Author |
Message |
fangqikun Brekeke Junior Member
Joined: 27 Jul 2015 Posts: 6
|
Posted: Thu Feb 18, 2016 7:49 pm Post subject: A problem NAT traversal |
|
|
1. Brekeke Product Name and Version: 3.5.5.2/424-1
2. Java version: OpenJDK 64-Bit Server VM 1.7.0_95
3. OS type and the version:CentOS 6.7 2.6.32-573.18.1.el6.x86_64
4. UA (phone), gateway or other hardware/software involved: eyebeam
5. Your problem:
i configure brekeke server IP address 10.34.14.24, and mapped to the public IP address 61.132.137.139, in WEB interface "network - Interface address 1" Enter the public IP address "61.132.137.139", when public and private network client called, the packet capture as follows:
server:
https://imageshack.com/i/pmE3Y8plp
public client
https://imageshack.com/i/pnUhmUHcp
brekeke server forwards private network client 200 OK message to the public network client, sends the address 10.34.14.24, public network client after receiving the message, SDP message sent to the 10.34.14.24, not 61.132.137.139.
What caused the problem? |
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Thu Feb 18, 2016 10:52 pm Post subject: |
|
|
Do you have any settings at [Remote Address Pattern 1] and [External IP address pattern] in [Configuration]->[System] page?
They should be blank.
Also do you have any DialPlan rules? |
|
Back to top |
|
fangqikun Brekeke Junior Member
Joined: 27 Jul 2015 Posts: 6
|
Posted: Thu Feb 18, 2016 11:47 pm Post subject: |
|
|
[Remote Address Pattern 1] and [External IP Address Pattern] is blank, I don't have set any DialPlan rules |
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Fri Feb 19, 2016 11:00 am Post subject: |
|
|
Can you see the global IP address "61.132.137.139" in the SIP Server's Status page as "interface"? If not, restart the SIP Server.
Are there any other IP addresses shown as "interface"? |
|
Back to top |
|
fangqikun Brekeke Junior Member
Joined: 27 Jul 2015 Posts: 6
|
Posted: Fri Feb 19, 2016 10:47 pm Post subject: |
|
|
ambrosio wrote: |
Can you see the global IP address "61.132.137.139" in the SIP Server's Status page as "interface"? If not, restart the SIP Server.
Are there any other IP addresses shown as "interface"? |
interface: 61.132.137.139,10.34.14.24 |
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Sat Feb 20, 2016 12:22 am Post subject: |
|
|
Can you capture packets at the SIP Server's PC (10.34.14.24)?
If so, can you paste the "200 OK" SIP packet here? |
|
Back to top |
|
fangqikun Brekeke Junior Member
Joined: 27 Jul 2015 Posts: 6
|
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Mon Feb 22, 2016 10:56 am Post subject: |
|
|
It seems 10.34.14.30 behaves weird.
It should act as a router but it seems not.
What kind of product is it?
Can you find SIP-ALG option in the 10.34.14.30's setting? If so, disable it. |
|
Back to top |
|
fangqikun Brekeke Junior Member
Joined: 27 Jul 2015 Posts: 6
|
Posted: Wed Feb 24, 2016 7:39 am Post subject: |
|
|
10.34.14.30 is a Fortinet firewall, I have closed the sip-alg before, but I think it has nothing to do with the firewall. In another test environment,when brekeke sip server sends 200 OK SDP to the public network client, the IP address within the data packet has been modified into Brekeke sip server's public IP address. in the problems environment,When Brekeke sip server in the public network to send 200 OK SDP, IP addresses of the data package is still a private IP address of the Brekeke sip server.
I think problem is that the judge client wrong of private or public network of Brekeke Sip Server. How do I force the server to assume that the client is in the public as well?
normal test environment
http://imageshack.com/a/img922/6783/ElZaYG.png
brekeke sip server: LAN: 192.168.31.146 GATEWAY: 192.168.31.1 Public IP : 114.97.65.168
public Client: Lan: 10.137.185.132 Public IP: 183.162.9.185
Lan client: 192.168.31.174
Problems Test Environment
https://imageshack.com/i/pmSAhMzRp
Brekeke sip server: LAN: 10.34.14.24 GATEWAY: 10.34.14.30 Public IP: 61.132.137.139
public client: LAN: 192.168.31.174
Lan Client: Lan: 10.34.240.131 |
|
Back to top |
|
ambrosio Brekeke Master Guru
Joined: 27 Mar 2008 Posts: 215
|
Posted: Wed Feb 24, 2016 12:52 pm Post subject: |
|
|
The best way is you use another router/firewall as you does at another environment.
The current firewall doesn't handle packet routing correctly.
As you recognized, the firewall replaced the sender's IP address with its local IP address.
http://imageshack.com/i/pmE3Y8plp
Refer the above image. As you can see, the INVITE packet seems sent from 10.34.14.30 but it should indicate the client side's public IP address.
Since the INVITE looks came from the same LAN, Brekeke SIP Server doesn't handle NAT.
Anyway.. let you try this DialPaln rule. It will point 61.132.137.139 in SDP. If it doesn't work, you may need to use another firewall.
Matching Patterns | $request = ^INVITE $addr = 10.34.14.30
| Deploy Patterns | &net.rtp.ifsrc = 61.132.137.139 $continue = true
|
|
|
Back to top |
|
|