Pfsense jitsi ICE failed

aGeekhere

Hi all,

I have an issue with jitsi for video/audio external calls, get an ICE failed https://jitsi.org/Documentation/FAQ#ice-failed

TCP port is open
UDP port range is open

Anyone have any ideas (as it worked on my old router).

stephenw10

Does it require static port mapping?
https://doc.pfsense.org/index.php/Static_Port

Steve

aGeekhere

will try switching to Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and see if that works

aGeekhere

tried changing to Manual Outbound NAT rule generation, same problem

cmb

Not just manual outbound, with static port.
https://doc.pfsense.org/index.php/Static_Port

aGeekhere

Hi
new outbound rule at top
WAN  192.168.1.0/24 * * * WAN address * YES Auto created rule for LAN to WAN

outbound rule setup

interface wan
protocol any
source network
192.168.1.0/24
Destination unticked

Translation interface address
Static-port ticked
No XMLRPC Sync unticked

still ICE failed

Am i missing something?
chat works just not audio or video calls

stephenw10

Hmm, I've never used jitsi so I can't comment directly but I can't believe it's much different from other video conferencing systems. A quick glance through the FAQs shows it has multiple methods for traversing NAT, I would have thought one of them should be working. I can see no mention of specific ports required so I assume it used dynamic ports. It could be that your previous router had UPnP enabled by default and it was using that. pfSense does not enable it by default so you could try that. Be aware of the security implications of doing so.

Steve

aGeekhere

I have it going through openfire jitsi videobridge with udp ports 50000-60000 tcp port 5222 both are open in nat.

So the setup

Server running openfire with jitsi videobridge
tcp port 5222 open for server's ip
udp ports 50000-60000 open for the server's ip

Chat works and the users are able to connect.

jitsi has a fall back dns (enable parallel DNS resolving)
8.8.8.8
on port 53
Could it be that it wants to connect to the fall back dns but it can't?

How would I allow the above dns?

kejianshi

You will either need to run openfire with a public IP on the machine running openfire.

Or run a stun server with public IPs on that.

kejianshi

FYI - been running openfire chat servers for many years and its only ever worked with RTP video/audio streams for me on public IPs.

I keep my personal server behind pfsense and behind NAT to reduce its exposure to the web but I've had one running with a public IP also and that one has great video/audio and security features of jitsi work great with that also.

aGeekhere

But if i use a standard router I do not get any ICE errors.

I will try using the openfire STUN server plugin and see how that goes

kejianshi

So, you have had success running openfire with audio/video with both clients behind NAT and pfsense behind NAT without STUN?

That would make you smarter than me for sure (-:

kejianshi

The stun plugin requires an interface with public IP on the interface.

aGeekhere

The stun plugin worked :)

Thank you

kejianshi

Anytime.