From owner-freebsd-current@freebsd.org Tue Sep 26 14:27:14 2017
From: Damjan Jovanovic
Date: Tue, 26 Sep 2017 16:26:51 +0200
Subject: Re: FreeBSD, IPFW and the SIP/VoIP NAT problem
To: "O. Hartmann"
Cc: "O. Hartmann", freebsd-current, freebsd-ipfw@freebsd.org
In-Reply-To: <20170926154429.1c79d842@freyja.zeit4.iv.bundesimmobilien.de>
References: <20170926103543.0aa03c7a@freyja.zeit4.iv.bundesimmobilien.de> <20170926154429.1c79d842@freyja.zeit4.iv.bundesimmobilien.de>
List-Id: Discussions about the use of FreeBSD-current

On Tue, Sep 26, 2017 at 3:44 PM, O. Hartmann wrote:
> On Tue, 26 Sep 2017 11:00:45 +0200
> Damjan Jovanovic wrote:
>
> > On Tue, Sep 26, 2017 at 10:35 AM, O. Hartmann wrote:
> >
> > > Hello,
> > >
> > > trying to build a FreeBSD based router/PBX (Asterisk 13) appliance, I ran
> > > into several problems. My questions might have a "noobish" character, so my
> > > apology, my experiences with IPFW are not as thorough as they should be.
> > >
> > > Before I get into medias res, a question about Pine64/AARCH64:
> > >
> > > - port net/asterisk13 is supposed to build only on armv6, is aarch64 about
> > >   coming soon also supported?
> > > - would a Pine64 running CURRENT (12) be sufficient as a PBX platform
> > >   (assumed having 2 GB of RAM)?
> > >
> > > My main concern is about IPFW (we do not use PF for some reasons, I have to
> > > stay with IPFW).
> > >
> > > I'm a customer of two ITSPs and my SoHo network is behind NAT and not yet
> > > IPv6. The FreeBSD system acting as a router is supposed to have a jail soon
> > > containing the Asterisk 13 IP PBX (at the moment running on the main
> > > system). To provide access to the VoIP infrastructure inside/behind the
> > > router/NAT system, the in-kernel NAT facility of FreeBSD is forwarding the
> > > relevant UDP/TCP ports for VoIP to its destination network, and here I have
> > > a problem to solve.
> > >
> > > While it is simple and easy to forward 5060/udp, 5070/tcp and other ports,
> > > it is a mess and pain in the arse to forward a whole range, say 11000/udp -
> > > 35000/udp, which is a range one of my providers is sending RTP on. A second
> > > provider uses another range for RTP, starting at 5000/udp. So, the logical
> > > consequence would be a union set up UDP range to forward, which expands
> > > then from 5000/udp to 45000/udp - which is much more a pain ...
> > >
> > > One of the most disturbing and well known problems is that due to the
> > > stateful firewall the RTP session very often is half duplex - it seems one
> > > direction of the RTP connection doesn't make it through IPFW/NAT.
> > > As often as I search the net, I always get informed this is a typical
> > > problem and solutions are provided by so called ALGs - since SIP protocol's
> > > SDP indicates within the payload of the packets on which UDP ports both
> > > ends wish to establish their RTP session, it would be "easy" to pinhole the
> > > IPFW on exactly those ports for a theoretical large number of sessions, if
> > > IPFW could "divert" those packets to an instance inspecting SDP (or
> > > whatever is used for the RTP port indication, I'm new to that, sorry for
> > > the terminology) and then pinholing the NAT/IPFW for exactly this purpose
> > > without the forwarding mess. I came along netgraph() while searching for
> > > hints and hooks, but it seems a complete Linux domain, when it comes to
> > > appliances like VoIP/IP PBX.
> > >
> > > Either, the problem is that trivial on FreeBSD, so no further mentioning is
> > > necessary (which would explain the vast emptiness of explanations, hints
> > > and so on) or FreeBSD is a complete wasteland on this subject - which I
> > > also suspect, since pfSense and OPNsense must have come along with such
> > > problems and I simply do not know or recognise the software used for those
> > > purposes.
> > >
> > > So, if someone enlightened in this matter stumbles over my question and
> > > could delegate me onto the right way (ports, ng_XXX netgraph facilities to
> > > look at, some ipfw techniques relevant to the problem apart from the stupid
> > > simple forwarding large ranges of ports) - I'd appreciate this and
> > >
> > > thanks in advance for patience and help,
> > >
> > > Oliver
> > >
> >
> > Hi
> >
> > It might be easier if you just enable STUN on Asterisk, and build FreeBSD
> > from source with my [largely neglected :( ] patch on
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219918
> >
> > That way Asterisk should dynamically discover consistent external mappings
> > for connections, making port forwarding RTP unnecessary.
> >
> > Damjan
>
> STUN is enabled, but my providers do not support STUN.
>
> I try to figure out how SIP works exactly to make my problem more precise. I
> also try to understand the aim of your patch - as far as I know, it does
> exactly as it is needed for the IPFW/NAT/VoIP case. And I really regret that
> there are objections to commit the patch ...
>

Firstly, if your providers support NAT, you register to them (as opposed to
them registering to you, or no registration), and the only VoIP calls are
to/from your providers and to/from the same IP:port you register to (as
opposed to unknown external addresses), then none of this should be necessary.
Just put these on every SIP peer in Asterisk (this is for chan_sip; not sure
about chan_pjsip):

directmedia=no
nat=force_rport,comedia

and register to your provider more often than your NAT timeout is (e.g. every
minute), and you should be good.

Why? Every registration opens a NAT mapping that your provider can use to send
you calls on. The provider will also send RTP to the source IP:port it received
it from, so when you start sending RTP you will get RTP back even if it's
arriving from an unexpected IP:port.
NAT is not a big problem for SIP clients, only for SIP providers that have to
receive packets from unknown addresses.

Otherwise...

Why would your providers need to support STUN? Applications first use STUN to
discover the external IP:port of their internal IP:port, and then communicate
that IP:port to the other side however they usually would (e.g. headers in SIP
and SDP packets) - the other side doesn't know or care that they were
discovered through STUN. Any STUN server anywhere on the Internet can be used
for this and should give the same results; see
https://www.voip-info.org/wiki/view/STUN for a list.

My patch ensures UDP NAT hole punching logic can be used properly. With it, if
a packet was sent from an internal IP:port through an external IP:port (e.g.
to a STUN server), then any future packet from that internal IP:port to any
other external server:port will go out the same external IP:port, and no other
internal IP:port will use that external IP:port. It's like the internal IP:port
temporarily owns the unique external IP:port and can send and receive through
it to and from anywhere. The same source IP:port will be seen by all servers,
and they can send back to it.
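To make the mapping behaviour discussed in this thread concrete, here is a small Python model of a UDP NAT. It is an added example, not code from the FreeBSD patch, from libalias/ipfw nat, or from Asterisk; every address, port and timeout in it is constructed, and it simplifies real NATs by tying inbound filtering to the mapping policy (a per-destination mapping only accepts replies from the destination that created it). It contrasts the endpoint-independent mapping the patch describes with a per-destination mapping, showing why the port learned through STUN only matches the port the provider actually sees under the former, why a comedia-style provider that answers to the source IP:port of the RTP it receives still works under the latter, and why re-registering more often than the NAT idle timeout keeps the inbound path for calls open.

```python
"""Toy model of UDP NAT mapping behaviour for SIP/RTP behind NAT.
Added example; not the FreeBSD patch, libalias, or Asterisk code.
All addresses, ports and timings below are constructed."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """A minimal UDP NAT.

    endpoint_independent=True: every packet from one internal IP:port leaves
    through one external port regardless of destination, and anyone may send
    back to it (the behaviour the patch in the thread describes).
    endpoint_independent=False: each (internal IP:port, destination) pair gets
    its own external port and only that destination may answer on it (a
    simplified "symmetric" NAT, used here as the contrast case)."""
    external_ip: str
    endpoint_independent: bool
    idle_timeout: float = 120.0  # seconds without outbound traffic before a mapping dies
    _ports: count = field(default_factory=lambda: count(40000))
    _table: Dict[object, list] = field(default_factory=dict)  # key -> [ext_port, last_used]

    def _key(self, src: Addr, dst: Addr):
        return src if self.endpoint_independent else (src, dst)

    def _expire(self, now: float) -> None:
        dead = [k for k, (_, last) in self._table.items() if now - last > self.idle_timeout]
        for k in dead:
            del self._table[k]

    def outbound(self, src: Addr, dst: Addr, now: float) -> Addr:
        """Translate an outbound packet; return the external IP:port it leaves from."""
        self._expire(now)
        key = self._key(src, dst)
        entry = self._table.get(key)
        if entry is None:
            entry = self._table[key] = [next(self._ports), now]
        entry[1] = now  # outbound traffic refreshes the mapping
        return (self.external_ip, entry[0])

    def inbound(self, ext_port: int, remote: Addr, now: float) -> Optional[Addr]:
        """Return the internal IP:port an inbound packet reaches, or None if dropped."""
        self._expire(now)
        for key, (port, _) in self._table.items():
            if port != ext_port:
                continue
            if self.endpoint_independent:
                return key  # key is the internal IP:port; any remote may answer
            src, dst = key
            if dst == remote:  # only the peer that created the mapping may answer
                return src
        return None


def rtp_scenario(endpoint_independent: bool, provider_comedia: bool) -> Tuple[bool, bool]:
    """Asterisk learns its reflexive address via STUN, advertises it in SDP and
    starts sending RTP to the provider. Returns (advertised port == port actually
    used towards the provider, provider's RTP reached Asterisk)."""
    nat = Nat("203.0.113.5", endpoint_independent)
    asterisk_rtp: Addr = ("192.168.1.10", 10000)
    stun_server: Addr = ("198.51.100.1", 3478)
    provider_media: Addr = ("192.0.2.20", 12000)
    advertised = nat.outbound(asterisk_rtp, stun_server, now=0)  # STUN Binding request
    actual = nat.outbound(asterisk_rtp, provider_media, now=1)  # first RTP packet out
    # comedia: the provider answers to the IP:port the RTP arrived from, not the SDP one
    target = actual if provider_comedia else advertised
    delivered = nat.inbound(target[1], provider_media, now=2)
    return advertised == actual, delivered == asterisk_rtp


def registration_scenario(register_interval: float, nat_timeout: float, call_at: float) -> bool:
    """Asterisk REGISTERs every register_interval seconds; at call_at the provider
    sends an INVITE to the mapping the last REGISTER came from. True if it arrives."""
    nat = Nat("203.0.113.5", endpoint_independent=True, idle_timeout=nat_timeout)
    asterisk_sip: Addr = ("192.168.1.10", 5060)
    provider_sip: Addr = ("192.0.2.10", 5060)
    mapping = None
    t = 0.0
    while t <= call_at:
        mapping = nat.outbound(asterisk_sip, provider_sip, now=t)
        t += register_interval
    return nat.inbound(mapping[1], provider_sip, now=call_at) == asterisk_sip


if __name__ == "__main__":
    for eim in (True, False):
        for comedia in (False, True):
            print(f"endpoint-independent={eim!s:5} comedia={comedia!s:5} ->",
                  rtp_scenario(eim, comedia))
    print("REGISTER every 60 s, NAT timeout 120 s:", registration_scenario(60, 120, 500))
    print("REGISTER every 600 s, NAT timeout 120 s:", registration_scenario(600, 120, 500))
```

Running it shows the two failure modes the thread is about: with a per-destination mapping and a provider that trusts the SDP address, the advertised port is never the one RTP actually leaves from and the return stream is dropped (the one-way audio described above), while either endpoint-independent mapping or a comedia-style provider gets the media through without forwarding any port range. The registration case shows the mapping silently expiring when the re-registration interval exceeds the NAT idle timeout, which is the condition to monitor when inbound calls stop arriving.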