[SOLVED]Problem with h323 video-conference
-
Hi guys
I have a problem with a video-conference device behind PFSense.
The device is a Aethra X5 and my PFSense version is 2.0.2The network configuration is:
LAN: 192.168.0./24
DMZ: 172.30.30.0/24
WAN: 94.XX.YY.ZZ/29
WAN2: 88.XX.YY.ZZ/29Aethra have a static ip on the LAN.
The customer want video-conference pass through WAN2, buy for this serviceI make a 1:1 NAT with a public IP on the WAN2 and the Aethra's ip. I make two rules that allow all traffic from and to Aethra and Internet, but not works.
If the device open a connection h323 to a test ip (that I now works…) anything comes... Into the log I got only a packet from Aethra's IP (port 60000 /TCP) and the h323 server's Ip (port 1720/TCP) and no other.
Anyone help me?
PS: if I move the NAT over a WAN's Ip anything changes
PS2: I know that if I put a public IP directly on Aethra and bypass the firewall all works, but is not possible. -
Seems like you got it mostly right there. The only thing that's required that's missing is putting the public IP into the video conferencing device. H.323 is a NAT-broken protocol, the real IP has to be defined somewhere in the device.
-
Thanks, but this solution is not available. The customer want the h323 behind the firewall…
-
One solution would be to sponsor the addition of a H.323-proxy package for pfsense, as I suggested a some months ago:
GNU Gatekeeper for H.323 proxy:
http://www.gnugk.org/h323-proxy.html
H.323 remains by far the most popular protocol for video conferencing at companies, but unlike -recent- SIP software, H.323 can't deal with NAT thus requiring a proxy / ALG.
-
The scenario I'm describing lets you put the device behind the firewall, you just have to configure somewhere in that device what its real public IP is. There are NAT config options in basically every H.323 device where you tell it what its NATed IP is so it uses that within packets rather than its private IP.
-
I resolved this issue!
There are a problem in the customer's LAN settings. Now it's all ok.
My working configuration is based on 1:1 NAT between the Aethra and a public IP on the WAN. I also add a rule with all allowed in both directions (this is not a major issue, because the Aethra is normally turned off).
With this setting the h323 connections works fine