asterisk users - Jun 2006 - Broken firewall or brain damaged admin?

I am travelling this week and have had to buy connectivity from a hotel 
and at a couple of airports.

For the first time ever, I have had problems (twice out of four 
connections) with IAX traffic going through firewalls.

I'm almost certain I'm looking at a broken firewall, and if it's a 
commercial one that's in use by hotspot/hotel-type operations, I would 
like to follow up and see if I can figure out how to convince them to 
fix it.

In both cases I have been on a NAT connection.

In both cases I have been able trace and see the following behavior, 
identical in both:

1. My packets leave a private IP asking for a UDP connection to my home 
Asterisk server, port 4569.

2. Asterisk reports "<Unregistered>" when I do an iax2 show
registry.

3. Sniffing at my home server shows tons of traffic similar to this snippet:

21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)

I'd like to ask the list two things: first, is this indeed a broken 
firewall?  It seems like the NAT mapping that sends traffic out should 
accept the return traffic on the port it uses (4569 in this case) as its 
*source* port.

Second, and more important, anything I can do beyond beating my head 
against doltish ISP customer service reps, who in both cases told me 
that I had something broken "on my end?"

Thanks in advance.

B.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Brian Capouch wrote:
> I am travelling this week and have had to buy connectivity from a hotel 
> and at a couple of airports.
> 
> For the first time ever, I have had problems (twice out of four 
> connections) with IAX traffic going through firewalls.
> 
> I'm almost certain I'm looking at a broken firewall, and if
it's a
> commercial one that's in use by hotspot/hotel-type operations, I would 
> like to follow up and see if I can figure out how to convince them to 
> fix it.
> 
> In both cases I have been on a NAT connection.
> 
> In both cases I have been able trace and see the following behavior, 
> identical in both:
> 
> 1. My packets leave a private IP asking for a UDP connection to my home 
> Asterisk server, port 4569.
> 
> 2. Asterisk reports "<Unregistered>" when I do an iax2 show
registry.
> 
> 3. Sniffing at my home server shows tons of traffic similar to this 
> snippet:
> 
> 21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
> ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
> 21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
> ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
> 
> I'd like to ask the list two things: first, is this indeed a broken 
> firewall?  It seems like the NAT mapping that sends traffic out should 
> accept the return traffic on the port it uses (4569 in this case) as its 
> *source* port.
Probably not. If it were broken, then dns and other udp services would 
fail as well.
> Second, and more important, anything I can do beyond beating my head 
> against doltish ISP customer service reps, who in both cases told me 
> that I had something broken "on my end?"
Guess you could try changing the iax port (from 4569) to see if that 
works. If it does, there might be an access list applied somewhere that 
is blocking 4569.

A more complete/detailed sniffer trace might be helpful since the above 
snippet only shows one-way traffic and not much of the actual packet.

R.