Re: Config Help as a NAT-Traversal Product

Ahhaaaa!!!!!  I got it!  This was almost the death of me, but I figured out what the problem was.  My external NIC was at eth1 and my internal was at eth0.  I wouldn't think this would matter.  However, after adding....

ExternalIP=my.dyndns.account
ExternalIsDynamic=1

everything is good! It seems my Q.931 traffic was going out the wrong card.  I noticed that it was always using and failing on the Q.931 portion and getting rejected at my INTERNAL address on the connect.  Does that make sense? Anyway, thanks again Jan.  Now I can finally start playing with this thing!

:)

Jack




On Mon, Mar 19, 2012 at 9:14 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
Hi Jack,

if you have a NIC without NAT into the private network, you don't need
firewall traversal protocols, but you should put your gatekeeper in
proxy mode and make sure your iptables rules allow outbound Q.931, RTP
and in- and outbound H.245 connections on all ports, not just 1720. If
you don't want to open all ports, set Q931, H245 and RTPPortRanges and
open those in your iptables rules.

Regards,
Jan


Jack Kolesar wrote:
> Let me add some useful info.  The problem I keep running into is Q.931
> socket connect errors.  This seems to happen with PVX and PacPhone.  GnuGk
> is running on my Ubuntu box which is also my Asterisk Box, DHCP Server, and
> NAT Translator.
>
> My Setup:
>
> Soft-Client --> GnuGK (Server with Dual NICs) --> Internet --> Tandberg-C40
> (Office) or other Direct Connected Codecs
>
> Current Config for GnuGK (But I think I've tried Everything):
>
> [Gatekeeper::Main]
> Fortytwo=42
> Name=GnuGk
>
> [RoutedMode]
> GKRouted=1
> CallSignalPort=1720
> EnableH46017=1
> EnableH46018=1
>
> [GkStatus::Auth]
> rule=allow
>
> My Current IP Tables:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    26  1910 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
> 13746 2801K ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
>     0     0 REJECT     all  --  eth1   *       192.168.1.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
>     0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0            My-Extern-IP
>   695  117K ACCEPT     all  --  eth1   *       0.0.0.0/0            My-Extern-IP         ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:68 dpt:67
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:1720 dpt:1720
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:1721 dpt:1721
>     3   180 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            My-Extern-IP         ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
>     3   164 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            My-Extern-IP         ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
>     0     0 ACCEPT     all  --  eth1   *       My-SIP-Provider-IP   My-Extern-IP
>     0     0 ACCEPT     all  --  eth1   *       My-Office-IP         My-Extern-IP
>  1638  504K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            Misc-Port-Map-IP     tcp dpt:1319 ctstate NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            Misc-Port-Map-IP-2   tcp dpt:41795 ctstate NEW,RELATED,ESTABLISHED
>   771  430K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0
>   827 96434 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
>     0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     7   476 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
>    26  1910 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      eth0    My-Extern-IP         192.168.1.0/24
>  4262 1127K ACCEPT     all  --  *      eth0    192.168.1.6          192.168.1.0/24
>     0     0 REJECT     all  --  *      eth1    0.0.0.0/0            192.168.1.0/24       reject-with icmp-port-unreachable
>  1294  318K ACCEPT     all  --  *      eth1    My-Extern-IP         0.0.0.0/0
>     0     0 ACCEPT     tcp  --  *      eth0    192.168.1.6          255.255.255.255      tcp spt:67 dpt:68
>     0     0 ACCEPT     udp  --  *      eth0    192.168.1.6          255.255.255.255      udp spt:67 dpt:68
>    78 19898 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
>
>
>
> On Fri, Mar 16, 2012 at 9:44 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
>
> > Hi Jack,
> >
> > what you are trying to do should work fine with GnuGk.
> > If your only gatekeeper is in the DMZ, your endpoints will probably need
> > H.460.18/.19 support.
> >
> > PVX usually works fine with GnuGk, except for the known IP dialing bug
> > and the lack of H.460.18/.19 support.
> >
> > Regards,
> > Jan
> >
> > --
> > Jan Willamowius, Founder of the GNU Gatekeeper Project
> > EMail  : jan@xxxxxxxxxxxxxx
> > Website: http://www.gnugk.org
> > Support: http://www.willamowius.com/gnugk-support.html
> >
> > Jack Kolesar wrote:
> > > Hi, I am just getting started with GnuGk.  My GK is currently on the DMZ
> > > border between my public WAN and LAN.  I would like to have LAN side
> > > clients connect to the Gatekeeper and be able to call unregistered public
> > > IP devices as well as have unregistered IP devices call internal registered
> > > clients.  Basically, I would like GnuGk to work as a combined Polycom VBP
> > > and CMA or Tandberg VCS Expressway / Control.  Is that possible? I have been
> > > able to make simple internal calls while registered to the gatekeeper but
> > > can't get outside.  Additionally, I'm trying to use Polycom PVX but I'm
> > > wondering if that will have problems from what I've read.  I also have
> > > Polycom CMA Desktop but am not sure if that will only work with the CMA
> > > server.  Can anyone help with a config example or point me in the right
> > > direction? Thanks!

--
Jan Willamowius, jan@xxxxxxxxxxxxxx, http://www.gnugk.org/

------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/



--
______________________
Jack Kolesar
AMDPower.com
http://www.amdpower.com
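Jan's advice in the thread is to run the gatekeeper in proxy mode and, rather than opening all ports on the firewall, pin the Q.931, H.245 and RTP sockets to configured ranges and open only those. The helper below is an added illustration of that approach; it is not code from this thread or from the GnuGk project. It reads a gnugk.ini, pulls out the ranges, and emits the narrowest matching iptables rules for the WAN interface. It assumes the full key names are Q931PortRange and H245PortRange under [RoutedMode] and RTPPortRange under [Proxy] (Jan abbreviates them), that GnuGk binds both its listening and its outgoing sockets inside those ranges, and an iptables build with the conntrack match. The sample config, the hostname gk.example.invalid and the interface name eth1 are constructed for the example.

```python
"""Derive narrow iptables rules from the port ranges a GnuGk config reserves.

Added illustration for this thread; not GnuGk code.  Assumes the [RoutedMode]
keys Q931PortRange / H245PortRange and the [Proxy] key RTPPortRange, and that
the gatekeeper binds its own sockets inside those ranges."""
import configparser
import re

# Constructed sample in gnugk.ini form: proxy mode plus fixed ranges, so the
# firewall can admit only those ranges instead of "all ports".
SAMPLE_CONFIG = """
[Gatekeeper::Main]
Name=GnuGk
ExternalIP=gk.example.invalid
ExternalIsDynamic=1

[RoutedMode]
GKRouted=1
CallSignalPort=1720
Q931PortRange=20000-20099
H245PortRange=30000-30099

[Proxy]
Enable=1
RTPPortRange=50000-50199
"""

RANGE_RE = re.compile(r"^\s*(\d{1,5})-(\d{1,5})\s*$")


def parse_port_range(value):
    """Return (low, high) for 'low-high'; reject reversed or out-of-bounds ranges."""
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError("not a port range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if not 1 <= low <= high <= 65535:
        raise ValueError("bad port range: %r" % value)
    return low, high


def is_valid_range(value):
    """True when parse_port_range() accepts the string."""
    try:
        parse_port_range(value)
        return True
    except ValueError:
        return False


def load_h323_ports(ini_text):
    """Pull the signalling port and the ranges out of a gnugk.ini.

    A missing range means GnuGk would pick ephemeral ports, which is exactly
    the case where the firewall would have to be opened wide, so it is treated
    as a configuration error instead of being guessed around."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    ports = {"CallSignalPort": cp.getint("RoutedMode", "CallSignalPort", fallback=1720)}
    for key in ("Q931PortRange", "H245PortRange"):
        raw = cp.get("RoutedMode", key, fallback=None)
        if raw is None:
            raise ValueError("RoutedMode/%s not set; GnuGk would use ephemeral ports" % key)
        ports[key] = parse_port_range(raw)
    ports["proxy"] = cp.getboolean("Proxy", "Enable", fallback=False)
    if ports["proxy"]:
        raw = cp.get("Proxy", "RTPPortRange", fallback=None)
        if raw is None:
            raise ValueError("Proxy/RTPPortRange not set; media ports would be ephemeral")
        ports["RTPPortRange"] = parse_port_range(raw)
    return ports


def iptables_rules(ini_text, wan_if="eth1"):
    """Smallest set of WAN-side rules that still lets a proxying gatekeeper
    complete a call.  Return traffic is left to the RELATED,ESTABLISHED rule
    an existing ruleset normally already carries."""
    p = load_h323_ports(ini_text)
    rules = []
    # Inbound Q.931 call setup from public endpoints arrives on CallSignalPort.
    rules.append("-A INPUT -i %s -p tcp --dport %d -m conntrack --ctstate NEW -j ACCEPT"
                 % (wan_if, p["CallSignalPort"]))
    # Outbound Q.931: the gatekeeper's own sockets are bound within Q931PortRange.
    lo, hi = p["Q931PortRange"]
    rules.append("-A OUTPUT -o %s -p tcp --sport %d:%d -m conntrack --ctstate NEW -j ACCEPT"
                 % (wan_if, lo, hi))
    # H.245 can be opened by either side, so both directions get a rule.
    lo, hi = p["H245PortRange"]
    rules.append("-A INPUT -i %s -p tcp --dport %d:%d -m conntrack --ctstate NEW -j ACCEPT"
                 % (wan_if, lo, hi))
    rules.append("-A OUTPUT -o %s -p tcp --sport %d:%d -m conntrack --ctstate NEW -j ACCEPT"
                 % (wan_if, lo, hi))
    # RTP/RTCP terminates on the gatekeeper only when it proxies media.
    if p["proxy"]:
        lo, hi = p["RTPPortRange"]
        rules.append("-A INPUT -i %s -p udp --dport %d:%d -j ACCEPT" % (wan_if, lo, hi))
        rules.append("-A OUTPUT -o %s -p udp --sport %d:%d -j ACCEPT" % (wan_if, lo, hi))
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(SAMPLE_CONFIG):
        print("iptables", rule)
```

Run it against the real gnugk.ini and diff the output against `iptables -S` to spot ranges the firewall does not admit. With [Proxy] Enable=0 the script emits no RTP rules at all, since media then flows endpoint to endpoint and is a FORWARD-chain question rather than something the gatekeeper host terminates.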
