 From:  "Wyn Bryant" <wynbryant at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: bad NAT from status.php logs
 Date:  Mon, 13 Sep 2010 18:39:32 -0400
We're still experiencing the same issue of "bad NAT" (inbound) for RTP
traffic.  I've narrowed the range to just 10000 - 10051 and taken out
everything in the configuration except for what's required for SIP.

Updated config and logs attached.  I've tried with and without fragmented
packets.

Here are snippets of the config and logs:

        <rule>
            <protocol>udp</protocol>
            <external-port>10000-10051</external-port>
            <target>192.168.0.12</target>
            <local-port>10000</local-port>
            <interface>wan</interface>
            <descr>RTP</descr>
        </rule>

Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.793775 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.811888 22x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT

If anyone has any thoughts or feedback, it would be greatly appreciated.
Interestingly enough we have no issues with the Tomato firmware on a
WRT54GL.

Regards,

Wyn Bryant

From: Wyn Bryant [mailto:wynbryant at gmail dot com] 
Sent: Thursday, September 09, 2010 6:24 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: bad NAT from status.php logs

Dear Group,

I'm having an issue with inbound SIP ports (UDP 1-65535) passing through
m0n0 with inbound NAT.  status.php shows bad NAT for the rule in question:

Sep  8 21:31:36 m0n0wall ipmon[128]: 21:31:35.624147 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT

This m0n0 configuration (attached) uses WAN, LAN and OPT (intended to be a
second LAN) interfaces; with outbound NAT.

Here is the NAT rule that is apparently the issue:

<rule>
    <external-address>71.XX.XX.243</external-address>
    <protocol>udp</protocol>
    <external-port>1-65535</external-port>
    <target>192.168.0.12</target>
    <local-port>1</local-port>
    <interface>wan</interface>
    <descr>SIP</descr>
</rule>

Note that other NAT rules are working to hosts on the OPT1 interface (such
as HTTPS and SMTP), but they are all TCP.

Would anyone be able to point me in the right direction?

I suppose a couple of options outside of m0n0 available are to use VLANs
with a managed switch instead of the LAN+OPT interfaces for the two LANs or
use a filtering bridge (but I had hoped to eliminate the routers on both LANs
behind the m0n0).

Any feedback is appreciated.

Regards,

Wyn Bryant

<?xml version="1.0"?>
<m0n0wall>
    <version>1.8</version>
    <lastchange>1284415899</lastchange>
    <system>
        <hostname>m0n0wall</hostname>
        <domain>local</domain>
        <dnsallowoverride/>
        <username>admin</username>
        <password>xxxxx</password>
        <timezone>Etc/UTC</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>0.m0n0wall.pool.ntp.org</timeservers>
        <webgui>
            <protocol>http</protocol>
            <port/>
        </webgui>
        <dnsserver>65.XX.XX.65</dnsserver>
        <dnsserver>65.XX.XX.70</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>em0</if>
            <ipaddr>192.168.0.1</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>bge0</if>
            <blockpriv/>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>71.XXX.XXX.243</ipaddr>
            <subnet>29</subnet>
            <gateway>71.XXX.XXX.241</gateway>
        </wan>
    </interfaces>
    <staticroutes>
    </staticroutes>
    <pppoe/>
    <pptp/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
        <server/>
        <port/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <range>
                <from>192.168.1.100</from>
                <to>192.168.1.199</to>
            </range>
        </lan>
    </dhcpd>
    <pptpd>
        <mode/>
        <nunits>16</nunits>
        <redir/>
        <localip/>
        <remoteip/>
    </pptpd>
    <dnsmasq>
        <enable/>
    </dnsmasq>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag/>
    <bridge/>
    <syslog/>
    <nat>
        <rule>
            <protocol>udp</protocol>
            <external-port>10000-10051</external-port>
            <target>192.168.0.12</target>
            <local-port>10000</local-port>
            <interface>wan</interface>
            <descr>RTP</descr>
        </rule>
        <rule>
            <protocol>tcp/udp</protocol>
            <external-port>5060</external-port>
            <target>192.168.0.12</target>
            <local-port>5060</local-port>
            <interface>wan</interface>
            <descr>SIP</descr>
        </rule>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>udp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.12</address>
                <port>10000-10051</port>
            </destination>
            <log/>
            <descr>NAT RTP</descr>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default IPsec VPN</descr>
            <interface>ipsec</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp/udp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.12</address>
                <port>5060</port>
            </destination>
            <descr>NAT SIP</descr>
        </rule>
    </filter>
    <ipsec/>
    <aliases/>
    <proxyarp/>
    <wol/>
    <shaper>
        <magic>
            <maxup>1900</maxup>
            <maxdown>14000</maxdown>
        </magic>
    </shaper>
    <secondaries/>
    <vlans/>
</m0n0wall>
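As an added example, not code from m0n0wall or from the poster, a Python audit of the inbound NAT rules in a config of the format above: it flags very wide external port ranges such as the original 1-65535 forward, and checks that a filter pass rule on the same interface admits the protocol to the target for the whole range (the "NAT SIP" filter rule in the attached config carries no `<type>` element, so this check would report it). The config excerpt is constructed, and the check on local ports assumes that an external range maps 1:1 onto local ports starting at `<local-port>`.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the format of the attached config: the original
# 1-65535 UDP forward beside the narrowed RTP rule and the RTP filter rule.
CONFIG_XML = """<m0n0wall><nat>
  <rule><protocol>udp</protocol><external-port>1-65535</external-port>
    <target>192.168.0.12</target><local-port>1</local-port>
    <interface>wan</interface><descr>SIP (original)</descr></rule>
  <rule><protocol>udp</protocol><external-port>10000-10051</external-port>
    <target>192.168.0.12</target><local-port>10000</local-port>
    <interface>wan</interface><descr>RTP</descr></rule>
</nat><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <destination><address>192.168.0.12</address><port>10000-10051</port></destination>
    <descr>NAT RTP</descr></rule>
</filter></m0n0wall>"""

def port_range(text):
    """'10000-10051' -> (10000, 10051); '5060' -> (5060, 5060)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def filter_covers(frule, nrule, lo, hi):
    """True if frule passes the NAT protocol to the NAT target for all of lo-hi."""
    fport = frule.findtext("destination/port")
    if frule.findtext("type") != "pass" or fport is None:
        return False
    flo, fhi = port_range(fport)
    return (frule.findtext("interface") == nrule.findtext("interface")
            and frule.findtext("protocol") in (nrule.findtext("protocol"), "tcp/udp")
            and frule.findtext("destination/address") == nrule.findtext("target")
            and flo <= lo and fhi >= hi)

def audit_nat(xml_text, broad_threshold=1024):
    """Findings per inbound NAT rule: over-broad ranges, local ranges past 65535,
    and rules that no filter pass rule covers."""
    root = ET.fromstring(xml_text)
    frules = root.findall("filter/rule")
    findings = []
    for nrule in root.findall("nat/rule"):
        descr = nrule.findtext("descr")
        lo, hi = port_range(nrule.findtext("external-port"))
        width = hi - lo + 1
        if width > broad_threshold:
            findings.append(f"{descr}: forwards {width} ports ({lo}-{hi})")
        # Assumption: the external range maps 1:1 onto local ports from <local-port>.
        local_hi = int(nrule.findtext("local-port")) + width - 1
        if local_hi > 65535:
            findings.append(f"{descr}: local range runs past 65535 ({local_hi})")
        if not any(filter_covers(f, nrule, lo, hi) for f in frules):
            findings.append(f"{descr}: no filter pass rule covers {lo}-{hi}")
    return findings
```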

Sep 13 22:17:35 m0n0wall ipmon[122]: 22:17:34.931084 37x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:35 m0n0wall ipmon[122]: 22:17:35.653360 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:35 m0n0wall ipmon[122]: 22:17:35.671666 bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:36 m0n0wall ipmon[122]: 22:17:35.691034 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:37 m0n0wall ipmon[122]: 22:17:36.691728 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:38 m0n0wall ipmon[122]: 22:17:37.691472 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:39 m0n0wall ipmon[122]: 22:17:38.691529 14x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:39 m0n0wall ipmon[122]: 22:17:38.971264 15x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:39 m0n0wall ipmon[122]: 22:17:39.253247 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:39 m0n0wall ipmon[122]: 22:17:39.285097 21x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:40 m0n0wall ipmon[122]: 22:17:39.691355 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:41 m0n0wall ipmon[122]: 22:17:40.691490 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:42 m0n0wall ipmon[122]: 22:17:41.691124 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:43 m0n0wall ipmon[122]: 22:17:42.691259 9x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:43 m0n0wall ipmon[122]: 22:17:42.853507 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:43 m0n0wall ipmon[122]: 22:17:42.871155 41x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:44 m0n0wall ipmon[122]: 22:17:43.691518 51x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:45 m0n0wall ipmon[122]: 22:17:44.711550 19x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:45 m0n0wall ipmon[122]: 22:17:45.095069 31x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:46 m0n0wall ipmon[122]: 22:17:45.711623 37x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:46 m0n0wall ipmon[122]: 22:17:46.433746 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:46 m0n0wall ipmon[122]: 22:17:46.451237 13x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:47 m0n0wall ipmon[122]: 22:17:46.713327 14x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:47 m0n0wall ipmon[122]: 22:17:46.992043 36x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:48 m0n0wall ipmon[122]: 22:17:47.711549 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:49 m0n0wall ipmon[122]: 22:17:48.711217 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:50 m0n0wall ipmon[122]: 22:17:49.711397 15x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:50 m0n0wall ipmon[122]: 22:17:50.003660 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:50 m0n0wall ipmon[122]: 22:17:50.011329 35x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:51 m0n0wall ipmon[122]: 22:17:50.711484 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:52 m0n0wall ipmon[122]: 22:17:51.711899 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:53 m0n0wall ipmon[122]: 22:17:52.720028 45x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:53 m0n0wall ipmon[122]: 22:17:53.603850 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:53 m0n0wall ipmon[122]: 22:17:53.612054 5x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:54 m0n0wall ipmon[122]: 22:17:53.712217 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:55 m0n0wall ipmon[122]: 22:17:54.711336 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:56 m0n0wall ipmon[122]: 22:17:55.711477 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:57 m0n0wall ipmon[122]: 22:17:56.711920 25x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:57 m0n0wall ipmon[122]: 22:17:57.194013 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:17:57 m0n0wall ipmon[122]: 22:17:57.211503 25x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
Sep 13 22:17:58 m0n0wall ipmon[122]: 22:17:57.712008 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:17:59 m0n0wall ipmon[122]: 22:17:58.711534 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:18:00 m0n0wall ipmon[122]: 22:17:59.711797 50x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.711461 5x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 K-S IN bad NAT
Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.793775 bge0 @200:1 b 209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT
Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.811888 22x bge0 @200:1 b 209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT
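As an added example, not part of the thread, a Python parser for ipmon lines of the shape logged above that aggregates the blocked "bad NAT" packets per source, destination port and protocol, weighting each entry by its "Nx" repeat count so a 50x line counts as 50 packets. The field layout is assumed from the lines in the thread, and the sample entries are the three quoted in the two messages.

```python
import re
from collections import Counter

# Layout assumed from the lines in the thread: syslog stamp, host, ipmon[pid],
# packet time, optional "Nx" repeat count, interface, @group:rule, action
# (b = blocked), src,port -> dst,port, protocol, lengths, K-* flags, direction, note.
IPMON_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ipmon\[\d+\]: (?P<pkt_time>\S+) "
    r"(?:(?P<repeat>\d+)x )?(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<flags>(?: K-\w)*) "
    r"(?P<dir>IN|OUT)(?P<note>.*)$"
)

# Sample input: the three entries quoted in the thread.
SAMPLE = [
    "Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.793775 bge0 @200:1 b "
    "209.249.3.60,17375 -> 192.168.0.12,10025 PR udp len 20 116 IN bad NAT",
    "Sep 13 22:18:01 m0n0wall ipmon[122]: 22:18:00.811888 22x bge0 @200:1 b "
    "209.249.3.60,17374 -> 192.168.0.12,10024 PR udp len 20 200 IN bad NAT",
    "Sep  8 21:31:36 m0n0wall ipmon[128]: 21:31:35.624147 50x bge0 @200:1 b "
    "2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT",
]

def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["repeat"] = int(rec["repeat"] or 1)     # "22x" -> 22, absent -> 1
    rec["flags"] = rec["flags"].split()          # " K-S K-F" -> ["K-S", "K-F"]
    rec["note"] = rec["note"].strip()
    for key in ("sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec

def summarize_bad_nat(lines):
    """Count blocked 'bad NAT' packets and log entries per (src, dst, dport, proto).
    Packets are weighted by the repeat count so a 50x line counts as 50."""
    packets, entries = Counter(), Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["action"] != "b" or rec["note"] != "bad NAT":
            continue
        key = (rec["src"], rec["dst"], rec["dport"], rec["proto"])
        packets[key] += rec["repeat"]
        entries[key] += 1
    return packets, entries
```

Running `summarize_bad_nat` over the full attached log shows which destination ports of the forwarded RTP range are being blocked and at what packet rate, which is the first thing to compare against the NAT and filter rules for that range.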