possible NAT Table/IP_Conntrack issue

Discussion in 'Tomato Firmware' started by Dixit, Sep 3, 2008.

  1. Dixit

    Dixit LI Guru Member

    I have Viatalk as my VOIP provider and I've noticed now that over the past 6-8 months, almost every few days (not consistent here, like every 3 days) the Linksys ATA (the Viatalk device) drops my line 1 or 2 or both. I then look at the device and notice that for some reason it thinks it cannot talk to the registration server. If I reboot the ATA it doesn't do anything. I've noticed if I reboot the WRT54GS v1 (running Tomato 1.21) it then connects.

    With some help from a fellow member on a different forum I tracked the problem to the ip_conntrack log. I notice when the ATA is working fine the NAT tables look normal. When I have the problem where it can't seem to connect to the registration server, here is what I see below in my conntrack log.

    udp      17 27 src= dst= sport=5061 dport=5060 [UNREPLIED] src= dst= sport=5060 dport=5061 use=1 mark=257   
    udp      17 27 src= dst= sport=5060 dport=5060 [UNREPLIED] src= dst= sport=5060 dport=5060 use=1 mark=257 
    You will notice for no reason the second DST is showing the internal NAT address when it should be my normal public address. When it's working it shows the correct external/public address.

    So because its showing the wrong address there, the SIP Registration server on the Viatalk side cannot send the notification back since it cannot hit that 192.x.x.x address.

    I've got a feeling it's something to do with that on Tomato. I've since moved to DD-WRT and haven't seen it happen for over a week now, where normally it would've happened by now. I would love to put Tomato back on as I love it and feel more comfortable with that than DD-WRT. But since I really need to use my phone (I work from home) I can't keep having to reboot my router or find out that my phone has been down for 6-12 hrs before I notice it.

    So anything someone can think of would help.

    Also, last thing, my Conntrack settings are the standard default settings, which are below:
    Maximum Connections       4096   
    TCP Timeout            (seconds)    
    None                    1800   
    Established             14400   
    SYN Sent                120   
    SYN Received            60   
    FIN Wait                120   
    Time Wait               120   
    Close                   10   
    Close Wait              60   
    Last ACK                30   
    Listen                  120   
    UDP Timeout             (seconds)    
    Unreplied               30     
    Assured                 180   
    Tracking / NAT Helpers   
    FTP -           Enabled   
    GRE / PPTP -    Enabled   
    H.323 -         Enabled   
    RTSP -          Enabled   
    TTL Adjust -        None   
    Inbound Layer 7 -   Enabled   
  2. jochen

    jochen Network Guru Member

    I would recommend the DD-WRT-voip version to you when doing VoIP, and use the VoIP router as outbound proxy in your phone.
    It is impossible to get robust VoIP behind a normal NAT router.
    On Tomato you have to set up at least a port forwarding for the SIP ports (5060-5061) to the phone. Forwarding the RTP ports is also recommended, but that's difficult because you don't know the RTP port in advance.
    STUN is not working reliably behind restricted cone NAT (as in Tomato and all Linux-based routers). STUN is only reliable behind full cone NAT (a rare case).

    The problem you have would be solved if Tomato had the SIP NAT helper module, but that is missing. Tomato only has FTP, GRE, H.323 and RTSP helper module.
  3. Dixit

    Dixit LI Guru Member


    Thanks for the info. I failed to mention that the port forwarding has always been there; I forward 5060-5061 as well as the 100 ports for RTP (you can actually find this by logging into your ATA and you will see what range it is using; this is fixed once the router is provisioned).

    I had the DD-WRT Mega on there before, and just last night, in an attempt to give Tomato another shot, went back to Tomato. (DD-WRT Mega has the SIPatH that the VOIP version of the firmware does.)

    I would really like to stay on Tomato because I love its interface and logging capabilities such as the bandwidth logging; DD-WRT doesn't have anything native like that and you essentially have to put in a startup script to log with BWlog, which doesn't write to CIFS, only flash or JFFS. But if I have no choice I guess I will have to go back to DD-WRT if the phone keeps dropping off.

    Is there any way to clear that conntrack table without rebooting the router? Like what if, temporarily, I just cleared it at, say, 4am when no one is using any computers or anything.

  4. TerminatorHTK

    TerminatorHTK LI Guru Member

    I used to also have this problem. I also use Viatalk as my VoIP provider. After extensive research on the web, I came across this problem, and someone posting that they had forwarded ports 10000-20000 UDP for RTP. In desperation, I tried this, and it worked! I'm not sure why you would need this large range of ports forwarded when the defined RTP range is much smaller, but since it worked, I've left it. I've not had this problem since.

    If you try this, post and let me know if this helps for you...
  5. TerminatorHTK

    TerminatorHTK LI Guru Member

    It would also be nice, as VoIP becomes more and more common, if the SIP NAT helper would be added to the Tomato firmware. Anyone done this, or heard if it might be planned for future versions?
  6. Dixit

    Dixit LI Guru Member

    Yeah, but you don't need to forward all those ports. You can actually log in to your Viatalk PAP2/ATA and see what the range of 100 ports for the RTP is. Most say 10000-20000 because it's in that range, but it doesn't use the whole range. Each PAP2 is basically provisioned for 100, but to know that 100 you need to log in to the device to see what it's set to. That 100 is always the same as it comes from Viatalk provisioning. Like for me it's 16384-16482 and that's all I have forwarded.

    I've since moved back to Tomato (modded version) and will see what happens. I just can't let this firmware go; this is just too good of a firmware.

  7. 325xi

    325xi Addicted to LI Member

    Guys, if anyone can suggest any workaround... please - I don't want to migrate from Tomato!

    I was thinking about the possibility of catching a public IP change event and either restarting the router or flushing the NAT tables (if possible). Is it doable with Tomato scripting? How?

    Please help!!!
  8. Dixit

    Dixit LI Guru Member

    I went back to Tomato with the Speedmod firmware and it was good for about 6 days and it happened again today. So unfortunately I've gone back to DD-WRT. I'm trying their VOIP-based firmware to see if that helps or makes any difference. I think the main problem is just the conntrack table and somehow it's throwing the wrong IP in for the DST= for the reply back.

  9. 325xi

    325xi Addicted to LI Member

    In my case it's clearly a result of the public IP being updated by the ISP. Rebooting the router is the only cure; I can guess it works because it flushes the NAT tables among other things.

    I hope guys well familiar with scripts can throw out an idea of how to reboot/flush NAT automatically on a public IP change.
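    The two requests above (clearing the table without a reboot in post 3, and acting on a public IP change in posts 7 and 9) are served by the same script, so here is one added example. It is not from the thread or from the Tomato project: a POSIX shell script that (a) scans `/proc/net/ip_conntrack`-style output for the exact symptom in the first post, a UDP entry toward port 5060/5061 whose reply-direction `dst=` is an RFC 1918 address instead of the public WAN address, and (b) records the WAN IP between runs so a cron job can react when the ISP changes it. The conntrack lines are constructed sample data (the first post's addresses are not on the page); the `nvram get wan_ipaddr` and `cru` invocations in the comments are assumptions about Tomato and are not confirmed by the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Tomato.
# Assumptions: busybox sh with grep/sed, and (on Tomato, not verified here)
# `nvram get wan_ipaddr` for the WAN address and `cru` for cron scheduling.

# Constructed sample in the 2.4-kernel /proc/net/ip_conntrack layout: the first
# tuple is the original LAN->WAN direction, the second the expected reply.
#   entry 1: healthy, reply dst is the public WAN address 203.0.113.7 (NAT applied)
#   entry 2: broken, reply dst is the LAN address, the symptom from the first post
#   entry 3: unrelated TCP flow, must be ignored
SAMPLE='udp      17 27 src=192.168.1.50 dst=198.51.100.10 sport=5060 dport=5060 [UNREPLIED] src=198.51.100.10 dst=203.0.113.7 sport=5060 dport=5060 use=1 mark=257
udp      17 27 src=192.168.1.50 dst=198.51.100.10 sport=5061 dport=5060 [UNREPLIED] src=198.51.100.10 dst=192.168.1.50 sport=5060 dport=5061 use=1 mark=257
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.80 sport=40000 dport=443 src=198.51.100.80 dst=203.0.113.7 sport=443 dport=40000 [ASSURED] use=1'

# is_private ADDR: true (0) when ADDR is in an RFC 1918 range.
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# find_unnatted_sip: read conntrack text on stdin, print every UDP entry whose
# original-direction dport is a SIP port and whose reply-direction dst (the
# last dst= on the line) is private. Those are entries the registrar can never
# answer, because the reply would be addressed to the LAN instead of the WAN.
find_unnatted_sip() {
    while read -r line; do
        case "$line" in
            udp*) ;;
            *) continue ;;
        esac
        orig_dport=""
        reply_dst=""
        for f in $line; do            # word-split the entry into key=value fields
            case "$f" in
                dport=*) [ -z "$orig_dport" ] && orig_dport=${f#dport=} ;;  # first dport
                dst=*)   reply_dst=${f#dst=} ;;                            # last dst wins
            esac
        done
        case "$orig_dport" in
            5060|5061) is_private "$reply_dst" && printf '%s\n' "$line" ;;
        esac
    done
}

# wan_ip_changed CURRENT_IP STATE_FILE: remember CURRENT_IP in STATE_FILE and
# return true (0) only when a previous, different address was recorded.
# The first run just seeds the file and reports no change.
wan_ip_changed() {
    cur=$1
    state=$2
    prev=$(cat "$state" 2>/dev/null)
    printf '%s\n' "$cur" > "$state"
    [ -n "$prev" ] && [ "$prev" != "$cur" ]
}

# Stand-alone demo: list the broken SIP entries in the constructed sample.
printf '%s\n' "$SAMPLE" | find_unnatted_sip

# On the router (assumed Tomato commands, not confirmed by the thread), a cron
# job every 5 minutes could do what the thread does by hand, i.e. reboot, but
# only when the WAN address actually changed or a broken SIP entry is present:
#   cru a wancheck "*/5 * * * *" "/jffs/wancheck.sh"
# with /jffs/wancheck.sh containing, after the functions above:
#   if wan_ip_changed "$(nvram get wan_ipaddr)" /tmp/last_wan_ip \
#      || find_unnatted_sip < /proc/net/ip_conntrack | grep -q .; then reboot; fi
```

The check keys on the reply-direction address rather than on `[UNREPLIED]` alone, because an unreplied SIP entry is normal for the few seconds before the registrar answers; what is not normal is a reply tuple aimed at a 192.168.x.x address on the WAN side. Whether Tomato 1.21 can drop individual conntrack entries without a reboot is not established by the thread, so the script falls back to the reboot the posters already use.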
  10. njeske

    njeske Network Guru Member

    Not sure why you guys have so much trouble. I've been using a Viatalk PAP2 behind my Tomato router since Tomato first came out with almost no issues. I got Viatalk back when I was still using the original HyperWRT firmware that started it all.
  11. TVTV

    TVTV LI Guru Member

    You can use Tomato's automatic reboot function, if you know when your DHCP lease expires. :)
  12. 325xi

    325xi Addicted to LI Member

    There's an even better way to do it manually: turn off, turn on, and voilà! :)

    But I hope to find a way to do it automatically. Tomato is too brilliant not to be able to do such a simple thing.
  13. HennieM

    HennieM Network Guru Member

    From the 1st post, it seems that, somehow, the forwarding/routing is bypassing the NAT iptable, and Tomato then treats the attempted connection <-> internet as a locally routed connection. If the connection does not go through NAT PREROUTING/POSTROUTING/MASQ, but just through the FORWARD iptables, the conntrack listings as indicated would be valid.

    I would thus look for something changing/adding/removing iptables rules on Tomato - maybe UPnP, and maybe a phone not knowing that it's going through a NATted router?