Hello All,

I'm using Shorewall 4.4.6 on Ubuntu 10.04. My internet connection (pppoe) is ppp0 with a /29 network size (222.x.y.72, first IP).

My /etc/shorewall/masq file is:

    ###############################################################################
    #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
    ppp0 eth1
    ppp0 eth2
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

In my /etc/shorewall/rules, I have this rule:

    ACCEPT loc:$VOIPGW net all
    DNAT net:$JP voip:$VOIPGW:5060 udp 5060 - 222.x.y.75

My problem is: when I make a call, I do not hear the voice on the other side of the line, but the other person hears me. The tcpdump log is:

    16:08:02.020241 IP 192.168.168.10.10780 > pw126245036149.5.tik.panda-world.ne.jp.16384: UDP, length 52
    16:08:02.060239 IP 192.168.168.10.10780 > pw126245036149.5.tik.panda-world.ne.jp.16384: UDP, length 52
    16:08:02.100251 IP 192.168.168.10.10780 > pw126245036149.5.tik.panda-world.ne.jp.16384: UDP, length 52
    16:08:02.140236 IP 192.168.168.10.10780 > pw126245036149.5.tik.panda-world.ne.jp.16384: UDP, length 52
    16:08:02.180240 IP 192.168.168.10.10780 > pw126245036149.5.tik.panda-world.ne.jp.16384: UDP, length 52
    16:08:02.220236 IP 192.168.168.10.10780 > pw126245036149.5.tik.panda-world.ne.jp.16384: UDP, length 52

and

    16:08:02.501975 IP pw126245036149.5.tik.panda-world.ne.jp > 192.168.168.10: ICMP pw126245036149.5.tik.panda-world.ne.jp udp port 16384 unreachable, length 36
    16:08:02.517805 IP pw126245036149.5.tik.panda-world.ne.jp > 192.168.168.10: ICMP pw126245036149.5.tik.panda-world.ne.jp udp port 16384 unreachable, length 36
    16:08:02.537948 IP pw126245036149.5.tik.panda-world.ne.jp > 192.168.168.10: ICMP pw126245036149.5.tik.panda-world.ne.jp udp port 16384 unreachable, length 36

So... where am I wrong? Can you help me?

Thanks a lot.
Watanabe Anderson

------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using Dell EqualLogic storage and VMware View: A highly scalable, end-to-end client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev
This is most likely a problem with the SIP protocol and NAT. SIP has a lot of problems with NAT. Are you able to use the IAX2 protocol for VoIP trunking rather than SIP? Either that or you may need to set up a static NAT that will translate all external UDP ports to a single local IP on which the VoIP endpoint is installed.

Regards,
T

Watanabe Anderson <wataankaol@gmail.com> wrote:
> My problem is: When I make a call, I did not hear the voice on the other side of the line, but the other person hears me.
> [...]
On 11/15/2010 10:41 AM, Watanabe Anderson wrote:
> My /etc/shorewall/masq file is:
> ###############################################################################
> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> ppp0 eth1
> ppp0 eth2
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> At my /etc/shorewall/rules, I have this rule:
> ACCEPT loc:$VOIPGW net all
> DNAT net:$JP voip:$VOIPGW:5060 udp 5060 - 222.x.y.75
>

I presume that you have a VoIP server in your local LAN??? Where is your RTP config? Depending on your VoIP server's RTP config, you also have to declare these ports to Shorewall. If your RTP range is 10000-10100:

    DNAT net:$JP voip:$VOIPGW udp 10000:10100

Have a look here: /etc/asterisk/rtp.conf, or in your web PBX config.
Hello All (and Harry & Terry too),

Initially, I added the RTP rules and now they are running. Maybe I'll think about moving this VoIP server to a DMZ and doing one-to-one NAT, and after that applying rules to block unnecessary traffic.

Thanks so much!

Best regards,
Anderson.

From: Harry Lachanas
Sent: Monday, November 15, 2010 6:24 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem With VoipServer - Corrected

> [...]
> Depending on your VoIP server's RTP config, you also have to declare these ports to Shorewall. If your RTP range is 10000-10100:
> DNAT net:$JP voip:$VOIPGW udp 10000:10100
> Have a look here: /etc/asterisk/rtp.conf, or in your web PBX config.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
As Terry says, SIP gets well mangled by NAT. IIRC Asterisk can be configured to use the internal (private) address in SIP messages with external partners, and this would be my preferred option.

Secondly, you need to port forward the right traffic (port 5060 for SIP, UDP and/or TCP depending which you use; and your RTP ports).

Lastly, you really need to disable (remove/disable the module) the SIP helper in your firewall/NAT gateway. The default for modern distros is to enable this, and it will mangle your SIP traffic.

--
Simon Hobson
On 11/15/10 4:20 AM, Simon Hobson wrote:
> Lastly, you really need to disable (remove/disable the module) the
> SIP helper in your firewall/NAT gateway. The default for modern
> distros is to enable this, and it will mangle your SIP traffic.
>

There are instructions in the Shorewall FAQ for preventing Shorewall from loading those modules.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
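Putting Harry's RTP point and Simon's and Tom's SIP-helper point together, here is an added example (my own POSIX shell script, not Shorewall's code and not anything the posters wrote). It audits a Shorewall 4.4-style rules file for the gap in this thread: a DNAT for udp 5060 with no DNAT covering the RTP range. It also flags an RTP rule that lacks the ORIGINAL DEST column the 5060 rule carries, which matters on a /29 like the poster's because a DNAT without an ORIGINAL DEST grabs that port range arriving on every public address of the interface, not only 222.x.y.75. Finally it checks whether the kernel SIP helper (nf_conntrack_sip / nf_nat_sip) is loaded and whether shorewall.conf excludes it. Assumptions: the rules files, the /proc/modules excerpt and the shorewall.conf line are constructed samples; the 10000:10100 range is Harry's example, not the poster's real rtp.conf; the DONT_LOAD option is documented in shorewall.conf(5), but whether 4.4.6 honours it should be confirmed against that version's man page.

```shell
#!/bin/sh
# Added example: audit a Shorewall rules file for the one-way-audio gap
# discussed in this thread (SIP DNATed, RTP not) and check the kernel
# SIP helper. Not Shorewall's own code; all inputs below are constructed.

# audit_rtp_dnat RULESFILE RTP_LO RTP_HI
# Exit status: 0 = udp 5060 DNAT and a DNAT covering RTP_LO:RTP_HI, consistent
#              1 = udp 5060 DNAT present but nothing covers the RTP range
#              2 = RTP DNAT present but lacks the ORIGINAL DEST that the
#                  5060 rule has (so it applies to every address on ppp0)
#              3 = no udp 5060 DNAT at all
audit_rtp_dnat() {
    grep -v '^[[:space:]]*#' "$1" | awk -v lo="$2" -v hi="$3" '
        # Shorewall 4.4 rules columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
        $1 == "DNAT" && $4 == "udp" && $5 == "5060" {
            sip = 1; sip_orig = (NF >= 7 && $7 != "-")
        }
        $1 == "DNAT" && $4 == "udp" && $5 ~ /^[0-9]+:[0-9]+$/ {
            split($5, r, ":")
            if (r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) {
                rtp = 1; rtp_orig = (NF >= 7 && $7 != "-")
            }
        }
        END {
            if (!sip) exit 3
            if (!rtp) exit 1
            if (sip_orig && !rtp_orig) exit 2
            exit 0
        }'
}

# sip_helper_loaded [MODULESFILE]   (defaults to the live /proc/modules)
sip_helper_loaded() {
    grep -Eq '^nf_(conntrack|nat)_sip[[:space:]]' "${1:-/proc/modules}"
}

# sip_helper_excluded SHOREWALL_CONF
# True when a DONT_LOAD line in shorewall.conf names nf_conntrack_sip.
sip_helper_excluded() {
    grep -Eq '^DONT_LOAD=.*nf_conntrack_sip' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the rules file as posted (SIP forwarded, no RTP).
cat > "$WORK/rules.before" <<'EOF'
#ACTION  SOURCE       DEST                PROTO  DPORT  SPORT  ORIGDEST
ACCEPT   loc:$VOIPGW  net                 all
DNAT     net:$JP      voip:$VOIPGW:5060   udp    5060   -      222.x.y.75
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF

# Constructed sample: RTP rule added without an ORIGINAL DEST.
{ grep -v '^#LAST' "$WORK/rules.before"
  echo 'DNAT     net:$JP      voip:$VOIPGW        udp    10000:10100'
} > "$WORK/rules.noorig"

# Constructed sample: RTP rule pinned to the same public address as SIP.
{ grep -v '^#LAST' "$WORK/rules.before"
  echo 'DNAT     net:$JP      voip:$VOIPGW        udp    10000:10100  -  222.x.y.75'
} > "$WORK/rules.after"

# Constructed /proc/modules excerpts and a shorewall.conf DONT_LOAD line.
printf 'nf_nat_sip 12345 0 - Live 0x0000000000000000\nnf_conntrack_sip 23456 1 nf_nat_sip, Live 0x0000000000000000\n' > "$WORK/modules.loaded"
printf 'nf_conntrack_ipv4 12345 0 - Live 0x0000000000000000\n' > "$WORK/modules.clean"
printf 'DONT_LOAD="nf_conntrack_sip,nf_nat_sip"\n' > "$WORK/shorewall.conf"

for f in rules.before rules.noorig rules.after; do
    rc=0; audit_rtp_dnat "$WORK/$f" 10000 10100 || rc=$?
    echo "$f: audit status $rc"      # 1, 2, 0
done
sip_helper_loaded "$WORK/modules.loaded" && echo "SIP helper loaded in sample modules"
sip_helper_excluded "$WORK/shorewall.conf" && echo "DONT_LOAD excludes the SIP helper"
```

On the real gateway, run `audit_rtp_dnat /etc/shorewall/rules LO HI` with the range from rtp.conf, `sip_helper_loaded` with no argument to read the live /proc/modules, and then `shorewall show nat` after a restart to confirm the DNAT entries for both 5060 and the RTP range are actually in the nat table.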