More than likely, the hotels are using a service that uses proxies, not
just a NAT firewall. This being the case, they may very well block UDP
traffic. Since UDP is a stateless protocol, there is the very good
chance that they block incoming UDP to deter people from using streaming
services/p2p services for bandwidth control or to deter DoS attacks.
Would not be the first time I have seen that happen. It would have a
detrimental effect on IAX protocol since it uses UDP. SIP TCP would fix
your problem but Asterisk doesn't support that yet.
Rich Adamson wrote:
Brian Capouch wrote:
I am travelling this week and have had to buy connectivity from a
hotel and at a couple of airports.
For the first time ever, I have had problems (twice out of four
connections) with IAX traffic going through firewalls.
I'm almost certain I'm looking at a broken firewall, and if it's a
commercial one that's in use by hotspot/hotel-type operations, I
would like to follow up and see if I can figure out how to convince
them to fix it.
In both cases I have been on a NAT connection.
In both cases I have been able to trace and see the following behavior,
identical in both:
1. My packets leave a private IP asking for a UDP connection to my
home Asterisk server, port 4569.
2. Asterisk reports "<Unregistered>" when I do an iax2 show registry.
3. Sniffing at my home server shows tons of traffic similar to this
snippet:
21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp:
ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp:
ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
I'd like to ask the list two things: first, is this indeed a broken
firewall? It seems like the NAT mapping that sends traffic out
should accept the return traffic on the port it uses (4569 in this
case) as its *source* port.
Probably not. If it were broken, then dns and other udp services would
fail as well.
Second, and more important, anything I can do beyond beating my head
against doltish ISP customer service reps, who in both cases told me
that I had something broken "on my end?"
Guess you could try changing the iax port (from 4569) to see if that
works. If it does, there might be an access list applied somewhere
that is blocking 4569.
A more complete/detailed sniffer trace might be helpful since the
above snippet only shows one-way traffic and not much of the actual
packet.
R.
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
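An added example, not part of the thread: a small Python parser for the tcpdump text format quoted above. It re-joins the wrapped lines and counts ICMP port-unreachable reports per reporting host, target and UDP port, which is the kind of summary a fuller trace would be checked against. The sample capture and its hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample in the old tcpdump text format quoted in the thread.
# Hostnames are placeholders; long records wrap as they do in the e-mail.
SAMPLE = """\
21:30:37.829275 nat.example.net > pbx: icmp:
nat.example.net udp port 4569 unreachable (DF)
21:30:37.833965 nat.example.net > pbx: icmp:
nat.example.net udp port 4569 unreachable (DF)
21:30:38.101200 pbx.1024 > ns.example.net.53: udp 33
21:30:39.000100 router.example.net > pbx: icmp: client.example.net udp port 5060 unreachable
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
UNREACH = re.compile(r"^\S+ (?P<reporter>\S+) > \S+: icmp: "
                     r"(?P<target>\S+) udp port (?P<port>\d+) unreachable")

def join_wrapped(text):
    """Re-join wrapped records; a new record starts with a timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def report(text):
    """Rows of (reporter, target, port, count, reporter_is_target)."""
    counts = Counter()
    for rec in join_wrapped(text):
        m = UNREACH.match(rec)
        if m:
            counts[(m["reporter"], m["target"], int(m["port"]))] += 1
    # reporter == target means the datagram reached the address it was sent
    # to and that device refused it on the named UDP port.
    return [(r, t, p, n, r == t) for (r, t, p), n in sorted(counts.items())]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%s says %s udp/%d unreachable x%d (reporter is target: %s)" % row)
```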