[Users] symmetric firewall without nat

Klaus Darilion klaus.mailinglists at pernau.at
Thu Apr 19 18:16:37 CEST 2007



Alexander Bergolth wrote:
> Hi!
> 
> In our organization there are many subnets with public-ip-adresses that
> are behind stateful-firewalls that prevent incoming connections from
> outside. If the clients are in two different protected subnets, they
> won't be able to communicate without an rtpproxy.
> 
> Unfortunately since there is no NAT involved, the nat_uac_test() won't
> be useful. Is there any other way for the server to detect that an
> rtpproxy has to be used? 

No.

 > Is there a way for the clients to detect it and
> report it to the server?

A client is possible to detect a symmetric firewall by use of STUN. But 
AFAIK there is standard based way to inform the SIP proxy about the STUN 
result. There are some clients which report the result of the STUN 
process to the SIP proxy in a proprietary header (I think I have seen 
this with SNOM). These header could be evaluated by the proxy.


The easy way would be to force the RTP proxy for all calls.

You could also check if a call is from and to a suspect IP address range 
and acticvate the RTP proxy for these calls.

regards
klaus




More information about the Users mailing list