I guess so. I somehow expected rtpengine to create input rules on the fly for the specific ports advertised via SDP.
Am I right, this is not the case?
I see:
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
ip protocol udp counter packets 94648 bytes 27896633 jump rtpengine
But then, created by UFW
chain ufw-before-input { counter packets 30 bytes 1320 jump ufw-logging-deny
iifname "lo" counter packets 43594 bytes 1023976921 accept
ct state related,established counter packets 90236 bytes 34466871 acceptes 0 accept
ct state invalid counter packets 30 bytes 1320 jump ufw-logging-denyccept
ct state invalid counter packets 30 bytes 1320 dropr packets 0 bytes 0 accept
So I guess if traffic originates from a unknown IP as happens in NAT situation, this 'before input' is dropping them with state invalid, preventing rtpengine from learning the correct source.
I added an accept rule towards the port range used by rtpengine and now NAT detection works as expected.