NAT Firewall with a backdoor NIC for WebRTC?

Colin Vander Veen

May 20, 2019, 9:34:56 AM
to BigBlueButton-dev
Struggling to get new beta to work past the ICE problems. I have a Libvirt/KVM server/machine behind a NAT firewall... passing required ports, but WebRTC still fails. If I build a 'Turn' server, can that be behind a NAT? If not, and I have to put a NIC out front of the FW... why would I not just add a second NIC to the beta server and allow some public ports. Management, via SSH etc, would still be protected behind the private NIC. Anyone else figure this out yet?

Fred Dixon

May 20, 2019, 10:40:46 AM
to BigBlueButton-dev
Hi Colin,

Do you have access to a workstation behind the firewall as well? You could first configure the BigBlueButton server to listen only to internal ports (not the external IP address of the firewall), and confirm that WebRTC audio and video are working with Firefox (Firefox does not require an SSL certificate to use WebRTC).

Once you have confirmed that WebRTC audio and video are working, you can set up the server to bind to the external IP address of your firewall, see


and assign a hostname + SSL certificate (so users of Chrome can connect). See


All this is easier if it is an option to set up an external server on the internet. The TURN server is for helping users who are behind a firewall connect to your BigBlueButton server, not for getting the BigBlueButton server to work behind a firewall.


Regards,... Fred

--
BigBlueButton Developer
@bigbluebutton

Colin Vander Veen

May 20, 2019, 12:09:53 PM
to BigBlueButton-dev
In fact, it works perfectly for all users 'behind' the same firewall. Just having issues with other connections from outside of our firewall. This may also include others outside that may also be behind NAT-based firewalls. I have hostname/SSL both registered and configured... as well as all suggested ports.

Colin Vander Veen

May 21, 2019, 7:57:38 AM
to BigBlueButton-dev
It works perfectly for clients behind the firewall. So do I need to build a STUN server so that external/public can access?

Chad Pilkey

May 23, 2019, 4:47:45 PM
to BigBlueButton-dev
The key is the candidate that FreeSWITCH is sending to the clients. If the candidate is a local IP then it makes sense that external users can't get their audio connected because they can't access a local IP from outside the firewall. The solution depends on whether or not people from inside the firewall can make requests to the firewall's external IP. If the internal users can access the external IP then the solution should be fairly easy. All that should be required is the steps in http://docs.bigbluebutton.org/2.2/configure-firewall.html#update-freeswitch and the dummy NIC steps so that FreeSWITCH has an adapter to bind to. If the internal users can't access the external IP then the solution gets more complicated because it will need custom nginx configuration and different SIP Profiles in FreeSWITCH.
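
The candidate check described in the post above can be done directly on the SDP the server hands to a client. This is an added example, not part of the original thread and not BigBlueButton or FreeSWITCH code; the SDP fragments and both addresses (192.168.1.50 as the server's LAN address, 203.0.113.10 as the firewall's external address) are constructed.

```python
import ipaddress

# Constructed SDP fragments (not captured from a real server).
BEHIND_NAT_SDP = """\
v=0
c=IN IP4 192.168.1.50
m=audio 16384 UDP/TLS/RTP/SAVPF 111
a=candidate:7363915340 1 udp 659136 192.168.1.50 16384 typ host generation 0
a=candidate:7363915340 2 udp 659135 192.168.1.50 16385 typ host generation 0
"""
# Same answer once the server advertises the firewall's external address.
FIXED_SDP = BEHIND_NAT_SDP.replace("192.168.1.50", "203.0.113.10")

# Address ranges a client outside the firewall cannot route to.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]

def parse_candidates(sdp):
    """Yield (component, transport, address, port, type) per a=candidate line."""
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith("a=candidate:"):
            continue
        f = line.split(":", 1)[1].split()
        # foundation component transport priority address port "typ" type ...
        if len(f) >= 8 and f[6] == "typ":
            yield int(f[1]), f[2].lower(), f[4], int(f[5]), f[7]

def reachable_from_outside(address):
    """False for private/loopback/link-local IPs and for non-IP names."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # hostname such as an mDNS *.local name; cannot judge
    return not any(ip.version == net.version and ip in net for net in UNROUTABLE)

def external_candidates(sdp):
    """Candidates an external client could actually send media to."""
    return [c for c in parse_candidates(sdp) if reachable_from_outside(c[2])]
```

An empty result from `external_candidates` for the SDP seen by an outside client matches the symptom in this thread: audio works inside the firewall and fails outside it.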

Tan Le Nhat

Oct 22, 2019, 3:56:11 AM
to BigBlueButton-dev
Hello Chad,
My BBB server has an issue with the internal users. They can't access the external IP of my server. But when I test another server (not BBB, this is in my system) it doesn't get this issue. Why has it happened?

On Friday, May 24, 2019 at 03:47:45 UTC+7, Chad Pilkey wrote:

Tan Le Nhat

Oct 22, 2019, 3:58:32 AM
to BigBlueButton-dev
And how can I customize the nginx configuration to fix the problem??

Girish Kumar Gupta

Nov 10, 2019, 2:29:18 PM
to bigblueb...@googlegroups.com
Hi Nhat, 

Have you set up a TURN server?

Regards 
Girish 


Tan Le Nhat

Nov 13, 2019, 3:00:45 AM
to BigBlueButton-dev
Yes I have
