Media hairpinning, 9 media hairpinning – Kerio Tech Firewall6 User Manual

Chapter 7: Traffic Policy

Figure 7.40: Enabling Full cone NAT in the traffic rule

7.9 Media hairpinning

WinRoute can “arrange” traffic between two clients in the LAN which “know each other” only from behind the firewall’s public IP address. This feature of the firewall is called hairpinning (with the hairpin root suggesting the packet’s “U-turn” back to the local network). Used especially for transmission of voice or visual data, it is also known as media hairpinning.

Example: Two SIP telephones in the LAN

Let us suppose two SIP telephones are located in the LAN. These telephones authenticate to a SIP server on the Internet. The parameters may be as follows:

IP addresses of the phones: 192.168.1.100 and 192.168.1.101

Public IP address of the firewall: 195.192.33.1

SIP server: sip.server.com

For the telephones, define corresponding traffic rules (see chapter 7.8). As apparent from figure 7.39, simply set the Source of the Full cone NAT traffic rule to the IP address of the other telephone.
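A toy model of the NAT-table lookup that lets these two phones reach each other through the firewall's public address (an added example, not WinRoute code). The port numbers, the table layout and the rewrite of the source to the sender's public mapping are assumptions.

```python
from dataclasses import dataclass

PUBLIC_IP = "195.192.33.1"   # firewall's public address, from the manual's example

@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)

class NatTable:
    """Toy full cone NAT table: one public port per internal (ip, port)."""
    def __init__(self):
        self.out = {}            # internal (ip, port) -> public port
        self.back = {}           # public port -> internal (ip, port)
        self.next_port = 40000   # constructed starting port

    def map_outbound(self, internal):
        """Create (or reuse) the mapping made when a phone first sends out."""
        if internal not in self.out:
            self.out[internal] = self.next_port
            self.back[self.next_port] = internal
            self.next_port += 1
        return (PUBLIC_IP, self.out[internal])

    def from_lan(self, pkt):
        """Handle a packet arriving from the LAN; None means dropped."""
        if pkt.dst[0] == PUBLIC_IP:
            # Destination is the firewall itself: look for a NAT record.
            target = self.back.get(pkt.dst[1])
            if target is None:
                return None      # no record for that port: packet is dropped
            # Hairpin: U-turn into the LAN. Source is shown as the sender's
            # public mapping (assumed behaviour, as in RFC 4787).
            return Packet(self.map_outbound(pkt.src), target)
        # Ordinary outbound NAT towards the Internet.
        return Packet(self.map_outbound(pkt.src), pkt.dst)

def demo():
    nat = NatTable()
    a = ("192.168.1.100", 5004)   # constructed media ports
    b = ("192.168.1.101", 5004)
    pub_a = nat.map_outbound(a)   # both phones appear as 195.192.33.1
    pub_b = nat.map_outbound(b)
    to_b = nat.from_lan(Packet(a, pub_b))                 # hairpinned
    stray = nat.from_lan(Packet(a, (PUBLIC_IP, 49999)))   # no NAT record
    return pub_a, pub_b, to_b, stray
```
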

Both telephones will be registered on the SIP server under the firewall’s public IP address (195.192.33.1). If these telephones establish a connection with each other, data packets (for voice transmission) from both telephones will be sent to the firewall’s public IP address (and to the port of the other telephone). Under normal conditions, such packets would be dropped. However, WinRoute is capable of using a corresponding record in the NAT table to recognize that
