FreeBSD, IPFW and the SIP/VoIP NAT problem

O. Hartmann ohartmann at walstatt.org
Thu Sep 28 20:26:51 UTC 2017


Am Wed, 27 Sep 2017 14:17:14 +0200
Damjan Jovanovic <damjan.jov at gmail.com> schrieb:

> On Wed, Sep 27, 2017 at 1:16 PM, O. Hartmann <o.hartmann at walstatt.org>
> wrote:
> 
> > On Tue, 26 Sep 2017 16:26:51 +0200
> > Damjan Jovanovic <damjan.jov at gmail.com> wrote:
> >  
> > > On Tue, Sep 26, 2017 at 3:44 PM, O. Hartmann <o.hartmann at walstatt.org>
> > > wrote:
> > >  
> > > > On Tue, 26 Sep 2017 11:00:45 +0200
> > > > Damjan Jovanovic <damjan.jov at gmail.com> wrote:
> > > >  
> > > > > On Tue, Sep 26, 2017 at 10:35 AM, O. Hartmann <  
> > ohartmann at walstatt.org>  
> > > > > wrote:
> > > > >  
> > > > > > Hello,
> > > > > >
> > > > > > trying to build a FreeBSD based router/PBX (Asterisk 13)  
> > appliance, I  
> > > > ran  
> > > > > > into
> > > > > > several problems. My questions might have a "noobish" character,  
> > so my  
> > > > > > apology,
> > > > > > my experiences with IPFW are not as thorough as they should be.
> > > > > >
> > > > > > Before I'll got into medias res, aquestion about Pine64/AARCH64:
> > > > > >
> > > > > > - port net/asterisk13 is supposed to build only on armv6, is  
> > aarch64  
> > > > about  
> > > > > >   coming soon also supported?
> > > > > > - would a Pine64 running CURRENT (12) be sufficient as a PBX  
> > platform  
> > > > > > (assumed
> > > > > >   having 2 GB of RAM)?
> > > > > >
> > > > > > My main concern is about IPFW (we do not use PF for some reasons, I  
> > > > have to  
> > > > > > stay with IPFW).
> > > > > >
> > > > > > I'm a customer of two ITSPs and my SoHo network is behind NAT and  
> > not  
> > > > yet  
> > > > > > IPv6.
> > > > > > The FreeBSD system acting as a router is supposed to have a jail  
> > soon  
> > > > > > containing the Asterisk 13 IP PBX (at the moment running on the  
> > main  
> > > > > > system).
> > > > > > To provide access to the VoIP infrastructure inside/behind the  
> > > > router/NAT  
> > > > > > system, the in-kernel NAT facility of FreeBSD is forwarding the  
> > > > relevant  
> > > > > > UPD/TCP ports for VoIP to its destination network, and here I have  
> > a  
> > > > > > problem to
> > > > > > solve.
> > > > > >
> > > > > > While it is sumple and easy to forward 5060/udp, 5070/tcp and other  
> > > > ports,  
> > > > > > it
> > > > > > is a mess and pain in the arse to forward a whole range, say  
> > 11000/udp  
> > > > -  
> > > > > > 35000/udp, which is a range one of my providers is sending RTP on.  
> > A  
> > > > second  
> > > > > > provider uses another range for RTP, starting at 5000/udp. So, the  
> > > > logical  
> > > > > > consequence would be a union set up UDP range to forward, which  
> > exapnds  
> > > > > > then
> > > > > > form 5000/udp to 45000/udp - which is much more a pain ...
> > > > > >
> > > > > > One of the most disturbing and well known problems is that due to  
> > the  
> > > > > > stateful
> > > > > > firewall the RTP session very often is half duplex - it seems one  
> > > > direction  
> > > > > > of the RTP connection doesn't make it through IPFW/NAT. As often I  
> > > > search  
> > > > > > the
> > > > > > net, I always get informed this is a typical problem and solutions  
> > are  
> > > > > > provided by so called ALGs - since SIP protocol's SDP indicates  
> > within  
> > > > the  
> > > > > > payload of the packets on which UDP ports both ends wish to  
> > establish  
> > > > their  
> > > > > > RTP session, it would be "easy" to pinhole the IPFW on exactly  
> > those  
> > > > ports  
> > > > > > for
> > > > > > a theoretical large number of sessions, if IPFW could "divert"  
> > those  
> > > > > > packets
> > > > > > to an instance inspecting SDP (or whatever is used for the RTP port
> > > > > > indication, I'm new to that, sorry for the terminology) and then  
> > > > pinholing  
> > > > > > the
> > > > > > NAT/IPFW for exactly this purpose without the forwarding mess. I  
> > came  
> > > > along  
> > > > > > netgraph() while searching for hints and hooks, but it seems a  
> > complete  
> > > > > > Linux
> > > > > > domain, when it somes to appliances like VoIP/IP PBX.
> > > > > >
> > > > > > Either, the problem is that trivial on FreeBSD, so no further  
> > > > mentioning is  
> > > > > > necessary (which would explain the vast emptyness of explanations,  
> > > > hints  
> > > > > > and
> > > > > > so on) or FreeBSD is a complete wasteland on this subject - which I  
> > > > also  
> > > > > > suspect, since pfSense and OPNsense must have come along with such  
> > > > problems  
> > > > > > and I simply do not know or recognise the software used for those  
> > > > purposes.  
> > > > > >
> > > > > > So, if someone enlightened in this matter stumbles over my  
> > question and  
> > > > > > could
> > > > > > delegate me onto the right way (ports, ng_XXX netgraph ficilities  
> > to  
> > > > look  
> > > > > > at,
> > > > > > some ipfw techniques relevant to the problem apart from the stupid  
> > > > simple  
> > > > > > forwarding large ranges of ports) - I'd appreciate this and
> > > > > >
> > > > > > thanks in advance for patience and help,
> > > > > >
> > > > > > Oliver
> > > > > >  
> > > > >
> > > > >
> > > > > Hi
> > > > >
> > > > > It might be easier if you just enable STUN on Asterisk, and build  
> > FreeBSD  
> > > > > from source with my [largely neglected :( ] patch on
> > > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219918
> > > > >
> > > > > That way Asterisk should dynamically discover consistent external  
> > > > mappings  
> > > > > for connections, making port forwarding RTP unnecessary.
> > > > >
> > > > > Damjan  
> > > >
> > > > STUN is enabled, but my providers do not support STUN.
> > > >
> > > > I try to figure out how SIP works exactly to make my problem more  
> > precise.  
> > > > I
> > > > also try to understand the aim of your patch - as far as I know, it  
> > does  
> > > > exactly as it is needed for the IPW/NAT/VoIP case. And I really regret  
> > that  
> > > > there are objections to commit the patch ...
> > > >
> > > >  
> > > Firstly, if your providers support NAT, you register to them (as opposed  
> > to  
> > > they register to you, or no registration), and the only VoIP calls are
> > > to/from your providers and to/from the same IP:port you register to (as
> > > opposed to unknown external addresses), then none of this should be
> > > necessary. Just put these on every SIP peer in Asterisk (this is for
> > > chan_sip; not sure about chan_pjsip):  
> >
> >
> >
> > My providers do support NAT, I suppose, I'm sure with one. Not so
> > sure about the iberian Telefonica/O2 - they claim, but they are a kind of
> > not
> > willing to provide substantial informations as they want to force
> > customers to
> > use the (crap) equipment they offer.
> >
> > Very often, calling from the outside through the NAT/firewall to the PBX, I
> > have this half-duplex phenomenon well described in many palces regarding
> > NAT.
> > In most cases I can hear the answering machine/voicemail from the PBX, but
> > I
> > can not send an audio stream inside.
> >
> > When my PBX register to its provider, how is the RTP port port for the
> > ingress
> > media stream (from the view of my PBX) opened? As I understand stateful
> > IPFW,
> > someone from the inside needs first to punchhole the firewall. I must
> > confess,
> > I have a bit of an understanding problem here since I do know know the
> > protocol. Is there anything on the net explaining this scenario? RFC3261 is
> > describing SIP, but not the registration ...
> >
> >  
> Both sides usually send RTP to each other. When you send RTP through your
> NAT to a provider supporting NAT, it should see where you are externally
> sending from, and send its future RTP packets back there, even if that
> isn't the (internal) IP:port you previously said you would use in your SDP.
> 
> This can obviously break in some cases:
> - If the voice is intentionally one-way throughout the call, such as
> phoning out into an announcement service that intentionally says "sendonly"
> in its SDP, so you aren't sending any RTP to it and its RTP can't route
> back to you.
> - If you use out of band ringback and transfer out an inbound call before
> it's answered, so the call hairpins from the provider through you and back.
> You have to send RTP to open NAT mappings, but you have nothing to send, as
> you first need to receive it, but can't as the NAT mappings aren't open: a
> cycle you can't exit.
> 
> For those cases, NAT traversal can't be transparent, you have use some kind
> of software negotiated NAT traversal: static port forwarding and set
> Asterisk's external signaling and media addresses, use STUN with cone NAT
> (my patch + STUN/ICE settings in Asterisk's rtp.conf, sip.conf, etc.), or a
> NAT traversal protocol such as UPNP or NAT-PMP with supporting software
> (which Asterisk currently isn't).
> 
> 
> > >
> > > directmedia=no
> > > nat=force_rport,comedia  
> >
> > In chan_pjsip, I  found these settings important for NAT on peers in
> > avrious
> > places on the net:
> >
> > rtp_symmetric=                  yes
> > ;rtp_keepalive=                  30 (not sure about
> > ;                               the timing here, I use this
> > value)
> > force_rport=                    yes
> > rewrite_contact=                yes
> > timers=                         yes
> > direct_media=                   no
> > disable_direct_media_on_nat=    yes
> >  
> > >
> > > and register to your provider more often than your NAT timeout is (eg.
> > > every minute), and you should be good. Why? Every registration opens a  
> > NAT  
> > > mapping that your provider can use to send you calls on. The provider  
> > will  
> > > also send RTP to the source IP:port it received it from, so when you  
> > start  
> > > sending RTP you will get RTP back even if it's arriving from an  
> > unexpected  
> > > IP:port. NAT is not a big problem for SIP clients, only for SIP providers
> > > that have receive packets from unknown addresses.  
> >
> > I tried to find lifetime settings or timeout, the only (documented) values
> > I
> > founf were located in ipfw(8):
> >
> >      net.inet.ip.fw.dyn_ack_lifetime: 300
> >
> >      net.inet.ip.fw.dyn_syn_lifetime: 20
> >
> >      net.inet.ip.fw.dyn_fin_lifetime: 1
> >
> >      net.inet.ip.fw.dyn_rst_lifetime: 1
> >
> >      net.inet.ip.fw.dyn_udp_lifetime: 10
> >
> >      net.inet.ip.fw.dyn_short_lifetime: 5  
> > >
> > > Otherwise...
> > >
> > > Why would your providers need to support STUN? Applications first use  
> > STUN  
> > > to discover the external IP:port of their internal IP:port, and then
> > > communicate that IP:port to the other side however they usually would  
> > (eg.  
> > > headers in SIP and SDP packets) - the other side doesn't know or care  
> > that  
> > > they were discovered through STUN. Any STUN server anywhere on the  
> > Internet  
> > > can be used for this and should give the same results; see
> > > https://www.voip-info.org/wiki/view/STUN for a list.  
> >
> > I can use the STUN of an other provider, but not sure this is necessary,
> > since
> > both providers I'm consumer do not offer STUN themselfes.
> >  
> > >
> > > My patch ensures UDP NAT hole punching logic can be used properly. With  
> > it,  
> > > if a packet was sent from an internal IP:port through an external IP:port
> > > (eg. to a STUN server), then any future packet from that internal IP:port
> > > to any other external server:port will go out the same external IP:port,
> > > and no other internal IP:port will use that external IP:port. It's like  
> > the  
> > > internal IP:port temporarily owns the unique external IP:port and can  
> > send  
> > > and receive through it to and from anywhere. The same source IP:port will
> > > be seen by all servers, and they can send back to it.  
> >
> >
> > That sounds plausible, but implies that, say the PBX behind the NAT at
> > IP1:port, is not guaranteed to send exclusively via external IP2:port?
> >
> >  
> With my patch, every packet from IP1:port1 will be routed out of IP2:port2,
> no matter what the destination. Of course software must be written to
> detect IP2:port2 for every new socket using something like STUN, and report
> IP2:port2 to other parties it wants traffic from.


Stupid question here:

is this patch some kind of similar to that what the Linux folks call "CONNTRACK"?

Whenever I read about SIP and NAT in conjunction with Linux, this "conntrack" module is
always a kind of requisite.

On a quick search, I found this page :

https://voipmagazine.wordpress.com/2015/03/14/linux-nat-using-conntrack-and-iptables/

and in some places I had the impression that your patch is exactly what "conntrack" is in
the Linux world.

-- 
O. Hartmann

Ich widerspreche der Nutzung oder Übermittlung meiner Daten für
Werbezwecke oder für die Markt- oder Meinungsforschung (§ 28 Abs. 4 BDSG).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20170928/c1d07aa6/attachment.sig>


More information about the freebsd-current mailing list