Re: Debian networking - accessing public-side servers from a private network
On Wed, 20 Dec 2017 21:08:21 +0100
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> IIUC, both the public and the private subnets are on the same
> physical LAN ?
Yes, that is correct.
> > If I set up Zoiper to use the FQDN of the Asterisk box, it
> > connects
>
> I guess you mean the public domain name pointing to the public IPv4
> address ?
Points to the public IPv6 and IPv4 addresses - most places other than
home do not currently have IPv6, though.
> > just fine when I am not at home. However, when I am at home, it
> > still uses the public IP address (192.0.2.51) of the Asterisk box,
> > which, because it can see the phone directly, then responds using
> > its own private address (192.168.0.4) - this causes Zoiper to fail
> > to register. (it is clear from a tcpdump that this is happening)
>
> That's really bad. I consider that Asterisk is faulty here. In theory
> UDP is not connection-oriented but in practice many client/server
> protocols based on UDP use some form of loose connection and work
> better through stateful firewalls and NATs when the reply packet
> source address is equal to the request packet destination address.
I will try to chase this up further with the Asterisk developers, but
their main answer has been "use the private address when at home". I do
agree it's a fault with Asterisk.
> > At no point does the router get involved in the communication
> > between the phone and the Asterisk box. To do so might make things
> > easier, or could just add an unnecessary layer of complexity.
>
> How does the private client know that the public server address is
> reachable directly on the LAN and not through the router ?
That I couldn't say, but it's plainly the case.
> > The answer to the problem could lie in several places:
> >
> > - If I could somehow get the phone to use the NAT to communicate
> > with the Asterisk box, that would probably work.
>
> You could use SNAT in the POSTROUTING chain on the router you can
> force routing of the public server address from the client through
> the router. Or you could use SNAT on the server (in the INPUT chain
> on recent enough kernels) when the incoming packet has a private
> source address and a public destination address.
> However in either case SIP requires special handling by netfilter with the
> conntrack and NAT SIP handler.
Indeed, SIP can get mighty complicated with NAT. It's part of the
reason I prefer to use IAX for clients that connect from outside.
> > - If I could get the phone to pick up the private address of the
> > Asterisk box rather than the public one, that would probably
> > work. I have tried setting up to do this with dnsmasq, but the IPv6
> > settings for DNS cause this to be overridden. If I could somehow
> > change the priority of this on the phone, it would help.
>
> All the IPv4 and IPv6 nameservers used by the client must resolve the
> name into the private address. If they also serve the public zone,
> you must set up "split DNS" to serve different versions for private
> and public clients.
Unfortunately I have found no way to override the radvd-provided DNS
server addresses - otherwise I would have done this.
--
Phil Reynolds
mail: phil-debian@tinsleyviaduct.com
Web: http://phil.tinsleyviaduct.com/
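The router-side variant Pascal sketches (SNAT in POSTROUTING so that the LAN client's packets to the server's public address are hairpinned through the router, plus the SIP conntrack/NAT helper) as an added nftables ruleset. This is an example written for this page, not configuration posted by either participant, and it assumes: the router has one LAN interface named "eth0" carrying both subnets, the router's own public address is 192.0.2.1, the private LAN is 192.168.0.0/24, the Asterisk box is 192.0.2.51 listening on UDP 5060, and the kernel has nf_conntrack_sip and nf_nat_sip available. The interface name and the router's public address are assumptions; the 192.0.2.0/24 and 192.168.0.0/24 prefixes are the ones used in the thread.

```nft
# hairpin.nft - load with: nft -f hairpin.nft
# Router-side "NAT loopback" for a SIP server that sits on the same
# physical LAN as the private clients but on a public subnet.
#
# Assumed topology (not from the original thread, except the two prefixes):
#   eth0 on the router carries both 192.0.2.0/24 and 192.168.0.0/24
#   router public address : 192.0.2.1      (assumed)
#   Asterisk public address: 192.0.2.51    (from the thread)
#   private LAN            : 192.168.0.0/24 (from the thread)
#
# Why SNAT to the router's *public* address: the server then sees a
# request from 192.0.2.1, answers it from 192.0.2.51 (its public side,
# since the reply is routed on the public subnet), and conntrack on the
# router rewrites the reply destination back to the private client.
# The client therefore sees a reply whose source equals the address it
# sent to, which is what Zoiper's registration needs.
#
# Caveat: because the forwarded packet leaves on the same interface it
# arrived on, the router will try to short-circuit the path with an
# ICMP redirect unless that is disabled:
#   sysctl -w net.ipv4.conf.eth0.send_redirects=0
#   sysctl -w net.ipv4.conf.all.send_redirects=0

table ip hairpin {
    # Conntrack helper object: SIP over UDP. nf_nat_sip will rewrite the
    # Via/Contact addresses in the SIP headers so they match the NATed
    # source address, and open the expected RTP ports when SDP appears.
    ct helper sip-udp {
        type "sip" protocol udp
        l3proto ip
    }

    # Helper assignment happens before NAT, in the prerouting hook at
    # raw priority (kernels no longer auto-assign helpers by port).
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        ip saddr 192.168.0.0/24 ip daddr 192.0.2.51 udp dport 5060 \
            ct helper set "sip-udp"
    }

    # Source NAT only for LAN -> server-public-address traffic that the
    # router is about to forward back out onto the same segment.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        oifname "eth0" ip saddr 192.168.0.0/24 ip daddr 192.0.2.51 \
            snat to 192.0.2.1

        # Nothing else is translated: traffic from the private LAN to
        # the Internet keeps whatever masquerade rule already exists.
    }
}
```

Load it with `nft -f hairpin.nft` on the router, then verify with `tcpdump -ni eth0 udp port 5060` on the client side: the REGISTER should now arrive at the server with source 192.0.2.1, and the response should come back to the client with source 192.0.2.51. If the response still shows 192.168.0.4, the client is reaching the server without traversing the router at all (for example because its own routing table has a connected route for 192.0.2.0/24), and no router-side rule can intervene.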