I've just banged my head against this for way too long. Either it's an interesting difference between 1.2 and 1.3 (and possibly pfSense) or I'm doing something stupid. I'm willing to bet on the latter, but I'm not finding it!

The short version is that a set of simple VoIP/NAT rules I have for a trixbox running behind a m0n0wall work great under 1.23x but appear to cause problems with 1.3b8 (and also pfSense, though I haven't tested as heavily on that and it has dual WAN just to complicate things).

Specifically, the inbound UDP packets appear to be dropped. This results in no inbound audio (or DTMF). However, this only happens on an inbound call, not on an outbound call. If the call originates from the trixbox (NAT'd behind the m0n0wall) then all packets both ways happen OK. This is also causing problems for external phones that try to register (both SIP and IAX2): they register eventually but not immediately as expected. The m0n0wall box does nothing else, just the trixbox connected to it.

I haven't yet completely totally confirmed that 1.3 is the only variable, but when I downgraded firmware from 1.3b8 to 1.232 the same set of rules suddenly started working as expected (and as they do on other 1.2x installations I have). When I get some sleep I'll try upgrading back to 1.3b8 just as a sanity check that the problems start again.

Any insights welcomed!!!
Fwiw, here are the NAT rules followed by the corresponding firewall rules (minus admin rules for brevity):

<nat>
    <rule>
        <protocol>tcp/udp</protocol>
        <external-port>69</external-port>
        <target>pbx</target>
        <local-port>69</local-port>
        <interface>wan</interface>
        <descr>phone provisioning</descr>
    </rule>
    <rule>
        <protocol>tcp/udp</protocol>
        <external-port>4569</external-port>
        <target>pbx</target>
        <local-port>4569</local-port>
        <interface>wan</interface>
        <descr>IAX2 traffic</descr>
    </rule>
    <rule>
        <protocol>tcp/udp</protocol>
        <external-port>5060-5082</external-port>
        <target>pbx</target>
        <local-port>5060</local-port>
        <interface>wan</interface>
        <descr>SIP traffic</descr>
    </rule>
    <rule>
        <protocol>udp</protocol>
        <external-port>10000-20000</external-port>
        <target>pbx</target>
        <local-port>10000</local-port>
        <interface>wan</interface>
        <descr>VOIP traffic</descr>
    </rule>
</nat>

and the corresponding auto generated firewall rules:

<rule>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
        <any/>
    </source>
    <destination>
        <address>pbx</address>
        <port>5060-5082</port>
    </destination>
    <descr>NAT SIP traffic</descr>
</rule>
<rule>
    <interface>wan</interface>
    <protocol>udp</protocol>
    <source>
        <any/>
    </source>
    <destination>
        <address>pbx</address>
        <port>10000-20000</port>
    </destination>
    <descr>NAT VOIP traffic</descr>
</rule>
<rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
        <any/>
    </source>
    <destination>
        <address>pbx</address>
        <port>69</port>
    </destination>
    <descr>NAT phone provisioning</descr>
</rule>
<rule>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
        <any/>
    </source>
    <destination>
        <address>pbx</address>
        <port>4569</port>
    </destination>
    <descr>NAT IAX2 traffic</descr>
</rule>

Thanks in advance for any insights!

cheers,
michael
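A cross-check of the two rule sets pasted above, as an added example that is not part of the original post: it pairs each NAT forward with the filter rule for the same interface, protocol, target and port range, and reports forwards that have no matching filter rule or whose filter rule carries no explicit `<type>` element. The `<config>` root, the `<filter>` wrapper, and the assumption that an external port range maps onto an equal-sized range starting at `<local-port>` are assumptions of this example, not statements from the post.

```python
import xml.etree.ElementTree as ET

# Rules as posted above. The <config> root and <filter> wrapper are assumptions
# added so the pasted fragments parse as one document.
CONFIG = """<config><nat>
<rule><protocol>tcp/udp</protocol><external-port>69</external-port><target>pbx</target><local-port>69</local-port><interface>wan</interface><descr>phone provisioning</descr></rule>
<rule><protocol>tcp/udp</protocol><external-port>4569</external-port><target>pbx</target><local-port>4569</local-port><interface>wan</interface><descr>IAX2 traffic</descr></rule>
<rule><protocol>tcp/udp</protocol><external-port>5060-5082</external-port><target>pbx</target><local-port>5060</local-port><interface>wan</interface><descr>SIP traffic</descr></rule>
<rule><protocol>udp</protocol><external-port>10000-20000</external-port><target>pbx</target><local-port>10000</local-port><interface>wan</interface><descr>VOIP traffic</descr></rule>
</nat><filter>
<rule><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source><destination><address>pbx</address><port>5060-5082</port></destination><descr>NAT SIP traffic</descr></rule>
<rule><interface>wan</interface><protocol>udp</protocol><source><any/></source><destination><address>pbx</address><port>10000-20000</port></destination><descr>NAT VOIP traffic</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source><destination><address>pbx</address><port>69</port></destination><descr>NAT phone provisioning</descr></rule>
<rule><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source><destination><address>pbx</address><port>4569</port></destination><descr>NAT IAX2 traffic</descr></rule>
</filter></config>"""

def text(el, path):
    """Return the stripped text of a child element, or None if absent/empty."""
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else None

def expected_port(nat_rule):
    """Port or range the filter rule should name (assumed range mapping)."""
    lo, _, hi = text(nat_rule, "external-port").partition("-")
    local = int(text(nat_rule, "local-port"))
    return f"{local}-{local + int(hi) - int(lo)}" if hi else str(local)

def audit(xml_text):
    """Return (nat descr, finding) pairs for forwards needing a closer look."""
    root = ET.fromstring(xml_text)
    filters = {}
    for r in root.findall("./filter/rule"):
        key = (text(r, "interface"), text(r, "protocol"),
               text(r, "destination/address"), text(r, "destination/port"))
        filters[key] = r
    findings = []
    for n in root.findall("./nat/rule"):
        key = (text(n, "interface"), text(n, "protocol"),
               text(n, "target"), expected_port(n))
        match = filters.get(key)
        if match is None:
            findings.append((text(n, "descr"), "no matching filter rule"))
        elif text(match, "type") is None:
            findings.append((text(n, "descr"), "filter rule has no explicit <type>"))
    return findings

if __name__ == "__main__":
    for descr, finding in audit(CONFIG):
        print(f"{descr}: {finding}")
```

Run against the rules as posted, every forward has a matching filter rule, and only the phone provisioning rule carries an explicit `<type>`; the output records that difference in the paste and says nothing about how either firmware version treats it.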