 From:  Energy X <energyx at gmail dot com>
 To:  waa dash m0n0wall at revpol dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.31 released
 Date:  Fri, 9 Apr 2010 13:00:49 -0400
Will that help the incoming port mapping as well? And do I just use the IP
of the Grandstream in the Outbound rule, or do I need to specify the entire
internal subnet?

Thanks
Chris

On Fri, Apr 9, 2010 at 10:13 AM, mtnbkr <waa dash m0n0wall at revpol dot com> wrote:

> On 04/08/10 20:53, Energy X wrote:
> > I'm not sure what the exact problem was with 1.23, but I am now seeing an
> > issue with 1.31 and SIP/RTP. I have the Grandstream HT-502
> > ATA (192.168.50.112) behind m0n0wall with the following firewall/NAT
> > settings, per my provider:
> >
> > NAT Rule:
> > WAN       UDP       5004 - 65000       192.168.50.112       5004 - 65000       VOIP UDP
> >
> > Firewall Rule:
> > UDP       *       *       192.168.50.112       *       NAT VOIP UDP
> >
> > The problem is that m0n0wall seems to assign random ports to the incoming
> > connections, and occasionally it will assign a port below 5004, which is
> > outside the NAT port range. A connection will come in on 5060 and m0n0wall
> > will use something like 2663 and the firewall blocks it since there is no
> > incoming NAT on that port for any internal addresses. Is there a way to
> > disable the random port translation? I would think m0n0wall would know it
> > set the port below the NAT rule and allow it through since the original
> > incoming request came in on an allowed port. Also, the connection being
> > blocked in the firewall log shows the original incoming port (usually 5060)
> > and the translated port (below 5004) with the WAN interface address and
> > deny.
>
>
> Hi Energy X
>
> On the NAT Page, Outbound Tab, you need to first Check the "Enable advanced
> outbound NAT" box and then manually create your outbound mappings.
>
> When creating the outbound NAT mapping for the subnet your Grandstream HT-502
> is on you need to make sure that you CHECK the box next to "Disable port
> mapping"
>
> That option is described on that page as follows:
>
> --[snip]--
> This option disables remapping of the source port number for outbound
> packets. This may help with software that insists on the source ports being
> left unchanged when applying NAT (such as some IPsec VPN gateways). However,
> with this option enabled, two clients behind NAT cannot communicate with the
> same server at the same time using the same source ports.
> --[snip]--
>
>
> --
> Bill Arlofski
> Reverse Polarity, LLC
> http://www.revpol.com/
>
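
Added example, not part of either message and not m0n0wall code: a toy Python model of an outbound NAT state table showing both effects discussed in the thread, the remapped source port landing outside the 5004 - 65000 forward range, and the collision the quoted option text warns about once port mapping is disabled. The server address, the second client and the port pool are constructed values.

```python
# Toy model of an outbound NAT state table (added example, not m0n0wall code).
FORWARD_RANGE = range(5004, 65001)  # inbound NAT rule from the thread: UDP 5004-65000
ATA = "192.168.50.112"              # Grandstream HT-502 address from the thread
SECOND_CLIENT = "192.168.50.113"    # constructed: a second SIP device on the LAN
SERVER = ("203.0.113.10", 5060)     # constructed: provider's SIP server (TEST-NET-3)


class PortCollision(Exception):
    """Two internal hosts would share one external port toward one server."""


class OutboundNat:
    def __init__(self, static_port, pool):
        self.static_port = static_port  # True models "Disable port mapping"
        self.pool = iter(pool)          # external ports used when remapping
        self.table = {}                 # (ext_port, server) -> (int_ip, int_port)

    def translate(self, int_ip, int_port, server):
        """Return the external source port chosen for an outbound flow."""
        ext_port = int_port if self.static_port else next(self.pool)
        owner = self.table.setdefault((ext_port, server), (int_ip, int_port))
        if owner != (int_ip, int_port):
            raise PortCollision(f"{ext_port} -> {server} already used by {owner}")
        return ext_port


def simulate(static_port):
    """Send SIP from two LAN hosts, both using source port 5060, to one server."""
    # Constructed pool; 2663 is the translated port quoted in the thread.
    nat = OutboundNat(static_port, pool=[2663, 2664])
    ata_port = nat.translate(ATA, 5060, SERVER)
    try:
        second_port = nat.translate(SECOND_CLIENT, 5060, SERVER)
    except PortCollision:
        second_port = None              # second client cannot be mapped
    return ata_port, ata_port in FORWARD_RANGE, second_port


if __name__ == "__main__":
    for mode in (False, True):
        print("static_port =", mode, "->", simulate(mode))
```

With remapping on, the ATA's flow leaves from 2663, outside the forwarded range; with it off, the flow keeps 5060 but a second device using 5060 toward the same server cannot be mapped.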