Re: Help needed on gnugk config


 



Hi Arturo and Stewart,

I found out (with Stewart's advice) that using a GK behind the NAT is the easiest way to make things work.
Set up a GK box behind the NAT and connect it as an Endpoint Gateway to the root GK and voilà...it's on! You can have all NATted users behind its local GK and receive and make calls easily. Port forwarding is time-consuming and has a management complexity that, IMHO, doesn't pay off.


I have already two Natted networks connected to the Root GK with "Slave" GKs and with OpenMcu running up now and I can make calls between all of them and conferences also. Running beautifully now. *8)

Best regards,

------------------------------------------------
Rodrigo Afonso
rafonso@xxxxxxxxxxx
Gerente TI
RITS - Rede de Informações para o Terceiro Setor
http://www.rits.org.br
+55-21-2527-5494
------------------------------------------------



Stewart Nelson wrote:

Hi Arturo,

In the config that almost worked, if the external
NATed endpoint is not NAT-aware, and if the
NAT it is behind is not H.323-aware, then it is
necessary to forward ports on that NAT to the
endpoint.  If you can use fast start and/or
H.323 tunneling, it should work to just forward
TCP 1720.  However, you may also need to forward
TCP port(s) for H.245, and/or UDP ports for RTP.
See endpoint documentation, or sniff to find out
what they are.

In your single-GK config, I don't know what's
wrong, but IMO using cascaded NATs is just asking
for trouble.  If you have enough addresses
available on 192.168.1.0/24, consider setting
up the Linux firewall as a bridge or a pseudo-bridge.
If you need to have a separate 192.168.0 network,
then set up the Linux firewall as an ordinary
(non NAT) router, and add a static route to your
main router to forward packets for 192.168.0.0/24
to 192.168.1.3 .

Good luck,

Stewart


----- Original Message ----- From: "Arturo Sandrigo" <arturo.sandrigo@xxxxxxxxx>
To: <openh323gk-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, March 31, 2005 10:02 AM
Subject: Help needed on gnugk config





Hi all,
I'm trying to configure gnugk behind nat, the network situation is this:


        external endpoint (may be natted)
                 |
                 | x.x.x.x
        Router (it's doing Nat and firewall)
                 | 192.168.1.1
     ----------------------------------------- (DMZ)
        |                        |
        | 192.168.1.3            | 192.168.1.2
      Linux                   internal
      firewall                endpoint2.
      with nat
        | 192.168.0.254
        |
        | 192.168.0.1
      internal
      endpoint1


Is it possible to use only one gatekeeper on the Linux firewall machine to connect all the endpoints?
I tried to do this with gnugk 2.0.9 (the 2.2.1 has more problems, or so it looks) and the following configuration:
--------------------------------
[Gatekeeper::Main]
Fourtytwo=42
Name=GK1
;TotalBandwidth=16777216
NetworkInterfaces=192.168.0.254/24, 192.168.1.3/24,x.x.x.x/0


[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
CallSignalHandlerNumber=1
AcceptNeighborsCalls=1
AcceptUnregisteredCalls=1
RemoveH245AddressOnTunneling=1
DropCallsByReleaseComplete=1
SupportNATedEndpoints=1
Q931PortRange=20000-29999
H245PortRange=30000-30999

[Proxy]
Enable=1
T120PortRange=40000-40999
RTPPortRange=50000-59999
ProxyForNAT=1
ProxyForSameNAT=0

[RasSrv::RRQFeatures]

[RasSrv::ARQFeatures]
ArjReasonRouteCallToSCN=0
ArjReasonRouteCallToGatekeeper=1
CallUnregisteredEndpoints=1
RemoveTrailingChar=#

[RasSrv::RRQAuth]
default=confirm

[GkStatus::Auth]
rule=explicit
192.168.0.1=1
192.168.1.2=1
127.0.0.1=1
192.168.1.4=1
default=forbid
------------------------------------------
But it's not working.

I also tried to solve the problem with 2 gnugk configured as neighbors and it almost worked, but if the external endpoint is natted I can't call it from the internal endpoint.
The configurations are the following:
------------------------------------------
GK1 configuration (on linux firewall)
------------------------------------------
[Gatekeeper::Main]
Fourtytwo=42
Name=GK1
;TotalBandwidth=16777216


NetworkInterfaces=192.168.0.254/24,192.168.1.3/24

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
CallSignalHandlerNumber=1
AcceptNeighborsCalls=1
AcceptUnregisteredCalls=1
RemoveH245AddressOnTunneling=1
DropCallsByReleaseComplete=1
SupportNATedEndpoints=1
Q931PortRange=20000-29999
H245PortRange=30000-30999

[Proxy]
Enable=1
T120PortRange=40000-40999
RTPPortRange=50000-59999
ProxyForNAT=1
ProxyForSameNAT=1

[RasSrv::Neighbors]
GK2=192.168.1.4

[RasSrv::GWPrefixes]
GK2=*

[RasSrv::RRQFeatures]

[RasSrv::ARQFeatures]
ArjReasonRouteCallToSCN=0
ArjReasonRouteCallToGatekeeper=1
CallUnregisteredEndpoints=1
RemoveTrailingChar=#

[RasSrv::RRQAuth]
default=confirm

[GkStatus::Auth]
rule=explicit
192.168.0.1=1
192.168.1.2=1
127.0.0.1=1
192.168.1.4=1
default=forbid

[RasSrv::RewriteE164]

[RasSrv::LRQFeatures]
ForwardHopCount=7
NeighborTimeout=10
ForwardResponse=1
AcceptForwardedLRQ=1
AlwaysForwardLRQ=1


[RasSrv::PermanentEndpoints]

[Gatekeeper::Auth]
default=allow

[CallTable]
AcctUpdateInterval=60

[Gatekeeper::Acct]
FileAcct=sufficient;stop
default=accept

[FileAcct]
DetailFile=/var/log/gk/CDR.log
StandardFormat=1
#Rotate=weekly

[NATedEndpoints]

[Endpoint]

[CTI::Agents]
VirtualQueueAliases=CC
RequestTimeout=10

[LogFile]
rotate=Weekly

------------------------------------------
GK2 configuration on Linux in DMZ
------------------------------------------
[Gatekeeper::Main]
Fourtytwo=42
Name=GK2
#TotalBandwidth=16777216
;Home=192.168.1.4
NetworkInterfaces= 192.168.1.4/24,x.x.x.x/0 ;x.x.x.x is the public ip of my router


[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
CallSignalHandlerNumber=1
AcceptNeighborsCalls=1
AcceptUnregisteredCalls=1
RemoveH245AddressOnTunneling=1
DropCallsByReleaseComplete=1
SupportNATedEndpoints=1
Q931PortRange=20000-29999
H245PortRange=30000-30999

[Proxy]
Enable=1
T120PortRange=40000-40999
RTPPortRange=50000-59999
ProxyForNAT=1
ProxyForSameNAT=1

[RasSrv::Neighbors]
GK1=192.168.1.3

[RasSrv::GWPrefixes]
GK1=*

[RasSrv::RRQFeatures]

[RasSrv::ARQFeatures]

ArjReasonRouteCallToSCN=0
ArjReasonRouteCallToGatekeeper=0
CallUnregisteredEndpoints=1
RemoveTrailingChar=#

[RasSrv::RRQAuth]
default=confirm

[GkStatus::Auth]
rule=explicit
192.168.0.1=1
192.168.1.2=1
192.168.1.3=1
127.0.0.1=1
192.168.1.4=1
default=forbid

[RasSrv::RewriteE164]

[RasSrv::LRQFeatures]
ForwardHopCount=7
NeighborTimeout=10
ForwardResponse=1
AcceptForwardedLRQ=1
AlwaysForwardLRQ=1

[RasSrv::PermanentEndpoints]

[Gatekeeper::Auth]
default=allow

[CallTable]
AcctUpdateInterval=60

[Gatekeeper::Acct]
FileAcct=sufficient;stop
default=accept

[FileAcct]
DetailFile=/var/log/gk/CDR.log
StandardFormat=1
#Rotate=weekly

[NATedEndpoints]

[Endpoint]

[CTI::Agents]
VirtualQueueAliases=CC
RequestTimeout=10

[LogFile]
rotate=Weekly
--------------------------------------------
I spent a lot of time trying to solve this problem (the best solution
is with one gatekeeper) but without reaching the goal :(.
All the ports are open on the router and forwarded to the GK2 ... and
the firewall of GK1 has the necessary ports open.
Can anyone help me please? Thanks in advance.
Arturo Sandrigo





------------------------------------------------------- This SF.net email is sponsored by Demarc: A global provider of Threat Management Solutions. Download our HomeAdmin security software for free today! http://www.demarc.com/Info/Sentarus/hamr30

_______________________________________________________

List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
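
Added example, not part of the thread and not GnuGk project code: a small Python check that reads a gnugk config and lists the port ranges Stewart's reply names (call signalling, H.245, RTP), so the router can forward only those instead of every port, and reports the settings that accept unregistered or unauthenticated callers on a gatekeeper reachable from the public address. The sample is constructed from the GK2 config in Arturo's message; the function names are made up for this example.

```python
import configparser

# Constructed sample: the settings of the GK2 config posted in the thread
# that this check reads (the rest of the file is left out here).
GK2_INI = """
[RoutedMode]
CallSignalPort=1720
AcceptUnregisteredCalls=1
H245PortRange=30000-30999

[Proxy]
RTPPortRange=50000-59999

[Gatekeeper::Auth]
default=allow
"""

# The three kinds of port Stewart names: call signalling, H.245, RTP.
PORT_KEYS = [("RoutedMode", "CallSignalPort", "tcp"),
             ("RoutedMode", "H245PortRange", "tcp"),
             ("Proxy", "RTPPortRange", "udp")]

# Values that let callers in without registration or authentication.
OPEN_KEYS = [("RoutedMode", "AcceptUnregisteredCalls", "1"),
             ("Gatekeeper::Auth", "default", "allow")]

def load(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return cp

def forward_rules(cp):
    """[(proto, first_port, last_port)] for the ranges the config declares."""
    rules = []
    for section, key, proto in PORT_KEYS:
        value = cp.get(section, key, fallback="").strip()
        if value:
            lo, _, hi = value.partition("-")
            rules.append((proto, int(lo), int(hi or lo)))
    return rules

def open_settings(cp):
    """'section/key=value' entries that accept unauthenticated callers."""
    return [f"{s}/{k}={v}" for s, k, v in OPEN_KEYS
            if cp.get(s, k, fallback="").strip().lower() == v]

if __name__ == "__main__":
    print(forward_rules(load(GK2_INI)), open_settings(load(GK2_INI)))
```

Endpoints that register from outside also need the gatekeeper's RAS port, which the posted config does not set and this check therefore does not list.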






