On 10/11/14 01:17, Yann Hamon wrote:
> Synopsis:  <Natted keep-alive UDP connections not killed on PPPoE address change>
> Category:  <system>
> Environment:
>     System      : OpenBSD 5.5
>     Details     : OpenBSD 5.5 (GENERIC) #271: Wed Mar 5 09:31:16 MST 2014
>                   [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>
>     Architecture: OpenBSD.amd64
>     Machine     : amd64
>
> Description:
>
> Hello! I've encountered this issue while trying to get a SIP phone to
> work behind an OpenBSD router. The SIP phone is in its own network, and
> is natted.
>
> I have configured the SIP phone to use UDP and to register with the SIP
> server every 50 seconds. My understanding is this establishes a
> permanent bidirectional UDP connection with the SIP server (UDP hole
> punching, please correct me if I'm wrong).
> This is the pf directive I use to allow the phone to communicate with
> the SIP server:
>
> pass out quick on pppoe0 from em1:network to any nat-to (pppoe0)
>
> And this is the corresponding connection I find in my state table:
>
> all udp 78.55.192.3:63740 (192.168.2.2:5060) -> 217.10.79.9:5060       MULTIPLE:MULTIPLE
>
> The problem happens when pppoe0 gets a new IP address. Even with the ()
> around pppoe0, it doesn't look like this connection gets killed. Several
> hours after the IP change on pppoe0, I will still see this UDP connection
> alive, and still natted to the old IP address.
>
> While this connection is kept alive, the phone will not be able to
> register again and will therefore be non-working.
>
>
> How-to-repeat:
> Set up a persistent, natted UDP connection over an interface with a
> dynamic IP address. Change the IP address on this interface, observe
> the connection in the state table still natted to the old IP address.
>
> Workaround:
>
> Flushing the state table whenever an IP changes.
>
>
> Thanks!
>
> Yann Hamon
>
Hi,

I use the same registration server as Yann and I can attest that something
funky is going on with either the registration server, the SIP phone [1] or
the firewall in between, as my SIP phone loses the ability to re-register or
something and loses the channel (and misses calls). However I have a second
SIP phone [2] to a different registration server going through the same
firewall and it doesn't seem to have these problems.

[1] is a Grandstream GXP 2100, loses channels
[2] is an Aastra 6755i, seems to be OK

I force my firewall to do nightly 4AM disconnects by cycling the pppoe0
interface per crontab. This is done because in Germany the Deutsche Telekom
used to cycle DSL connections after 24 hours and I'd rather this happens
late at night; I don't know if they still do that. So I'm unable to see the
pf state as Yann is seeing, as I sleep during that time.

I have in the past done a syslog capture of my Grandstream phone and it's
still ongoing, however I lack the expertise to read the next-to-cryptic
syslog in order to tell what really happens with the phone.

Yann, what brand and model of SIP phone are you using?

Also I seem to remember that when I started restricting the Grandstream
phone with firewall rules it started behaving badly, almost like the ghost
is in the SIP phone and wants access to the entire network!

Let me give you the relevant pf rules I have for this phone:

block drop out on ! em2 inet from 192.168.180.0/24 to any
pass in on em2 proto udp all keep state (pflow)
pass in on em2 proto tcp all flags S/SA keep state (pflow)
pass out on em2 proto udp all keep state (pflow)
pass out on pppoe0 inet from 192.168.180.0/24 to any flags S/SA keep state (pflow)

I believe these firewall rules should allow the phone to speak out pppoe0
but no other ports than em2, which is its own port. When I put these rules
in place I noticed the disconnect of channels more frequently.
Also I'm not disputing that there _could_ be something wrong with OpenBSD's
pf, just my second phone doesn't have these symptoms.

Regards,
-peter

>
> Attaching full /etc/pf.conf:
>
> #
> # $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> block drop all
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
>
> # Bridge and SIP phone are both natted
> pass out quick on pppoe0 from em1:network to any nat-to (pppoe0)
> pass out quick on pppoe0 from vether0:network to any nat-to (pppoe0)
> pass out on pppoe0
>
> # SSH port on router is 2208
> pass in quick on pppoe0 proto tcp to port 2208
> # Forwarding SIP and RTP ports
> pass in quick on pppoe0 proto udp from any to any port 5004:5020 rdr-to 192.168.2.2
> pass in quick on pppoe0 proto udp from any to any port 5060 rdr-to 192.168.2.2
>
> pass in quick on em1 from em1:network
> pass out quick on em1 from em1:network to em1:network
> # Allow connecting to admin interface from SIP phone
> pass out quick on em1 proto tcp from vether0:network to em1:network port www
>
> pass in quick on em2
> pass out quick on em2
> pass in quick on em3
> pass out quick on em3
> pass in quick on vether0 from vether0:network
> pass out quick on vether0 to vether0:network
> # DHCP
> pass quick on vether0 inet proto tcp from any port 67:68 to any port 67:68
> pass quick on vether0 inet proto udp from any port 67:68 to any port 67:68
>
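Yann's workaround, flushing the whole state table whenever the pppoe0 address changes, also drops every unrelated state on the router. The script below is an added example, written for this page and not posted by either Yann or Peter: a POSIX sh script that reads `pfctl -s states` output in the format shown in the bug report, picks out the NAT'd states whose translated source address is no longer the current pppoe0 address, and prints one `pfctl -k <addr>` per stale address so that only those states are killed. The state table it runs on is a constructed sample; the `ifconfig`/`pfctl` lines you would use on a live OpenBSD router are given only in comments and are assumed, not run.

```shell
#!/bin/sh
# Added example (not from this thread): kill only the NAT'd pf states that are
# still bound to a previous pppoe0 address, instead of flushing the whole table.
#
# Input is `pfctl -s states` output in the format Yann posted (constructed
# sample below). For an outbound nat-to state pf prints
#   all udp <translated src> (<original src>) -> <dst>   <state>
# so field 3 is the external (translated) address:port and field 4 starts with
# "(". States without a translation have "->" in field 4 and are ignored.

# stale_nat_addrs CURRENT_IP  < states
# Prints each distinct translated source address that differs from CURRENT_IP.
stale_nat_addrs() {
    awk -v cur="$1" '
        substr($4, 1, 1) == "(" {          # NAT-translated state only
            addr = $3
            sub(/:[^:]*$/, "", addr)       # strip the trailing :port
            if (addr != cur) seen[addr] = 1
        }
        END { for (a in seen) print a }
    ' | sort
}

# kill_cmds CURRENT_IP  < states
# Prints one "pfctl -k <addr>" per stale translated address. pfctl -k kills
# the state entries matching that address (see pfctl(8)); pipe into sh to
# apply, then re-check with pfctl -s states that the entries are gone.
kill_cmds() {
    stale_nat_addrs "$1" | while read -r addr; do
        printf 'pfctl -k %s\n' "$addr"
    done
}

# Constructed sample: two SIP/RTP states still natted to the old address
# 78.55.192.3, one fresh state on the new address 78.55.200.17, and one
# untranslated TCP state that must be left alone.
SAMPLE_STATES='all udp 78.55.192.3:63740 (192.168.2.2:5060) -> 217.10.79.9:5060       MULTIPLE:MULTIPLE
all udp 78.55.192.3:63741 (192.168.2.2:5004) -> 217.10.79.9:5004       MULTIPLE:MULTIPLE
all udp 78.55.200.17:41002 (192.168.2.2:5060) -> 217.10.79.9:5060       MULTIPLE:MULTIPLE
all tcp 192.168.2.5:40112 -> 192.168.2.1:2208       ESTABLISHED:ESTABLISHED'

# On the router you would feed live data instead of the sample, e.g. (assumed
# OpenBSD ifconfig/pfctl output formats, must run as root, e.g. from cron):
#   cur=$(ifconfig pppoe0 | awk '/inet /{print $2}')
#   pfctl -s states | kill_cmds "$cur" | sh
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATES" | kill_cmds 78.55.200.17
fi
```

Run with `--demo` it prints `pfctl -k 78.55.192.3`: the two UDP states natted to the old address are selected, the state already on the new address and the untranslated TCP state are left alone. Because the script emits commands rather than executing them, you can inspect what would be killed before piping it into `sh`; whether killing by the translated address is enough on your pf version is something to confirm against `pfctl -s states` afterwards.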
