Configuring firewall for meet.jit.si server

Hi,

My company is evaluating Jitsi with the meet.jit.si server, but we have a problem: our corporate network is blocking port 1000 to the STUN server. They are asking us for an FQDN so they can open the port, but they do not want to open it for all. STUN does not have an FQDN, right? It is just an IP on Oracle Cloud…

This is our TURN server: meet-jit-si-turnrelay.jitsi.net:443. Note the IP addresses behind it might change, so they’d need to keep that mapping up to date.

Tx, what about STUN and ICE? IT is blocking port 10000, not 443…

The TURN server listens on port 443 UDP too :wink:

There is no FQDN for JVBs which listen on port 10000. You’d end up using TURN over UDP (if they don’t block UDP traffic) which is OK.

It did not help. When we opened the firewall for the entire Oracle Cloud IP range (130.61.x.x) on port 10000, coming from the IPs of two test devices, it worked. I got this IP range from a pcap of the traffic. This FQDN did not. Also, its IP and DNS record point to an IP in a different range, one that is on AWS, not Oracle Cloud.

I find the whole thing very strange: what gets messed up is p2p traffic between two local IPs, both machines connected to the same hub via ethernet cable. If we open that IP range to the outside, it stops blocking this traffic internally. The error, when it happens, is an “ICMP, destination unreachable, port unreachable” error.
It looks like this (real IPs replaced with device_1_ip and device_2_ip):

20574 51.842685 <device_1_ip> <device_2_ip> UDP 122 34015 → 41234 Len=80
20579 51.843675 <device_2_ip> <device_1_ip> UDP 84 41234 → 34015 Len=42
20587 51.863041 <device_1_ip> <device_2_ip> UDP 120 34015 → 41234 Len=78
20601 51.882182 <device_1_ip> <device_2_ip> UDP 123 34015 → 41234 Len=81
20612 51.888103 <device_1_ip> <device_2_ip> DTLSv1.2 81 Encrypted Alert
20614 51.888129 <device_2_ip> <device_1_ip> DTLSv1.2 81 Encrypted Alert
20910 52.644157 <device_1_ip> <device_2_ip> STUN 142 Binding Request user: z86S:kg3G
20912 52.646380 <device_2_ip> <device_1_ip> ICMP 170 Destination unreachable (Port unreachable)
22557 58.845567 <device_1_ip> <device_2_ip> STUN 138 Binding Request user: K0Nz:XUxG
22561 58.847486 <device_2_ip> <device_1_ip> STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: <device_1_ip>:36826
22565 58.848862 <device_1_ip> <device_2_ip> DTLS 197 Client Hello
22577 58.895168 <device_1_ip> <device_2_ip> STUN 138 Binding Request user: K0Nz:XUxG
22579 58.896157 <device_2_ip> <device_1_ip> STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: <device_1_ip>:36826
22580 58.899274 <device_1_ip> <device_2_ip> DTLS 197 Client Hello
22586 58.943328 <device_1_ip> <device_2_ip> STUN 138 Binding Request user: K0Nz:XUxG
22588 58.946053 <device_2_ip> <device_1_ip> STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: <device_1_ip>:36826
22598 58.996987 <device_1_ip> <device_2_ip> DTLS 197 Client Hello
22668 59.196787 <device_1_ip> <device_2_ip> DTLS 197 Client Hello
22812 59.595654 <device_1_ip> <device_2_ip> DTLS 197 Client Hello
22862 59.740685 <device_2_ip> <device_1_ip> STUN 142 Binding Request user: XUxG:K0Nz
22863 59.741892 <device_1_ip> <device_2_ip> STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: <device_2_ip>:57955
22865 59.743417 <device_2_ip> <device_1_ip> DTLSv1.2 659 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
22868 59.748592 <device_1_ip> <device_2_ip> DTLSv1.2 588 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
22876 59.752474 <device_2_ip> <device_1_ip> DTLSv1.2 612 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
22880 59.762332 <device_1_ip> <device_2_ip> UDP 131 36826 → 57955 Len=89
22890 59.781561 <device_1_ip> <device_2_ip> UDP 118 36826 → 57955 Len=76
22901 59.789773 <device_2_ip> <device_1_ip> STUN 142 Binding Request user: XUxG:K0Nz
22903 59.790392 <device_1_ip> <device_2_ip> STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: <device_2_ip>:57955
22916 59.802661 <device_1_ip> <device_2_ip> UDP 118 36826 → 57955 Len=76
22931 59.828937 <device_1_ip> <device_2_ip> UDP 123 36826 → 57955 Len=81
22940 59.834900 <device_2_ip> <device_1_ip> UDP 84 57955 → 36826 Len=42
22946 59.838419 <device_2_ip> <device_1_ip> STUN 142 Binding Request user: XUxG:K0Nz
22947 59.843064 <device_1_ip> <device_2_ip> STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: <device_2_ip>:57955
22957 59.849682 <device_1_ip> <device_2_ip> UDP 120 36826 → 57955 Len=78
22969 59.865478 <device_1_ip> <device_2_ip> UDP 120 36826 → 57955 Len=78
22986 59.887317 <device_1_ip> <device_2_ip> UDP 121 36826 → 57955 Len=79
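The trace above can be triaged mechanically: pair every STUN Binding Request with whatever the peer sent back (a Binding Success Response means the candidate pair works; an ICMP port-unreachable means the UDP port the check was aimed at is closed or filtered on that host), and check whether the DTLS handshake that follows a working pair actually completes. The script below is an added example, not code from the poster or from the Jitsi project. It parses lines copied from the Wireshark packet list in the same column order as in the post; the sample trace is constructed from the post's frames, with 10.0.0.1 and 10.0.0.2 assumed as stand-ins for <device_1_ip> and <device_2_ip>.

```python
import re

# Constructed sample, mirroring frames from the dump in the post above.
# Assumption: 10.0.0.1 stands in for <device_1_ip>, 10.0.0.2 for <device_2_ip>.
SAMPLE_TRACE = """\
20910 52.644157 10.0.0.1 10.0.0.2 STUN 142 Binding Request user: z86S:kg3G
20912 52.646380 10.0.0.2 10.0.0.1 ICMP 170 Destination unreachable (Port unreachable)
22557 58.845567 10.0.0.1 10.0.0.2 STUN 138 Binding Request user: K0Nz:XUxG
22561 58.847486 10.0.0.2 10.0.0.1 STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: 10.0.0.1:36826
22565 58.848862 10.0.0.1 10.0.0.2 DTLS 197 Client Hello
22862 59.740685 10.0.0.2 10.0.0.1 STUN 142 Binding Request user: XUxG:K0Nz
22863 59.741892 10.0.0.1 10.0.0.2 STUN 106 Binding Success Response XOR-MAPPED-ADDRESS: 10.0.0.2:57955
22865 59.743417 10.0.0.2 10.0.0.1 DTLSv1.2 659 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
22868 59.748592 10.0.0.1 10.0.0.2 DTLSv1.2 588 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
22876 59.752474 10.0.0.2 10.0.0.1 DTLSv1.2 612 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
"""

# Wireshark packet-list columns: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
USER_RE = re.compile(r"Binding Request user:\s*(\S+)")


def parse_trace(text):
    """Turn copied packet-list lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append({"no": int(m[1]), "time": float(m[2]), "src": m[3],
                           "dst": m[4], "proto": m[5], "info": m[7]})
    return frames


def triage_ice(frames):
    """Correlate each STUN Binding Request with the peer's reply and track DTLS.

    The ICE username pair (local:remote ufrag) identifies the candidate pair
    being checked. A reply is only attributed to a request when it flows from
    the request's destination back to its source.
    """
    pairs = {}
    pending = None          # (user, src, dst) of the last unanswered Binding Request
    server_addr = None      # peer that sent the DTLS Server Hello
    handshake_complete = False

    for f in frames:
        info, proto = f["info"], f["proto"]

        if proto == "STUN" and "Binding Request" in info:
            user = USER_RE.search(info)[1]
            stats = pairs.setdefault(user, {"requests": 0, "responses": 0, "port_unreachable": 0})
            stats["requests"] += 1
            pending = (user, f["src"], f["dst"])
            continue

        if pending and (f["src"], f["dst"]) == (pending[2], pending[1]):
            user = pending[0]
            if proto == "STUN" and "Binding Success Response" in info:
                pairs[user]["responses"] += 1
                pending = None
            elif proto == "ICMP" and "Port unreachable" in info:
                # The checked host rejected the UDP port: closed or filtered there.
                pairs[user]["port_unreachable"] += 1
                pending = None

        if proto.startswith("DTLS"):
            if "Server Hello" in info:
                server_addr = f["src"]
            elif server_addr == f["src"] and "Change Cipher Spec" in info:
                # Server's final flight after the Server Hello: handshake done.
                handshake_complete = True

    failed = sorted(u for u, s in pairs.items()
                    if s["responses"] == 0 and s["port_unreachable"] > 0)
    return {"pairs": pairs, "failed_pairs": failed,
            "dtls_handshake_complete": handshake_complete}


if __name__ == "__main__":
    result = triage_ice(parse_trace(SAMPLE_TRACE))
    for user, stats in result["pairs"].items():
        print(f"{user}: {stats}")
    print("failed pairs:", result["failed_pairs"])
    print("DTLS handshake complete:", result["dtls_handshake_complete"])
```

On the sample this flags the z86S:kg3G check as failed (one request, no response, one port-unreachable) while both K0Nz:XUxG directions succeed and the DTLS handshake completes, which is exactly the pattern in the post: the first candidate pair is refused by the peer host, a later pair gets through. Feeding it a full copied trace lets you see whether the refused pair is always the same local port or host before asking IT to change anything.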

Did not, how? Did you see connection attempts? Did you open port 443 UDP? Yes, it’s on AWS; it’s still part of our infrastructure.

Yes, I have seen some traffic to it, but very little. Most is p2p between the two devices. After that to 130.61.x.x, and a little bit to AWS.

I re-ran the tests:
UDP 10000 open on 130.61.0.0-130.61.255.255 - everything works fine and is stable.

UDP ports 10000 and 443 open to meet.jit.si and meet-jit-si-turnrelay.jitsi.net, but closed to 130.61.x.x: we get disconnects from the conference several times a minute.
Tx

meet-jit-si-turnrelay.jitsi.net is on 130.61.x.x.

Yes, IT opened UDP 443 and 10000 to 130.61.x.x and it started working.