Re: Config Help as a NAT-Traversal Product

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Jack,

if you have a NIC without NAT into the private network, you don't need
firewall traversal protocols, but you should put your gatekeeper in
proxy mode and make sure your iptables rules allow outbound Q.931, RTP
and in- and outbound H.245 connections on all ports, not just 1720. If
you don't want to open all ports, set Q931, H245 and RTPPortRanges and
open those in your iptables rules.

Regards,
Jan


Jack Kolesar wrote:
> Let me add some useful info.  The problem I keep running into is Q.931
> socket connect errors.  This seems to happen with PVX and PacPhone.  GnuGk
> is running on my Ubuntu box which is also my Asterisk Box, DHCP Server, and
> NAT Translator.
> 
> My Setup:
> 
> Soft-Client --> GnuGK (Server with Dual NICs) --> Internet --> Tandberg-C40
> (Office) or other Direct Connected Codecs
> 
> Current Config for GnuGK (But I think I've tried Everything):
> 
> [Gatekeeper::Main]
> Fortytwo=42
> Name=GnuGk
> 
> [RoutedMode]
> GKRouted=1
> CallSignalPort=1720
> EnableH46017=1
> EnableH46018=1
> 
> [GkStatus::Auth]
> rule=allow
> 
> My Current IP Tables:
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>    26  1910 ACCEPT     all  --  lo     *       0.0.0.0/0
> 0.0.0.0/0
> 13746 2801K ACCEPT     all  --  eth0   *       192.168.1.0/24
> 0.0.0.0/0
>     0     0 REJECT     all  --  eth1   *       192.168.1.0/24
> 0.0.0.0/0            reject-with icmp-port-unreachable
>     0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0
>  My-Extern-IP
>   695  117K ACCEPT     all  --  eth1   *       0.0.0.0/0
> My-Extern-IP       ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0
> 0.0.0.0/0            tcp spt:68 dpt:67
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0
> 0.0.0.0/0            udp spt:68 dpt:67
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0
> 0.0.0.0/0            tcp spt:1720 dpt:1720
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0
> 0.0.0.0/0            tcp spt:1721 dpt:1721
>     3   180 ACCEPT     tcp  --  eth1   *       0.0.0.0/0
>  My-Extern-IP      ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
>     3   164 ACCEPT     tcp  --  eth1   *       0.0.0.0/0
> My-Extern-IP       ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
>     0     0 ACCEPT     all  --  eth1   *       My-SIP-Provider-IP
>  My-Extern-IP
>     0     0 ACCEPT     all  --  eth1   *       My-Office-IP
>  My-Extern-IP
>  1638  504K REJECT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
> 
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0
>  Misc-Port-Map-IP        tcp dpt:1319 ctstate NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0
>  Misc-Port-Map-IP-2        tcp dpt:41795 ctstate NEW,RELATED,ESTABLISHED
>   771  430K ACCEPT     all  --  eth1   eth0    0.0.0.0/0
> 0.0.0.0/0            ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0
> 0.0.0.0/0
>   827 96434 ACCEPT     all  --  eth0   eth1    0.0.0.0/0
> 0.0.0.0/0
>     0     0 REJECT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
> 
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     7   476 DROP       icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0            ctstate INVALID
>    26  1910 ACCEPT     all  --  *      lo      0.0.0.0/0
> 0.0.0.0/0
>     0     0 ACCEPT     all  --  *      eth0    My-Extern-IP
> 192.168.1.0/24
>  4262 1127K ACCEPT     all  --  *      eth0    192.168.1.6
> 192.168.1.0/24
>     0     0 REJECT     all  --  *      eth1    0.0.0.0/0
> 192.168.1.0/24       reject-with icmp-port-unreachable
>  1294  318K ACCEPT     all  --  *      eth1    My-Extern-IP      0.0.0.0/0
>     0     0 ACCEPT     tcp  --  *      eth0    192.168.1.6
>  255.255.255.255      tcp spt:67 dpt:68
>     0     0 ACCEPT     udp  --  *      eth0    192.168.1.6
>  255.255.255.255      udp spt:67 dpt:68
>    78 19898 REJECT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
> 
> 
> 
> 
> On Fri, Mar 16, 2012 at 9:44 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
> 
> > Hi Jack,
> >
> > what you are trying to do should work fine with GnuGk.
> > If your only gatekeeper is in the DMZ, your endpoints will probably need
> > H.460.18/.19 support.
> >
> > PVX usually works fine with GnuGk, except for the know IP dialing bug
> > and the lack of H.460.18/.19 support.
> >
> > Regards,
> > Jan
> >
> > --
> > Jan Willamowius, Founder of the GNU Gatekeeper Project
> > EMail  : jan@xxxxxxxxxxxxxx
> > Website: http://www.gnugk.org
> > Support: http://www.willamowius.com/gnugk-support.html
> >
> > Jack Kolesar wrote:
> > > Hi, I am just getting started with GnuGk.  My GK is currently on the DMZ
> > > border between my public WAN and LAN.  I would like to have LAN side
> > > clients connect to the Gatekeeper and be able to call unregistered public
> > > IP devices as well as have unregistered IP devices call internal
> > registered
> > > clients.  Basically, I would like GnuGk to work as a combined Polycom VBP
> > > and CMA or Tandber VCS Expressway / Control.  Is that possible? I have
> > been
> > > able to make simple internal calls while registered to the gatekeeper but
> > > can't get outside.  Additionally, I'm trying to use Polycom PVX but I'm
> > > wondering if that will have problems from what I've read.  I also have
> > > Polycom CMA Desktop but am not sure if that will only work with the CMA
> > > server.  Can anyone help with a config example or point me in the right
> > > direction? Thanks!

-- 
Jan Willamowius, jan@xxxxxxxxxxxxxx, http://www.gnugk.org/

------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/


[Index of Archives]     [SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Yosemite News]

  Powered by Linux