[jitsi-dev] Duplicate NAT mapping?


#1

Hiya,

Could you advise me on the following?

I've got a JVB / Jicofo / Meet environment that's behind a gateway. This
gateway performs NAT.

Using org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS and
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS, we're able to allow
users on the public internet to make use of the environment. So far, so
good.

However, the same gateway also provides a VPN service. People on the VPN
address the gateway with a different "public" IP address. Their webrtc
fails.

What's the best course of action here? Would allowing more than one
NAT_HARVESTER_PUBLIC_ADDRESS make sense in this scenario (which would
probably require code changes)?

Regards,

  Guus


#2

Hi Guus,

> Hiya,
>
> Could you advise me on the following?
>
> I've got a JVB / Jicofo / Meet environment that's behind a gateway. This
> gateway performs NAT.
>
> Using org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS and
> org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS, we're able to allow
> users on the public internet to make use of the environment. So far, so
> good.
>
> However, the same gateway also provides a VPN service. People on the VPN
> address the gateway with a different "public" IP address. Their webrtc
> fails.
>
> What's the best course of action here? Would allowing more than one
> NAT_HARVESTER_PUBLIC_ADDRESS make sense in this scenario (which would
> probably require code changes)?

Yeah, I think that makes sense. We already have a list of mapping harvesters, so you'd only need to extend the code which configures it: https://github.com/jitsi/ice4j/blob/master/src/main/java/org/ice4j/ice/harvest/MappingCandidateHarvesters.java#L127

I would suggest parsing the two properties (NAT_HARVESTER_LOCAL_ADDRESS and NAT_HARVESTER_PUBLIC_ADDRESS) as ;-separated lists, because we already do this elsewhere (e.g. ALLOWED_INTERFACES), and it would keep the properties backward compatible.

Regards,
Boris

On 12/05/2017 12:38, Guus der Kinderen wrote:
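
The ;-separated parsing suggested in the reply above, sketched as a stand-alone class; this is an added example, not code from the thread or from ice4j. The `NatMappingConfig` class, the `Mapping` record, the pair-by-position rule and the sample addresses are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class NatMappingConfig {
    static final String LOCAL = "org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS";
    static final String PUBLIC = "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS";

    // Hypothetical holder for one local -> public pair; not an ice4j type.
    record Mapping(String local, String publicAddr) {}

    // Split a ;-separated value; a single address with no ';' yields one entry,
    // so existing single-value configurations parse unchanged.
    static List<String> split(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String part : value.split(";")) {
            String s = part.trim();
            if (!s.isEmpty()) out.add(s);
        }
        return out;
    }

    // Assumption: entries pair up by position, so both lists must be the same
    // length. A mismatch is rejected rather than silently truncated, because a
    // dropped or shifted entry would advertise the wrong address to clients.
    static List<Mapping> parse(Properties props) {
        List<String> locals = split(props.getProperty(LOCAL));
        List<String> publics = split(props.getProperty(PUBLIC));
        if (locals.size() != publics.size()) {
            throw new IllegalArgumentException(LOCAL + " has " + locals.size()
                + " entries but " + PUBLIC + " has " + publics.size());
        }
        List<Mapping> mappings = new ArrayList<>();
        for (int i = 0; i < locals.size(); i++) {
            mappings.add(new Mapping(locals.get(i), publics.get(i)));
        }
        return mappings;
    }

    public static void main(String[] args) {
        // Constructed sample: one bridge address reachable through two
        // gateway addresses (internet-facing and VPN-facing).
        Properties props = new Properties();
        props.setProperty(LOCAL, "10.0.0.5;10.0.0.5");
        props.setProperty(PUBLIC, "198.51.100.20;10.8.0.1");
        parse(props).forEach(m ->
            System.out.println(m.local() + " -> " + m.publicAddr()));
    }
}
```

Entries are kept as strings here; turning them into addresses and registering a mapping harvester for each pair would happen in the configuration code linked in the reply.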