我为公司网络部署了一台新的 HP MSR2004 路由器。内网使用私有地址段,对外只有一个静态公网 IP(单地址 NAT/PAT)。网页浏览以及所有基于 TCP 的应用看起来都正常,通过 UDP 的 DNS 解析也正常。(注:DHCP 下发给客户端的 DNS 服务器是路由器自身的 VLAN 接口地址 192.168.200.1 / 192.168.210.1,查询由路由器上的 dns proxy 代为转发到 8.8.8.8,并不经过内网主机的 NAT 会话,因此 DNS 正常并不能说明出向 UDP 的 NAT 转换是正常的。)
但是,其他基于 UDP 的服务都无法正常工作。我们使用的是外部 SIP 服务提供商,内网中的 IP 电话会不断掉注册,也无法拨打外线。
下面是(已脱敏的)配置文件:
#
version 7.1.064, Release 0605P20
#
sysname gw-1
#
# Router-originated ICMP (TTL-exceeded, unreachable, ...) is sourced from the
# management SVI address instead of the interface the packet arrived on.
ip icmp source 192.168.100.1
#
# Single public address used for outbound PAT (bound by `nat outbound` on GE0/0).
nat address-group 0
address xxx.91.227.170 xxx.91.227.170
#
# Endpoint-independent mapping: one internal ip:port keeps the same external
# ip:port regardless of destination. This is the behaviour SIP/RTP need, but on
# this platform EIM also lets external hosts reuse an existing mapping
# (confirm against the release notes); the WAN packet-filter `external` is
# then the only thing limiting inbound UDP.
nat mapping-behavior endpoint-independent
#
dhcp enable
#
# The router resolves DNS for the LAN: both DHCP pools hand out the SVI address
# as dns-list, and the proxy forwards to the public resolvers below. The proxy
# is global — check the WAN ACL so the resolver is not reachable from the
# Internet.
dns proxy enable
dns server 8.8.8.8
dns server 8.8.4.4
#
# Console password recovery left at the default (enabled): anyone with physical
# console access can regain admin access from the boot menu. Keep the console
# physically controlled or disable this.
password-recovery enable
#
# VLAN 1 is the untagged/PVID VLAN on every hybrid port below and has no
# Vlan-interface, so an untagged device on most ports gets L2 access to VLAN 1
# only.
vlan 1
#
# 192.168.100.0/24 — router management. ACLs 3000/3001 keep the other VLANs
# away from it.
vlan 10
name Management VLAN
#
# 192.168.200.0/23 — note the /23: it spans 192.168.200.x AND 192.168.201.x.
vlan 11
name Internal VLAN
#
# 192.168.210.0/24 — guest; ACL 3001 is what isolates it from the other subnets.
vlan 12
name Guest Wifi VLAN
#
# No Vlan-interface address and no port carries VLAN 20 in this config.
vlan 20
name Sublet 1 VLAN
#
qos map-table dscp-lp
import 6 export 6
#
# Classifier: anything matching ACL `sip` (TCP/UDP to ports 5060-5061).
traffic classifier highprio operator and
if-match acl name sip
#
# Empty behavior: defined but never bound to a classifier.
traffic behavior communication
#
# Raises local precedence for SIP signalling only; RTP media is not matched by
# ACL `sip`, so the voice payload gets no priority from this policy.
traffic behavior highprio
remark local-precedence 7
#
# Applied inbound on Vlan-interface11 and Vlan-interface12.
qos policy communication
classifier highprio behavior highprio
#
stp mode rstp
stp global enable
#
# Guest pool: clients get the router (Vlan-interface12) as DNS, i.e. they use
# the DNS proxy rather than a NATed UDP path of their own.
dhcp server ip-pool guest
gateway-list 192.168.210.1
network 192.168.210.0 mask 255.255.255.0
address range 192.168.210.10 192.168.210.200
dns-list 192.168.210.1
expired day 0 hour 4
#
# Internal pool covers the whole /23: leases reach into 192.168.201.x, so any
# ACL that only names 192.168.200.0/24 leaves half of these clients uncovered.
# As with the guest pool, DNS goes to the router itself (dns proxy), so a
# working DNS lookup does not prove that outbound UDP NAT works.
dhcp server ip-pool internal
gateway-list 192.168.200.1
network 192.168.200.0 mask 255.255.254.0
address range 192.168.200.10 192.168.201.200
dns-list 192.168.200.1
expired day 0 hour 8
#
controller Cellular0/0
#
interface Aux0
#
interface NULL0
#
# Management SVI. No packet-filter here; it is protected only by the ACLs
# applied on the other SVIs (and by nothing at all on VLAN 10 itself).
interface Vlan-interface10
ip address 192.168.100.1 255.255.255.0
#
# Internal SVI (/23). ACL 3000 keeps TCP/UDP away from the management subnet;
# the QoS policy marks SIP signalling.
interface Vlan-interface11
ip address 192.168.200.1 255.255.254.0
packet-filter 3000 inbound
qos apply policy communication inbound
#
# Guest SVI. 3000 is redundant with 3001 here (3001 already denies all IP to
# the management subnet); 3001 is the rule that isolates guests from the
# internal VLAN.
interface Vlan-interface12
ip address 192.168.210.1 255.255.255.0
packet-filter 3000 inbound
packet-filter 3001 inbound
qos apply policy communication inbound
#
# No IP address and no port in VLAN 20: effectively unused.
interface Vlan-interface20
packet-filter 3000 inbound
#
# WAN. Inbound filtering is the stateless ACL `external` (no ASPF/object-policy
# appears in this config); outbound PAT onto the single public address, trying
# to keep the original source port. `tcp mss 1460` only touches TCP SYNs and
# does nothing for UDP/SIP/RTP.
interface GigabitEthernet0/0
port link-mode route
ip address xxx.91.227.170 255.255.255.248
tcp mss 1460
packet-filter name external inbound
nat outbound address-group 0 port-preserved
#
# Routed ports with no address: unused.
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface GigabitEthernet0/27
port link-mode route
#
# Trunk-style hybrid ports towards the internal switches/APs: VLANs 10-12 (or
# 10-11) tagged, VLAN 1 untagged with the default PVID 1. VLAN 1 has no
# Vlan-interface, so an untagged device on these ports only gets L2 access to
# VLAN 1. The management VLAN 10 is tagged on every one of them — any device
# that can tag frames on these ports can reach 192.168.100.1 unfiltered.
interface GigabitEthernet0/3
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/4
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/5
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/6
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/7
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/8
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/9
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/10
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
# From here on the guest VLAN 12 is not carried.
interface GigabitEthernet0/11
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/12
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/13
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/14
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/15
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/16
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/17
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
# GE0/18, GE0/20 and GE0/21 set `port hybrid pvid vlan 10`: untagged frames on
# those three ports are placed in the MANAGEMENT VLAN, so whatever is plugged
# into them (presumably APs/switches managed over VLAN 10 — confirm) gets
# unfiltered access to 192.168.100.1 (Vlan-interface10 has no packet-filter).
interface GigabitEthernet0/18
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
port hybrid pvid vlan 10
#
interface GigabitEthernet0/19
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
# Untagged -> management VLAN (see note above).
interface GigabitEthernet0/20
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
port hybrid pvid vlan 10
#
# Untagged -> management VLAN (see note above).
interface GigabitEthernet0/21
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
port hybrid pvid vlan 10
#
interface GigabitEthernet0/22
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/23
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/24
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
# Untagged access port in the internal VLAN.
interface GigabitEthernet0/25
port link-mode bridge
port access vlan 11
#
# Untagged access port directly in the management VLAN.
interface GigabitEthernet0/26
port link-mode bridge
port access vlan 10
#
# Local log buffer only; no `info-center loghost` appears in this config, so
# nothing is logged off-box — consider a syslog collector.
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
# Only vty 1 explicitly uses `authentication-mode scheme` (AAA / local-user).
# vty 0 and vty 2-63 inherit the platform default for this release — confirm
# what that is, and apply `authentication-mode scheme` to all VTYs so every
# remote session is authenticated the same way.
line vty 0
user-role network-operator
#
line vty 1
authentication-mode scheme
user-role network-operator
#
line vty 2 63
user-role network-operator
#
ip route-static 0.0.0.0 0 xxx.91.227.169
#
# SSH with password-only authentication for `admin`, and `service-type all`
# (stelnet, SFTP, SCP, NETCONF). Prefer publickey auth and limit the service
# types to the ones actually used.
ssh server enable
ssh user admin service-type all authentication-type password
#
# Only a CBC cipher is offered; CBC modes are deprecated for SSH — prefer
# aes256-ctr / aes256-gcm if this release supports them.
ssh2 algorithm cipher aes256-cbc
#
# Unauthenticated NTP from a public server (`ntp-service enable` itself is not
# shown in this excerpt). If NTP is enabled, the router also answers on UDP/123;
# with the WAN ACL permitting all UDP, check that it does not serve the Internet.
ntp-service unicast-server ptbtime1.ptb.de
#
# Applied inbound on Vlan-interface11/12/20: keeps TCP and UDP away from the
# management subnet. Other IP protocols (ICMP, GRE, ...) are NOT denied here,
# unlike ACL 3001 which uses `deny ip` — confirm that is intended. Unmatched
# traffic falls through to the packet-filter default action (no
# `packet-filter default deny` in this config), i.e. it is permitted.
acl advanced 3000
rule 0 deny tcp destination 192.168.100.0 0.0.0.255
rule 1 deny udp destination 192.168.100.0 0.0.0.255
#
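# Guest isolation, applied inbound on Vlan-interface12. The internal VLAN is a
# /23 (255.255.254.0 on Vlan-interface11; DHCP leases go up to
# 192.168.201.200), so the wildcard must cover 192.168.200.0-192.168.201.255.
# A 0.0.0.255 wildcard would leave every 192.168.201.x host reachable from
# guest Wi-Fi. Unmatched traffic is permitted by the packet-filter default.
acl advanced 3001
rule 0 deny ip destination 192.168.100.0 0.0.0.255
rule 1 deny ip destination 192.168.200.0 0.0.1.255
#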
# Inbound filter on the WAN (GE0/0). This is a stateless packet-filter:
# `established` below is only a TCP flag check and nothing here tracks UDP.
# Rules are evaluated in order, and rule 21 makes rules 15 and 20 dead: every
# unsolicited UDP datagram to the public address is admitted — not just NAT
# return traffic, but any UDP service the router itself listens on (DNS proxy,
# NTP if enabled). If rules 20/21 were added while troubleshooting SIP
# (confirm), tighten them again once the NAT problem is understood; a stateful
# ASPF/object-policy would be the proper replacement for this ACL.
acl advanced name external
rule 0 permit icmp
# Stateless: only checks ACK/RST flags on inbound TCP.
rule 5 permit tcp established
# Anything with source port 53 is let in regardless of destination port — a
# classic bypass for a stateless filter. Dead while rule 21 exists.
rule 15 permit udp source-port eq dns
# Dead while rule 21 exists.
rule 20 permit udp destination-port gt 1024
# All inbound UDP.
rule 21 permit udp
# IP protocol 115 = L2TP.
rule 25 permit 115
rule 9999 deny ip
#
# Used only by the QoS classifier (marking), not for filtering. Matches SIP
# signalling ports only; RTP media is not included.
acl advanced name sip
rule 0 permit tcp destination-port range 5060 5061
rule 5 permit udp destination-port range 5060 5061
#
# Default ISP domain, left at its defaults; nothing in this config overrides it.
domain system
#
domain default enable system
#
# Predefined RBAC roles as emitted by `display current-configuration`; nothing
# is customised here.
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
# Single management account holding both roles (network-operator is redundant
# next to network-admin). `service-type` also authorises telnet and http —
# both plaintext management channels — in addition to ssh/terminal; drop the
# ones not in use. Whether the telnet/http servers are actually enabled
# (`telnet server enable`, `ip http enable`) is not visible in this excerpt.
local-user admin class manage
password hash xxx
service-type ssh telnet terminal http
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
# TR-069 (CWMP) remote management is enabled with no ACS settings shown here;
# disable it unless an ISP/ACS is really meant to manage this router.
cwmp
cwmp enable
#
return
更新:该设备支持多种协议的 NAT ALG,其中包括 SIP。开启或关闭 ALG 没有任何区别。不过,从 Asterisk 服务器收到的 SIP 报文来看,SBC 已经正确改写了报文体(SDP);呼入是正常的,包括语音。由此我推测问题出在出向 UDP 报文没有被正确地建立 NAT 会话/做 PAT。不过我也可能完全想错了!
如何调试/解决此问题?