I have four-interface Shorewall config set up. The "dmz" interface is bridged with "net" so I can assign public IP's to the servers in the DMZ.

I opted to do this rather than SNAT or ARP proxying because one of the servers runs Asterisk and SIP and NAT don't always work well together. Somehow, my firewall config is causing a one-way audio problem in Asterisk. If a person calls into the PBX, they cannot hear me speaking, but I can hear them. If I plug the Asterisk server directly into the router, bypassing the bridge, the problem goes away.

My best guess is that my Shorewall (and/or bridge) config is mangling or blocking the outgoing RTP (media) traffic. Using iperf, I've successfully tested other UDP streams from the Asterisk server using the same high-number ports used by RTP. No problems there.

Does anyone have suggestions on other types of tests I can perform? Unfortunately I don't yet have another SIP endpoint that I can try to register with and confirm whether or not my RTP traffic is arriving there.

Attached is a Shorewall dump, as requested in the support FAQ.

Jamie J. Begin wrote:

> I have four-interface Shorewall config set up. The "dmz" interface is
> bridged with "net" so I can assign public IP's to the servers in the DMZ.
> I opted to do this rather than SNAT or ARP proxying because one of the
> servers runs Asterisk and SIP and NAT don't always work well together.
> Somehow, my firewall config is causing a one-way audio problem in Asterisk.

Proxy ARP has nothing to do with NAT -- for Asterisk, proxy ARP and bridging should be equivalent.

> If a person calls into the PBX, they cannot hear me speaking, but I can
> hear them. If I plug the Asterisk server directly into the router,
> bypassing the bridge, the problem goes away.

Try specifying this:

    rmmod ip_nat_sip
    rmmod ip_conntrack_sip

In your shorewall.conf:

    DONT_LOAD=ip_nat_sip,ip_conntrack_sip

Does it work now?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Friday, May 23, 2008 8:05 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall is eating my Asterisk egress traffic
>
> Jamie J. Begin wrote:
> > I have four-interface Shorewall config set up. The "dmz" interface is
> > bridged with "net" so I can assign public IP's to the servers in the DMZ.
> > I opted to do this rather than SNAT or ARP proxying because one of the
> > servers runs Asterisk and SIP and NAT don't always work well together.
> > Somehow, my firewall config is causing a one-way audio problem in Asterisk.
>
> Proxy ARP has nothing to do with NAT -- for Asterisk, proxy ARP and
> bridging should be equivalent.
>
> > If a person calls into the PBX, they cannot hear me speaking, but I can
> > hear them. If I plug the Asterisk server directly into the router,
> > bypassing the bridge, the problem goes away.
>
> Try specifying this:
>
>     rmmod ip_nat_sip
>     rmmod ip_conntrack_sip
>
> In your shorewall.conf:
>
>     DONT_LOAD=ip_nat_sip,ip_conntrack_sip
>
> Does it work now?
>
> -Tom

Brilliant! If I'm ever out your way, I owe you at least three beers! I've been beating my head against the wall for the past two days over this.

Am I losing any functionality by nuking those modules?

Jamie J. Begin wrote:

>> -----Original Message-----
>> From: shorewall-users-bounces@lists.sourceforge.net
>> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
>> Sent: Friday, May 23, 2008 8:05 PM
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] Shorewall is eating my Asterisk egress traffic
>>
>> Jamie J. Begin wrote:
>>> I have four-interface Shorewall config set up. The "dmz" interface is
>>> bridged with "net" so I can assign public IP's to the servers in the DMZ.
>>> I opted to do this rather than SNAT or ARP proxying because one of the
>>> servers runs Asterisk and SIP and NAT don't always work well together.
>>> Somehow, my firewall config is causing a one-way audio problem in Asterisk.
>>
>> Proxy ARP has nothing to do with NAT -- for Asterisk, proxy ARP and
>> bridging should be equivalent.
>>
>>> If a person calls into the PBX, they cannot hear me speaking, but I can
>>> hear them. If I plug the Asterisk server directly into the router,
>>> bypassing the bridge, the problem goes away.
>>
>> Try specifying this:
>>
>>     rmmod ip_nat_sip
>>     rmmod ip_conntrack_sip
>>
>> In your shorewall.conf:
>>
>>     DONT_LOAD=ip_nat_sip,ip_conntrack_sip
>>
>> Does it work now?
>>
>> -Tom
>
> Brilliant! If I'm ever out your way, I owe you at least three beers! I've
> been beating my head against the wall for the past two days over this.

Should have checked the mailing list archives. This question gets asked and answered frequently.

> Am I losing any functionality by nuking those modules?

I've not heard of anyone having problems after removing those modules. Note that when you upgrade your kernel to 2.6.21 or later, the module names change to nf_conntrack_sip and nf_nat_sip.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
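
A check for the kernel-upgrade case noted above, as an added example that is not part of the original thread: it lists the SIP helper modules that are loaded under either naming and reports any that the DONT_LOAD line does not name. It assumes DONT_LOAD is matched against exact module names; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# SIP helper names before and after kernel 2.6.21, as given in the thread.
SIP_HELPERS="ip_nat_sip ip_conntrack_sip nf_nat_sip nf_conntrack_sip"

# loaded_sip_helpers [FILE]: print the SIP helpers listed in a file in
# /proc/modules format (the module name is the first field).
loaded_sip_helpers() {
    awk -v want="$SIP_HELPERS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) helper[w[i]] = 1 }
        ($1 in helper) { print $1 }
    ' "${1:-/proc/modules}"
}

# dont_load_list CONF: print the modules named by the last uncommented
# DONT_LOAD= line of a shorewall.conf, one per line.
dont_load_list() {
    sed -n 's/^[[:space:]]*DONT_LOAD=//p' "$1" | tail -n 1 |
        tr -d '"' | tr ', ' '\n\n' | sed '/^$/d'
}

# uncovered_helpers MODULES CONF: print loaded SIP helpers that DONT_LOAD
# does not name (assumption: Shorewall compares exact module names).
uncovered_helpers() {
    listed=$(dont_load_list "$2")
    for m in $(loaded_sip_helpers "$1"); do
        printf '%s\n' "$listed" | grep -qxF "$m" || printf '%s\n' "$m"
    done
}

# Constructed sample data (not from the poster's Shorewall dump): a kernel
# that uses the nf_* names with a shorewall.conf still listing the ip_* names.
demo() {
    d=$(mktemp -d)
    cat > "$d/modules" <<'EOF'
nf_nat_sip 12345 0 - Live 0x00000000
nf_conntrack_sip 23456 1 nf_nat_sip, Live 0x00000000
bridge 54321 0 - Live 0x00000000
EOF
    printf 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip\n' > "$d/shorewall.conf"
    uncovered_helpers "$d/modules" "$d/shorewall.conf"
    rm -rf "$d"
}
demo
```

On a live firewall, `uncovered_helpers /proc/modules /etc/shorewall/shorewall.conf` runs the same check, assuming the configuration file is at that path.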
Roberto C. Sánchez
2008-May-24 00:18 UTC
Re: Shorewall is eating my Asterisk egress traffic
On Fri, May 23, 2008 at 08:15:11PM -0400, Jamie J. Begin wrote:

> Brilliant! If I'm ever out your way, I owe you at least three beers! I've
> been beating my head against the wall for the past two days over this.
>
> Am I losing any functionality by nuking those modules?

Those are just the NAT helper modules, so since you are not using NAT you won't lose functionality. Of course, beating your head against the wall too severely may cause you to lose some functionality in your brain :-) Go easy on it.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Tom Eastep wrote:

> Jamie J. Begin wrote:
>> I've
>> been beating my head against the wall for the past two days over this.
>
> Should have checked the mailing list archives. This question gets asked
> and answered frequently.

This is now Shorewall FAQ 77.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key