OpenWrt Forum Archive

Topic: Firewall rules for OpenWRT with Siproxd

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,
I'm trying to use Ekiga as a VOIP softphone and wanted to use siproxd to avoid NAT problems. This WRT54G (v2.0) is being used as a simple router (default Kamikaze 7.09 setup) for a variable number of wired (LAN) and wireless (WAN) clients and I want any of them to be able to use SIP. If anyone can shed light on my confusion below I'd really appreciate it.

I seem to have two specific problem areas:

1) An explanation of which interfaces I should use for the /etc/siproxd.conf if_inbound and if_outbound. I found an older post[1] on this forum that suggests using if_inbound=br0. I can't find any "br0" interface in OpenWrt though; "# ifconfig -a" does show me a "br-lan" interface on 192.168.1.1. Also, what should I use as the if_outbound? One of the aliases such as eth0.1? I've tried the following:

if_inbound  = br-lan
if_outbound = eth0.1

and also

if_inbound = eth0
if_outbound = eth0.1

Neither seems to produce anything except the "symmetric NAT" message reported towards the bottom of this post.

2) Firewall rules. I've taken a look at the wiki documentation for Kamikaze[2] and assume that I'm supposed to edit /etc/config/firewall to something like this:

config rule
        option src      wan
        option src_dport        5060
        option target   ACCEPT
        option protocol udp
config rule
        option src      wan
        option src_dport        7070-7089
        option target   ACCEPT
        option protocol udp
config redirect
        option src      lan
        option dest     wan
        option protocol udp
        option src_dport        5060

Testing this out with Ekiga 2.0's Druid Configuration tool[3] reports that it sees this as Symmetric NAT and that I need to "forward the required ports to your internal machine to change Symmetric NAT to Cone NAT [...] which should allow Ekiga to be used with STUN support". I'm trying to avoid the need for STUN support, so what should I be doing?

1. http://forum.openwrt.org/viewtopic.php?id=9397
2. http://wiki.openwrt.org/OpenWrtDocs/Kam … figuration
3. http://wiki.ekiga.org/index.php/Ekiga_b … NAT_router

OK, the following is confirmed as working to allow outgoing calls. I still need to set up dyndns so that I can receive incoming calls at a sip address.

Things I needed to do were to completely restart Ekiga after reconfiguring, and restart the firewall and siproxd after configuring as below:

#
# /etc/siproxd.conf - siproxd configuration file
#
# !! This is a sample file, adapt it to your needs before using it !!
#
# !! Strings MUST NOT contain spaces !!
#

######################################################################
# The interface names of INBOUND and OUTBOUND interface.
#
#    If siproxd is not running on the host doing the masquerading
#    but on a host within the private network segment, "in front" of
#    the masquerading router: define if_inbound and if_outbound to
#    point to the same interface (the inbound interface). In *addition*
#    define 'host_outbound' to hold your external (public) IP address
#    or a hostname that resolves to that address (use a dyndns address for
#    example).
#
if_inbound  = br-lan
if_outbound = eth0.1
<snip rest of siproxd.conf which is unchanged from default>

root@OpenWrt:~# ipkg info siproxd
Package: siproxd
Version: 0.5.13-1

root@openWrt:~#cat /etc/config/firewall
config rule
        option src      wan
        option src_dport        5060
        option target   ACCEPT
        option protocol udp
config rule
        option src      wan
        option src_dport        7070-7089
        option target   ACCEPT
        option protocol udp
config rule
        option src      lan
        option src_dport        5060
        option target   ACCEPT
        option protocol udp
config rule
        option src      lan
        option src_dport        7070-7089
        option target   ACCEPT
        option protocol udp

Ekiga-2.0.2 > Edit > Preferences > Protocols > NetworkSettings > NetworkInterface-Listen on: eth0
Ekiga-2.0.2 > Edit > Preferences > Protocols > NetworkSettings > NAT Settings-Nat Traversal Method: None
Ekiga-2.0.2 > Edit > Preferences > Protocols > SIPSettings > MiscSettings-Outbound Proxy: 192.168.1.1
Ekiga-2.0.2 > Edit > Preferences > Protocols > SIPSettings > DTMFMode-SendDTMF as: RFC2833
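
Added example, not part of the original posts: a shell check that the UDP ports accepted from the wan zone in the firewall config above are exactly the ports siproxd uses, so the WAN side exposes nothing beyond them. The option names `src_dport` and `protocol` are taken as posted; the siproxd keys `sip_listen_port`, `rtp_port_low` and `rtp_port_high` and their values are assumed from siproxd's stock sample config, since the post snips that part of the file.

```shell
#!/bin/sh
# Added example (not from the original post): check that the UDP ports accepted
# from the wan zone are exactly the ports siproxd is configured to use.

# Print src_dport of each "config rule" accepting UDP from wan (firewall on stdin).
wan_udp_ports() {
    awk '
        function emit() {
            if (kind == "rule" && src == "wan" && proto == "udp" &&
                target == "ACCEPT" && port != "") print port
            src = proto = target = port = ""
        }
        $1 == "config"                      { emit(); kind = $2 }
        $1 == "option" && $2 == "src"       { src = $3 }
        $1 == "option" && $2 == "protocol"  { proto = $3 }
        $1 == "option" && $2 == "target"    { target = $3 }
        $1 == "option" && $2 == "src_dport" { port = $3 }
        END { emit() }
    ' | sort
}

# Print the SIP port and RTP range from siproxd.conf on stdin. The three key
# names are assumed from siproxd's stock sample config; the post snipped them.
siproxd_udp_ports() {
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*(#|$)/ { next }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $1 == "sip_listen_port" { sip = $2 }
        $1 == "rtp_port_low"    { lo = $2 }
        $1 == "rtp_port_high"   { hi = $2 }
        END { if (sip != "") print sip; if (lo != "" && hi != "") print lo "-" hi }
    ' | sort
}

# audit FIREWALL_FILE SIPROXD_CONF: prints OK, or the two differing port lists.
audit() {
    fw=$(echo $(wan_udp_ports < "$1"))
    sp=$(echo $(siproxd_udp_ports < "$2"))
    if [ "$fw" = "$sp" ]; then echo "OK"; return 0; fi
    echo "MISMATCH firewall=[$fw] siproxd=[$sp]"; return 1
}

# Sample input: the four rules from the post plus assumed stock siproxd values.
rule() { printf 'config rule\n\toption src\t%s\n\toption src_dport\t%s\n\toption target\tACCEPT\n\toption protocol\tudp\n' "$1" "$2"; }
tmp=$(mktemp -d)
{ rule wan 5060; rule wan 7070-7089; rule lan 5060; rule lan 7070-7089; } > "$tmp/firewall"
printf 'if_inbound  = br-lan\nif_outbound = eth0.1\nsip_listen_port = 5060\nrtp_port_low  = 7070\nrtp_port_high = 7089\n' > "$tmp/siproxd.conf"
audit "$tmp/firewall" "$tmp/siproxd.conf"
```

On a router, point `audit` at /etc/config/firewall and /etc/siproxd.conf; a non-zero exit means the wan zone accepts UDP on ports siproxd does not use, or siproxd uses ports the firewall does not accept.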

The discussion might have continued from here.