Hi,
Sorry for my English.
de0 - WAN interface
I have a gateway running FreeBSD (FreeBSD 9.0-RELEASE).
Code:
gateway_enable="YES"
...
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="de0"
firewall_type="/etc/rc.firewall"
firewall_logging="YES"
Code:
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1
I have Video Jabber on a PC in the LAN. It must connect to a server in the WAN. It connects (the user can log on to the server and make outgoing/incoming calls), but video/audio is not working.
Technical requirements for Video Jabber:
- from local PC (Jabber Client) TCP >=1024 to server 5060
- from local PC (Jabber Client) UDP >=1024 to server 5060
- from local PC (Jabber Client) TCP >=1024 to server 5061
- from local PC (Jabber Client) UDP 21000-21900 to server 5060 50000-52399 (in/out)
de0 = WAN = 193.14.14.15
de1 = LAN = 192.168.0.0/24
213.10.12.15 (977) - Jabber Video Server
Code:
00977 0 0 allow log udp from 213.10.12.15 to me via de0
01000 49373257 11334742828 allow udp from any 53 to any
01001 334762 23546919 allow udp from any to any dst-port 53
01002 30 1532 allow tcp from any to 193.14.14.15 dst-port 20,21 in via de0 setup
01003 0 0 allow tcp from 213.232.252.187 5000 to 193.14.14.15 dst-port 5000 keep-state
01003 0 0 allow tcp from 213.232.252.190 5000 to 193.14.14.15 dst-port 5000 keep-state
01003 0 0 allow tcp from 213.232.252.235 5000 to 193.14.14.15 dst-port 5000 keep-state
01010 0 0 allow log udp from me 21000-21900 to 213.10.12.15 dst-port 50000-52399
01011 485650 150318781 allow log udp from any to any
01012 10 480 allow tcp from any to 193.14.14.15 dst-port 21 setup in via de0
01013 1101158 56978808 allow tcp from any to 193.14.14.15 setup in via de0
01018 0 0 allow log udp from any 55777 to any dst-port 55777 in via de1
01021 21692684 16439350772 allow log ip from any to any via de1
01022 688 47997 allow log udp from any to any
01030 1230461 64483504 allow tcp from any to 193.14.14.15 dst-port 25,110,53,3389 setup in via de0
01060 10 400 allow tcp from any to 193.14.14.15 dst-port 53 in via de0
10130 3734796823 2836051773640 nat 1 ip from any to any via de0
10230 0 0 nat 1 log ip from any to any in via de0
65535 2114967 116369160 deny ip from any to any
Code:
ipfw nat 1 config log if de0 reset same_ports deny_in \
redirect_port tcp 192.168.0.109:80 80 \
redirect_port tcp 192.168.0.109:22 24 \
redirect_port tcp 192.168.0.199:22 888 \
redirect_port tcp 192.168.0.69:3389 889
ipfw add 10130 nat 1 ip from any to any via de0
If I understand correctly, outgoing packets from the LAN work fine - 1021, 10230.
Then the user sends packets from the PC (LAN): ipfw checks 1021, adds the gateway and changes the interface, checks 10230, creates an entry in the NAT table, changes the IP, and the packets are in the WAN (because I have net.inet.ip.fw.one_pass: 1). Then for packets incoming from the WAN, I don't understand how that goes. I can add 950 allow all from any to any via de1 - and NAT is down. I can add 950 allow udp/tcp from server to me via de1 - and if I understand correctly the packets are allowed, but they are allowed locally (on the gateway). I do not see packets here. 977 is also not working and I don't understand why (
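As an added example (not the poster's ruleset and not FreeBSD's own rc.firewall): a script that emits an ipfw ruleset for the Video Jabber flows listed above in the order the FreeBSD handbook uses for NAT, with the inbound nat rule placed before any allow rule and stateful outbound rules that skipto the outbound nat. It assumes net.inet.ip.fw.one_pass=0 (so a packet keeps walking the ruleset after nat), uses the addresses and ports from the post, and covers only the Jabber flows; other outbound LAN traffic would need its own skipto rules before the final deny.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Emits ipfw commands for the Video
# Jabber flows described above; save the output to a file, review it, then
# load it with "ipfw -q <file>".
# Assumes sysctl net.inet.ip.fw.one_pass=0, so that a packet continues through
# the ruleset after the "nat" action instead of being accepted immediately.
WAN_IF=de0; LAN_IF=de1; LAN_NET=192.168.0.0/24; JABBER=213.10.12.15

emit_rules() {
    # deny_in makes the nat rule itself drop inbound packets that match no
    # translation entry, so services hosted on the gateway (the post's
    # 21/25/110/3389 rules) must be allowed BEFORE rule 200.
    echo "nat 1 config if $WAN_IF reset same_ports deny_in"
    echo "add 100 allow ip from any to any via $LAN_IF"
    echo "add 110 allow ip from any to any via lo0"
    # Inbound from the WAN: translate back to the LAN host first. In the post,
    # rule 1011 (allow udp from any to any) sits before the nat rule, so
    # replies are accepted untranslated and delivered to the gateway itself.
    echo "add 200 nat 1 ip from any to any in via $WAN_IF"
    # Translated replies pass only if an outbound rule below created state.
    echo "add 300 check-state"
    # Outbound signalling and media: record state, then jump to outbound nat.
    echo "add 400 skipto 900 tcp from $LAN_NET 1024-65535 to $JABBER 5060,5061 out via $WAN_IF setup keep-state"
    echo "add 410 skipto 900 udp from $LAN_NET 1024-65535 to $JABBER 5060 out via $WAN_IF keep-state"
    echo "add 420 skipto 900 udp from $LAN_NET 21000-21900 to $JABBER 50000-52399 out via $WAN_IF keep-state"
    # Other outbound LAN traffic and the redirect_port targets from the post
    # need their own rules in the 500-799 range; everything else is dropped.
    echo "add 800 deny log ip from any to any"
    echo "add 900 nat 1 ip from any to any out via $WAN_IF"
    echo "add 910 allow ip from any to any"
}

# Number of the first emitted rule whose text matches the given regex;
# used to check the ordering before the set is loaded.
first_rule() {
    emit_rules | awk -v re="$1" '$1 == "add" && $0 ~ re { print $2; exit }'
}
```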