 
 From:  Alex Neuman van der Hans <alex at nkpanama dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] SIP Problem
 Date:  Wed, 01 Mar 2006 22:01:32 -0500
How about reducing the MTU across the board?

Matthias Kessler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Soren Vanggaard Jensen schrieb:
>   
>> Hi Matthias,
>>     
>
> Hello Soren,
>
> thank you for your help.
>
>   
>> It's normally quite difficult to do tracing/sniffing on the WAN side of
>> a firewall. So my advice would be to dig into the SIP protocol and
>> understand this instead.
>>
>> I think that your monowall closes inbound ports due to timeouts in the
>> nat translation table. One solution is to do port forwarding to your
>> internal SIP client. However, a lot of effort has been put into
>> developing protocols to enable seamless NAT traversal. My advice is that
>> you use these protocols instead.
>>     
>
> I think that there is no timeout problem. I already did port forwarding
> rules for the needed ports but that didn't help.
>
> Now I think I found the problem. The incoming UDP packets are fragmented
> and only one part gets translated to the local IP address. See here:
>
> 17:20:08.612482 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (756) (frag 45742:736@744+) IN
>
> 17:20:08.608072 ng0 @0:23 b 212.227.15.197 -> 84.156.3.228 PR udp len 20 (143) (frag 45742:123@1480) IN
>
> (The address 192.168.0.100 is my SIP box)
>
>   
>> 1) Disable any SIP related portforwarding that you've set up in your
>> firewall -if any.
>> 2) Enable STUN on your SIP client
>> 3) Enable keep-alive packets from your SIP client
>>     
>
> I did this all with no success... Same problem as above!
>
>   
>> 4) Enable "rport" on your SIP client if possible
>> 5) reset the nat firewall state table (the simple way is to reboot the
>> firewall)
>> 6) Reset your SIP client to force a re-registration
>>
>> Now you should be up and running again. If not, then let me know.
>>     
>
> So do you (or anyone else on this list) know how to handle those
> fragmented packets? A simple "UDP any to any with allow fragmented" did
> not resolve the problem. I already tried this. Is there an option to do
> the NAT after _ALL_ fragments have been received?
>
> Thank you for the help,
> Matthias
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: GnuPT 2.5.5 by EQUIPMENTE.DE
>
> iD8DBQFEBiTNWAMWRD/YSL0RAg9TAKCUGopbp6pqHNAcC4Vq84qvNg9QnwCdH2ZB
> /8Uuac6adO72+8qxvV7vc2k=
> =DOZ0
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>   

-- 

Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
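
Added example (not code from this thread, from m0n0wall or from ipfilter): a small Python script that reads ipmon-style log lines like the two Matthias quoted, groups fragments by source address and IP identification, and reports a datagram whose fragments were delivered to different destination addresses, which is the "only one part gets translated" symptom above. The log format is inferred from those two lines, and the first fragment (offset 0) is a constructed assumption, since the post does not show it; the field names are my own.

```python
"""Spot IP fragments of one UDP datagram that a NAT delivered to different hosts.

Added example, not code from the m0n0wall list, m0n0wall or ipfilter. The
line format is inferred from the two ipmon lines quoted in the thread; the
first fragment in SAMPLE_LOG is constructed, as the post does not show it.
"""
import re
from collections import defaultdict

# Assumed ipmon layout: time iface @rule action src -> dst PR proto len hlen
# (total) [(frag id:len@off[+])] IN|OUT. Group names are my own labels.
LOG_RE = re.compile(
    r"(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+\((?P<total>\d+)\)"
    r"(?:\s+\(frag\s+(?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<more>\+?)\))?"
    r"\s+(?P<dir>IN|OUT)\b"
)

# Constructed sample: the two lines quoted on the list (re-joined onto single
# lines) plus an ASSUMED first fragment at offset 0 that the post omits.
SAMPLE_LOG = """\
17:20:08.607900 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (764) (frag 45742:744@0+) IN
17:20:08.612482 ng0 @0:23 b 212.227.15.197 -> 192.168.0.100 PR udp len 20 (756) (frag 45742:736@744+) IN
17:20:08.608072 ng0 @0:23 b 212.227.15.197 -> 84.156.3.228 PR udp len 20 (143) (frag 45742:123@1480) IN
"""


def parse_line(line):
    """Parse one ipmon line into a dict of fields; unparseable lines give None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["hlen"] = int(rec["hlen"])
    rec["total"] = int(rec["total"])
    if rec["id"] is not None:
        rec["id"] = int(rec["id"])
        rec["flen"] = int(rec["flen"])
        rec["off"] = int(rec["off"])
        rec["more"] = rec["more"] == "+"   # "+" means more fragments follow
    return rec


def group_fragments(text):
    """Group fragment records by (src, IP id): one group per original datagram."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["id"] is not None:
            groups[(rec["src"], rec["id"])].append(rec)
    return groups


def check_reassembly(frags):
    """Return (complete, payload_len) for one datagram's fragments.

    Fragments must be contiguous from offset 0, every non-last fragment must
    carry a multiple of 8 bytes, and the last must lack the more flag.
    payload_len counts bytes after the IP header (UDP header + data)."""
    frags = sorted(frags, key=lambda r: r["off"])
    expect = 0
    for r in frags:
        if r["off"] != expect or r["total"] - r["hlen"] != r["flen"]:
            return False, expect
        if r["more"] and r["flen"] % 8 != 0:
            return False, expect
        expect = r["off"] + r["flen"]
    complete = bool(frags) and not frags[-1]["more"]
    return complete, expect


def find_split_datagrams(text):
    """Datagrams whose fragments went to more than one destination, i.e. the
    translator rewrote some fragments of the datagram but not others."""
    result = []
    for (src, ident), frags in group_fragments(text).items():
        dsts = sorted({r["dst"] for r in frags})
        if len(dsts) > 1:
            result.append((src, ident, dsts))
    return result


if __name__ == "__main__":
    groups = group_fragments(SAMPLE_LOG)
    for src, ident, dsts in find_split_datagrams(SAMPLE_LOG):
        complete, size = check_reassembly(groups[(src, ident)])
        state = "complete" if complete else "incomplete"
        print(f"datagram id {ident} from {src}: fragments delivered to {dsts}; "
              f"reassembly {state} at {size} bytes of UDP header + payload")
```

Only the first fragment of a datagram carries the UDP header, so the port numbers a port forward matches on exist in that fragment alone; the checker above makes the mismatch visible by keying on the IP identification, which every fragment does carry, and by confirming that the fragments seen would in fact reassemble into one datagram.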