Brian Capouch
2006-Jun-09 19:08 UTC
[Asterisk-Users] Broken firewall or brain damaged admin?
I am travelling this week and have had to buy connectivity from a hotel and at a couple of airports.

For the first time ever, I have had problems (twice out of four connections) with IAX traffic going through firewalls.

I'm almost certain I'm looking at a broken firewall, and if it's a commercial one that's in use by hotspot/hotel-type operations, I would like to follow up and see if I can figure out how to convince them to fix it.

In both cases I have been on a NAT connection.

In both cases I have been able to trace and see the following behavior, identical in both:

1. My packets leave a private IP asking for a UDP connection to my home Asterisk server, port 4569.

2. Asterisk reports "<Unregistered>" when I do an iax2 show registry.

3. Sniffing at my home server shows tons of traffic similar to this snippet:

21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)

I'd like to ask the list two things: first, is this indeed a broken firewall? It seems like the NAT mapping that sends traffic out should accept the return traffic on the port it uses (4569 in this case) as its *source* port.

Second, and more important, anything I can do beyond beating my head against doltish ISP customer service reps, who in both cases told me that I had something broken "on my end"?

Thanks in advance.

B.
Rich Adamson
2006-Jun-10 02:00 UTC
[Asterisk-Users] Broken firewall or brain damaged admin?
Brian Capouch wrote:

> I am travelling this week and have had to buy connectivity from a hotel and at a couple of airports.
>
> For the first time ever, I have had problems (twice out of four connections) with IAX traffic going through firewalls.
>
> I'm almost certain I'm looking at a broken firewall, and if it's a commercial one that's in use by hotspot/hotel-type operations, I would like to follow up and see if I can figure out how to convince them to fix it.
>
> In both cases I have been on a NAT connection.
>
> In both cases I have been able to trace and see the following behavior, identical in both:
>
> 1. My packets leave a private IP asking for a UDP connection to my home Asterisk server, port 4569.
>
> 2. Asterisk reports "<Unregistered>" when I do an iax2 show registry.
>
> 3. Sniffing at my home server shows tons of traffic similar to this snippet:
>
> 21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
> 21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
>
> I'd like to ask the list two things: first, is this indeed a broken firewall? It seems like the NAT mapping that sends traffic out should accept the return traffic on the port it uses (4569 in this case) as its *source* port.

Probably not. If it were broken, then DNS and other UDP services would fail as well.

> Second, and more important, anything I can do beyond beating my head against doltish ISP customer service reps, who in both cases told me that I had something broken "on my end"?

Guess you could try changing the IAX port (from 4569) to see if that works. If it does, there might be an access list applied somewhere that is blocking 4569.

A more complete/detailed sniffer trace might be helpful, since the above snippet only shows one-way traffic and not much of the actual packet.

R.
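As an added example that is not part of either message above: a short Python script that reads tcpdump output in the text format Brian quotes and, for each ICMP "udp port unreachable", checks whether the host that sent the ICMP is the same host whose port it reports closed. When it is, and the server had just sent UDP to that host and port, the remote gateway itself is refusing the return flow to the port it sourced from (the case in the thread, where there is no NAT state or an access list on that port); when a different host sends the ICMP, the problem is somewhere on the path instead. The capture is constructed: the two megapath lines are from the thread, the 198.51.100.7 peer, gw.example.net, 192.0.2.9 and the outbound pbx lines are made up, and "pbx" as the name tcpdump prints for the local server is an assumption.

```python
"""Classify ICMP "udp port unreachable" messages in a tcpdump text capture
taken on an Asterisk server.

Added example, not code from the thread. The capture is constructed in the
old tcpdump 3.x text format quoted in the thread; only the two megapath
lines are real, the rest are made up for illustration.
"""
import re
from collections import Counter, defaultdict

LOCAL = "pbx"      # name tcpdump prints for the local Asterisk server (assumption)
IAX_PORT = 4569    # default IAX2 port

# UDP datagram lines: "<ts> <src>.<sport> > <dst>.<dport>: udp <len>"
UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): udp (?P<len>\d+)"
)
# ICMP error lines: "<ts> <src> > <dst>: icmp: <host> udp port <port> unreachable"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: (?P<host>\S+) udp port (?P<port>\d+) unreachable"
)

# Constructed capture (see module docstring).
SAMPLE_CAPTURE = """\
21:30:37.801122 pbx.4569 > ip-66-80-112-58.chi.megapath.net.4569: udp 12
21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:38.102300 pbx.4569 > 198.51.100.7.4569: udp 12
21:30:38.140877 gw.example.net > pbx: icmp: 198.51.100.7 udp port 4569 unreachable
21:30:38.500000 192.0.2.9.40123 > pbx.4569: udp 12
"""


def analyze(capture, local=LOCAL):
    """Return one finding per (host, port) that some ICMP message reported unreachable."""
    sent_to = set()                   # (remote host, remote port) the local server sent UDP to
    unreachable = Counter()           # (reported host, port) -> number of ICMP errors
    icmp_senders = defaultdict(set)   # (reported host, port) -> hosts that sent those ICMPs

    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            key = (m["host"], int(m["port"]))
            unreachable[key] += 1
            icmp_senders[key].add(m["src"])
            continue
        m = UDP_RE.match(line)
        if m and m["src"] == local:
            sent_to.add((m["dst"], int(m["dport"])))

    findings = []
    for (host, port), count in sorted(unreachable.items()):
        self_reported = icmp_senders[(host, port)] == {host}
        we_sent = (host, port) in sent_to
        if self_reported and we_sent:
            verdict = ("peer itself reports its own UDP port closed for our reply traffic: "
                       "no NAT mapping for the return flow, or an access list on that port")
        elif we_sent:
            verdict = "a router on the path reports the peer unreachable: path problem, not the peer's NAT"
        else:
            verdict = "unreachable for traffic we never sent: unsolicited or spoofed"
        findings.append({
            "host": host, "port": port, "count": count,
            "self_reported": self_reported, "we_sent": we_sent, "verdict": verdict,
        })
    return findings


def default_port_refused_by_peer(findings, port=IAX_PORT):
    """True if any peer gateway is refusing return traffic to the default IAX port itself."""
    return any(f["self_reported"] and f["we_sent"] and f["port"] == port for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_CAPTURE)
    for f in results:
        print(f"{f['host']}:{f['port']} x{f['count']} -> {f['verdict']}")
    if default_port_refused_by_peer(results):
        print(f"try binding IAX to a port other than {IAX_PORT} and re-test")
```

If the script reports the peer itself refusing its own UDP/4569, Rich's cheap test applies: move IAX off 4569 (bindport in iax.conf on the server, matching port on the client) and retry from the same hotspot. If registration then works, an access list on 4569 at the gateway is the likely cause rather than a generally broken NAT, which is consistent with DNS and other UDP services still working from the same connection.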