Jitsi in DMZ access from intranet and internet

Hello
I just installed docker-jitsi on CentOS 7 in a DMZ VM (DMZ IP: 192.168.x.x), and forward the public IP (203.64.x.x) TCP port 443 and UDP port 10000 to the DMZ IP.
By setting
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=172.18.x.x
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.64.x.x
Internet users can access Jitsi and video works well, but intranet users (IP: 10.x.x.x) can't access the public IP (203.64.x.x); they can only access Jitsi through the DMZ IP (192.168.x.x). I have tried setting
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.x.x
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.64.x.x
but it does not work.
Chrome console log:
[JitsiConference.js] <ee.prototype._init/this.e2eping<>: Failed to send a ping request or response.
[modules/RTC/BridgeChannel.js] : Bridge Channel send: no opened channel.
Our network:


Could somebody please give me a hint on how to fix the problem?
Thank you very much!


Hi,

A couple of questions to make sure I understand the situation correctly:
Does the jitsi-videobridge process bind only on 172.x?
Does the following config work for your intranet case?
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=172.18.x.x
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=192.168.x.x

I think what you need is two NAT harvesters, one to account for the 192.x -> 172.x mapping, and one for 203.x -> 172.x. Unfortunately there’s currently no way to enable such configuration. It should be pretty easy to do by e.g. allowing the config properties to contain lists here:

A contribution would be welcome.

Regards,
Boris

Hi Boris
Thanks for your reply!

Does the jitsi-videobridge process bind only on 172.x?

udp6 0 0 172.18.0.4:10000 :::* 92677/java

It seems like yes, JVB binds on 172.18.0.4:10000.
We installed Jitsi on Docker (https://github.com/jitsi/docker-jitsi-meet).
So, if we make JVB inside Docker bind to 0.0.0.0:10000, and set
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.x.x
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.64.x.x
should this work for both intranet (10.x -> 192.168.x) and internet (any IP -> 203.64.x.x)?
Or if we install Jitsi directly on Linux at 192.168.x, without docker-jitsi, should the above settings work?

Does the following config work for your intranet case?
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=172.18.x.x
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=192.168.x.x

Yes, but only intranet user can see each other.

If you’re running in docker and only bound on 172.x, this will not work at all.

Yes, if you’re running natively and bound on 192.x the above should work for everyone.

Boris
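
The reasoning in Boris's two replies (a NAT harvester only maps an address the bridge is actually bound to, so a 192.168 LOCAL address does nothing for a JVB bound on 172.18, and a second mapping would be needed for intranet clients) can be checked with a small model. The following is an added example, not ice4j or jitsi-videobridge code: it parses the two NAT_HARVESTER properties, derives the ICE candidates the bridge would advertise, and asks which of them each client can reach. The comma-separated list syntax is the hypothetical extension Boris suggests, not something stock ice4j accepts. All addresses are constructed stand-ins for the ones in the thread (172.18.0.4 for the container, 192.168.1.10 for the DMZ VM, 203.0.113.10 from the documentation range for the public IP, 10.1.2.3 for an intranet client, 198.51.100.7 for an internet client), and the reachability table is a constructed model of the poster's network in which the intranet cannot hairpin to the public IP.

```python
# Added illustration (not ice4j/jitsi-videobridge code) of how NAT harvester
# mappings turn into ICE candidates and which of them each client can reach.
# Addresses are constructed stand-ins for the ones in the thread: 172.18.0.4 for
# the container, 192.168.1.10 for the DMZ VM, 203.0.113.10 (documentation range)
# for the public IP, 10.1.2.3 for an intranet client, 198.51.100.7 for an
# internet client.
import ipaddress
from dataclasses import dataclass

LOCAL_KEY = "org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS"
PUBLIC_KEY = "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS"
JVB_PORT = 10000

# Constructed reachability model of the network in the thread: each entry maps a
# client network to the destination networks it can reach. Order matters; the
# first matching client network wins.
REACHABILITY = {
    "10.0.0.0/8": ["192.168.0.0/16"],   # intranet reaches the DMZ only (no hairpin NAT)
    "0.0.0.0/0": ["203.0.113.0/24"],    # internet reaches the public IP only
}


@dataclass(frozen=True)
class Candidate:
    address: str
    port: int
    kind: str  # "host" (bound address) or "srflx" (NAT-mapped public address)


def parse_nat_mappings(props):
    """Return (local, public) pairs from the two NAT harvester properties.
    Comma-separated lists are a hypothetical extension (Boris's suggestion);
    stock ice4j takes a single address in each property."""
    locals_ = [a.strip() for a in props.get(LOCAL_KEY, "").split(",") if a.strip()]
    publics = [a.strip() for a in props.get(PUBLIC_KEY, "").split(",") if a.strip()]
    if len(locals_) != len(publics):
        raise ValueError("LOCAL and PUBLIC address lists must have the same length")
    for a in locals_ + publics:
        ipaddress.ip_address(a)  # fail early on a typo rather than at call time
    return list(zip(locals_, publics))


def gather_candidates(bound_addresses, mappings, port=JVB_PORT):
    """One host candidate per bound address, plus one mapped candidate for each
    mapping whose LOCAL side is an address the socket is actually bound to.
    A mapping for an address the process does not use yields nothing."""
    cands = [Candidate(a, port, "host") for a in bound_addresses]
    for local, public in mappings:
        if local in bound_addresses:
            cands.append(Candidate(public, port, "srflx"))
    return cands


def can_reach(client_ip, address, reachability=REACHABILITY):
    """True if the client's network (first match) can route to the address."""
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(address)
    for client_net, dest_nets in reachability.items():
        if client in ipaddress.ip_network(client_net):
            return any(target in ipaddress.ip_network(d) for d in dest_nets)
    return False


def usable_candidates(client_ip, candidates):
    return [c.address for c in candidates if can_reach(client_ip, c.address)]


def evaluate(bound_addresses, props, clients=("10.1.2.3", "198.51.100.7")):
    """Map each client IP to the candidate addresses it could connect to.
    An empty list means that client has no way to reach the bridge."""
    cands = gather_candidates(bound_addresses, parse_nat_mappings(props))
    return {ip: usable_candidates(ip, cands) for ip in clients}


# The four configurations discussed in the thread.
DOCKER_PUBLIC_ONLY = {LOCAL_KEY: "172.18.0.4", PUBLIC_KEY: "203.0.113.10"}
DOCKER_DMZ_LOCAL = {LOCAL_KEY: "192.168.1.10", PUBLIC_KEY: "203.0.113.10"}
NATIVE_DMZ = {LOCAL_KEY: "192.168.1.10", PUBLIC_KEY: "203.0.113.10"}
DOCKER_TWO_MAPPINGS = {LOCAL_KEY: "172.18.0.4,172.18.0.4",
                       PUBLIC_KEY: "192.168.1.10,203.0.113.10"}

if __name__ == "__main__":
    for name, bound, props in [
        ("docker, 172->203 only", ["172.18.0.4"], DOCKER_PUBLIC_ONLY),
        ("docker, LOCAL=192.168 (not bound)", ["172.18.0.4"], DOCKER_DMZ_LOCAL),
        ("native on 192.168", ["192.168.1.10"], NATIVE_DMZ),
        ("docker, two mappings (hypothetical)", ["172.18.0.4"], DOCKER_TWO_MAPPINGS),
    ]:
        print(name, evaluate(bound, props))
```

The second configuration is the one the original poster tried: because 192.168.1.10 is not an address the containerised JVB is bound to, the mapping produces no candidate and only the unroutable 172.18 host candidate is left, so neither client group gets media. Binding to 0.0.0.0 inside a bridge-mode container does not change this, since the socket can still only be bound to addresses inside the container's network namespace. The third configuration is Boris's native install, where the host candidate serves the intranet and the mapped candidate serves the internet; the fourth is what a list-valued property would allow.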