Soren Vanggaard Jensen wrote:
> Hi Matthias,
Thank you for your help.
> It's normally quite difficult to do tracing/sniffing on the WAN side of
> a firewall. So my advice would be to dig into the SIP protocol and
> understand this instead.
> I think that your monowall closes inbound ports due to timeouts in the
> nat translation table. One solution is to do port forwarding to your
> internal SIP client. However, a lot of effort has been put into
> developing protocols to enable seamless NAT traversal. My advice is that
> you use these protocols instead.
I think that there is no timeout problem. I already did port forwarding
rules for the needed ports but that didn't help.
Now I think I found the problem. The incoming UDP packets are fragmented
and only one part gets translated to the local IP address. See here:
17:20:08.612482 ng0 @0:23 b 220.127.116.11 -> 192.168.0.100 PR udp len 20 (756) (frag 45742:736@744+) IN
17:20:08.608072 ng0 @0:23 b 18.104.22.168 -> 22.214.171.124 PR udp len 20 (143) (frag 45742:123@1480) IN
(The address 192.168.0.100 is my SIP box)
> 1) Disable any SIP related portforwarding that you've set up in your
> firewall -if any.
> 2) Enable STUN on your SIP client
> 3) Enable keep-alive packages from your SIP client
I did this all with no success... Same problem as above!
> 4) Enable "rport" on your SIP client if possible
> 5) reset the nat firewall state table (the simple way is to reboot the
> 6) Reset your SIP client to force a re-registration
> Now you should be up and running again. If not, then let me know.
So do you (or anyone else on this list) know how to handle those
fragmented packets? A simple "UDP any to any with allow fragmented" did
not resolve the problem. I already tried this. Is there an option to do
the NAT after _ALL_ fragments have been received?
Thank you for the help,
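As an added example (not part of this thread or of m0n0wall), a small Python parser for ipmon lines like the two quoted above: it groups fragments by IP id, reports which byte ranges were never logged, and flags every fragment with a non-zero offset, since only the offset-0 fragment carries the UDP header and a port-based rule or NAT entry has nothing to match on the others. The field layout `(frag id:len@offset[+])` is assumed from the quoted lines; the sample input is constructed from them.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the two ipmon lines from the mail, each rejoined onto one line.
SAMPLE_LOG = """\
17:20:08.612482 ng0 @0:23 b 220.127.116.11 -> 192.168.0.100 PR udp len 20 (756) (frag 45742:736@744+) IN
17:20:08.608072 ng0 @0:23 b 18.104.22.168 -> 22.214.171.124 PR udp len 20 (143) (frag 45742:123@1480) IN
"""
# Assumed ipmon layout of the fragment field: "(frag <ip_id>:<payload_len>@<byte_offset>[+])",
# a trailing '+' meaning more fragments follow (the MF bit is set).
FRAG_RE = re.compile(
    r"^\S+ \S+ @\S+ [bp] (?P<src>\S+) -> (?P<dst>\S+) PR \w+ len \d+ \(\d+\) "
    r"\(frag (?P<fid>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

class Fragment(NamedTuple):
    src: str
    dst: str
    frag_id: int
    length: int   # payload bytes in this fragment (IP total length minus header)
    offset: int   # byte offset of this payload within the original datagram
    more: bool    # True if further fragments follow

def parse_log(text: str) -> List[Fragment]:
    """Extract one Fragment per ipmon line that carries a 'frag' field."""
    out = []
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip())
        if m:
            out.append(Fragment(m["src"], m["dst"], int(m["fid"]), int(m["flen"]),
                                int(m["off"]), m["more"] == "+"))
    return out

def analyse(frags: List[Fragment]) -> Dict[int, dict]:
    """Per IP id: byte ranges never logged, completeness, fragments without a UDP
    header (offset > 0), and the distinct destinations one id was delivered to."""
    report = {}
    for fid in sorted({f.frag_id for f in frags}):
        group = sorted((f for f in frags if f.frag_id == fid), key=lambda f: f.offset)
        covered, gaps = 0, []
        for f in group:
            if f.offset > covered:          # bytes covered..offset were never seen
                gaps.append((covered, f.offset))
            covered = max(covered, f.offset + f.length)
        report[fid] = {
            "missing_bytes": gaps,
            "complete": not gaps and any(not f.more for f in group),
            "headerless_offsets": [f.offset for f in group if f.offset > 0],
            "destinations": sorted({f.dst for f in group}),
        }
    return report
```

Two destinations for one IP id, as in the sample, is exactly the symptom described: the translation was applied to some fragments of the datagram but not to others.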