In this case, it appears conntrack helpers are not triggered correctly (iptables -vnL shows zero matches for the helper rule) and the connection is not NAT'ed properly.
For SIP, this means the call cannot be established, because the media channel addresses are not rewritten.
I am able to fix the problem using a wide-open helper rule in firewall.user:
iptables -t raw -A zone_wan_helper -p udp -m udp --dport 5060 -j CT --helper sip
(..but now I am having problems making fw3 apply the rule consistently, because zone_wan_helper is a built-in chain which is reset by fw3 on each reload.. we would need a similar chain like prerouting_wan_rule (dedicated to user-defined rules), but in raw table..)
arus:
OpenWrt SNAPSHOT, r8978-eb1887be93
An automatically generated rule like the one below does not match any connections originating from WAN:
Chain zone_wan_helper (1 references)
pkts bytes target prot opt in out source destination
0 0 CT tcp -- * * 0.0.0.0/0 192.168.1.250 tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
To have working passive FTP I need to add the following line to /etc/firewall.user (based on rules generated by shorewall):
iptables -t raw -A zone_wan_helper -p tcp --dport 21 -j CT --helper ftp --tcp-flags SYN,ACK,FIN,RST SYN
Either ctstate or the destination IP does not match in the original rule.
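
An added example, not part of the original report or of fw3: a POSIX shell function that reads an `iptables -t raw -vnL` chain listing and, for each CT helper rule, reports a zero packet counter together with any ctstate or destination-address condition on it. The raw table's PREROUTING hook runs before connection tracking and before DNAT in the nat table, so those are the conditions worth inspecting; the function names and the second rule's counters are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original report). Function names are hypothetical.

# Read `iptables -t raw -vnL <chain>` output on stdin and print one line per
# CT helper rule: its helper, packet counter, and anything that narrows the match.
check_helper_rules() {
    awk '
    $1 == "Chain" || $1 == "pkts" || NF == 0 { next }   # skip headers and blanks
    {
        gsub("/[*].*[*]/", "")      # drop the rule comment so its words are not parsed
        helper = ""; notes = ""
        for (i = 2; i < NF; i++)
            if ($(i - 1) == "CT" && $i == "helper") helper = $(i + 1)
        if (helper == "") next      # not a helper-assignment rule
        if ($1 == "0") notes = notes " never-matched"
        for (i = 10; i < NF; i++)   # match options start after the destination column
            if ($i == "ctstate") notes = notes " ctstate=" $(i + 1)
        if ($9 != "0.0.0.0/0") notes = notes " dst=" $9
        if (notes == "") notes = " ok"
        print "helper=" helper " pkts=" $1 notes
    }'
}

# Constructed sample: the first rule is the fw3-generated one quoted above; the
# second shows how the manual SIP rule would be listed, with made-up counters.
sample_listing() {
    cat <<'EOF'
Chain zone_wan_helper (1 references)
 pkts bytes target prot opt in out source destination
    0     0 CT tcp -- * * 0.0.0.0/0 192.168.1.250 tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
   42  2520 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 CT helper sip
EOF
}

sample_listing | check_helper_rules
```

On a router the function would be fed live output, for example `iptables -t raw -vnL zone_wan_helper | check_helper_rules`.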