[Openh323gk-developer] Why GateKeeper behind NAT wont work
H.323 Gatekeeper for VoIP and videconferencing
Brought to you by:
willamowius
From: Karsten J. <kj...@je...> - 2003-02-25 20:46:14
|
The title is maybe a bit provocative, but after hours of hard wor, I belive it to be true. I think we need a new feature in the main section or in the proxy section called PUBLIC-IP or something like it. I posted this originally in the users section to see if anybody knew a work around. The setup: Node-1, running windows netmeeting ip=192.168.1.11 assigned via DHCP from Site-A, linux NAT running gnuGK, ip=192.168.1.1, ip=aaa.aaa.aaa.aaa(public) connects through the internet to Site-B, Cisco NAT router, ip=192.168.1.1, ip=bbb.bbb.bbb.bbb and Node-2, linux running gnuGK, but NOT NAT, ip=192.168.1.2, fixed addr. Node-3, running windows netmeeting ip=192.168.1.16 assigned via DHCP from Site-B This case is special because usually the gnugk would be on the routing node. This makes both the internal and the external public network visible to gnugk. Gnugk therefore is able to establish that it indeed is running proxy. But here the ports from the public network are passed down to 192.168.1.2 by the Cisco NAT, so gnugk only sees one network - the 192.168.1.0. There is currently no way to to tell gnuGK the public ip it needs. I tried to build a connection from Node-1 to Node-3, but what happened is that Site-A's gatekeeper got confused. Dumping Site-A's cached endpoints showed: ------ printallcached AllCached RCF|192.168.1.2:1721|peter@bbbdomain:h323_ID|terminal|oz_1005_endp Number of Endpoints: 1 ------ Now that is NOT what we want. It should have stated the public address of Site-B (bbb.bbb.bbb.bbb). And the result is of cause that Site-A gatekeeper tells Node-1 that Node-3 in fact is available on his own local network. Proxy? Yes but that only means that the Site-A's gatekeeper proxies the connection to its own internal network. No traffic is routed to the Site-B network. Manual reading time: Section Main, parameter NetworkInterfaces looks promising. I tried but it had no impact. So I think it is safe to say at this point that my statement is correct. No gatekeeper behind a NAT firewall. We need a way to tell the gatekeeper that is has a secret public identity. Configuration identical on both sites: (Site-A is GKK and Site-B:Node-2 is GKP for no reason) [Gatekeeper::Main] Fourtytwo=42 [RoutedMode] GKRouted=1 H245Routed=1 AcceptUnregisteredCalls=1 AcceptNeighborsCalls=1 RemoveH245AddressOnTunneling=1 SupportNATedEndpoints=1 ProxyForNAT=1 [RasSrv::ARQFeatures] CallUnregisteredEndpoints=1 [Proxy] Enable=1 [GkStatus::Auth] rule=allow [RasSrv::Neighbors] GKK=aaa.aaa.aaa.aaa:1719;*; GKE=bbb.bbb.bbb.bbb:1719;*; GKP=ccc.ccc.ccc.ccc:1719;*; Sincerely, Karsten Jeppesen |