On Mon, 19 Nov 2007 10:00:29 +0000, Gavin McCullagh wrote:
> Hi,
>
> On Fri, 16 Nov 2007, Mateus Interciso wrote:
>
>> I am currently using iptables NAT for routing the internet through 2
>> different sub-networks, and we are having some trouble with the NAT,
>> especially for VoIP,
>
> Is the problem that you can make calls out but you sometimes can't
> receive them? Actually, it's possible some VoIP calls wouldn't work the
> other way either, if the user at the far end is also behind NAT.
>
> http://en.wikipedia.org/wiki/Network_address_translation#Different_types_of_NAT
> http://www.it46.se/wsis/show_entry.php?id=12
>
>> so I was thinking if it's possible to make a router (like a CISCO IOS)
>> using Zebra, that will, in other words, share the Internet through the
>> sub-networks, without using NAT, or in a better way.
>
> No idea. Sounds vaguely similar to Full Cone NAT.
>
> I'd say a SIP proxy on the edge of the network is probably what you
> want for this.
>
>> The question for this, is that we had a w2k3 server sharing the
>> internet, and the VoIP was fine, since we changed the w2k3 for a Linux
>> Box, the VoIP started acting very strangely, and I'm really running out
>> of options here to make it fix
>
> I wonder does the Win2K machine provide a looser type of NAT compared to
> your linux firewall? Full cone NAT and Restricted cone NAT can both be
> worked around by smart SIP clients using STUN and some other techniques.
>
> http://en.wikipedia.org/wiki/NAT_traversal
> http://ekiga.org/index.php?rub=3&pos=0&faqpage=x161.html
>
> I think iptables usually does "Port restricted cone NAT" which makes SIP
> difficult. If both ends are behind that sort of NAT, I don't think a
> TCP connection can be initiated between them.
>
> I suspect you can probably craft iptables rules to do varying types of
> NAT. An explicit port forward to each client would appear to be one way.
>
> http://lists.netfilter.org/pipermail/netfilter/2007-April/068463.html
>
> Gavin
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

I solved the problem using the Windows 2k3 for routing (it uses RRAS), and
the Linux firewall as a bridge; now I'm having trouble with the bridge, of
course.

I've set up the bridge normally:

    ifconfig eth0 down
    ifconfig eth1 down
    ifconfig eth0 0.0.0.0 up
    ifconfig eth1 0.0.0.0 up
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    brctl stp br0 on
    ifconfig br0 10.100.0.1 netmask 255.255.255.0 up

but I can't ping 10.100.0.1. :O

Am I missing something?

Let me recall that the network setup now is like this:

    [Internet]--->[Bridge]---->[Windows 2k3]=====[switch]====>computers

Thanks.

Mateus
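As an added diagnostic (not part of the thread) for the bridge set up above: with STP turned on, each enslaved port sits in the listening and learning states before it reaches forwarding, and nothing crosses the bridge until then. The script below reads the per-port STP state from sysfs for a bridge assumed to be named br0; SYSFS_ROOT defaults to /sys/class/net and can be pointed at a constructed tree for offline use.

```shell
#!/bin/sh
# Added example: report the STP state of every port on a Linux bridge.
# Assumes the bridge is br0 (as in the post) and that sysfs exposes
# /sys/class/net/<bridge>/brif/<port>/state. SYSFS_ROOT may be overridden
# to point at a constructed directory tree for testing without a bridge.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# Map the numeric value in brport/state to its STP state name.
port_state_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo listening ;;
        2) echo learning ;;
        3) echo forwarding ;;
        4) echo blocking ;;
        *) echo "unknown($1)" ;;
    esac
}

# Print "<port> <state>" for each port enslaved to the given bridge.
bridge_port_states() {
    br="$1"
    for p in "$SYSFS_ROOT/$br/brif"/*; do
        [ -e "$p/state" ] || continue
        echo "$(basename "$p") $(port_state_name "$(cat "$p/state")")"
    done
}

# Exit 0 only when the bridge has at least one port and every port is
# forwarding; exit 1 while any port is still listening/learning (STP
# forward delay), blocking, or disabled, or when no port is attached.
bridge_ready() {
    bridge_port_states "$1" | awk '
        $2 != "forwarding" { bad = 1 }
        END { if (NR == 0) exit 1; exit bad }'
}

# Usage on the live system: run as root after the brctl commands above.
# bridge_port_states br0; bridge_ready br0 && echo "br0 is forwarding"
```

Run it from the bridge host a few times after bringing br0 up; ports that stay in listening or learning for a while are normal with STP on, ports stuck in blocking or disabled are not.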