On Wed, 20 Dec 2017 21:08:21 +0100 Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> IIUC, both the public and the private subnets are on the same
> physical LAN ?

Yes, that is correct.

> > If I set up Zoiper to use the FQDN of the Asterisk box, it
> > connects
>
> I guess you mean the public domain name pointing to the public IPv4
> address ?

Points to the public IPv6 and IPv4 addresses - most places other than
home do not currently have IPv6, though.

> > just fine when I am not at home. However, when I am at home, it
> > still uses the public IP address (192.0.2.51) of the Asterisk box,
> > which, because it can see the phone directly, then responds using
> > its own private address (192.168.0.4) - this causes Zoiper to fail
> > to register. (It is clear from a tcpdump that this is happening.)
>
> That's really bad. I consider that Asterisk is faulty here. In theory
> UDP is not connection-oriented, but in practice many client/server
> protocols based on UDP use some form of loose connection and work
> better through stateful firewalls and NATs when the reply packet
> source address is equal to the request packet destination address.

I will try to chase this up further with the Asterisk developers, but
their main answer has been "use the private address when at home". I do
agree it's a fault with Asterisk.

> > At no point does the router get involved in the communication
> > between the phone and the Asterisk box. To do so might make things
> > easier, or could just add an unnecessary layer of complexity.
>
> How does the private client know that the public server address is
> reachable directly on the LAN and not through the router ?

That I couldn't say, but it's plainly the case.

> > The answer to the problem could lie in several places:
> >
> > - If I could somehow get the phone to use the NAT to communicate
> > with the Asterisk box, that would probably work.
>
> You could use SNAT in the POSTROUTING chain on the router, if you can
> force routing of the public server address from the client through
> the router.
> Or you could use SNAT on the server (in the INPUT chain on recent
> enough kernels) when the incoming packet has a private source address
> and a public destination address.
> However, in either case SIP requires special handling by netfilter
> with the conntrack and NAT SIP handler.

Indeed, SIP can get mighty complicated with NAT. It's part of the reason
I prefer to use IAX for clients that connect from outside.

> > - If I could get the phone to pick up the private address of the
> > Asterisk box rather than the public one, that would probably
> > work. I have tried setting up to do this with dnsmasq, but the IPv6
> > settings for DNS cause this to be overridden. If I could somehow
> > change the priority of this on the phone, it would help.
>
> All the IPv4 and IPv6 nameservers used by the client must resolve the
> name into the private address. If they also serve the public zone,
> you must set up "split DNS" to serve different versions for private
> and public clients.

Unfortunately I have found no way to override the radvd-provided DNS
server addresses - otherwise I would have done this.

-- 
Phil Reynolds
mail: phil-deb...@tinsleyviaduct.com
Web: http://phil.tinsleyviaduct.com/
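Pascal's first option (SNAT in the router's POSTROUTING chain, plus the SIP conntrack helper), written out as an added example in iptables-restore format. This is not configuration from the thread, nor Pascal's or Phil's; it uses the Asterisk addresses given above (public 192.0.2.51, private 192.168.0.4) and assumes a LAN of 192.168.0.0/24 and a hypothetical router public address of 192.0.2.1.

```conf
# Added example (not from the thread): router-side rules in the format
# read by "iptables-restore", e.g. /etc/iptables/rules.v4.
# From the thread: Asterisk public 192.0.2.51, Asterisk private 192.168.0.4.
# Assumed (hypothetical): LAN 192.168.0.0/24, router public address 192.0.2.1.

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the SIP conntrack helper to SIP signalling explicitly. Since
# kernel 4.7 helpers are no longer auto-assigned (nf_conntrack_helper=0),
# so without this rule the SDP bodies are not rewritten and no RTP
# expectations are created, and calls would set up but carry no audio.
-A PREROUTING -p udp --dport 5060 -d 192.0.2.51 -j CT --helper sip
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# A LAN client that addresses the server by its public address is made to
# look like it comes from the router's public address. Asterisk then sees
# a "remote" peer, answers 192.0.2.1 from 192.0.2.51 rather than from
# 192.168.0.4, and conntrack maps the reply back to the private client.
# Not limited to port 5060 on purpose: the RTP streams that follow the
# signalling must take the same path.
-A POSTROUTING -s 192.168.0.0/24 -d 192.0.2.51 -j SNAT --to-source 192.0.2.1
COMMIT
```

Two caveats a practitioner should check. First, this only does anything if the phone's packets to 192.0.2.51 actually pass through the router, which is exactly what Pascal questioned: a client with an on-link route for the public subnet never hits POSTROUTING, so confirm with tcpdump on the router that the SIP REGISTER is forwarded there. Second, the helper modules must be present (`modprobe nf_conntrack_sip nf_nat_sip` on the kernels of that era) and the translation can be verified with `conntrack -L -p udp --dport 5060`, whose entries should show the `sip` helper and the 192.168.0.x to 192.0.2.1 mapping; on the phone, replies should now arrive with source 192.0.2.51.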
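Pascal's second option, the "split DNS" he describes and the radvd RDNSS setting that is the reason Phil's dnsmasq override was bypassed, as an added example; it is not configuration from the thread. The hostname pbx.example.org, the resolver addresses 192.168.0.1 and 2001:db8:1::1, the prefix 2001:db8:1::/64 and the interface name eth0 are hypothetical; 192.168.0.4 is the Asterisk private address from the thread.

```conf
# Added example (not from the thread): split-horizon DNS for the LAN.
# Hypothetical: pbx.example.org, resolver 192.168.0.1 / 2001:db8:1::1,
# prefix 2001:db8:1::/64, interface eth0. From the thread: 192.168.0.4.

# --- /etc/dnsmasq.d/pbx.conf (on the LAN resolver) ---
# Queries for this name (and anything under it) are answered here and are
# never forwarded upstream, so LAN clients get the private address and the
# public zone's A/AAAA records for the name are never seen from inside.
address=/pbx.example.org/192.168.0.4
# Listen on IPv6 as well; the phone will query whichever resolver it
# learned last, and that may be an IPv6 one.
listen-address=192.168.0.1,2001:db8:1::1

# --- /etc/radvd.conf (on the router) ---
# Advertise the same resolver via RDNSS. If Router Advertisements point at
# a different server (e.g. the ISP's), that server answers with the public
# address and the dnsmasq entry above is overridden, which is the
# behaviour reported in the thread.
interface eth0
{
    AdvSendAdvert on;
    prefix 2001:db8:1::/64
    {
    };
    RDNSS 2001:db8:1::1
    {
        AdvRDNSSLifetime 600;
    };
};
```

The check that matters is on the client, not the server: every resolver the phone has learned (DHCPv4 option 6, RDNSS, and DHCPv6 if used) must return 192.168.0.4, because a single resolver that serves the public zone is enough to register against the public address again. From a LAN host, `dig @192.168.0.1 pbx.example.org A` should return 192.168.0.4 and `dig @192.168.0.1 pbx.example.org AAAA` should return no address, and `rdisc6 eth0` on a Linux client shows which RDNSS addresses the router is actually advertising.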