On Sun, Jun 19, 2011 at 3:41 PM, Philip Prindeville
<philipp_s...@redfish-solutions.com> wrote:
> On 6/17/11 1:12 PM, Jonathan Bennett wrote:
>> On Fri, Jun 17, 2011 at 1:56 PM, Philip Prindeville
>> <philipp_s...@redfish-solutions.com> wrote:

>>> As for Asterisk, it handles NAT fairly well *unless* Asterisk happens to be 
>>> running on the machine providing NAT mapping itself (i.e. on your firewall 
>>> appliance).  Then... not so well.
>>
>> Hmm... That's exactly how I have a server set up. I maintain a small
>> network at a church, and we have an Asterisk phone system. We use a
>> remote Sip provider for incoming and outgoing calls. It works because
>> Asterisk can talk to the provider without going through the NAT. It
>> has the public IP on one of its ethernet ports. The disadvantage is
>> that a bunch of UDP ports are open. I've always seen that as a
>> downside of SIP.
>
> That's what I'm saying. If you look into the INVITE messages (as the 
> nf_conntrack_sip helper does), you can see the remote address and port # for 
> the media connection, and plumb an association for that dynamically... you 
> can also tear it down when you see the associated BYE message. If you do 
> that, then you don't need to have any ports open.

Ah, OK. That would be great. In fact, I wouldn't mind setting up a
test platform

>
>
>>> I'd like to see Asterisk punch holes for the media stream via ipt 
>>> on-the-fly so that the phones don't actually have to be NAT-aware.
>>
>> As opposed to leaving UDP 10000 through 20000 open in the firewall?
>> That *would* be quite useful.
>
> Indeed.
>
>> Now, if the phones are routing everything through Asterisk, they don't
>> have to be NAT aware. Asterisk makes the connection internally. The
>> phones talk to Asterisk, and Asterisk talks to the Remote server.
>
> Yeah, but I don't necessarily want Asterisk in the media path.  Especially 
> not on some of the slower processors.

Considering that we're speaking in the context of openwrt and
embedded platforms, good point.

>
>
>> If the sip stream is going to re-invite, would Asterisk know the
>> incoming and outgoing ports to be able to open everything up?
>
> You leave Asterisk in the SIP stream... just not in the media stream.
>
>> I'd be very interested in a solution more like this:
>> http://www.iptel.org/sipalg/
>>
>> It claims to be a connection tracker for sip+rtp. Similar to how
>> iptables can handle the FTP issues. This seems like a much better
>> solution for most cases. Ideally it's as simple as
>>  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> IPtables should see the rtp stream as related, and let it through.
>
> That's how nf_conntrack_sip already works.
Not sure how I missed that when researching.
/me adds it to his bag of tricks

I would be very interested in seeing asterisk handle the firewall
stuff. Now that I understand exactly what you're describing, it seems
it would be the best solution for this particular problem. I'll gladly
set up a testbed server for this work. I'll also comment and
contribute to the administration side of the project as much as I am
able.

~Jonathan Bennett
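The dynamic pinhole logic Philip describes above (read the media address and port out of the INVITE's SDP, open an association, tear it down on the matching BYE), reduced to a small simulation as an added example; this is not code from the thread, from Asterisk or from nf_conntrack_sip. The SIP messages are constructed samples, and the state table is an in-memory stand-in for the firewall's conntrack entries.

```python
import re

# Constructed sample messages (not taken from the thread): an INVITE carrying
# an SDP body, and the BYE that ends the same dialog (same Call-ID).
INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Call-ID: abc123@10.0.0.5\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)
BYE = "BYE sip:bob@example.org SIP/2.0\r\nCall-ID: abc123@10.0.0.5\r\n\r\n"

def header(msg, name):
    """Return the value of one SIP header (case-insensitive), or None."""
    head = msg.split("\r\n\r\n", 1)[0]
    m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(name), head, re.M | re.I)
    return m.group(1) if m else None

def media_endpoints(msg):
    """Parse the SDP body and return the (ip, port) pairs a firewall would need
    to open: the RTP port from each m= line plus RTCP on port+1. A session-level
    c= applies to every m= unless a media-level c= follows a given m= line."""
    body = msg.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in msg else ""
    session_ip, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                media[-1][0] = ip      # media-level c= overrides for the last m=
            else:
                session_ip = ip
        elif line.startswith("m="):
            media.append([session_ip, int(line.split()[1])])
    out = set()
    for ip, port in media:
        if ip and port:                # port 0 means the stream is disabled
            out.update({(ip, port), (ip, port + 1)})
    return out

def track(table, msg):
    """Simulated helper: open pinholes on INVITE, close them on BYE, keyed by Call-ID."""
    call_id, method = header(msg, "Call-ID"), msg.split(" ", 1)[0]
    if method == "INVITE":
        table.setdefault(call_id, set()).update(media_endpoints(msg))
    elif method == "BYE":
        table.pop(call_id, None)
    return table

def active_pinholes(table):
    """All (ip, port) pairs currently allowed through, across every tracked call."""
    return set().union(*table.values()) if table else set()
```

A real helper also has to follow re-INVITEs, the SDP in the 200 OK answer, and the NAT rewriting of the address in c=, which is exactly the part that breaks when Asterisk itself sits on the NAT box.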
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
