Soren Vanggaard Jensen wrote:
> Hi Matthias,

Hello Soren,

thank you for your help.

> It's normally quite difficult to do tracing/sniffing on the WAN side of
> a firewall. So my advice would be to dig into the SIP protocol and
> understand this instead.
>
> I think that your monowall closes inbound ports due to timeouts in the
> nat translation table. One solution is to do port forwarding to your
> internal SIP client. However, a lot of effort has been put into
> developing protocols to enable seamless NAT traversal. My advice is that
> you use these protocols instead.

I think that there is no timeout problem. I already did port forwarding rules for the needed ports but that didn't help.

Now I think I found the problem. The incoming UDP packets are fragmented and only one part gets translated to the local IP address. See here:

17:20:08.612482 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (756) (frag 45742:736@744+) IN
17:20:08.608072 ng0 @0:23 b 212.227.15.197 -> 84.156.3.228 PR udp len 20 (143) (frag 45742:123@1480) IN

(The address 192.168.0.100 is my SIP box)

> 1) Disable any SIP related portforwarding that you've set up in your
> firewall -if any.
> 2) Enable STUN on your SIP client
> 3) Enable keep-alive packages from your SIP client

I did this all with no success... Same problem as above!

> 4) Enable "rport" on your SIP client if possible
> 5) reset the nat firewall state table (the simple way is to reboot the
> firewall)
> 6) Reset your SIP client to force a re-registration
>
> Now you should be up and running again. If not, then let me know.

So do you (or anyone else on this list) know how to handle those fragmented packets? A simple "UDP any to any with allow fragmented" did not resolve the problem. I already tried this. Is there an option to do the NAT after _ALL_ fragments have been received?
Thank you for the help,
Matthias
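The symptom Matthias describes (fragments of one UDP datagram leaving the firewall with different destination addresses) can be spotted mechanically in the ipmon log. The script below is an added example, not part of the original mail or of m0n0wall: it parses the quoted log lines (the field layout is assumed from those two lines), groups fragments by source address and IP identification, and flags any group whose fragments were not all translated to the same destination. The second fragment pair (id 45743) is constructed as a consistently translated control case.

```python
import re
from collections import defaultdict

# Assumed layout of the ipmon lines quoted in the mail:
# time iface @group:rule action src -> dst PR proto len hdrlen (total) [(frag id:len@offset[+])] direction
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) len (?P<hlen>\d+) \((?P<total>\d+)\)"
    r"(?: \(frag (?P<frag_id>\d+):(?P<frag_len>\d+)@(?P<frag_off>\d+)(?P<more>\+?)\))?"
    r" (?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("hlen", "total", "frag_id", "frag_len", "frag_off"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["more"] = rec["more"] == "+"   # '+' means "more fragments follow"
    return rec

def find_split_translations(lines):
    """Group fragments by (src, IP id) and report groups whose fragments were
    sent to different destinations, i.e. NAT rewrote only part of a datagram."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["frag_id"] is not None:
            groups[(rec["src"], rec["frag_id"])].append(rec)
    findings = []
    for (src, frag_id), frags in sorted(groups.items()):
        dsts = sorted({f["dst"] for f in frags})
        if len(dsts) > 1:
            findings.append({"src": src, "frag_id": frag_id, "dsts": dsts,
                             "offsets": sorted(f["frag_off"] for f in frags)})
    return findings

# The two blocked fragments quoted in the mail, plus a constructed pair (id 45743)
# whose fragments were both translated consistently, so only id 45742 is flagged.
SAMPLE_LOG = [
    "17:20:08.612482 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (756) (frag 45742:736@744+) IN",
    "17:20:08.608072 ng0 @0:23 b 212.227.15.197 -> 84.156.3.228 PR udp len 20 (143) (frag 45742:123@1480) IN",
    "17:20:09.001000 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (756) (frag 45743:736@744+) IN",
    "17:20:09.002000 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (143) (frag 45743:123@1480) IN",
]

if __name__ == "__main__":
    for f in find_split_translations(SAMPLE_LOG):
        print(f"IP id {f['frag_id']} from {f['src']}: fragments at offsets {f['offsets']} "
              f"went to {f['dsts']} (inconsistent NAT translation)")
```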