Hi Arturo,

In the config that almost worked, if the external NATed endpoint is not NAT-aware, and if the NAT it is behind is not H.323-aware, then it is necessary to forward ports on that NAT to the endpoint. If you can use fast start and/or H.323 tunneling, it should work to just forward TCP 1720. However, you may also need to forward TCP port(s) for H.245, and/or UDP ports for RTP. See endpoint documentation, or sniff to find out what they are.

In your single-GK config, I don't know what's wrong, but IMO using cascaded NATs is just asking for trouble. If you have enough addresses available on 192.168.1.0/24, consider setting up the Linux firewall as a bridge or a pseudo-bridge. If you need to have a separate 192.168.0 network, then set up the Linux firewall as an ordinary (non NAT) router, and add a static route to your main router to forward packets for 192.168.0.0/24 to 192.168.1.3.

Good luck,

Stewart

----- Original Message -----
From: "Arturo Sandrigo" <arturo.sandrigo@xxxxxxxxx>
To: <openh323gk-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, March 31, 2005 10:02 AM
Subject: Help needed on gnugk config

> Hi all,
> I'm trying to configure gnugk behind nat, the network situation is
> this:
>
>   external endpoint (may be natted)
>        |
>        | x.x.x.x
>   Router (it's doing Nat and firewall)
>        | 192.168.1.1
>   -----------------------------------------
>   |                         | (DMZ)
>   | 192.168.1.3             | 192.168.1.2
>   Linux                     |
>   firewall               internal
>   with nat               endpoint2.
>   | 192.168.0.254
>   |
>   |192.168.0.1
>   internal
>   endpoint1
>
> Is it possible to use only one gatekeeper on the Linux firewall
> machine to connect all the endpoints ?
> I tried to do this with gnugk 2.0.9 (the 2.2.1 has more problems, or so it
> looks) and the following configuration:
> --------------------------------
> [Gatekeeper::Main]
> Fourtytwo=42
> Name=GK1
> ;TotalBandwidth=16777216
> NetworkInterfaces=192.168.0.254/24, 192.168.1.3/24,x.x.x.x/0
>
> [RoutedMode]
> GKRouted=1
> H245Routed=1
> CallSignalPort=1720
> CallSignalHandlerNumber=1
> AcceptNeighborsCalls=1
> AcceptUnregisteredCalls=1
> RemoveH245AddressOnTunneling=1
> DropCallsByReleaseComplete=1
> SupportNATedEndpoints=1
> Q931PortRange=20000-29999
> H245PortRange=30000-30999
>
> [Proxy]
> Enable=1
> T120PortRange=40000-40999
> RTPPortRange=50000-59999
> ProxyForNAT=1
> ProxyForSameNAT=0
>
> [RasSrv::RRQFeatures]
>
> [RasSrv::ARQFeatures]
> ArjReasonRouteCallToSCN=0
> ArjReasonRouteCallToGatekeeper=1
> CallUnregisteredEndpoints=1
> RemoveTrailingChar=#
>
> [RasSrv::RRQAuth]
> default=confirm
>
> [GkStatus::Auth]
> rule=explicit
> 192.168.0.1=1
> 192.168.1.2=1
> 127.0.0.1=1
> 192.168.1.4=1
> default=forbid
> ------------------------------------------
> But it's not working.
>
> I also tried to solve the problem with 2 gnugk configured as neighbors
> and it almost worked, but if the external endpoint is natted I can't call
> it from the internal endpoint.
> The configurations are the following:
> ------------------------------------------
> GK1 configuration (on linux firewall)
> ------------------------------------------
> [Gatekeeper::Main]
> Fourtytwo=42
> Name=GK1
> ;TotalBandwidth=16777216
>
> NetworkInterfaces=192.168.0.254/24,192.168.1.3/24
>
> [RoutedMode]
> GKRouted=1
> H245Routed=1
> CallSignalPort=1720
> CallSignalHandlerNumber=1
> AcceptNeighborsCalls=1
> AcceptUnregisteredCalls=1
> RemoveH245AddressOnTunneling=1
> DropCallsByReleaseComplete=1
> SupportNATedEndpoints=1
> Q931PortRange=20000-29999
> H245PortRange=30000-30999
>
> [Proxy]
> Enable=1
> T120PortRange=40000-40999
> RTPPortRange=50000-59999
> ProxyForNAT=1
> ProxyForSameNAT=1
>
> [RasSrv::Neighbors]
> GK2=192.168.1.4
>
> [RasSrv::GWPrefixes]
> GK2=*
>
> [RasSrv::RRQFeatures]
>
> [RasSrv::ARQFeatures]
> ArjReasonRouteCallToSCN=0
> ArjReasonRouteCallToGatekeeper=1
> CallUnregisteredEndpoints=1
> RemoveTrailingChar=#
>
> [RasSrv::RRQAuth]
> default=confirm
>
> [GkStatus::Auth]
> rule=explicit
> 192.168.0.1=1
> 192.168.1.2=1
> 127.0.0.1=1
> 192.168.1.4=1
> default=forbid
>
> [RasSrv::RewriteE164]
>
> [RasSrv::LRQFeatures]
> ForwardHopCount=7
> NeighborTimeout=10
> ForwardResponse=1
> AcceptForwardedLRQ=1
> AlwaysForwardLRQ=1
>
>
> [RasSrv::PermanentEndpoints]
>
> [Gatekeeper::Auth]
> default=allow
>
> [CallTable]
> AcctUpdateInterval=60
>
> [Gatekeeper::Acct]
> FileAcct=sufficient;stop
> default=accept
>
> [FileAcct]
> DetailFile=/var/log/gk/CDR.log
> StandardFormat=1
> #Rotate=weekly
>
> [NATedEndpoints]
>
> [Endpoint]
>
> [CTI::Agents]
> VirtualQueueAliases=CC
> RequestTimeout=10
>
> [LogFile]
> rotate=Weekly
>
> ------------------------------------------
> GK2 configuration on Linux in DMZ
> ------------------------------------------
> [Gatekeeper::Main]
> Fourtytwo=42
> Name=GK2
> #TotalBandwidth=16777216
> ;Home=192.168.1.4
> NetworkInterfaces= 192.168.1.4/24,x.x.x.x/0
> ;x.x.x.x is the public ip of my router
>
> [RoutedMode]
> GKRouted=1
> H245Routed=1
> CallSignalPort=1720
> CallSignalHandlerNumber=1
> AcceptNeighborsCalls=1
> AcceptUnregisteredCalls=1
> RemoveH245AddressOnTunneling=1
> DropCallsByReleaseComplete=1
> SupportNATedEndpoints=1
> Q931PortRange=20000-29999
> H245PortRange=30000-30999
>
> [Proxy]
> Enable=1
> T120PortRange=40000-40999
> RTPPortRange=50000-59999
> ProxyForNAT=1
> ProxyForSameNAT=1
>
> [RasSrv::Neighbors]
> GK1=192.168.1.3
>
> [RasSrv::GWPrefixes]
> GK1=*
>
> [RasSrv::RRQFeatures]
>
> [RasSrv::ARQFeatures]
>
> ArjReasonRouteCallToSCN=0
> ArjReasonRouteCallToGatekeeper=0
> CallUnregisteredEndpoints=1
> RemoveTrailingChar=#
>
> [RasSrv::RRQAuth]
> default=confirm
>
> [GkStatus::Auth]
> rule=explicit
> 192.168.0.1=1
> 192.168.1.2=1
> 192.168.1.3=1
> 127.0.0.1=1
> 192.168.1.4=1
> default=forbid
>
> [RasSrv::RewriteE164]
>
> [RasSrv::LRQFeatures]
> ForwardHopCount=7
> NeighborTimeout=10
> ForwardResponse=1
> AcceptForwardedLRQ=1
> AlwaysForwardLRQ=1
>
> [RasSrv::PermanentEndpoints]
>
> [Gatekeeper::Auth]
> default=allow
>
> [CallTable]
> AcctUpdateInterval=60
>
> [Gatekeeper::Acct]
> FileAcct=sufficient;stop
> default=accept
>
> [FileAcct]
> DetailFile=/var/log/gk/CDR.log
> StandardFormat=1
> #Rotate=weekly
>
> [NATedEndpoints]
>
> [Endpoint]
>
> [CTI::Agents]
> VirtualQueueAliases=CC
> RequestTimeout=10
>
> [LogFile]
> rotate=Weekly
> --------------------------------------------
> I spent a lot of time trying to solve this problem (the best solution
> is with one gatekeeper) but without reaching the goal :(.
> All the ports are open on the router and forwarded to the GK2 ... and
> the firewall of GK1 has the necessary ports open.
> Can anyone help me please?
> Thanks in advance.
> Arturo Sandrigo

_______________________________________________________
List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
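
Added example (not part of the original messages and not GnuGk code): the reply names the forwards a NAT needs (TCP 1720, TCP for H.245, UDP for RTP), and the quoted GK2 settings pin those ports down. This Python sketch reads them from an excerpt of that config and flags router forwards that are wider than required. The function names and the sample router rule list are assumptions made for illustration.

```python
import configparser

# Excerpt of the GK2 settings quoted in the message (only the keys used here).
GK2_INI = """
[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
H245PortRange=30000-30999

[Proxy]
Enable=1
RTPPortRange=50000-59999
"""

# Transports as named in the reply: TCP for call signalling and H.245, UDP for RTP.
WANTED = [
    ("RoutedMode", "CallSignalPort", "tcp"),
    ("RoutedMode", "H245PortRange", "tcp"),
    ("Proxy", "RTPPortRange", "udp"),
]

def parse_range(text):
    """'1720' -> (1720, 1720); '30000-30999' -> (30000, 30999)."""
    lo, _, hi = text.strip().partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi

def required_forwards(ini_text):
    """Return [(proto, low, high)] for the ports the config pins down."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key case used in the ini file
    cp.read_string(ini_text)
    return [(proto, *parse_range(cp.get(section, key)))
            for section, key, proto in WANTED if cp.has_option(section, key)]

def excess_forwards(forwarded, required):
    """Forwarded rules that reach ports outside every required range."""
    return [f for f in forwarded
            if not any(f[0] == r[0] and r[1] <= f[1] and f[2] <= r[2]
                       for r in required)]

if __name__ == "__main__":
    needed = required_forwards(GK2_INI)
    # Constructed router rule set: one catch-all TCP forward, one exact RTP forward.
    router = [("tcp", 1, 65535), ("udp", 50000, 59999)]
    print("needed:", needed)
    print("wider than needed:", excess_forwards(router, needed))
```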