* Issues with SIP NAT for SDP/RTP Addresses
@ 2021-11-12 13:37 John Marrett
  2021-11-15 12:39 ` John Marrett
  0 siblings, 1 reply; 3+ messages in thread
From: John Marrett @ 2021-11-12 13:37 UTC (permalink / raw)
  To: netfilter

I am trying to configure a router (OpenWrt, kernel 5.4.154, modules
nf_conntrack, nf_conntrack_sip, nf_nat_sip loaded) to NAT voice
traffic, both SIP and RTP between two different networks. On one side
of the NAT I have an SBC and on the other a SIP server and multiple
SIP endpoints. NAT is working correctly for my SIP traffic, it is not
working, within the SDP portion of the SIP exchange, for RTP
addresses.

In this simplified example I have an SBC in one network, with the IP
address 192.168.1.10. In another network I have a SIP server with IP
192.168.2.10 as well as several SIP endpoints in this network, in this
example we will discuss the SIP endpoint with the IP 192.168.2.20.

At the bottom of this message I have included an ascii diagram showing
the communications between the devices as well as their actual and
NATed IP addresses.

I have configured NAT translating the addresses in the 192.168.2.0/24
network to IPs in an intermediary network, 192.168.3.0/24 which is
sent by an upstream network device to my router performing NAT. The IP
of my SIP server is translated to 192.168.3.2. I wish to dynamically
translate the IPs of all other devices inside the 192.168.2.0/24
network to 192.168.3.1, including the SIP endpoint in my example with
IP 192.168.2.20.

In the other direction SIP servers in the 192.168.2.0/24 network will
reach the SBC at 192.168.1.10 using the address of my router,
192.168.2.2.

In order to achieve these translations I have configured the following
NAT rules.

# SIP NAT
iptables -t nat -A PREROUTING -p udp -d 192.168.2.2 --dport 5060 -j DNAT --to-destination 192.168.1.10
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.10 -s 192.168.2.20 -p udp --dport 5060 -j SNAT --to 192.168.3.2
iptables -t nat -A PREROUTING -p udp -d 192.168.3.2 --dport 5060 -j DNAT --to-destination 192.168.2.20
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.20 -s 192.168.1.10 -p udp --dport 5060 -j SNAT --to 192.168.2.2

# Media NAT
iptables -t nat -A PREROUTING -p udp -d 192.168.2.2 --dport 16384:32766 -j DNAT --to-destination 192.168.1.10
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.10 -p udp --dport 16384:32766 -j SNAT --to 192.168.3.2

The SIP portion of this NAT configuration functions correctly. There
are some issues with the media NAT configuration which may NAT other
unintended traffic, I can refine these rules at a later time.

The NAT functions correctly both for the IP packets as well as the SIP
protocol itself, with the OPTIONS methods and other SIP elements being
translated correctly, for instance:

OPTIONS sip:192.168.2.2:5060 SIP/2.0
becomes
OPTIONS sip:192.168.1.10:5060 SIP/2.0

When a call is established between the SIP endpoint and the SBC the
RTP media addresses in the SDP portion of the SIP exchange are not
modified. Because the SIP endpoints are registered with their local
SIP server and not the remote SBC the SIP session is between the SIP
server and the SBC, however the RTP session defined using SDP is
directly between the SIP endpoint and SBC. This is a different and
more complex flow from what you would see with a SIP endpoint
connecting to a SIP remote server using NAT as the RTP addresses are
not the same as those of the SIP server.

Here's an example of a 200 OK response after the SIP/2.0 180 Ringing
exchange where I need the IP 192.168.1.20 to be transformed to
192.168.3.2:

v=0
o=CiscoSystemsCCM-SIP 1274830 1 IN IP4 192.168.1.10
s=SIP Call
c=IN IP4 192.168.1.20
b=TIAS:64000
b=AS:80
t=0 0
m=audio 49048 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:49049 IN IP4 192.168.1.20

I need to have these addresses translated so that the endpoint and SBC
media streams will be sent via the appropriate NAT addresses.

Can netfilter perform this type of NAT, and how do I configure it with
netfilter? I have tried to answer these questions myself but haven't
been able to find much information on how to perform SIP/SDP NAT.

Thank you in advance for any help that you can offer me, please let me
know if you need any additional information, I've tried to be as
detailed as possible in my explanation of the problem.

-JohnF

Here's the diagram of the network, if this doesn't render properly in
your mail client you should be able to view it using a preformatted
font in any text editor.


            ┌──────────────────┐
            │                  │
            │ SBC              │
            │ IP: 192.168.1.10 │
            │ NAT 192.168.2.2  │
            │                  │
            └────────┬─────────┘
                     │ eth1 x.x.x.x
            ┌────────┴─────────┐
            │                  │
            │   Linux Router   │
            │                  │
            │                  │
            └────────┬─────────┘
                     │ eth0 192.168.2.2
        ┌────────────┴───────────┐
        │                        │
┌───────┴──────────┐   ┌─────────┴────────┐
│                  │   │                  │
│ SIP Server       │   │ SIP Endpoint     │
│ IP: 192.168.2.10 │   │ IP: 192.168.2.20 │
│ NAT 192.168.3.2  │   │ NAT 192.168.3.2  │
│                  │   │                  │
└──────────────────┘   └──────────────────┘


* Re: Issues with SIP NAT for SDP/RTP Addresses
  2021-11-12 13:37 Issues with SIP NAT for SDP/RTP Addresses John Marrett
@ 2021-11-15 12:39 ` John Marrett
  2021-11-19 20:01   ` John Marrett
  0 siblings, 1 reply; 3+ messages in thread
From: John Marrett @ 2021-11-15 12:39 UTC (permalink / raw)
  To: netfilter

I have made some more progress since I made this post last week. I set
sip_direct_media to 0 (which indicates NAT should be performed for
media streams which don't come directly from endpoints) and
sip_external_media to 1 (I'm not clear on the purpose of this setting;
reading the description of the git commit
https://github.com/torvalds/linux/commit/a3419ce3 it appears to
prevent NAT for traffic that transits the router and egresses on the
same interface, this shouldn't be needed in my environment). With this
configuration some of the IPs in the SDP traffic were NATed correctly.

Is there any documentation that explains in detail what the
capabilities of netfilter SIP/SDP NAT are and how to configure it? I'm
mainly looking at the source and commit messages which are difficult
for me to understand, I would like to document my findings and share
them with the community.

There are several errors in the information that I have previously provided:

The IP 192.168.1.10 in the SDP section should actually be 192.168.2.20
The NAT IP for the SIP Endpoint in the diagram should be 192.168.3.1

There are also errors in the IPs in the existing NAT rules, I've
updated them all here:

# SIP NAT
iptables -t nat -A PREROUTING -p udp -d 192.168.2.2 --dport 5060 -j DNAT --to-destination 192.168.1.10
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.10 -s 192.168.2.10 -p udp --dport 5060 -j SNAT --to 192.168.3.2
iptables -t nat -A PREROUTING -p udp -d 192.168.3.2 --dport 5060 -j DNAT --to-destination 192.168.2.10
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.10 -s 192.168.1.10 -p udp --dport 5060 -j SNAT --to 192.168.2.2

# Media NAT
iptables -t nat -A PREROUTING -p udp -d 192.168.2.2 --dport 16384:32766 -j DNAT --to-destination 192.168.1.10
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.10 -p udp --dport 16384:32766 -j SNAT --to 192.168.3.1

With the adjustments to the nf_conntrack_sip parameters described
above I observed the following behaviour in the SDP part of the SIP traffic;
first with the unsuccessful transformation of traffic from
192.168.2.10 to 192.168.1.10

o= 192.168.2.10 was correctly translated to 192.168.3.2
c= 192.168.2.20 was translated, but to 192.168.3.2 instead of the
expected 192.168.3.1; this isn't a major concern presently though it
is surprising
The a=rtcp header a=rtcp:56157 IN IP4 192.168.2.20 was not translated,
and passed unchanged. I notice that the correctly translated SDP
packet does not have an IP address in the a=rtcp header and, I
presume, only makes use of the IP specified in the c= line.

v=0
o=CiscoSystemsCCM-SIP 6732621 1 IN IP4 192.168.2.10
s=SIP Call
c=IN IP4 192.168.2.20
b=TIAS:64000
b=AS:80
t=0 0
m=audio 56156 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:56157 IN IP4 192.168.2.20

and the SDP info after NAT:

v=0
o=CiscoSystemsCCM-SIP 6732621 1 IN IP4 192.168.3.2
s=SIP Call
c=IN IP4 192.168.3.2
b=TIAS:64000
b=AS:80
t=0 0
m=audio 56156 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:56157 IN IP4 192.168.2.20

Traffic sent from the SBC at 192.168.1.10 was correctly translated
with all three instances of the IPs of 192.168.2.2 being transformed
to 192.168.1.10

v=0
o=SBC 64 1001 IN IP4 192.168.2.2
s=SBC
c=IN IP4 192.168.2.2
t=0 0
m=audio 16520 RTP/AVP 0 101 13
c=IN IP4 192.168.2.2
a=rtpmap:0 PCMU/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:13 CN/8000
a=ptime:20
a=maxptime:40
a=sendrecv
a=rtcp:16521

v=0
o=SBC 64 1001 IN IP4 192.168.1.10
s=SBC
c=IN IP4 192.168.1.10
t=0 0
m=audio 16520 RTP/AVP 0 101 13
c=IN IP4 192.168.1.10
a=rtpmap:0 PCMU/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:13 CN/8000
a=ptime:20
a=maxptime:40
a=sendrecv
a=rtcp:16521

I don't properly understand the RTP behaviour I'm seeing with this
test traffic and I am continuing to test the behaviour; it appears
right now that traffic is being sent for the partially incorrectly
NATed traffic and that the successfully NATed SDP traffic has not
resulted in RTP data being sent correctly.

I'll update the list as my investigations continue. I welcome any
assistance or guidance anyone can offer.

Thanks in advance,

-JohnF
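The rewriting of the SDP body that this message is observing, as an added Python example (not code from this thread and not the logic of the kernel's nf_nat_sip helper): it applies the mapping the first message asks for (192.168.2.10 to 192.168.3.2, every other host in 192.168.2.0/24 to 192.168.3.1) to the o=, c= and a=rtcp lines, and includes a check that lists any inside address still present after translation, which is the a=rtcp line in the observed output above. The address map, the function names and the decision to treat a=rtcp as an address-carrying line are assumptions for illustration; the two SDP bodies are the ones posted in this message.

```python
"""SDP address rewriting for a SIP NAT, plus a leak check (added example)."""
import ipaddress
import re

# Mapping as described in the thread; an assumption for this example, not a
# netfilter configuration: the SIP server gets its own NAT address, every other
# inside host shares one address.
INSIDE_NET = ipaddress.ip_network("192.168.2.0/24")
NAT_MAP = {ipaddress.ip_address("192.168.2.10"): ipaddress.ip_address("192.168.3.2")}
NAT_DEFAULT = ipaddress.ip_address("192.168.3.1")

# "IN IP4 <addr>" as it appears in o= and c= lines (RFC 4566) and in the
# optional address part of a=rtcp (RFC 3605).
ADDR_RE = re.compile(r"IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\b")

# Lines an address-rewriting helper must inspect; b=, m=, a=rtpmap and the
# rest carry no address and are passed through untouched.
ADDR_LINES = ("o=", "c=", "a=rtcp:")


def translate(addr):
    """Map one inside address to its NAT address; leave other addresses alone."""
    ip = ipaddress.ip_address(addr)
    if ip not in INSIDE_NET:
        return addr
    return str(NAT_MAP.get(ip, NAT_DEFAULT))


def rewrite_sdp(sdp):
    """Return the SDP with every inside address in o=, c= and a=rtcp rewritten.

    a=rtcp is handled on its own because it may name an address different from
    the session-level c= line; rewriting c= alone leaves that address exposed.
    Ports are left unchanged (see the note after the block).
    """
    out = []
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if line.startswith(ADDR_LINES):
            line = ADDR_RE.sub(lambda m: "IN IP4 " + translate(m.group(1)), line)
        out.append(line)
    return "\n".join(out)


def leaked_inside_addresses(sdp):
    """Lines of an SDP body that still carry an address from INSIDE_NET.

    Run this over SDP captured on the outside interface to catch a partial
    translation; an empty list means no inside address got through.
    """
    return [
        line
        for line in sdp.replace("\r\n", "\n").split("\n")
        if any(ipaddress.ip_address(a) in INSIDE_NET for a in ADDR_RE.findall(line))
    ]


# SDP from the SIP server side before NAT, as posted in this message.
SDP_INSIDE = """\
v=0
o=CiscoSystemsCCM-SIP 6732621 1 IN IP4 192.168.2.10
s=SIP Call
c=IN IP4 192.168.2.20
b=TIAS:64000
b=AS:80
t=0 0
m=audio 56156 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:56157 IN IP4 192.168.2.20"""

# The translation the router actually produced, also from this message: o= and
# c= rewritten (c= to 192.168.3.2), a=rtcp passed unchanged.
SDP_OBSERVED = """\
v=0
o=CiscoSystemsCCM-SIP 6732621 1 IN IP4 192.168.3.2
s=SIP Call
c=IN IP4 192.168.3.2
b=TIAS:64000
b=AS:80
t=0 0
m=audio 56156 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtcp:56157 IN IP4 192.168.2.20"""


if __name__ == "__main__":
    print(rewrite_sdp(SDP_INSIDE))
    print("leaks in observed SDP:", leaked_inside_addresses(SDP_OBSERVED))
```

The example rewrites addresses only. When several inside endpoints are folded onto one outside address, a real helper must also allocate distinct outside ports and rewrite the m= and a=rtcp port numbers to match the connection-tracking expectations it sets up; the check above is still useful on its own, run against SDP captured on the outside interface, to spot an address that escaped translation.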



* Re: Issues with SIP NAT for SDP/RTP Addresses
  2021-11-15 12:39 ` John Marrett
@ 2021-11-19 20:01   ` John Marrett
  0 siblings, 0 replies; 3+ messages in thread
From: John Marrett @ 2021-11-19 20:01 UTC (permalink / raw)
  To: netfilter

> I have made some more progress since I made this post last week. I set
> sip_direct_media to 0 (which indicates NAT should be performed for
> media streams which don't come directly from endpoints) and
> sip_external_media to 1 (I'm not clear on the purpose of this setting;
> reading the description of the git commit
> https://github.com/torvalds/linux/commit/a3419ce3 it appears to
> prevent NAT for traffic that transits the router and egresses on the
> same interface, this shouldn't be needed in my environment). With this
> configuration some of the IPs in the SDP traffic were NATed correctly.

With this configuration in place and after removing the additional
"media NAT" entries I had created I have my RTP sessions correctly
NATed. We discovered that a NGFW in another part of the network was
blocking some of the RTP traffic which caused some of our missing
media stream issues.

I'm not certain if sip_external_media should be required, this setting
appears to prevent NAT in a way that shouldn't be required in my
environment, however it didn't work in initial testing. This setting
may not be necessary.

We did encounter some issues with unidirectional RTP streams for music
on hold but have seen this with other SIP hardware in the past. I may
document this issue in more detail in the future.

Is there a place I could record information about these settings and
my (limited) understanding of them, to help other people in the
future? It seems like they might be mentioned on this page
https://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
but that doesn't appear to be part of the regular netfilter
documentation.

-JohnF

