Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 Sep 2017 14:17:14 +0200
From:      Damjan Jovanovic <damjan.jov@gmail.com>
To:        "O. Hartmann" <o.hartmann@walstatt.org>
Cc:        "O. Hartmann" <ohartmann@walstatt.org>, freebsd-current <freebsd-current@freebsd.org>,  freebsd-ipfw@freebsd.org, Guido Falsi <madpilot@freebsd.org>
Subject:   Re: FreeBSD, IPFW and the SIP/VoIP NAT problem
Message-ID:  <CAJm2B-kr90UtMKxTK1sntUfPSKq7aZXOT-aQriKK2DbeumoHPA@mail.gmail.com>
In-Reply-To: <20170927131651.7346fd1f@freyja.zeit4.iv.bundesimmobilien.de>
References:  <20170926103543.0aa03c7a@freyja.zeit4.iv.bundesimmobilien.de> <CAJm2B-nLU5ZOCRjmbVzWJ-AoeUmF2kSfjfisif6V=CvNJye7Yg@mail.gmail.com> <20170926154429.1c79d842@freyja.zeit4.iv.bundesimmobilien.de> <CAJm2B-n4B8SaF_vAjKdWD0DTL7NhnuQL1kN4mvfvSMK1N+0v+Q@mail.gmail.com> <20170927131651.7346fd1f@freyja.zeit4.iv.bundesimmobilien.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, Sep 27, 2017 at 1:16 PM, O. Hartmann <o.hartmann@walstatt.org>
wrote:

> On Tue, 26 Sep 2017 16:26:51 +0200
> Damjan Jovanovic <damjan.jov@gmail.com> wrote:
>
> > On Tue, Sep 26, 2017 at 3:44 PM, O. Hartmann <o.hartmann@walstatt.org>
> > wrote:
> >
> > > On Tue, 26 Sep 2017 11:00:45 +0200
> > > Damjan Jovanovic <damjan.jov@gmail.com> wrote:
> > >
> > > > On Tue, Sep 26, 2017 at 10:35 AM, O. Hartmann <
> ohartmann@walstatt.org>
> > > > wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > trying to build a FreeBSD based router/PBX (Asterisk 13)
> appliance, I
> > > ran
> > > > > into
> > > > > several problems. My questions might have a "noobish" character,
> so my
> > > > > apology,
> > > > > my experiences with IPFW are not as thorough as they should be.
> > > > >
> > > > > Before I'll got into medias res, aquestion about Pine64/AARCH64:
> > > > >
> > > > > - port net/asterisk13 is supposed to build only on armv6, is
> aarch64
> > > about
> > > > >   coming soon also supported?
> > > > > - would a Pine64 running CURRENT (12) be sufficient as a PBX
> platform
> > > > > (assumed
> > > > >   having 2 GB of RAM)?
> > > > >
> > > > > My main concern is about IPFW (we do not use PF for some reasons, I
> > > have to
> > > > > stay with IPFW).
> > > > >
> > > > > I'm a customer of two ITSPs and my SoHo network is behind NAT and
> not
> > > yet
> > > > > IPv6.
> > > > > The FreeBSD system acting as a router is supposed to have a jail
> soon
> > > > > containing the Asterisk 13 IP PBX (at the moment running on the
> main
> > > > > system).
> > > > > To provide access to the VoIP infrastructure inside/behind the
> > > router/NAT
> > > > > system, the in-kernel NAT facility of FreeBSD is forwarding the
> > > relevant
> > > > > UPD/TCP ports for VoIP to its destination network, and here I have
> a
> > > > > problem to
> > > > > solve.
> > > > >
> > > > > While it is sumple and easy to forward 5060/udp, 5070/tcp and other
> > > ports,
> > > > > it
> > > > > is a mess and pain in the arse to forward a whole range, say
> 11000/udp
> > > -
> > > > > 35000/udp, which is a range one of my providers is sending RTP on.
> A
> > > second
> > > > > provider uses another range for RTP, starting at 5000/udp. So, the
> > > logical
> > > > > consequence would be a union set up UDP range to forward, which
> exapnds
> > > > > then
> > > > > form 5000/udp to 45000/udp - which is much more a pain ...
> > > > >
> > > > > One of the most disturbing and well known problems is that due to
> the
> > > > > stateful
> > > > > firewall the RTP session very often is half duplex - it seems one
> > > direction
> > > > > of the RTP connection doesn't make it through IPFW/NAT. As often I
> > > search
> > > > > the
> > > > > net, I always get informed this is a typical problem and solutions
> are
> > > > > provided by so called ALGs - since SIP protocol's SDP indicates
> within
> > > the
> > > > > payload of the packets on which UDP ports both ends wish to
> establish
> > > their
> > > > > RTP session, it would be "easy" to pinhole the IPFW on exactly
> those
> > > ports
> > > > > for
> > > > > a theoretical large number of sessions, if IPFW could "divert"
> those
> > > > > packets
> > > > > to an instance inspecting SDP (or whatever is used for the RTP port
> > > > > indication, I'm new to that, sorry for the terminology) and then
> > > pinholing
> > > > > the
> > > > > NAT/IPFW for exactly this purpose without the forwarding mess. I
> came
> > > along
> > > > > netgraph() while searching for hints and hooks, but it seems a
> complete
> > > > > Linux
> > > > > domain, when it somes to appliances like VoIP/IP PBX.
> > > > >
> > > > > Either, the problem is that trivial on FreeBSD, so no further
> > > mentioning is
> > > > > necessary (which would explain the vast emptyness of explanations,
> > > hints
> > > > > and
> > > > > so on) or FreeBSD is a complete wasteland on this subject - which I
> > > also
> > > > > suspect, since pfSense and OPNsense must have come along with such
> > > problems
> > > > > and I simply do not know or recognise the software used for those
> > > purposes.
> > > > >
> > > > > So, if someone enlightened in this matter stumbles over my
> question and
> > > > > could
> > > > > delegate me onto the right way (ports, ng_XXX netgraph ficilities
> to
> > > look
> > > > > at,
> > > > > some ipfw techniques relevant to the problem apart from the stupid
> > > simple
> > > > > forwarding large ranges of ports) - I'd appreciate this and
> > > > >
> > > > > thanks in advance for patience and help,
> > > > >
> > > > > Oliver
> > > > >
> > > >
> > > >
> > > > Hi
> > > >
> > > > It might be easier if you just enable STUN on Asterisk, and build
> FreeBSD
> > > > from source with my [largely neglected :( ] patch on
> > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219918
> > > >
> > > > That way Asterisk should dynamically discover consistent external
> > > mappings
> > > > for connections, making port forwarding RTP unnecessary.
> > > >
> > > > Damjan
> > >
> > > STUN is enabled, but my providers do not support STUN.
> > >
> > > I try to figure out how SIP works exactly to make my problem more
> precise.
> > > I
> > > also try to understand the aim of your patch - as far as I know, it
> does
> > > exactly as it is needed for the IPW/NAT/VoIP case. And I really regret
> that
> > > there are objections to commit the patch ...
> > >
> > >
> > Firstly, if your providers support NAT, you register to them (as opposed
> to
> > they register to you, or no registration), and the only VoIP calls are
> > to/from your providers and to/from the same IP:port you register to (as
> > opposed to unknown external addresses), then none of this should be
> > necessary. Just put these on every SIP peer in Asterisk (this is for
> > chan_sip; not sure about chan_pjsip):
>
>
>
> My providers do support NAT, I suppose, I'm sure with one. Not so
> sure about the iberian Telefonica/O2 - they claim, but they are a kind of
> not
> willing to provide substantial informations as they want to force
> customers to
> use the (crap) equipment they offer.
>
> Very often, calling from the outside through the NAT/firewall to the PBX, I
> have this half-duplex phenomenon well described in many palces regarding
> NAT.
> In most cases I can hear the answering machine/voicemail from the PBX, but
> I
> can not send an audio stream inside.
>
> When my PBX register to its provider, how is the RTP port port for the
> ingress
> media stream (from the view of my PBX) opened? As I understand stateful
> IPFW,
> someone from the inside needs first to punchhole the firewall. I must
> confess,
> I have a bit of an understanding problem here since I do know know the
> protocol. Is there anything on the net explaining this scenario? RFC3261 is
> describing SIP, but not the registration ...
>
>
Both sides usually send RTP to each other. When you send RTP through your
NAT to a provider supporting NAT, it should see where you are externally
sending from, and send its future RTP packets back there, even if that
isn't the (internal) IP:port you previously said you would use in your SDP.

This can obviously break in some cases:
- If the voice is intentionally one-way throughout the call, such as
phoning out into an announcement service that intentionally says "sendonly"
in its SDP, so you aren't sending any RTP to it and its RTP can't route
back to you.
- If you use out of band ringback and transfer out an inbound call before
it's answered, so the call hairpins from the provider through you and back.
You have to send RTP to open NAT mappings, but you have nothing to send, as
you first need to receive it, but can't as the NAT mappings aren't open: a
cycle you can't exit.

For those cases, NAT traversal can't be transparent, you have use some kind
of software negotiated NAT traversal: static port forwarding and set
Asterisk's external signaling and media addresses, use STUN with cone NAT
(my patch + STUN/ICE settings in Asterisk's rtp.conf, sip.conf, etc.), or a
NAT traversal protocol such as UPNP or NAT-PMP with supporting software
(which Asterisk currently isn't).


> >
> > directmedia=no
> > nat=force_rport,comedia
>
> In chan_pjsip, I  found these settings important for NAT on peers in
> avrious
> places on the net:
>
> rtp_symmetric=                  yes
> ;rtp_keepalive=                  30 (not sure about
> ;                               the timing here, I use this
> value)
> force_rport=                    yes
> rewrite_contact=                yes
> timers=                         yes
> direct_media=                   no
> disable_direct_media_on_nat=    yes
>
> >
> > and register to your provider more often than your NAT timeout is (eg.
> > every minute), and you should be good. Why? Every registration opens a
> NAT
> > mapping that your provider can use to send you calls on. The provider
> will
> > also send RTP to the source IP:port it received it from, so when you
> start
> > sending RTP you will get RTP back even if it's arriving from an
> unexpected
> > IP:port. NAT is not a big problem for SIP clients, only for SIP providers
> > that have receive packets from unknown addresses.
>
> I tried to find lifetime settings or timeout, the only (documented) values
> I
> founf were located in ipfw(8):
>
>      net.inet.ip.fw.dyn_ack_lifetime: 300
>
>      net.inet.ip.fw.dyn_syn_lifetime: 20
>
>      net.inet.ip.fw.dyn_fin_lifetime: 1
>
>      net.inet.ip.fw.dyn_rst_lifetime: 1
>
>      net.inet.ip.fw.dyn_udp_lifetime: 10
>
>      net.inet.ip.fw.dyn_short_lifetime: 5
> >
> > Otherwise...
> >
> > Why would your providers need to support STUN? Applications first use
> STUN
> > to discover the external IP:port of their internal IP:port, and then
> > communicate that IP:port to the other side however they usually would
> (eg.
> > headers in SIP and SDP packets) - the other side doesn't know or care
> that
> > they were discovered through STUN. Any STUN server anywhere on the
> Internet
> > can be used for this and should give the same results; see
> > https://www.voip-info.org/wiki/view/STUN for a list.
>
> I can use the STUN of an other provider, but not sure this is necessary,
> since
> both providers I'm consumer do not offer STUN themselfes.
>
> >
> > My patch ensures UDP NAT hole punching logic can be used properly. With
> it,
> > if a packet was sent from an internal IP:port through an external IP:port
> > (eg. to a STUN server), then any future packet from that internal IP:port
> > to any other external server:port will go out the same external IP:port,
> > and no other internal IP:port will use that external IP:port. It's like
> the
> > internal IP:port temporarily owns the unique external IP:port and can
> send
> > and receive through it to and from anywhere. The same source IP:port will
> > be seen by all servers, and they can send back to it.
>
>
> That sounds plausible, but implies that, say the PBX behind the NAT at
> IP1:port, is not guaranteed to send exclusively via external IP2:port?
>
>
With my patch, every packet from IP1:port1 will be routed out of IP2:port2,
no matter what the destination. Of course software must be written to
detect IP2:port2 for every new socket using something like STUN, and report
IP2:port2 to other parties it wants traffic from.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAJm2B-kr90UtMKxTK1sntUfPSKq7aZXOT-aQriKK2DbeumoHPA>