freeswitch erroneously trying to use Shared Address Space


Brent W. Baccala

Aug 28, 2020, 10:56:06 AM
to BigBlueButton-dev
Hi -

I'm seeing a problem with freeswitch where it (erroneously) selects a private address in the 100.64.0.0/10 block for its RTP traffic, which (of course) fails.

100.64.0.0/10 was reserved in RFC 6598 for "Carrier-Grade NAT", i.e., my cell phone.

The problem occurs when I'm trying to connect from my cell phone to a BBB server running IPv4.  I don't see this problem with an IPv4/IPv6 dual stack server, probably because the IPv6 addresses are preferred (but I haven't verified this).

The relevant section of the freeswitch log file looks like this:

switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: host addr: 100.102.126.247:46547
switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: srflx addr: 174.196.131.139:3196
switch_core_media.c:4327 Searching for rtp candidate.
switch_core_media.c:4336 Choose rtp candidate, index 0, 100.102.126.247:46547

100.102.126.247 is the phone's private NAT address and 174.196.131.139 is its publicly routable address.  A laptop connected to the phone via its hotspot works fine, so I'm thinking that its NAT behavior doesn't require a TURN server (which isn't configured) for the phone itself, since it isn't required for the laptop.

I'm thinking that I can fix this by getting freeswitch to select the other address, because that's how the laptop works when it has a NAT address in the 192.168.0.0/16 block:

switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: host addr: 192.168.43.152:
switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: srflx addr: 174.244.225.148:6800
switch_core_media.c:4327 Searching for rtp candidate.
switch_core_media.c:4336 Choose rtp candidate, index 1, 174.244.225.148:6800

Any idea how to fix this?

    agape
    brent

Lorenz Schori

Aug 28, 2020, 1:10:37 PM
to bigblueb...@googlegroups.com
Hi,

On Fri, 28 Aug 2020 07:56:06 -0700 (PDT)
"Brent W. Baccala" <cos...@freesoft.org> wrote:

> [...]
> Any idea how to fix this?

You might try to add an apply-candidate-acl param to the external
profile:
https://freeswitch.org/confluence/pages/viewpage.action?pageId=3965687

<param name="apply-candidate-acl" value="wan-without-cgnat"/>

Then you need to define that acl in autoload_configs/acl.conf.xml.

I guess something like this should do the trick:

<list name="wan-without-cgnat" default="allow">
  <node type="deny" cidr="0.0.0.0/8"/>
  <node type="deny" cidr="10.0.0.0/8"/>
  <node type="deny" cidr="172.16.0.0/12"/>
  <node type="deny" cidr="192.168.0.0/16"/>
  <node type="deny" cidr="169.254.0.0/16"/>
  <node type="deny" cidr="fe80::/10"/>
  <node type="deny" cidr="100.64.0.0/10"/>
</list>

This is everything from wan.auto plus the cgnat network. The wan.auto
acl is defined in switch_core.c:

https://github.com/signalwire/freeswitch/blob/850b10a86429b4870e1a06b666a6c2ab04219d92/src/switch_core.c#L1480-L1489

Disclaimer: I have not tested whether this actually works. Please verify
by conducting tests and following the logs.

HTH,
Lorenz
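
An added example, not code from any participant in this thread or from FreeSWITCH: it replays the "Save audio Candidate" lines from the first message against the ACL proposed above, to check offline which ICE candidate each list lets through. The function names are hypothetical, and both the first-matching-node ACL evaluation and the "first permitted candidate wins" selection are simplifying assumptions inferred from the logs, not FreeSWITCH's actual code.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# ACL as proposed in the message above.
ACL_XML = """<list name="wan-without-cgnat" default="allow">
<node type="deny" cidr="0.0.0.0/8"/>
<node type="deny" cidr="10.0.0.0/8"/>
<node type="deny" cidr="172.16.0.0/12"/>
<node type="deny" cidr="192.168.0.0/16"/>
<node type="deny" cidr="169.254.0.0/16"/>
<node type="deny" cidr="fe80::/10"/>
<node type="deny" cidr="100.64.0.0/10"/>
</list>"""

# Candidate lines quoted from the first message (phone, then laptop).
PHONE_LOG = """switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: host addr: 100.102.126.247:46547
switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: srflx addr: 174.196.131.139:3196"""
LAPTOP_LOG = """switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: host addr: 192.168.43.152:
switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: srflx addr: 174.244.225.148:6800"""

CAND_RE = re.compile(r"Save audio Candidate .*type: (\w+) addr: (\S+):(\d*)$")

def load_acl(xml_text):
    """Return (default_allow, [(allow, network), ...]) from an acl.conf.xml list."""
    root = ET.fromstring(xml_text)
    nodes = [(n.get("type") == "allow", ipaddress.ip_network(n.get("cidr")))
             for n in root.findall("node")]
    return root.get("default") == "allow", nodes

def without_cgnat_node(acl):
    """Model of wan.auto: the same list minus the 100.64.0.0/10 entry."""
    return acl[0], [(allow, net) for allow, net in acl[1] if net != CGNAT]

def permitted(acl, addr):
    ip = ipaddress.ip_address(addr)
    for allow, net in acl[1]:  # assumption: first matching node decides
        if ip.version == net.version and ip in net:
            return allow
    return acl[0]

def parse_candidates(log_text):
    """Extract (type, address) pairs; tolerates the empty port in the laptop log."""
    return [m.group(1, 2) for line in log_text.splitlines()
            if (m := CAND_RE.search(line))]

def choose(acl, candidates):
    """Index of the first candidate the ACL permits, or None (assumed model)."""
    return next((i for i, (_t, addr) in enumerate(candidates)
                 if permitted(acl, addr)), None)
```

Under this model the phone's candidates resolve to index 0 with the wan.auto-style list and index 1 with the CGNAT entry added, matching the "Choose rtp candidate" lines in the logs.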

Brent W. Baccala

Aug 28, 2020, 2:25:14 PM
to BigBlueButton-dev
Thanks for your quick response!  I'm looking at that now.

Specifically, I'm trying to figure how the freeswitch xml configuration files are built.

If I compare sip_profiles/internal.xml in the bbb github repository vs. the same file in the Debian package from ubuntu.bigbluebutton.org, I get a 400 line diff.

Do you know where the source packages are for the Debian packages?  Changing the apt source from 'deb' to 'deb-src' for the ubuntu.bigbluebutton.org repository doesn't let me pull down a source package with 'apt source', and I'm at a bit of a loss to find them...

    agape
    brent

Martin Thomas Schrott

Aug 28, 2020, 3:20:55 PM
to bigblueb...@googlegroups.com, Brent W. Baccala

Hi,


I don't think there are deb packages for ubuntu for freeswitch.

see

https://freeswitch.org/confluence/display/FREESWITCH/Installation

to get the source.

at least I could not find an easy way to install freeswitch on ubuntu ...

cheers

Martin


Brent W. Baccala

Aug 28, 2020, 5:21:38 PM
to BigBlueButton-dev
Lorenz's idea worked.  I modified it slightly by constructing a "wan_v4-without-cgnat" list that rejects all IPv6 addresses, just because that's how the existing xml file is written, then replaced "wan_v4.auto" in external.xml with the new list.

So... how to move this along as a bug fix?  The external.xml file in the BBB git repository doesn't have wan_v4.auto in it at all.

Martin, there is a deb package for freeswitch; it's in the ubuntu.bigbluebutton.org repository.  That's what I'm using, and that's where my external.xml file came from.  Yet without the source package, I can't figure out how that external.xml was constructed, or what patches need to be made to fix this.

...and it should probably be filed as an upstream bug report for freeswitch.

    agape
    brent

Paulo Lanzarin

Aug 28, 2020, 5:51:39 PM
to bigblueb...@googlegroups.com
That is not an official FreeSWITCH package. That's BigBlueButton's build of FreeSWITCH.
Upstream FreeSWITCH doesn't release packages for Ubuntu.

That's not an issue to be reported in upstream. The ACL settings BBB's build of FreeSWITCH ships with
is intentionally lenient to filter as little as possible. You should alter them to fit your network topology accordingly.

s,

Paulo.


Brent W. Baccala

Aug 28, 2020, 5:54:11 PM
to bigblueb...@googlegroups.com
Paulo,

Is there any chance that you know where the source packages are for the BigBlueButton build?

    agape
    brent



Lorenz Schori

Aug 29, 2020, 3:46:30 AM
to bigblueb...@googlegroups.com
Hi,

On Fri, 28 Aug 2020 18:51:22 -0300
Paulo Lanzarin <plan...@gmail.com> wrote:

> The ACL settings BBB's build of FreeSWITCH ships with is
> intentionally lenient to filter as little as possible.

I have the impression that the term acl is not properly used throughout
FreeSWITCH config. In fact every setting which represents some kind of
IP address/network filter is dubbed as an acl. This is probably due to
the fact that they reused the data structure they made for access
control lists for everything else which requires IP filtering.

Nevertheless, it would be great if the FreeSWITCH config shipping with
BBB would be accessible from some public repository. It could be
slimmed down quite a bit. But without access to the source it is
difficult to communicate/test what exactly could be thrown away.

Cheers,
Lorenz

Jens Elkner

Aug 29, 2020, 5:57:24 PM
to bigblueb...@googlegroups.com
On Fri, Aug 28, 2020 at 05:53:54PM -0400, Brent W. Baccala wrote:
Hi,

> Is there any chance that you know where the source packages are for the
> BigBlueButton build?

FreeSwitch src repo contains a script, which compiles the stuff and
builds deb packages in Debian style. But Debian style ... =8-(
See https://freeswitch.org/confluence/display/FREESWITCH/Installation

FWIW:
I just build freeswitch the traditional way using the
https://github.com/signalwire/freeswitch/blob/master/bootstrap.sh script
and a little patch, which makes sure, that the opus_file module/support
gets included as well. Finally I do a `make install DESTDIR=${PROTO}` +
some cosmetic things and package the stuff in ${PROTO}/. This way I get
a vanilla/default freeswitch pkg, what is basically the same as what BBB
ships as freeswitch-core with a minor difference (beside the slightly
different tree structure):

To allow one to use it for BBB or as a vanilla/default version, I move
in the "cosmetic step" the default config dir /etc/freeswitch/ to
/usr/share/freeswitch/conf/ and the BBB config set to
/usr/share/freeswitch/conf/bbb/. The user may run the bundled
freeswitch-init script to populate the required /etc/freeswitch/ (same
as /opt/freeswitch/conf/ in BBB) from it - either with the default or
bbb config set. Once in place, the freeswitch-init script will never
touch the config again (unless forced) and is also never run as
postinstall script for obvious reasons. So stable configs, safe
upgrades, the admin keeps/has always the full control.

Just in case you need more details, feel free to download the packages
from https://pkg.cs.ovgu.de/LNF/linux/ubuntu/20.04/ and extract them
e.g. using something like this:
dpkg-deb -R freeswitch-bbb-1.10.3.1-1.deb /tmp/xxx
OR install freeswitch-bbb in a new minimal server zone.

...
> >> On Friday, August 28, 2020 at 2:25:14 PM UTC-4 Brent W. Baccala wrote:
> >>
> >>> Thanks for your quick response! I'm looking at that now.
> >>>
> >>> Specifically, I'm trying to figure how the freeswitch xml configuration
> >>> files are built.
> >>>
> >>> If I compare sip_profiles/internal.xml in the bbb github repository vs.
> >>> the same file in the Debian package from ubuntu.bigbluebutton.org, I
> >>> get a 400 line diff.
> >>>
> >>> Do you know where the source packages are for the Debian packages?
> >>> Changing the apt source from 'deb' to 'deb-src' for the
> >>> ubuntu.bigbluebutton.org repository doesn't let me pull down a source
> >>> package with 'apt source', and I'm at a bit of a loss to find them...

Yepp, having the package make scripts would probably help, but sooner or
later they need adjustments anyway ... ;-)

Have fun,
jel.
--
Otto-von-Guericke University http://www.cs.uni-magdeburg.de/
Department of Computer Science Geb. 29 R 027, Universitaetsplatz 2
39106 Magdeburg, Germany Tel: +49 391 67 52768