VoIP applications specific route

Discussion in 'Tomato Firmware' started by IIFrOdOII, Apr 15, 2018.

  1. IIFrOdOII

    IIFrOdOII New Member Member

    I am running an OpenVPN client on Tomato firmware.
    With "Ignore Redirect Gateway (route-nopull)" and "Redirect through VPN" set to true I can easily route the packets I want to the VPN by marking them 0x137. (The "Redirect through VPN" option adds all the required settings to route packets with mark 0x137 to the VPN.)

    I tested marking ICMP, TCP and UDP and it works.

    But I have an issue finding the right way to mark only "Facebook video call" packets.
    I used Wireshark to capture the packets sent out while I had a video call; it turns out Facebook uses the STUN protocol followed by P2P UDP for the data.

    At first I planned to mark all UDP sent out in the port range 30000-65535, but that would include other P2P applications.
    I don't want to lose a lot of VPN bandwidth; BitTorrent would be the main issue, since it is UDP and uses the same port range.

    I tried to use the Layer 7 extension.
    Code:
    root@unknown:/# iptables -t mangle -A PREROUTING -p udp -s 192.168.111.13 -m multiport --ports 30000:65535 -m layer7 --l7proto bittorrent -j ACCEPT
    scandir: No such file or directory
    iptables v1.4.14: Couldn't open /etc_ro/l7-protocols
    
    I am out of ideas on how to mark the packets.

    If you are wondering why I need to do this, the reason is "ISP is blocking all VoIP applications".
     
  2. IIFrOdOII

    IIFrOdOII New Member Member

  3. Sean B.

    Sean B. LI Guru Member

    If it's using STUN, then it should initially be contacting a STUN server to get the reply containing its external IP and port. Can you determine if the same STUN server is being used each time? If so then, in theory, you could use the prerouting chain to SNAT any outgoing connection with a destination matching that server IP to a constant port, say 30000. That way the STUN server will always tell the application its external port is 30000. Then you can mark based on source as internal addresses using port 30000.
     
  4. IIFrOdOII

    IIFrOdOII New Member Member

    But the actual communication data is not sent to the STUN server on the fixed port.
    It is sent to the other end using the information they get from the STUN protocol.
    If I route the first STUN packet through the VPN (to the STUN server), the other end of the call will send the data to my device through the VPN, but my end device will send the data to the port and address using the information from STUN, which will go out via the WAN.
    The WAN external IP and the VPN external IP are not the same, so the device at the other end of the line will not receive the packets if they don't match the information from STUN (not sure about this, whether it will accept the data or not).
    Another thing that should be a problem is that the STUN protocol has keep-alive packets (with all the IP and port information). Right now the ISP keeps the bandwidth for VoIP calls very, very low (not usable at all); they may open the packets and read the information from STUN, then use that information to block. The keep-alive STUN packets will update the ISP as well, so it will get blocked.

    I think I have two ways to succeed at this.
    1. Read STUN packets to create dynamic rules. - no idea at all.
    2. Forward all the UDP and try to minimize the UDP data going through the VPN. I have one thing on my mind: BitTorrent. - still stuck on this.
     
    Last edited: Apr 16, 2018
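    One way to act on idea 1 (reading STUN packets to build a dynamic rule), as an added example that is not from this thread: a small Python parser for the RFC 5389 STUN header and the XOR-MAPPED-ADDRESS attribute, which turns a captured Binding Request from a LAN host into the iptables rule that marks the rest of that UDP socket's traffic with 0x137 (the media flow uses the same socket as the STUN request). The LAN address, source port and mapped address are constructed sample values.

```python
import struct
import ipaddress

STUN_MAGIC = 0x2112A442          # RFC 5389 magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
VPN_MARK = 0x137                 # mark that Tomato's "Redirect through VPN" routes into the tunnel

def parse_stun(payload):
    """Return (msg_type, {attr_type: value}) for a STUN message, or None if it is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # top two bits of the type are always zero; the magic cookie is the cheapest sanity check
    if msg_type & 0xC000 or cookie != STUN_MAGIC or len(payload) < 20 + length:
        return None
    attrs, off = {}, 20
    while off + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        attrs[atype] = payload[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4-byte boundaries
    return msg_type, attrs

def xor_mapped_address(value):
    """Decode an IPv4 XOR-MAPPED-ADDRESS value into (ip, port), the reflexive address the client learns."""
    family, xport = struct.unpack("!xBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 handled here")
    port = xport ^ (STUN_MAGIC >> 16)
    ip = int.from_bytes(value[4:8], "big") ^ STUN_MAGIC
    return str(ipaddress.IPv4Address(ip)), port

def mark_rule_for(lan_ip, src_port, payload):
    """If payload is a Binding Request seen from lan_ip:src_port, return the iptables rule that
    marks further UDP from that socket for the VPN; otherwise None (not STUN, or not a request)."""
    parsed = parse_stun(payload)
    if parsed is None or parsed[0] != BINDING_REQUEST:
        return None
    return (f"iptables -t mangle -A PREROUTING -s {lan_ip} -p udp --sport {src_port} "
            f"-j MARK --set-mark {VPN_MARK:#x}")

# Constructed samples (not captured traffic): a bare Binding Request, and a Success Response
# telling the client its mapped address is 203.0.113.7:40000.
TXN_ID = b"\x01" * 12
SAMPLE_REQUEST = struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + TXN_ID
_xaddr = (struct.pack("!BBH", 0, 1, 40000 ^ (STUN_MAGIC >> 16))
          + struct.pack("!I", int(ipaddress.IPv4Address("203.0.113.7")) ^ STUN_MAGIC))
SAMPLE_RESPONSE = (struct.pack("!HHI", BINDING_SUCCESS, 12, STUN_MAGIC) + TXN_ID
                   + struct.pack("!HH", XOR_MAPPED_ADDRESS, 8) + _xaddr)
```

    On the router the same logic would run on packets captured from the LAN side (for example with tcpdump), with a matching rule removed again once the socket goes quiet.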
  5. Sean B.

    Sean B. LI Guru Member

    I don't think you understood what I said, nor can I really follow what you're saying. Best of luck.
     
  6. IIFrOdOII

    IIFrOdOII New Member Member

    I understand what you said.
    If I know the STUN server and port and set a specific route for those packets via the VPN, it is not going to work.
    After STUN finishes:
    1. The external end device will get my VPN IP and port (which will NAT to the internal end device).
    2. The internal end device will get the external end device's IP and port.

    Voice data
    So incoming packets will come through the VPN.
    But
    Outgoing packets will not be routed through the VPN, because we set only the "STUN server" to be routed over the VPN. - or can we detect these packets too and route them through the VPN?
     
  7. IIFrOdOII

    IIFrOdOII New Member Member

    Does anyone know how to use the layer7 extension on Tomato?
    I get this error.
    Code:
    root@unknown:/# iptables -t mangle -A PREROUTING -p udp -s 192.168.111.13 -m multiport --ports 30000:65535 -m layer7 --l7proto bittorrent -j ACCEPT
    scandir: No such file or directory
    iptables v1.4.14: Couldn't open /etc_ro/l7-protocols
     