Multiple subnet NAT problem
I have recently amended a working Trixbox setup to add an extra subnet, and incurred some audio problems.
Previously, I had a single server with two NICs, one WAN (eth0) and one LAN (eth1). There were 3 extensions working off the LAN side and three trunks working through the WAN interface. All the extensions could talk to each other and could dial out or receive incoming traffic from each trunk. The server also operated a Linux firewall with exceptions for incoming traffic through eth0 on UDP ports 5004-5081 and 10001-20000.
I had some LAN congestion issues so I needed to separate the phone and data traffic. I started this by migrating one of the extensions to a new subnet on a new NIC (eth2). The other extensions are left on eth1.
Trixbox uses a sip_nat.conf file that includes both the eth1 and eth2 subnets:
externip=86.xx.xx.xx
localnet=192.168.2.0/255.255.255.0 ; eth2
localnet=192.168.1.0/255.255.255.0 ; eth1
nat=yes
The two subnets can talk to each other (ping etc) but I only get audio to work from eth2 to eth1. There is no audio from eth1 to eth2. The phones ring OK in either direction. Similarly, external calls into eth2 make the phone ring but no incoming audio. Using tcpdump, I can show that the lack of audio corresponds with the lack of rtp traffic.
I can change the situation if I change the nat line in each extension's configuration (which are set to nat=never in the original set up). If I change an extension in the eth2 subnet so that nat=route, I can now get audio on calls from that extension to another extension within the eth1 subnet (where nat is still set to 'never'). But calls from the eth1 extension to the eth2 extension do not give audio in either direction, even though the phone rings.
I should also point out the rtp situation. I have Trixbox set to use rtpstart=10001 and rtpend=20000, but the phone on the eth2 subnet is a Panasonic Globarange hardwired to use rtp ports 8000-55998. However, changing the rtp.conf file to suit the Globarange port range makes no difference.
Any suggestions very gratefully received.
David
Did you remember to amend your firewall settings to allow unrestricted traffic from your new subnet??
-Chris
Oh, yes, that's all taken care of. As I said, I can ping back and forth between the subnets.
David
Unless you're using your trixbox as a router, being able to ping back and forth doesn't mean your firewall rules are set up correctly. I have several subnets and localnet entries in my box and don't have any issues with audio. Can you post your iptables config here so we can take a look?
I am using the Trixbox server also as a router, but here are the rules anyway:
*mangle
:PREROUTING ACCEPT [291:105480]
:INPUT ACCEPT [144:20856]
:FORWARD ACCEPT [147:84624]
:OUTPUT ACCEPT [196:109206]
:POSTROUTING ACCEPT [319:192678]
-A POSTROUTING -p udp -m udp --sport 4569 -j DSCP --set-dscp 0x2e
-A POSTROUTING -p udp -m udp --sport 10001:20000 -j DSCP --set-dscp 0x2e
-A POSTROUTING -p udp -m udp --sport 5060 -j DSCP --set-dscp 0x2e
COMMIT
# Completed on Thu Jan 8 18:07:54 2009
# Generated by iptables-save v1.2.11 on Thu Jan 8 18:07:54 2009
*nat
:PREROUTING ACCEPT [42:8214]
:POSTROUTING ACCEPT [2:216]
:OUTPUT ACCEPT [7:2710]
-A PREROUTING -d 213.137.73.140 -p udp -m udp --dport 23768 -j REDIRECT --to-ports 5060
-A PREROUTING -d 213.137.73.74 -j REDIRECT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jan 8 18:07:54 2009
# Generated by iptables-save v1.2.11 on Thu Jan 8 18:07:54 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [50:52565]
:OUTPUT ACCEPT [19:1292]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:69 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5004:5082 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 6901:6920 -j ACCEPT
The rules for 213.137.xx.xx were to get around the Joip provisioning of the Globarange (http://www.darkskiez.co.uk/index.php?page=Use_The_Panasonic_Globa...).
David
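The firewall question above comes down to two checks a reader can script rather than eyeball: does every phone-facing interface's subnet appear as a localnet in sip_nat.conf (otherwise Asterisk treats those phones as external and rewrites their SDP with externip), and does the firewall's INPUT chain actually admit the whole rtp.conf port range on each interface that carries RTP. The following is an added example written for this thread; it is not code from the posters or from Trixbox. The sip_nat.conf, rtp.conf and iptables-save text are constructed samples modelled on what was posted (the posted dump is cut off, so the sample shows only the eth0 UDP rules that are visible), and the interface addresses in INTERFACES are placeholder assumptions.

```python
import ipaddress

# Constructed sample inputs modelled on the thread (not the poster's actual files).
SIP_NAT_CONF = """externip=86.0.0.1
localnet=192.168.2.0/255.255.255.0 ; eth2
localnet=192.168.1.0/255.255.255.0 ; eth1
nat=yes
"""

RTP_CONF = """[general]
rtpstart=10001
rtpend=20000
"""

IPTABLES_SAVE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [50:52565]
:OUTPUT ACCEPT [19:1292]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:69 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5004:5082 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 6901:6920 -j ACCEPT
COMMIT
"""

# Assumed (placeholder) addresses of the phone-facing interfaces.
INTERFACES = {"eth1": "192.168.1.1/24", "eth2": "192.168.2.1/24"}


def parse_localnets(text):
    """Collect localnet= entries; ipaddress accepts the 'net/netmask' form used here."""
    nets = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop trailing ; comments
        if line.startswith("localnet="):
            nets.append(ipaddress.ip_network(line[len("localnet="):].strip()))
    return nets


def parse_rtp_range(text):
    """Return (rtpstart, rtpend) from an rtp.conf fragment."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key in ("rtpstart", "rtpend"):
            values[key] = int(val)
    return values["rtpstart"], values["rtpend"]


def parse_input_udp_accepts(text):
    """Map interface -> list of UDP destination port ranges ACCEPTed in *filter INPUT.
    A rule with no -p match accepts all traffic and is recorded as (0, 65535);
    TCP rules and UDP rules that match only on --sport do not admit RTP."""
    accepts, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter" or not line.startswith("-A INPUT"):
            continue
        tok = line.split()
        if "-j" not in tok or tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        iface = tok[tok.index("-i") + 1] if "-i" in tok else "any"
        proto = tok[tok.index("-p") + 1] if "-p" in tok else None
        if proto is None:
            ports = (0, 65535)
        elif proto == "udp" and "--dport" in tok:
            lo, _, hi = tok[tok.index("--dport") + 1].partition(":")
            ports = (int(lo), int(hi or lo))
        else:
            continue
        accepts.setdefault(iface, []).append(ports)
    return accepts


def range_covered(ranges, lo, hi):
    """True if every port in lo..hi falls inside the (possibly disjoint) ranges."""
    port = lo
    for r_lo, r_hi in sorted(ranges):
        if r_lo > port:
            break                                     # a gap before this range
        port = max(port, r_hi + 1)
        if port > hi:
            return True
    return port > hi


def check_localnets(localnets, interfaces):
    """Interfaces whose subnet is not covered by any localnet entry."""
    return [name for name, cidr in interfaces.items()
            if not any(ipaddress.ip_interface(cidr).network.subnet_of(n) for n in localnets)]


def rtp_reachable(accepts, iface, rtp_range):
    """Does the INPUT chain admit the full RTP range on this interface?"""
    return range_covered(accepts.get(iface, []) + accepts.get("any", []), *rtp_range)


if __name__ == "__main__":
    nets, rtp, acc = parse_localnets(SIP_NAT_CONF), parse_rtp_range(RTP_CONF), parse_input_udp_accepts(IPTABLES_SAVE)
    print("interfaces missing a localnet entry:", check_localnets(nets, INTERFACES))
    for iface in ("eth0", "eth1", "eth2"):
        print(f"{iface}: RTP {rtp[0]}-{rtp[1]} admitted by INPUT =", rtp_reachable(acc, iface, rtp))
```

Run against the constructed sample, both LAN interfaces are covered by a localnet and admit the whole RTP range (their INPUT rules accept everything), while eth0 is reported as not admitting 10001-20000 because that rule is absent from the sample. A full iptables-save dump rather than a truncated one is what makes the eth0 result meaningful, and the same script can be pointed at a phone's own RTP range (for example the 8000-55998 the Globarange uses) to see whether it fits inside what the firewall and rtp.conf allow.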
Are you using trix to act as your total network router, or are you using something else as your default gateway? It sounds like a routing issue. The firewall rules look okay from what I can tell. You're not blocking any outbound traffic, correct?
-Chris
The trixbox server also acts as a router and firewall. Thanks for your help.
The trixbox server also acts as a router and firewall.
This is the exact reason why you should not use your phone system as a router.
Just when exactly did you plan on telling us this? What firewall did you install on the system?
Surely you have an issue with your rules.