AFP548

Possible NAT problem with SIP softphones on Tiger Server

On one particular site with an XServe (10.4.4 Server), the XServe is acting as the DHCP server and NAT gateway for the LAN.

en0 is the WAN interface on a public IP.
en1 is the LAN interface on a private IP.


Everything works fine in that clients pull private IPs from the XServe's DHCP service, and the
XServe routes their internet traffic over its NAT service.

All client services seem to work fine over NAT except for VoIP (SIP) softphones. Specifically,
outbound packets reach the destination, while inbound packets make it to the XServe but not to the
clients.

The traffic is UDP and the ports vary, but range between 10000 and 30000 or so.

These softphones work fine over a cheapo Linksys NAT router in a test scenario, so I know this
traffic can work over NAT. It just doesn't seem to work with the XServe as the NAT gateway.


Here is a tcpdump sample from en0 (the public interface) showing that this traffic flows fine in
both directions through the public interface:

17:47:25.378382 IP 64.81.XXX.XXX.31198 > voip-gw01.XXX.com.19254: UDP, length: 172
17:47:25.394576 IP voip-gw01.XXX.com.19254 > 64.81.XXX.XXX.31198: UDP, length: 172
17:47:25.394772 IP 64.81.XXX.XXX.31198 > voip-gw01.XXX.com.19254: UDP, length: 172
17:47:25.408629 IP voip-gw01.XXX.com.19254 > 64.81.XXX.XXX.31198: UDP, length: 172
17:47:25.414760 IP 64.81.XXX.XXX.31198 > voip-gw01.XXX.com.19254: UDP, length: 172
17:47:25.428987 IP voip-gw01.XXX.com.19254 > 64.81.XXX.XXX.31198: UDP, length: 172
17:47:25.434096 IP 64.81.XXX.XXX.31198 > voip-gw01.XXX.com.19254: UDP, length: 172
17:47:25.449744 IP voip-gw01.XXX.com.19254 > 64.81.XXX.XXX.31198: UDP, length: 172


And a tcpdump sample from en1 (the private interface) showing that only the outbound traffic is
passing over this interface:

17:45:43.692905 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172
17:45:43.713033 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172
17:45:43.732973 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172
17:45:43.752985 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172
17:45:43.772918 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172
17:45:43.792946 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172


And by the way, ipfw rules are pretty non-restrictive. All outbound traffic from en1 is allowed to
pass, and that is all that should be needed for these softphones to work.

Are there some natd/ipfw issues in Tiger Server of which I should be aware? Is there any natd
tweaking I might need to do? Does anyone have any ideas on this?

Thanks.
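A small diagnostic that automates the comparison the post does by eye: parse a tcpdump capture from the public interface and one from the private interface, count packets per remote UDP endpoint in each direction, and list the remote endpoints that answered on the WAN side but whose replies never showed up on the LAN side. It keys on the remote host:port because natd only rewrites the local side of a packet, so that pair is the same on both interfaces even when the NAT picks a different public source port (31198 outside vs 31190 inside in the captures above). This is an added example, not code from the original post; the sample tcpdump lines below are constructed so that the same RTP session appears on both interfaces (the post's two captures were taken two minutes apart and show different sessions), and the `ntp.XXX.com` flow is a made-up control that does get its replies through.

```python
"""Correlate WAN-side and LAN-side tcpdump captures of a NAT gateway and
report UDP flows whose return traffic arrives on the public interface but
never reaches the private interface.

Added example for the Tiger Server NAT question; not part of the original
post.  Sample lines are constructed in the same format the post's
tcpdump output uses ("HH:MM:SS.usec IP src.port > dst.port: UDP, length: N").
"""

import re
from collections import defaultdict

# Hostnames may contain dots, so the port is split off at the last dot below
# rather than in the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"UDP, length: (?P<len>\d+)$"
)

# Constructed sample: en0 (public side).  Gateway public address is masked
# exactly as in the post.  Two RTP packets each way, one NTP packet each way.
WAN_CAPTURE = [
    "17:45:43.692905 IP 64.81.XXX.XXX.31198 > voip-gw01.XXX.com.10854: UDP, length: 172",
    "17:45:43.710112 IP voip-gw01.XXX.com.10854 > 64.81.XXX.XXX.31198: UDP, length: 172",
    "17:45:43.713033 IP 64.81.XXX.XXX.31198 > voip-gw01.XXX.com.10854: UDP, length: 172",
    "17:45:43.730241 IP voip-gw01.XXX.com.10854 > 64.81.XXX.XXX.31198: UDP, length: 172",
    "17:45:44.000100 IP 64.81.XXX.XXX.49152 > ntp.XXX.com.123: UDP, length: 48",
    "17:45:44.019000 IP ntp.XXX.com.123 > 64.81.XXX.XXX.49152: UDP, length: 48",
]

# Constructed sample: en1 (private side).  Three outbound RTP packets, no
# RTP replies; the NTP reply does make it back to the client.
LAN_CAPTURE = [
    "17:45:43.692905 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172",
    "17:45:43.713033 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172",
    "17:45:43.732973 IP computer-137.XXX.private.31190 > voip-gw01.XXX.com.10854: UDP, length: 172",
    "17:45:44.000000 IP computer-137.XXX.private.49152 > ntp.XXX.com.123: UDP, length: 48",
    "17:45:44.020000 IP ntp.XXX.com.123 > computer-137.XXX.private.49152: UDP, length: 48",
]


def split_host_port(token):
    """'voip-gw01.XXX.com.10854' -> ('voip-gw01.XXX.com', 10854)."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_line(line):
    """Return a dict for one tcpdump UDP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    return {"ts": m.group("ts"), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "len": int(m.group("len"))}


def flow_table(lines, local_hosts):
    """Per remote (host, port): packets sent to it ('out') and received from
    it ('in').  local_hosts are the addresses on 'our' side of the capture
    interface: the gateway's public address on en0, the LAN clients on en1."""
    table = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] in local_hosts:
            table[(pkt["dst"], pkt["dport"])]["out"] += 1
        elif pkt["dst"] in local_hosts:
            table[(pkt["src"], pkt["sport"])]["in"] += 1
    return table


def missing_return_traffic(wan_lines, wan_local, lan_lines, lan_local):
    """Remote endpoints that replied on the WAN side but whose replies were
    never seen on the LAN side.  Returns a sorted list of
    ((remote_host, remote_port), wan_inbound_count, lan_outbound_count)."""
    wan = flow_table(wan_lines, wan_local)
    lan = flow_table(lan_lines, lan_local)
    lost = []
    for remote, counts in wan.items():
        lan_counts = lan.get(remote, {"out": 0, "in": 0})
        if counts["in"] and lan_counts["in"] == 0:
            lost.append((remote, counts["in"], lan_counts["out"]))
    return sorted(lost)


if __name__ == "__main__":
    for remote, wan_in, lan_out in missing_return_traffic(
            WAN_CAPTURE, {"64.81.XXX.XXX"}, LAN_CAPTURE, {"computer-137.XXX.private"}):
        print("%s:%d  %d replies seen on en0, 0 on en1 (%d packets sent from LAN)"
              % (remote[0], remote[1], wan_in, lan_out))
```

To use it on real captures, run `tcpdump -i en0 udp` and `tcpdump -i en1 udp` over the same call and feed each file's lines in; set `wan_local` to the gateway's public address and `lan_local` to the client addresses (tcpdump with `-n` gives raw addresses rather than names, which avoids the dotted-hostname ambiguity the parser works around). Any endpoint the script lists is one where the NAT accepted the reply on en0 but did not translate and forward it to en1, which narrows the question to the natd mapping and the ipfw rules for inbound traffic on en1 rather than the softphone or the far end.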