H.323 NAT for video conference

Have had a request to enable functionality to help H.323 (from polycom video conferencing systems) traverse NAT running on routerOS. The cisco commands they’ve asked for are:

  1. H.323 awareness

Due to the nature of the protocol used by Polycom equipment, one of the
following commands should be deployed in the configuration based on the
equipment used. ( assuming that you are using Cisco gear )

ip inspect h323 h225 ( for cisco router )
ip inspect h323 ras ( for cisco router )
fixup protocol h323 h225 1720 ( for cisco pix )
fixup protocol h323 ras 1718-1719 ( for cisco pix )
policy map + h323 ON ( for cisco ASA )

For testing there is a video device in Sydney and another in the USA.

I see there’s a h323 setting under /ip firewall service-port but I’m having trouble getting it to work. Apparently, the NAT needs to rewrite part of the H.323 header and change the source address of the stream to be the external (NAT) address. Currently the other VC device (in the USA) is trying to respond to the connection using the private internal address of the local VC device.

Are there any details on what the routerOS h323 helper does and how to correctly configure it? Do I require multiple NAT rules? What makes the helper kick in?

If anyone has a sample NAT rule that does this then that would be fantastic.

I’m currently running routerOS v4.17 on x86.

First try to set up NAT rules. The NAT helper should work without any additional configuration (it does not have any additional configuration).

Also, it is not NAT-T so there might be some problem if both destinations are behind nat.

I’m not certain if the other end is also using NAT. There’s about 20 sites they need to communicate with. But, you’re saying that it won’t work if both are NAT’d?

I have already set up the NAT rules but the remote end is still trying to use the local/private IP for my video device, which would suggest that the helper didn’t kick in. Sample NAT rules:

add action=dst-nat chain=dstnat comment="Video Conf Perth" disabled=no dst-address=xx.xx.xx.xx src-address-list=JFoodsVC to-addresses=192.168.84.215
add action=src-nat chain=srcnat comment="Video Conf Perth" disabled=no dst-address-list=JFoodsVC src-address=192.168.84.215 to-addresses=xx.xx.xx.xx

Each of the 3 VC devices has a unique public IP on the NAT. I just forward all traffic and don’t have any port based rules.

The h323 service port is enabled but has no ports:

/ip firewall service-port
set h323 disabled=no

Hi MT guys. Please explain to us, or document in the Wiki, the mechanism of ROS NAT helpers. How should a NAT helper be understood? If possible, please provide some examples and cases for using NAT helpers. Thank you.

???

RouterOS is Linux based, and thus uses Netfilter.
Whenever you need details on the RouterOS firewall look up Netfilter and how it does it.

Very simple explanation, you can of course find much more technical detail:
http://en.wikipedia.org/wiki/Netfilter#Connection_Tracking
http://en.wikipedia.org/wiki/Netfilter#NAT_helpers

So in short: helpers are code that inspects the content of packets (not just the IP header, but for example the layer 7 FTP commands within an FTP packet) to learn more about the connection.
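To make the point above concrete, here is an added toy model of a NAT helper, written for this thread (it is not RouterOS or Netfilter code): it takes the FTP PORT command as the example of a layer-7 payload carrying an internal address, rewrites the private address 192.168.84.215 to an assumed public NAT address 203.0.113.10, and records the expectation that lets the related inbound connection be mapped back to the internal host. H.323 embeds transport addresses the same way inside ASN.1-encoded H.225/H.245 messages, which is why the remote VC unit sees the private address whenever the helper does not fire.

```python
import re

# Constructed model of what a connection-tracking NAT helper (ALG) does:
# read the layer-7 payload, rewrite the private address the client put
# there, and register an "expectation" so that the related inbound
# connection is dst-natted to the same internal host.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class NatHelper:
    def __init__(self, private_ip, public_ip):
        self.private_ip = private_ip      # host behind the NAT
        self.public_ip = public_ip        # assumed external NAT address
        self.expectations = {}            # (public_ip, port) -> (private_ip, port)

    def outbound_payload(self, payload):
        """Inspect one outbound control-channel line. If it is an active-mode
        PORT command that embeds the private address, rewrite it to the NAT
        address and remember the port the remote side will connect back to."""
        m = PORT_RE.match(payload)
        if not m:
            return payload                # not a helper-relevant command
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        embedded_ip = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        if embedded_ip != self.private_ip:
            return payload                # nothing to translate, leave it alone
        self.expectations[(self.public_ip, port)] = (self.private_ip, port)
        return "PORT " + self.public_ip.replace(".", ",") + f",{p1},{p2}\r\n"

    def inbound_connection(self, dst_ip, dst_port):
        """Called for a new inbound connection to the NAT address. Returns the
        internal (ip, port) to forward to if an expectation matches, else None.
        The expectation is single-use, as in Netfilter."""
        return self.expectations.pop((dst_ip, dst_port), None)


def demo():
    """The thread's symptom and its fix: without the helper the remote side
    would connect to 192.168.84.215:1025 directly; with it, the payload now
    names 203.0.113.10 and the inbound connection is mapped back."""
    helper = NatHelper("192.168.84.215", "203.0.113.10")
    rewritten = helper.outbound_payload("PORT 192,168,84,215,4,1\r\n")
    target = helper.inbound_connection("203.0.113.10", 1025)
    return rewritten, target


if __name__ == "__main__":
    print(demo())
```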

Thanks Fewi.