[asterisk-bugs] [Asterisk 0013577]: [feature request] Reporter would like an option to ignore src ports in iax2
Asterisk Bug Tracker
noreply at bugs.digium.com
Fri Nov 14 15:21:55 CST 2008
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=13577
======================================================================
Reported By: ffadaie
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 13577
Category: Channels/chan_iax2
Reproducibility: always
Severity: feature
Priority: normal
Status: new
Asterisk Version: 1.4.21.2
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 2008-09-28 12:56 CDT
Last Modified: 2008-11-14 15:21 CST
======================================================================
Summary: [feature request] Reporter would like an option to ignore src ports in iax2
Description:
There are two Asterisk servers. One of them is behind a firewall/NAT and
the other one has a public routable IP address. They both have static
public IP addresses.
Here is what I have on Asterisk one (Asterisk-1) in iax.conf:
[GW2]
type=friend
host=public_ip_address_of_GW2
qualify=yes
context=something
and on the second one [behind the firewall] (Asterisk-2):
[GW1]
type=friend
host=ip_address_of_GW1
qualify=yes
context=something_else
External IAX2 port, 4569, is forwarded to the internal 4569 on the
firewall. They however use dynamic source port overwriting which means if
Asterisk-2 tries to contact Asterisk-1 from 4569 on Asterisk-2 to 4569 on
Asterisk-1, then the firewall on Asterisk-2's side will overwrite 4569 to
some random port number.
Using this setup, both peers will be unreachable on the other one (using
an iax2 show peers command).
Now, if you can find out what is the port that is being overwritten to,
you can fix the problem this way:
on Asterisk-1 you can have:
[GW2]
type=friend
host=public_ip_address_of_GW2
qualify=yes
context=something
port=_public_port_of_GW2
Interestingly, you don't even have to port forward this second port on the
firewall. Just do a reload and everything will work!
Now, after it worked, you can come and remove that line and reload iax. It
will still work!
It looks like it does some sort of source port authentication. It expects
to "RECEIVE" packets on the specific port defined in the IAX peer definition
section. Technically, this should be just for "SENDING" packets, not
receiving.
======================================================================
----------------------------------------------------------------------
(0094915) ffadaie (reporter) - 2008-11-14 15:21
http://bugs.digium.com/view.php?id=13577#c94915
----------------------------------------------------------------------
I know, but in many home user cases (and development environments) there is
no way out. port=... in the iax.conf should not be ignored when
host=dynamic [This is another issue though not the same as having source
port authentication] for the people (many home users [and development
groups] that can port forward but do not have any control over how their
firewall does the port mapping).
Having that option will make IAX2 more NAT friendly.
I would summarize all the above in:
1- Having an option for disregarding source port authentication when host
!= dynamic
2- Having the option of not ignoring port=... when host = dynamic
Backward compatibility can also be guaranteed in both cases.
BTW, I'd have made this a feature request at the beginning if I had known it
is not a bug :). I could not find any formal IAX2 RFC (I know there is no RFC in
the true meaning of the word but something similar) to check if this is a
bug or not.
Issue History
Date Modified Username Field Change
======================================================================
2008-11-14 15:21 ffadaie Note Added: 0094915
======================================================================