[jitsi-users] Jitsi-Meet NAT issue


#1

Dear All,

I’ve a virtualized Debian 7.8 where I installed jitsi-meet following the quick install instructions:
https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md

ii jitsi-meet 1.0.547-1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.547-1 all Prosody configuration for Jitsi Meet
ii jitsi-videobridge 472-1 amd64 WebRTC compatible Selective Forwarding Unit (SFU)

The box is connected to the Internet via a Cisco router and I’m using NAT to reach the server from the Internet.

I modified the file sip-communicator.properties in order to specify the internal/external IPs:

org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.248
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=46.14.XXX.XXX

I created port forwarding rules on the Cisco as follows (even if I’m quite sure that forwarding UDP ports is not needed):

!
ip nat pool JITSIFW 192.168.1.248 192.168.1.248 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.1.248 443 interface FastEthernet0/0 443
ip nat inside destination list 103 pool JITSIFW
!
access-list 103 permit udp any any range 5000 6000
access-list 103 permit udp any any range 10000 20000
access-list 103 permit udp any any range 50000 60000

I’m connecting to the application using the FQDN and a trusted SSL cert.
The name servers for our domain are configured to reply with the internal or external IP according to the requester’s location.

From LAN-to-LAN everything is working fine.
From LAN-to-Internet I cannot get remote video/audio and vice versa. Only chat is working.

Do you have any advice?
Is UDP port forwarding needed in my setup?

Thank you,
Andrea
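A quick way to sanity-check the pieces of this setup is to parse them rather than eyeball them. The block below is an added example, not part of jitsi-meet, its quick-install instructions, or the thread: it reads the sip-communicator.properties lines and the Cisco access-list ranges quoted above, checks that the harvester's local address is RFC 1918 space and the public one is not, and checks that a forwarded UDP range fully covers the bridge's media ports. Assumptions: the bridge uses UDP 10000-20000 (the range Emil refers to in his reply), the access-list ranges are what the router actually forwards, and the redacted public address (46.14.XXX.XXX in the post) is replaced by the documentation address 198.51.100.9. It also reports checkReplay=false, which switches off SRTP replay protection in the bridge's media stack, so that weakening stays a deliberate choice rather than a leftover.

```python
"""Sanity-check the NAT harvester properties and the router's UDP ranges.
Added example; the inputs are the post's snippets with a placeholder public IP."""
import ipaddress
import re

# Assumed media port range of the bridge (the "10K to 20K UDP" from the thread).
BRIDGE_UDP_RANGE = (10000, 20000)

# Constructed inputs: the post's lines, public address replaced by 198.51.100.9.
PROPERTIES = """\
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.248
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=198.51.100.9
"""

CISCO = """\
ip nat inside source static tcp 192.168.1.248 443 interface FastEthernet0/0 443
ip nat inside destination list 103 pool JITSIFW
access-list 103 permit udp any any range 5000 6000
access-list 103 permit udp any any range 10000 20000
access-list 103 permit udp any any range 50000 60000
"""

LOCAL_KEY = "org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS"
PUBLIC_KEY = "org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS"
REPLAY_KEY = "org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True only for RFC 1918 space; documentation ranges count as public here."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_properties(text):
    """Parse Java-style key=value lines into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


# Matches the "access-list N permit udp <src> <dst> range LOW HIGH" form used in the post.
ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+udp\s+\S+\s+\S+\s+range\s+(\d+)\s+(\d+)$")


def parse_udp_ranges(text):
    """Collect (low, high) UDP port ranges from the access-list lines."""
    ranges = []
    for line in text.splitlines():
        match = ACL_RE.match(line.strip())
        if match:
            ranges.append((int(match.group(1)), int(match.group(2))))
    return ranges


def covers(ranges, wanted):
    """True when one forwarded range fully contains the wanted (low, high) span."""
    low, high = wanted
    return any(a <= low and high <= b for a, b in ranges)


def check_config(props, udp_ranges):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    local, public = props.get(LOCAL_KEY), props.get(PUBLIC_KEY)
    if not local or not public:
        findings.append("NAT harvester: both LOCAL and PUBLIC addresses must be set")
    else:
        if not is_rfc1918(local):
            findings.append(f"LOCAL_ADDRESS {local} is not an RFC 1918 address")
        if is_rfc1918(public):
            findings.append(f"PUBLIC_ADDRESS {public} is private; remote clients would "
                            "send their ICE checks to an address they cannot reach")
    if not covers(udp_ranges, BRIDGE_UDP_RANGE):
        findings.append(f"no forwarded UDP range covers {BRIDGE_UDP_RANGE[0]}-{BRIDGE_UDP_RANGE[1]}")
    if props.get(REPLAY_KEY, "true").lower() == "false":
        findings.append("checkReplay=false disables SRTP replay protection; keep it only if required")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_properties(PROPERTIES), parse_udp_ranges(CISCO)) or ["no findings"]:
        print(finding)
```

Run against the post's own values the checker reports only the checkReplay setting; swapping the public address for a private one, or dropping the 10000-20000 line, produces the corresponding finding.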


#2

Hey Andrea,

I don't see anything in your mail that tells your firewall to redirect
UDP ports 10K to 20K to your bridge box.

It should still switch to TCP but have you made sure JVB is listening
on 443 (i.e. running as root) or that you have port forwarding in
place?

Emil


On Wed, Jun 24, 2015 at 5:52 PM, Andrea Mazzeo <admin@smallunix.net> wrote:

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org


#3

Hello Emil,

I don't see anything in your mail that tells your firewall to redirect
UDP ports 10K to 20K to your bridge box.

It’s here:

ip nat inside destination list 103 pool JITSIFW

It should still switch to TCP but have you made sure JVB is listening
on 443 (i.e. running as root) or that you have port forwarding in
place?

JVB is listening on 443 and I can connect from both sides (LAN and WAN).

I collected a trace with Wireshark on the remote client and I noticed that the remote web client is trying to send STUN binding requests to the private server IP (192.168.1.248) instead of the public one.

I checked again .sip-communicator/sip-communicator.properties, inside the home of the user that is running jvb, and the IPs are correct.

I really don’t like NAT, but unfortunately I don’t have other options here.

Br,
Andrea



#4

Hey Andrea,

Hello Emil,

I don't see anything in your mail that tells your firewall to redirect
UDP ports 10K to 20K to your bridge box.

It’s here:

ip nat inside destination list 103 pool JITSIFW

OK. I don't understand this line but if you are confident it forwards
ports 10K to 20K then fine.

It should still switch to TCP but have you made sure JVB is listening
on 443 (i.e. running as root) or that you have port forwarding in
place?

JVB is listening on 443 and I can connect from both sides (LAN and WAN).

If you are connecting from LAN and WAN then you are most likely not
connecting on 443 but on 10K to 20K UDP.

I collected a trace with Wireshark on the remote client and I noticed that the remote web client is trying to send STUN binding requests to the private server IP (192.168.1.248) instead of the public one.

There is no public one actually. Jitsi Meet does not use a STUN
server. What you are seeing are the ICE connectivity checks and if
those are not being forwarded to Jitsi videobridge then there is a
problem with your mappings.

Hope this helps,
Emil


On Wed, Jun 24, 2015 at 8:35 PM, Andrea Mazzeo <admin@smallunix.net> wrote:

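Emil's point is that the packets Andrea saw in Wireshark are ICE connectivity checks, which on the wire are STUN Binding requests (RFC 5389), and that the real question is whether they reach the bridge. The block below is an added example, my code rather than Jitsi's or anything posted in the thread: it decodes STUN messages from captured UDP payloads, flags Binding requests that a non-private source sent to an RFC 1918 destination (the symptom from the trace), and also builds the Binding success response with XOR-MAPPED-ADDRESS so both halves of a check can be seen. The capture, addresses, transaction ids and USERNAME values are constructed; only IPv4 is handled.

```python
"""Decode ICE connectivity checks (STUN Binding requests) from captured UDP
payloads and flag the ones aimed at a private address.  Added example."""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value, identifies STUN traffic
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
USERNAME = 0x0006                  # ICE checks carry the ufrag pair here
XOR_MAPPED_ADDRESS = 0x0020

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def _header(msg_type, attrs, txid):
    """20-byte STUN header (type, attribute length, cookie, 96-bit transaction id)."""
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + txid + attrs


def build_binding_request(username=None, txid=None):
    """Binding request as an ICE agent sends it; USERNAME is optional here."""
    txid = txid or os.urandom(12)
    attrs = b""
    if username:
        raw = username.encode()
        attrs += struct.pack("!HH", USERNAME, len(raw)) + raw + b"\x00" * (-len(raw) % 4)
    return _header(BINDING_REQUEST, attrs, txid)


def build_binding_response(txid, ip, port):
    """Binding success response carrying XOR-MAPPED-ADDRESS (IPv4 only)."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_ip = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attrs = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_ip)
    return _header(BINDING_SUCCESS, attrs, txid)


def parse_stun(payload):
    """Return (msg_type, txid, attrs) for a STUN message, None for anything else."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # The top two bits of the type are always zero and the cookie must match.
    if cookie != MAGIC_COOKIE or msg_type & 0xC000 or len(payload) < 20 + length:
        return None
    txid, body, attrs, pos = payload[8:20], payload[20:20 + length], {}, 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            x_port, x_ip = struct.unpack("!HI", value[2:8])
            value = (str(ipaddress.IPv4Address(x_ip ^ MAGIC_COOKIE)), x_port ^ (MAGIC_COOKIE >> 16))
        elif atype == USERNAME:
            value = value.decode(errors="replace")
        attrs[atype] = value
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    return msg_type, txid, attrs


def misdirected_checks(packets):
    """From (src_ip, dst_ip, dst_port, payload) tuples, return the Binding requests
    that a non-private source sent to an RFC 1918 destination: ICE checks aimed
    at an address the remote client cannot reach through the NAT."""
    bad = []
    for src, dst, dport, payload in packets:
        parsed = parse_stun(payload)
        if parsed is None or parsed[0] != BINDING_REQUEST:
            continue
        if is_rfc1918(dst) and not is_rfc1918(src):
            bad.append((src, dst, dport, parsed[2].get(USERNAME)))
    return bad


# Constructed capture (not a real trace): a remote browser at 203.0.113.7 sends one
# check to the bridge's private address, as in the post, and one to a public address.
CAPTURE = [
    ("203.0.113.7", "192.168.1.248", 10005, build_binding_request("brdg:clnt", b"A" * 12)),
    ("203.0.113.7", "198.51.100.9", 10005, build_binding_request("brdg:clnt", b"B" * 12)),
    ("203.0.113.7", "192.168.1.248", 10005, b"not a STUN message"),
]

if __name__ == "__main__":
    for src, dst, dport, user in misdirected_checks(CAPTURE):
        print(f"ICE check from {src} to private {dst}:{dport} (USERNAME {user})")
```

The same parser can be fed payloads exported from a capture on the bridge host: if the remote client's checks never show up there on the forwarded UDP ports, the mapping is the problem, exactly as Emil suggests; if they arrive but carry a private destination in the client's trace, the advertised candidate is wrong.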