VPS installation double NAT does not work with firefox

Cedric_Briner · May 11, 2020, 6:07pm

I’ve setup a Jitsi server on debian buster LXD. When testing it, it works well with 2 chrome clients, 2 chromium clients, but fails with 2 firefox clients.

The installation is really fresh

dpkg -l| grep -i jitsi | awk '{print $2 $3}'
  # jicofo1.0-567-1
  # jitsi-meet2.0.4548-1
  # jitsi-meet-prosody1.0.4074-1
  # jitsi-meet-turnserver1.0.4074-1
  # jitsi-meet-web1.0.4074-1
  # jitsi-meet-web-config1.0.4074-1
  # jitsi-videobridge22.1-197-g38256192-1

I do have a VPS as follow, and I try to use lxd to containerize the application.
to seperate my vhosts

I do have the following setup:

                   |*.logilibres-verts.ch
                   |83.166.150.246
                   |
                   |(NAT)
                   |
                   |10.52.28.100
+------------------+--------------------+
|VPS               |lxdbr0              |
|                  + 10.38.85.1         |
|                 / \                   |
|                /   \ iptables forward |
|   lxd device  /     \ udp 10k-20k     |
|      80,443  /       \ tcp 4443       |
|+------------+          +-------------+|
||    lxd     |          |     lxd     ||
||  traefik   |> 80,443 >|   jitsi     ||
||10.38.85.41 |          |10.38.85.164 ||
|+------------+          +-------------+|
+---------------------------------------+

The main ips are

public ip: 83.166.150.246 (@ *.logilibres-verts.ch)
vps ip: 10.52.28.100
lxd jitsi ip: 10.38.85.164

The traffic is DNATted inside the vps as follow:

iptables -t nat -A PREROUTING -i eth0 \
  -p udp -d 10.52.28.100 --dport 10000:20000 \
  -j DNAT --to-destination 10.38.85.164:10000-20000 \
  -m comment --comment "jitsi udp"

iptables -t nat -I PREROUTING -i eth0 \
  -p tcp -d 10.52.28.100 --dport 4443 \
  -j DNAT --to-destination 10.38.85.164:4443
  -m comment --comment "jitsi 4443"

the /etc/jitsi/videobridge/sip-communicator.properties as:

#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.38.85.164
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=83.166.150.246

I’ve checked that port 10000 and port 4443 are using dnat, and that it work

# on my jitsi server
tcpdump -i eth0 udp port 10000
# on my laptop
echo "toto" | nc -u conf.logilibres-verts.ch 10000
# on my jitsi server the tcpdump shows
20:42:10.496963 IP 217-162-196-50.dynamic.hispeed.ch.49966 > jitsi.lxd.10000: UDP, length 5

I’ve tested also some ports on the range 10k-20 : port 10001, 11000. And it worked also.

I’ve made the same test on port 4443. And it worked.

So what could be wrong ?

I’ve followed:

and

github.com

jitsi/jitsi-meet/blob/master/doc/quick-install.md#advanced-configuration

# Jitsi Meet quick install

This guide helps you  ___host your own Jitsi server___. If you want to have a video conference without setting up any infrastructure, use https://meet.jit.si instead.

This document describes the required steps for a quick Jitsi Meet installation on a Debian based GNU/Linux system. Debian 9 (Stretch) or later, and Ubuntu 18.04 (Bionic Beaver) or later are supported out-of-the-box.

On Ubuntu systems, Jitsi requires dependencies from Ubuntu's `universe` package repository.  To ensure this is enabled, run `apt-add-repository universe` at the command-line.

_Note_: Many of the installation steps require elevated privileges. If you are logged in using a regular user account, you may need to temporarily increase your permissions (for example, by using `sudo` for individual commands).

## Basic Jitsi Meet install

### Set up the Fully Qualified Domain Name (FQDN) (optional)

If the machine used to host the Jitsi Meet instance has a FQDN (for example `meet.example.org`) already set up in DNS, `/etc/hostname` must contain this FQDN; if this is not the case yet, [change the hostname](https://wiki.debian.org/HowTo/ChangeHostname).

Then add the same FQDN in the `/etc/hosts` file, associating it with the loopback address:

    127.0.0.1 localhost meet.example.org

This file has been truncated. show original