[jitsi-users] How to make use of dnat


#1

I do know that there is this wonderful feature called ICE but
apparently it does not make use of any kind of dnat so whenever I call
somebody (or somebody calls me) it either fails or makes use of a
media relay which is complete nonsense as I am perfectly reachable on
ALL of the ports in UDP and TCP.

This drives me mad, hope somebody can help me with it.
--
Yannik Völker


#2

On Sat, Jun 1, 2013 at 3:50 AM, Yannik Völker <yannikv@yahoo.de> wrote:

> I do know that there is this wonderful feature called ICE but
> apparently it does not make use of any kind of dnat

How is one supposed to actually use DNAT? If you are forwarding ports,
then you've taken it upon yourself to make things work and in that
case it's up to you to make sure that they are.

Have you tried to look at the traffic?

> so whenever I call
> somebody (or somebody calls me) it either fails or makes use of a
> media relay which is complete nonsense as I am perfectly reachable on
> ALL of the ports in UDP and TCP.
>
> This drives me mad, hope somebody can help me with it.

Keep in mind that ICE isn't magic. It simply takes your addresses,
sends them to your peer and then tries all of them. If ICE switches to
use of a relay, this means that the attempts to use any other
addresses have failed.

Emil

P.S. I assume all this on XMPP? We don't currently have ICE with SIP.


#3

On 01.06.2013 07:03, Emil Ivov wrote:

> On Sat, Jun 1, 2013 at 3:50 AM, Yannik Völker <yannikv@yahoo.de> wrote:
>
>> I do know that there is this wonderful feature called ICE but
>> apparently it does not make use of any kind of dnat
>
> How is one supposed to actually use DNAT?

Probe for my external IP using STUN and try connecting to that IP from
outside (that works, I have tested that a lot of times using netcat,
you can reach my computer on every port when you try to contact my
public IP)

> If you are forwarding ports, then you've taken it upon yourself
> to make things work and in that case it's up to you to make sure
> that they are.

well: how?

> Have you tried to look at the traffic?

Which traffic exactly? I have looked at the traffic of an ongoing call
and it uses a relay, I am unable to view the signalling traffic as the
connection to the server is encrypted

>> so whenever I call somebody (or somebody calls me) it either
>> fails or makes use of a media relay which is complete nonsense as
>> I am perfectly reachable on ALL of the ports in UDP and TCP.
>>
>> This drives me mad, hope somebody can help me with it.
>
> Keep in mind that ICE isn't magic. It simply takes your addresses,
> sends them to your peer and then tries all of them. If ICE switches
> to use of a relay, this means that the attempts to use any other
> addresses have failed.

Does it include my public IP address? If it does I have no idea why it
would not work.

It would be really nice to have a pidgin-like xmpp-monitor to make
debugging such issues easier.

> P.S. I assume all this on XMPP? We don't currently have ICE with
> SIP.

Yes, XMPP

--
Yannik Völker


#4

> It would be really nice to have a pidgin-like xmpp-monitor to make
> debugging such issues easier.

It's not live, but you can investigate all XMPP-traffic by opening the .pcap
files in the log directory.

Ingo


#5

Hey Yannik,

On 01.06.13, 16:34, Yannik Völker wrote:

> On 01.06.2013 07:03, Emil Ivov wrote:
>
>> On Sat, Jun 1, 2013 at 3:50 AM, Yannik Völker <yannikv@yahoo.de> wrote:
>>
>>> I do know that there is this wonderful feature called ICE but
>>> apparently it does not make use of any kind of dnat
>>
>> How is one supposed to actually use DNAT?
>
> Probe for my external IP using STUN and try connecting to that IP from
> outside (that works, I have tested that a lot of times using netcat,
> you can reach my computer on every port when you try to contact my
> public IP)

ICE does that. (Note that use of STUN outside ICE is not recommended).

>> If you are forwarding ports, then you've taken it upon yourself
>> to make things work and in that case it's up to you to make sure
>> that they are.
>
> well: how?

You need to make sure that these ports are also properly allocated when connections originate from the inside. Some NATs would keep them for incoming connections only. Of course, this would require traffic analysis during Jitsi call setup.

>> Have you tried to look at the traffic?
>
> Which traffic exactly?

The STUN requests and the STUN connectivity checks that are part of ICE.

> I have looked at the traffic of an ongoing call
> and it uses a relay, I am unable to view the signalling traffic as the
> connection to the server is encrypted

Ingo has already explained that this is part of our pcap-s. However, most of the troubleshooting should focus on STUN and that's plain UDP.

>>> so whenever I call somebody (or somebody calls me) it either
>>> fails or makes use of a media relay which is complete nonsense as
>>> I am perfectly reachable on ALL of the ports in UDP and TCP.
>>>
>>> This drives me mad, hope somebody can help me with it.
>>
>> Keep in mind that ICE isn't magic. It simply takes your addresses,
>> sends them to your peer and then tries all of them. If ICE switches
>> to use of a relay, this means that the attempts to use any other
>> addresses have failed.
>
> Does it include my public IP address?

It includes any address that it can find. In addition to the address that it discovers via STUN it would also try UPnP and IPv6 and Jingle Nodes and TURN.

> If it does I have no idea why it
> would not work.

That's where analysing traffic would be important. Maybe your NAT does not behave exactly like you want it to. Or maybe it just applies some level of endpoint dependent filtering on inbound connections, which would not be a problem in normal situations. However, if the remote party is behind a NAT with endpoint dependent mapping (a.k.a. symmetric) then it could cause traffic to go through a relay.

Hope this helps,
Emil

> It would be really nice to have a pidgin-like xmpp-monitor to make
> debugging such issues easier.
>
>> P.S. I assume all this on XMPP? We don't currently have ICE with
>> SIP.
>
> Yes, XMPP
>
> --
> Yannik Völker

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org
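
Added example (not part of the original thread and not Jitsi or ice4j code): a Python model of the last point in the message above, where a NAT with endpoint-dependent filtering still gets a direct path to a peer whose NAT has endpoint-independent mapping, but ends up on a relay when the peer's NAT is symmetric. The `Nat` class, the addresses (documentation ranges) and the port numbers are constructed; "dependent" filtering here means address-and-port dependent.

```python
from itertools import count

STUN = ("198.51.100.1", 3478)  # constructed STUN server address

class Nat:
    """Model NAT in RFC 4787 terms: mapping and filtering are each
    'independent' or 'dependent' (on the remote endpoint)."""
    def __init__(self, pub_ip, mapping, filtering):
        self.pub_ip, self.mapping, self.filtering = pub_ip, mapping, filtering
        self.ports = count(40000)   # next free public port
        self.maps = {}              # mapping key -> public port
        self.sent = set()           # (public port, remote endpoint) already contacted

    def outbound(self, remote):
        """Host sends to remote; return the public (ip, port) the remote sees."""
        key = None if self.mapping == "independent" else remote
        if key not in self.maps:
            self.maps[key] = next(self.ports)
        self.sent.add((self.maps[key], remote))
        return (self.pub_ip, self.maps[key])

    def inbound(self, port, source):
        """True if a packet from source to our public port reaches the host."""
        if port not in self.maps.values():
            return False
        return self.filtering == "independent" or (port, source) in self.sent

def check(sender, receiver, target):
    """One STUN connectivity check: request to target, then the response back."""
    src = sender.outbound(target)
    if not receiver.inbound(target[1], src):
        return False                      # receiver's NAT filtered the request
    reply_src = receiver.outbound(src)    # response must come from the target address
    return reply_src == target and sender.inbound(src[1], reply_src)

def direct_path_works(a, b):
    a_srflx, b_srflx = a.outbound(STUN), b.outbound(STUN)  # candidate gathering
    a.outbound(b_srflx)                                    # first checks open pinholes
    b.outbound(a_srflx)
    return check(a, b, b_srflx) or check(b, a, a_srflx)    # retransmitted checks

def scenario(local_filtering, remote_mapping):
    local = Nat("192.0.2.10", "independent", local_filtering)
    remote = Nat("203.0.113.20", remote_mapping, "dependent")
    return "direct" if direct_path_works(local, remote) else "relay"

if __name__ == "__main__":
    for f, m in [("dependent", "independent"), ("dependent", "dependent")]:
        print(f"local filtering={f}, remote mapping={m}: {scenario(f, m)}")
```

With fully endpoint-independent filtering on the local side (`scenario("independent", "dependent")`), the symmetric peer's check gets through and the pair connects directly.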


#6

On 01.06.2013 15:59, Ingo Bauersachs wrote:

> It's not live, but you can investigate all XMPP-traffic by opening
> the .pcap files in the log directory.

that could come in handy, thanks

--
Yannik Völker


#7

ok, after looking into this file: Jitsi uses port 5000 and 5001 and my
local ipv4 and ipv6 addresses as candidates.
stun stunserver.org -v finds my real IP as "MappedAddress"
I can connect to any PC in the internet,
tested via running
  nc -l 6000
on my pc and
  nc myip 6000
on different remote pcs
why exactly does jitsi ignore the possibility of a direct connection I
just do not understand it, it would be so much easier?
It is possible to host any kind of server on my computer and it's
reachable from the internet.

--
Yannik Völker


#8

Hey Yannik,

On Jun 1, 2013 6:34 PM, "Yannik Völker" <yannikv@yahoo.de> wrote:

> ok, after looking into this file: Jitsi uses port 5000 and 5001

Right, it can use between 5000 and 6000 by default.

> and my
> local ipv4 and ipv6 addresses as candidates.

Are you saying that those are the only addresses that Jitsi sends as
candidates?

> stun stunserver.org -v finds my real IP as "MappedAddress"
> I can connect to any PC in the internet,
> tested via running
>   nc -l 6000
> on my pc and
>   nc myip 6000
> on different remote pcs
> why exactly does jitsi ignore the possibility of a direct connection I
> just do not understand it,

If it really isn't announcing it, the only possible reason is that it could
not discover it. Did you disable STUN? Can you see the STUN binding
requests from Jitsi to a STUN server?

Emil

--sent from my mobile

> it would be so much easier?
> It is possible to host any kind of server on my computer and it's
> reachable from the internet.
>
> --
> Yannik Völker


#9

On 01.06.2013 17:55, Emil Ivov wrote:

> Hey Yannik,
>
> On Jun 1, 2013 6:34 PM, "Yannik Völker" <yannikv@yahoo.de> wrote:
>
>> ok, after looking into this file: Jitsi uses port 5000 and 5001
>
> Right, it can use between 5000 and 6000 by default.
>
>> and my local ipv4 and ipv6 addresses as candidates.
>
> Are you saying that those are the only addresses that Jitsi sends
> as candidates?

Exactly, 4 candidates:
ipv4+port1
ipv6+port1
ipv4+port2
ipv6+port2

>> stun stunserver.org -v finds my real IP as "MappedAddress"
>> I can connect to any PC in the internet, tested via running nc -l
>> 6000 on my pc and nc myip 6000 on different remote pcs why exactly
>> does jitsi ignore the possibility of a direct connection I just do
>> not understand it,
>
> If it really isn't announcing it, the only possible reason is
> that it could not discover it. Did you disable STUN? Can you see
> the STUN binding requests from Jitsi to a STUN server?

I can see STUN binding requests, 4 to be precise.
Attached a screenshot of the ICE tab of the settings window, it is
German but I assume that you know the layout.

--
Yannik Völker

jitsi-ice.png.sig (543 Bytes)


#10

On 01.06.13, 19:12, Yannik Völker wrote:

>> If it really isn't announcing it, the only possible reason is
>> that it could not discover it. Did you disable STUN? Can you see
>> the STUN binding requests from Jitsi to a STUN server?
>
> I can see STUN binding requests, 4 to be precise.

Can you share that dump? Do you see any responses? Is it possible that your NAT could be blocking them?

Cheers,
Emil

> Attached a screenshot of the ICE tab of the settings window, it is
> German but I assume that you know the layout.
>
> --
> Yannik Völker
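
Added example (not part of the original thread and not Jitsi code): one way to answer "do you see any responses?" from a capture is to pair STUN Binding requests with success responses by transaction ID and decode the mapped address each response reports. The Python below handles RFC 5389 messages with IPv4 addresses; the helper names and the sample payloads are constructed.

```python
import socket
import struct

MAGIC = 0x2112A442                       # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED, XOR_MAPPED = 0x0001, 0x0020      # attribute types

def parse_stun(payload):
    """Return (type, transaction id, mapped address or None); None if not STUN."""
    if len(payload) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != MAGIC or mtype & 0xC000 or length != len(payload) - 20:
        return None
    txid, pos, mapped = payload[8:20], 20, None
    while pos + 4 <= len(payload):
        atype, alen = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + alen]
        if atype in (MAPPED, XOR_MAPPED) and len(value) == 8 and value[1] == 1:
            port, addr = struct.unpack("!HI", value[2:8])   # IPv4 only
            if atype == XOR_MAPPED:
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        pos += 4 + alen + (-alen % 4)    # values are padded to 4 bytes
    return mtype, txid, mapped

def match_bindings(payloads):
    """Map each Binding request's transaction id to its mapped address (None = unanswered)."""
    results = {}
    for payload in payloads:
        msg = parse_stun(payload)        # None for non-STUN packets such as RTP
        if msg and msg[0] == BINDING_REQUEST:
            results.setdefault(msg[1], None)
        elif msg and msg[0] == BINDING_SUCCESS and msg[1] in results:
            results[msg[1]] = msg[2]
    return results

def _msg(mtype, txid, attrs=b""):
    return struct.pack("!HHI", mtype, len(attrs), MAGIC) + txid + attrs

def _xor_mapped(ip, port):
    addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    return struct.pack("!HHBBHI", XOR_MAPPED, 8, 0, 1, port ^ (MAGIC >> 16), addr)

# Constructed capture: two Binding requests, only the first one is answered.
TX1, TX2 = b"A" * 12, b"B" * 12
CAPTURE = [_msg(BINDING_REQUEST, TX1), _msg(BINDING_REQUEST, TX2),
           _msg(BINDING_SUCCESS, TX1, _xor_mapped("192.0.2.10", 5000))]
```

A transaction ID that maps to `None` is a request that never got a response, which is the case to look for when a NAT or firewall is suspected of dropping STUN traffic.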