Netgate Discussion Forum

    How to NAT incoming traffic for certain source and certain port??

    Firewalling | 13 Posts | 4 Posters | 1.1k Views
    • louis2

      Hello,

      I need to NAT WAN incoming VoIP traffic towards my VoIP client. However, for some reason it does not work. I am not at all a NAT expert, so it is possible that I am doing something wrong.

      Up to now I used NAT to forward traffic to my servers. Quite simple: traffic with destination port abc to be mapped to address xyz. However, what I need now is more complex.

      One of the things to be forwarded are the SIP INVITEs arriving from the VoIP platform.

      The VoIP platform has address range a.b.0.0/16. The SIP port is 5600 and the VoIP client has address 1.2.3.4. SIP is UDP. The client is in a LAN VLAN.

      So I go to Firewall => NAT => Port Forward and create a rule:

      • Interface: WAN
      • Address Family: IPv4
      • Protocol: UDP
      • Advanced (source): Single host or alias; <alias for the VoIP platform = a.b.0.0/16>
      • Source port range: other 5600 / other 5600
      • Destination: WAN address
      • Destination port range: any (assumed to be the original port number)
      • Redirect target IP: 1.2.3.4 (the address of the client)

      However, this does not work. The incoming packets do not trigger the rule, so the packets are not NATed => no VoIP
      (using "packet capture" the SIP INVITE is visible on the WAN but not on the LAN 😢 🤕)

      Note that I am running 2.7 development. I do not expect it, but there could be a bug. I know there have been some NAT-related code changes.

      As always, some help is appreciated 😊

      Louis

      • johnpoz (LAYER 8 Global Moderator) @louis2

        @louis2 said in How to NAT incoming traffic for certain source and certain port??:

        The incoming packets do not trigger the rule

        So you post lots of details of your port forward, but no mention of the rule on your WAN, where this traffic comes in.

        Normally when you create a port forward, it defaults to creating the WAN rule. But order matters, and source actually matters as well: if for some reason that source was RFC1918, it is blocked by default on the WAN, before any of your rules would be evaluated.

        Much easier to read if you would post a screenshot of your port forward, and also the rules you have on your WAN, and any rules you have on your floating tab that could also mess with your WAN rules, since floating rules are normally evaluated before interface rules (if they are marked quick).

        You don't actually say where the source network is - is it RFC1918? And are you sure the source port is going to be 5060, or just the destination port?

        Posting your sniff where you see this traffic come into your WAN would be helpful as well.

        edit: also, btw, this is why screenshots are way better: in your text you say 5600, but SIP is 5060..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • SteveITS (Galactic Empire) @louis2

          @louis2 said in How to NAT incoming traffic for certain source and certain port??:

          source port range other 5600 other 5600

          Are you sure that's not the destination port? Normally source ports are randomized. Try allowing any source port.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • johnpoz (LAYER 8 Global Moderator) @SteveITS

            Exactly.. And dest port would normally be 5060 for SIP.

            • louis2

              Hello,

              I do not know why, perhaps as a consequence of restarts and/or switching the WAN on and off, whatever ..... but the NAT works .....

              For info, in a SIP INVITE the source address is 5600, see below

              SipInviteFrame.JPG

              Below a couple of rules I am using to forward some traffic. Of course there are some related auto-generated rules on the WAN interface

              SomeNatRules.JPG

              There are some more rules required, however ........ I still do not have working telephony 😧 😧 I assume that is related to the registration communication between the provider's VoIP platform and the FritzBox.

              At this moment, despite lots of tests and Wireshark traces, I just do not know what the remaining issues are and, as a consequence, even less how to fix them .....

              I even doubt if I will ever get it working .....
              Not everything ..... is documented the way I would like ....... and the FritzBox is not intended to be used as a VoIP access point, as opposed to its intended use as a router

              Louis

              • SteveITS (Galactic Empire) @louis2

                @louis2 So the IP .61 is KPN_IMS? And this is for a new call coming in to your server?

                In your second picture those are NAT forwards? What is the column after FritzBoxDect? On a NAT forward that would be "NAT Ports" and I did not think it possible to set that to any/*...?

                • Bob.Dig (LAYER 8)

                  Doesn't the FritzBox show what ports are needed?
                  For my SIP provider (and ISP) I also have to use static port outbound NAT.

                  Capture.PNG

                  And keep-alive (30 sec) in the FritzBox for telephony, but I don't have to open ports.

                  • louis2 @Bob.Dig

                    @bob-dig

                    Hi Bob, I used to have a rule like that in the past, however I do not understand the need for such a rule. Let me explain my thinking.

                    For incoming IPv4 traffic you need a NAT rule and the related firewall rule to:
                    a) allow the traffic and
                    b) map the traffic from your external IP towards the local IP of the involved IPv4 machine

                    And if I connect to the internet from the LAN you also need NAT to get a globally valid IPv4 address (the IPv4 address assigned to you). However .... that is standard and handled by the default auto-generated NAT rule.

                    So assuming that that is correct, you only need NAT rules for incoming traffic.

                    With that in mind I did create:

                    • a NAT rule to map and allow incoming SIP
                    • a NAT rule to allow incoming RTP and
                    • a NAT rule to allow some additional ports I found (but I do not know if they are really used and, if so, how)

                    I also noticed that there are ICMP status messages, so I should probably allow and NAT them as well (I still have to add that).

                    However, I have to admit that it is only partly (not to say not) working at the moment.

                    • the incoming SIP INVITEs which should pass do not always pass, and I do get perhaps related crash reports (see 2.7 development section)
                    • the SIP registration process is probably not working as it should
                    • if the incoming SIP INVITE is NATed as expected, then an incoming call / session is started ........ however ....... the outgoing RTP is not audible at the remote site (despite the fact that there is two-way audio in the WAN Wireshark trace).

                    To summarize:

                    • I do not understand the outgoing NAT rule (including "static")
                    • more other aspects to understand and solve :(

                    • Bob.Dig (LAYER 8) @louis2

                      @louis2 My understanding is, you can open ports all you want. If the other side expects static outbound NAT then you have to do that anyway, there is no way around that.

                      • louis2
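To make the two points raised in the replies concrete (johnpoz and SteveITS: match the destination port, not a fixed source port, and make sure the WAN pass rule exists; Bob.Dig: static-port outbound NAT for the phone), here is a hand-written pf.conf fragment showing roughly what those GUI rules compile to. This is an added example, not a rule set posted in the thread or generated by pfSense itself. The interface name, the LAN subnet and the 203.0.113.0/24 range standing in for the provider's a.b.0.0/16 are assumptions; 1.2.3.4 is the client address from the first post.

```pf
# Added example, not from the thread or from pfSense's generated ruleset.
# Placeholders (assumptions): WAN interface, LAN subnet, provider range.
wan_if      = "igb0"                        # assumption
lan_net     = "192.168.10.0/24"             # assumption
voip_client = "1.2.3.4"                     # client address from the first post
table <voip_platform> { 203.0.113.0/24 }    # stands in for the provider's a.b.0.0/16

# 1. The forward as first described, matching only when the *source* port is
#    5600. An INVITE sent from any other port never matches, so nothing is
#    translated and the packet never appears on the LAN. Left commented out.
# rdr on $wan_if inet proto udp from <voip_platform> port 5600 to ($wan_if) -> $voip_client

# 2. The forward as the replies suggest: any source port, destination port
#    5060 (the standard SIP port), redirected to the client.
rdr on $wan_if inet proto udp from <voip_platform> to ($wan_if) port 5060 \
    -> $voip_client port 5060

# pf translates before it filters, so the WAN pass rule is written against the
# *translated* destination. The rdr line alone lets nothing through.
pass in quick on $wan_if inet proto udp from <voip_platform> \
    to $voip_client port 5060 keep state

# 3. Static-port outbound NAT for the client only (Bob.Dig's point). The usual
#    outbound rule rewrites the client's UDP source port; "static-port" keeps it,
#    which some SIP providers require so that replies to the registration and
#    the RTP streams return to the port the phone actually sent from.
#    Translation rules are first-match, so this must precede the general rule.
nat on $wan_if inet proto udp from $voip_client to any -> ($wan_if) static-port

# Everything else from the LAN keeps the normal, port-rewriting outbound NAT.
nat on $wan_if inet from $lan_net to any -> ($wan_if)
```

In the pfSense GUI the last two rules correspond to Firewall > NAT > Outbound in Hybrid or Manual mode, with the "Static Port" box ticked on a rule whose source is just the VoIP client; leaving static port on for the whole LAN is unnecessary and weakens the source-port randomization the other hosts get for free.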

                        Hello,

                        I know that the actual thread title does not reflect the original subject ...... but given the previous posts, here is my actual problem.

                        At this moment I can create an incoming call (from my mobile) towards my fritzbox and I can make a call from my fritzbox towards my mobile.

                        However, in the case of the incoming call, there is no audible sound from the home set. The mobile cannot hear the home side (one-way audio).

                        In the case of the outgoing call it works like it should (two-way audio).

                        The strange thing is that Wireshark traces of both calls, in both involved VLANs (the WAN and the LAN), show that there is two-way RTP. I can listen to that using Wireshark ....... But as said, in the case of the incoming call, the audio from the home set is not audible on the mobile.

                        I did lots of tests, but I really do not understand the problem. So I really hope someone out there does understand and has the solution.

                        Below, screenshots of my actual settings

                        Louis

                        53a8526d-3531-4901-9251-946820438fd5-image.png

                        88e6c479-829b-4bcc-b71b-bdee5f191546-image.png

                          • louis2

                          I should have added that if I directly connect the FritzBox to the fibre access point, everything works as expected.

                          Up to now I did not manage to monitor / log the communication between the FritzBox and the fibre access. That is difficult since it is PPPoE with at least two VLANs (4 and 6), where the interface spec is ...... not really known.
                          Trying to connect the fibre access and the FritzBox failed, and of course then it is also not possible to capture a Wireshark trace using the switch's mirror capability.

                          • louis2

                            With the actual settings, that is the settings shown above minus the top and bottom NAT forward rules and with the two LAN rules disabled, there is very low volume audio present.

                            So to a certain extent it works, however the audio is surely not passing correctly yet

                            • louis2

                              Note,

                              while working on this issue I encountered three issues:

                              • a crash report
                              • strange NAT interface behaviour
                              • an incorrect backup file, probably related to this activity

                              So, I did open some issues in the development forum, and will wait with further trials until updates and jimp's reaction
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.