UDP Packets Blocked

We have several Subscribers that are having problems connecting to game servers when the SM is NAT’ed. Also, 2 insurance companies cannot connect to secure servers when NAT is enabled. Putting the SM in bridge mode fixes the problem, but then requires a router. I would like to maintain the NAT setup for easier network maintenance, as well as security. It appears that certain UDP traffic is being blocked by the SM on the return trip.
Has anyone found this to be a problem?


I have the same problem. I’m testing VoIP currently, using STUN, SIP and RTP. These are all UDP ports (STUN=3478, SIP=5060, RTP=8000).
STUN is blocked on the return path, I see the packets on my router/firewall interface, but they do not make it through the NATed SM.

I sent a support request to Canopy Technical support, here’s their answer:

Thank you for your inquiry.

A NATed SM will only block ports you configure it to block. It does not support nor stop STUN. SIP does not work well through a NAT and needs a NAT traversal protocol like STUN. This will most likely be an issue with your STUN configuration.

I am 100% sure that this is not a STUN problem, but rather a NATed SM problem.

Here’s a link to another thread discussing the same problem:
http://www.canopywireless.com/community … =nat+apple

So it is obviously a problem, Canopy should do some testing on this issue.

Best regards
Thomas Luzio

Have you tried “DMZ mode”?

Yes, DMZ mode works better, at least I can log in to VoIP provider’s proxy.
When I make a call either from cell-phone->VoIP client, or from VoIP client->cell-phone, there’s only one-way traffic (I can hear sound from the softphone->cell-phone, but not in the opposite direction).
I see the packets going out and coming into my central firewall’s interface. I have not verified that the packets are actually received on the SM, but they should be, since I have allowed all UDP high ports (1025-65535) to and from my central firewall.

So yes, DMZ mode is better, but there is still an issue with traffic in both directions, as far as I can see.

PS! I have not been able to capture on the SM, I find it hard to understand the GUI. If you have any input on how to capture packets, I would appreciate that. Do I have to fill in all the parameters in the “Capture configuration” GUI to be able to sniff packets at the SM?

Shaman666 wrote:
Have you tried “DMZ mode”?

Best regards
Thomas Luzio

I have seen the same thing today. I have a customer using Server 2003 as a VPN host and trying to access it using Windows XP VPN client. SM is set up for NAT and nothing is filtered. The SM will pass everything TO the wireless side (the customer can VPN out) but it will block VPN stuff coming FROM the wireless side (no one can VPN in). Once NAT is turned off at the SM, everything works flawlessly - customer is happy.

Makes no sense to me.