 From:  mtnbkr <waa dash m0n0wall at revpol dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.31 released
 Date:  Fri, 09 Apr 2010 10:13:11 -0400
On 04/08/10 20:53, Energy X wrote:
> I'm not sure what the exact problem was with 1.23, but I am now seeing an
> issue with 1.31 and SIP/RTP. I have the Grandstream HT-502
> ATA (192.168.50.112) behind m0n0wall with the following firewall/NAT
> settings, per my provider:
> 
> NAT Rule:
> WAN       UDP       5004 - 65000       192.168.50.112       5004 - 65000
>      VOIP UDP
> 
> Firewall Rule:
> UDP       *       *       192.168.50.112       *       NAT VOIP UDP
> 
> The problem is that m0n0wall seems to assign random ports to the incoming
> connections, and occasionally it will assign a port below 5004, which is
> outside the NAT port range. A connection will come in on 5060 and m0n0wall
> will use something like 2663 and the firewall blocks it since there is no
> incoming NAT on that port for any internal addresses. Is there a way to
> disable the random port translation? I would think m0n0wall would know it
> set the port below the NAT rule and allow it through since the original
> incoming request came in on an allowed port. Also, the connection being
> blocked in the firewall log shows the original incoming port (usually 5060)
> and the translated port (below 5004) with the WAN interface address and
> deny.


Hi Energy X

On the NAT Page, Outbound Tab, you need to first Check the "Enable advanced
outbound NAT" box and then manually create your outbound mappings.

When creating the outbound NAT mapping for the subnet your Grandstream HT-502
is on, you need to make sure that you CHECK the box next to "Disable port mapping".

That option is described on that page as follows:

--[snip]--
This option disables remapping of the source port number for outbound packets.
This may help with software that insists on the source ports being left
unchanged when applying NAT (such as some IPsec VPN gateways). However, with
this option enabled, two clients behind NAT cannot communicate with the same
server at the same time using the same source ports.
--[snip]--


--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
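The following Python model is an added example, not code from this thread or from m0n0wall itself. It reproduces the mechanism Bill's reply describes: an outbound NAT state table that either remaps the source port to a random high port or, with "Disable port mapping" on, keeps the client's own source port. It shows both the symptom Energy X reports (a remapped port such as 2663 falling outside the 5004-65000 inbound NAT range) and the caveat from the option description (two clients using the same source port to the same server cannot coexist once remapping is off). The class and function names, the WAN address 203.0.113.10, the provider address 198.51.100.5, the second LAN client 192.168.50.113, and the 1024-65535 range for random remapping are all assumptions made for the example; the ATA address and the 5004-65000 range come from the post.

```python
"""Toy model of outbound NAT source-port handling, with and without
"Disable port mapping". Added example; not m0n0wall's implementation."""
import random

WAN_IP = "203.0.113.10"            # constructed WAN address (assumption)
ATA_IP = "192.168.50.112"          # Grandstream ATA address from the post
PROVIDER = ("198.51.100.5", 5060)  # constructed SIP provider (assumption)
INBOUND_NAT_RANGE = (5004, 65000)  # inbound UDP NAT range from the post
REMAP_RANGE = (1024, 65535)        # assumed range for random source-port remapping


class OutboundNAT:
    """Maps (lan_ip, lan_port, dst_ip, dst_port) flows to a WAN source port."""

    def __init__(self, disable_port_mapping, pick_port=None):
        self.disable_port_mapping = disable_port_mapping
        # Port chooser used when remapping is on; default picks a random high port.
        self.pick_port = pick_port or (lambda: random.randint(*REMAP_RANGE))
        self.table = {}      # flow key -> WAN source port (existing state)
        self.in_use = set()  # (wan_port, dst_ip, dst_port) already allocated

    def translate(self, lan_ip, lan_port, dst_ip, dst_port):
        key = (lan_ip, lan_port, dst_ip, dst_port)
        if key in self.table:            # packet matches existing state: reuse it
            return self.table[key]
        if self.disable_port_mapping:
            wan_port = lan_port          # keep the client's source port unchanged
            if (wan_port, dst_ip, dst_port) in self.in_use:
                # Two clients, same source port, same server: only one can hold it.
                raise ValueError(f"WAN port {wan_port} to {dst_ip}:{dst_port} is taken")
        else:
            wan_port = None
            for _ in range(64):          # bounded search for a free remapped port
                candidate = self.pick_port()
                if (candidate, dst_ip, dst_port) not in self.in_use:
                    wan_port = candidate
                    break
            if wan_port is None:
                raise ValueError("no free source port for remapping")
        self.table[key] = wan_port
        self.in_use.add((wan_port, dst_ip, dst_port))
        return wan_port


def inbound_rule_allows(wan_port):
    """True if the static inbound NAT rule (5004-65000 -> ATA) covers wan_port."""
    lo, hi = INBOUND_NAT_RANGE
    return lo <= wan_port <= hi


def sip_registration(disable_port_mapping, pick_port=None):
    """ATA sends SIP from UDP 5060 to the provider.

    Returns (wan_port, covered): the source port the provider sees, and whether
    a later packet from the provider to that port would match the inbound NAT
    rule if it arrives outside the original state.
    """
    nat = OutboundNAT(disable_port_mapping, pick_port)
    wan_port = nat.translate(ATA_IP, 5060, *PROVIDER)
    return wan_port, inbound_rule_allows(wan_port)


def two_clients_same_port(disable_port_mapping):
    """Two LAN devices both send from 5060 to the same provider.

    Returns True if both flows get a mapping, False if the second one is refused.
    """
    nat = OutboundNAT(disable_port_mapping)
    nat.translate(ATA_IP, 5060, *PROVIDER)
    try:
        nat.translate("192.168.50.113", 5060, *PROVIDER)  # constructed second client
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Remapping on, forced to the port from the post: falls below the inbound range.
    print(sip_registration(False, pick_port=lambda: 2663))   # (2663, False)
    # Remapping off: provider sees 5060, which the inbound rule covers.
    print(sip_registration(True))                            # (5060, True)
    print(two_clients_same_port(False), two_clients_same_port(True))  # True False
```

The `pick_port` hook exists only so the remapping path can be driven deterministically; the default chooser is random, which is exactly why a production mapping can land anywhere in the high-port range, including below 5004. The trade-off the option text warns about is visible in `two_clients_same_port`: with remapping off, the state table has no way to distinguish two LAN devices that both use source port 5060 to the same provider, so the second one is refused.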