Responses to UDP-Traffic are dropped
  •  
bidi

Hello!

I'm running the trial of WinRoute 6.5.2 5172. I use it to connect my home network to the Internet.

The interface "WG-Netzwerk" is connected to the switch and "PRIMACOM" is connected to the cable modem. The cable modem provides a public IP via DHCP to this interface.
I have a rule which says:

From WG-Netzwerk to Primacom, Permit, NAT

I'm trying to get my VoIP (SIP)-Phone to work.
First of all: under Linux with iptables there were no problems. After some packet logging and stuff I found the following:

The phone registers with the server by sending UDP packets from port 5061 (to 5060). So... responses to 5061 should be mapped to the phone, right?
But this doesn't happen. They are dropped by the default-rule.

Here are some logs:
[10/Mar/2009 13:06:08] PERMIT "Internet" packet from WG-Netzwerk, proto:UDP, len:577, ip/port:192.168.0.200:5061 -> 217.10.79.9:5061, udplen:549
[10/Mar/2009 13:06:08] PERMIT "Internet" packet to PRIMACOM, proto:UDP, len:577, ip/port:192.168.0.200:5061 -> 217.10.79.9:5061, udplen:549
[10/Mar/2009 13:06:12] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:447, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:419
[10/Mar/2009 13:06:16] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:447, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:419
[10/Mar/2009 13:06:20] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:447, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:419
[10/Mar/2009 13:06:25] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:447, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:419


By the way: full cone, which should not be necessary, doesn't work either.

Thanks for the help!
  •  
Jan Jezek (Kerio)

You can see in the log that the inbound packets are coming from a different port (5060) than the outbound were sent to (5061). Such packets are correctly dropped by the firewall's port-restricted cone NAT. Full cone NAT should help in this case, but I would rather look at the phone's NAT settings.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
  •  
bidi

Okay, this seems logical to me, but it still doesn't work. I changed the previous NAT rule to full cone NAT.

[10/Mar/2009 14:17:12] PERMIT "Internet" packet from WG-Netzwerk, proto:UDP, len:977, ip/port:192.168.0.200:5061 -> 217.10.79.9:5060, udplen:949
[10/Mar/2009 14:17:12] PERMIT "Internet" packet to PRIMACOM, proto:UDP, len:977, ip/port:192.168.0.200:5061 -> 217.10.79.9:5060, udplen:949
[10/Mar/2009 14:17:12] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:477, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:449
[10/Mar/2009 14:17:12] PERMIT "Internet" packet from WG-Netzwerk, proto:UDP, len:574, ip/port:192.168.0.200:5061 -> 217.10.79.9:5060, udplen:546
[10/Mar/2009 14:17:12] PERMIT "Internet" packet to PRIMACOM, proto:UDP, len:574, ip/port:192.168.0.200:5061 -> 217.10.79.9:5060, udplen:546
[10/Mar/2009 14:17:12] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:452, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:424
  •  
Jan Jezek (Kerio)

I suspect the outgoing port is not 5061. You can log your packets in the debug log (in the right-click menu there) to see this.

My assumption is supported by the fact that it works with iptables. You can make it work with KWF as well by setting the value of PortPreservingEnabled to 2 in the winroute.cfg file. But such a solution would work only as long as no other workstation uses port 5061 for its communication.

Your phone most probably has NAT settings. My advice is to look there.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
  •  
bidi

Really great!
The Debug-Log showed what you said. This could be fixed by setting PortPreservingEnabled to 2.

Thank you for this very qualified, quick and best of all: FREE support!! Really outstanding!
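
The two diagnoses given in this thread can be read straight out of the filter log. The script below is an added example, not part of the original posts and not Kerio code: it takes one outbound/inbound pair from each of the two captures posted above and classifies every dropped inbound UDP packet. The function name `explain_drops` and the verdict labels are made up for this illustration.

```python
import re

# Log lines copied from the two captures posted in this thread.
LOG_FIRST = """\
[10/Mar/2009 13:06:08] PERMIT "Internet" packet to PRIMACOM, proto:UDP, len:577, ip/port:192.168.0.200:5061 -> 217.10.79.9:5061, udplen:549
[10/Mar/2009 13:06:12] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:447, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:419
"""
LOG_SECOND = """\
[10/Mar/2009 14:17:12] PERMIT "Internet" packet to PRIMACOM, proto:UDP, len:977, ip/port:192.168.0.200:5061 -> 217.10.79.9:5060, udplen:949
[10/Mar/2009 14:17:12] DROP "Default traffic rule" packet from PRIMACOM, proto:UDP, len:477, ip/port:217.10.79.9:5060 -> 77.64.163.222:5061, udplen:449
"""

LINE = re.compile(
    r'\] (?P<action>PERMIT|DROP) "(?P<rule>[^"]*)" packet (?P<dir>from|to) '
    r'(?P<iface>[^,]+), proto:(?P<proto>\w+), .*?ip/port:'
    r'(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)')


def explain_drops(log, wan="PRIMACOM"):
    """Return one verdict (hypothetical labels) per dropped inbound UDP packet."""
    sent = set()      # remote (ip, port) endpoints contacted through the WAN side
    verdicts = []
    for m in map(LINE.search, log.splitlines()):
        if not m or m["proto"] != "UDP" or m["iface"] != wan:
            continue
        if m["action"] == "PERMIT" and m["dir"] == "to":
            sent.add((m["dip"], int(m["dport"])))
        elif m["action"] == "DROP" and m["dir"] == "from":
            remote = (m["sip"], int(m["sport"]))
            if remote in sent:
                # Reply comes from the exact endpoint we sent to, so the drop
                # means no mapping exists on the public port it targets: the
                # translated source port differs from the one the filter log
                # shows (the log prints the pre-NAT source address).
                verdicts.append("no-mapping-on-public-port")
            elif any(ip == remote[0] for ip, _ in sent):
                # Known host, but a source port we never sent to:
                # port-restricted cone NAT rejects this by design.
                verdicts.append("remote-port-mismatch")
            else:
                verdicts.append("unsolicited")
    return verdicts


if __name__ == "__main__":
    print("first capture :", explain_drops(LOG_FIRST))
    print("second capture:", explain_drops(LOG_SECOND))
```

The second verdict is only an inference from the filter log; the debug log mentioned above is what shows the translated source port.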