in theory the proxy arp is supposed
>> to make the server appear on the public network, then would the client
>> behind another private network on that same firewall have a masqed
>> connection to that server? I might just be totally wrong and stupid.
>> Just tell me if I am. I suck at ascii art so I attached a pic.
>>
>> Here is a tethereal snip of the client trying to register.
>>
>> 34.499673 192.168.0.243 -> 69.220.214.69 SIP Request: REGISTER sip:69.220.214.69
>> 34.500381 69.220.214.69 -> 69.220.214.65 SIP Status: 100 Trying (1 bindings)
>> 34.500773 69.220.214.65 -> 69.220.214.69 ICMP Destination unreachable (Port unreachable)
>> 34.500571 69.220.214.69 -> 69.220.214.65 SIP Status: 401 Unauthorized (1 bindings)
>> 34.501036 69.220.214.65 -> 69.220.214.69 ICMP Destination unreachable (Port unreachable)
>
> Please do as I asked then re-test. The way that you have this set up, any
> connection from your DMZ to the Internet is masqueraded (actually, they are
> SNATed to 69.220.214.65) -- I believe that is your core problem.
>
> -Tom

The client still thinks it is behind a nat. If I add the line "eth3 eth1 69.220.214.65" to my masq it works. Is this a fix that would work and not screw up shorewall? I believe that this problem is because of its STUN.

Todd
On Friday 30 December 2005 18:51, Todd Johnson wrote:
> The client still thinks it is behind a nat. If I add the line "eth3
> eth1 69.220.214.65" to my masq it works. Is this a fix that would work
> and not screw up shorewall? I believe that this problem is because of
> its STUN.

It won't "screw up shorewall" -- it is just an idiotic hack that negates the advantage of multiple public IP addresses.

-Tom
On Friday 30 December 2005 19:27, Tom Eastep wrote:
> On Friday 30 December 2005 18:51, Todd Johnson wrote:
>> The client still thinks it is behind a nat. If I add the line "eth3
>> eth1 69.220.214.65" to my masq it works. Is this a fix that would work
>> and not screw up shorewall? I believe that this problem is because of
>> its STUN.
>
> It won't "screw up shorewall" -- it is just an idiotic hack that negates
> the advantage of multiple public IP addresses.

The least that you can do is to only SNAT the asterisk server -- your other servers shouldn't pay the penalty for your hack.

-Tom
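The narrowed masq entry Tom is asking for, written out as an added example that is not from the thread or from the Shorewall project. It assumes eth3 is the interface the SIP client sits behind and eth1 is the DMZ interface (the thread never names the interface roles), and it uses the same three-column /etc/shorewall/masq layout as the hack line itself.

```text
# /etc/shorewall/masq  (Shorewall 3.0 column layout, as in the hack line above)
#INTERFACE   SUBNET            ADDRESS
#
# The hack as posted: every host reached through eth1 (assumed DMZ interface)
# is SNATed to 69.220.214.65 when its traffic leaves via eth3 (assumed loc-side
# interface), so every DMZ server loses its own public address toward loc.
#eth3        eth1              69.220.214.65
#
# Narrowed to the Asterisk box only: the other DMZ servers keep their public
# addresses, and only traffic sourced from 69.220.214.69 toward eth3 is
# rewritten to 69.220.214.65, the address the soft phone already reports.
eth3         69.220.214.69     69.220.214.65
```

After editing, `shorewall restart` applies the change and `shorewall show nat` lists the resulting POSTROUTING rule, so you can confirm that only the single host matches.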