I have an issue with my new ipfire setup. It seems like a NAT or STUN issue. Zoom meetings seem to work with audio, but the remote side cannot see my video. Google meet is much the same. Remote participants can hear my voice, but my video doesn’t display for them. I can see them just fine.
General web browsing and other things work fine.
Before, I was using a common Netgear wireless router and I didn’t have this issue. Any ideas? My hardware is an Acer desktop w/ a dual Intel PCIe NIC.
IPFire version IPFire 2.27 (x86_64) - core173
Pakfire version 2.27-x86_64
Kernel version Linux tubes.moorenet.local 6.1.11-ipfire #1 SMP PREEMPT_DYNAMIC Wed Feb 22 17:07:36 GMT 2023 x86_64 Intel(R) Celeron(R) J4125 CPU @ 2.00GHz GenuineIntel GNU/Linux
Summary
*raw
:PREROUTING ACCEPT [288478229:185031905133]
:OUTPUT ACCEPT [1186058:621842440]
COMMIT
# Completed on Tue Apr 18 20:31:09 2023
*mangle
:PREROUTING ACCEPT [715470:471888981]
:INPUT ACCEPT [32883:2350287]
:FORWARD ACCEPT [682564:469509926]
:OUTPUT ACCEPT [32118:46501213]
:POSTROUTING ACCEPT [714380:515976928]
:NAT_DESTINATION - [0:0]
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -j NAT_DESTINATION
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p udp -m udp --sport 5060 -j MARK --set-xmark 0x1000000/0xf000000
COMMIT
*nat
:PREROUTING ACCEPT [2318:203563]
:INPUT ACCEPT [127:15434]
:OUTPUT ACCEPT [40:3099]
:POSTROUTING ACCEPT [37:2911]
:CAPTIVE_PORTAL - [0:0]
:CUSTOMPOSTROUTING - [0:0]
:CUSTOMPREROUTING - [0:0]
:IPSECNAT - [0:0]
:NAT_DESTINATION - [0:0]
:NAT_DESTINATION_FIX - [0:0]
:NAT_SOURCE - [0:0]
:OVPNNAT - [0:0]
:REDNAT - [0:0]
:SQUID - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A PREROUTING -j CAPTIVE_PORTAL
-A PREROUTING -j SQUID
-A PREROUTING -j NAT_DESTINATION
-A OUTPUT -j NAT_DESTINATION
-A POSTROUTING -j CUSTOMPOSTROUTING
-A POSTROUTING -j OVPNNAT
-A POSTROUTING -j IPSECNAT
-A POSTROUTING -j NAT_SOURCE
-A POSTROUTING -j NAT_DESTINATION_FIX
-A POSTROUTING -j REDNAT
-A NAT_DESTINATION -s 38.X.X.X/32 -d 24.X.X.X/32 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -s 38.X.X.X/32 -d 24.X.X.X/32 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -d 24.X.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -d 24.X.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -s 208.X.X.X/32 -d 24.X.X.X/32 -p udp -m udp --sport 5060 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -s 208.X.X.X/32 -d 24.X.X.X/32 -p udp -m udp --sport 5060 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION_FIX -m mark --mark 0x1000000/0xf000000 -j SNAT --to-source 192.168.X.X
-A REDNAT -o red0 -m policy --dir out --pol ipsec -j RETURN
-A REDNAT -o red0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.8.9
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BADTCP - [0:0]
:BLOCKLISTIN - [0:0]
:BLOCKLISTOUT - [0:0]
:CAPTIVE_PORTAL - [0:0]
:CAPTIVE_PORTAL_CLIENTS - [0:0]
:CONNTRACK - [0:0]
:CTINVALID - [0:0]
:CUSTOMFORWARD - [0:0]
:CUSTOMINPUT - [0:0]
:CUSTOMOUTPUT - [0:0]
:DHCPBLUEINPUT - [0:0]
:DHCPBLUEOUTPUT - [0:0]
:DHCPGREENINPUT - [0:0]
:DHCPGREENOUTPUT - [0:0]
:DHCPINPUT - [0:0]
:DHCPOUTPUT - [0:0]
:FORWARDFW - [0:0]
:GUARDIAN - [0:0]
:GUIINPUT - [0:0]
:HOSTILE - [0:0]
:HOSTILE_DROP - [0:0]
:ICMPINPUT - [0:0]
:INPUTFW - [0:0]
:IPSBYPASS - [0:0]
:IPSECBLOCK - [0:0]
:IPSECFORWARD - [0:0]
:IPSECINPUT - [0:0]
:IPSECOUTPUT - [0:0]
:IPS_FORWARD - [0:0]
:IPS_INPUT - [0:0]
:IPS_OUTPUT - [0:0]
:IPTVFORWARD - [0:0]
:IPTVINPUT - [0:0]
:LOCATIONBLOCK - [0:0]
:LOG_DROP - [0:0]
:LOG_REJECT - [0:0]
:LOOPBACK - [0:0]
:NEWNOTSYN - [0:0]
:OUTGOINGFW - [0:0]
:OVPNBLOCK - [0:0]
:OVPNINPUT - [0:0]
:POLICYFWD - [0:0]
:POLICYIN - [0:0]
:POLICYOUT - [0:0]
:PSCAN - [0:0]
:REDFORWARD - [0:0]
:REDINPUT - [0:0]
:SPOOFED_MARTIAN - [0:0]
:TOR_INPUT - [0:0]
:TOR_OUTPUT - [0:0]
:WIRELESSFORWARD - [0:0]
:WIRELESSINPUT - [0:0]
-A INPUT -m mark --mark 0xc0000000/0xc0000000 -j IPSBYPASS
-A INPUT -p tcp -j BADTCP
-A INPUT -j CUSTOMINPUT
-A INPUT -j HOSTILE
-A INPUT ! -p icmp -j BLOCKLISTIN
-A INPUT -j GUARDIAN
-A INPUT -i tun+ -j OVPNBLOCK
-A INPUT -m mark --mark 0x0/0xc0000000 -j IPS_INPUT
-A INPUT -j IPTVINPUT
-A INPUT -j ICMPINPUT
-A INPUT -j LOOPBACK
-A INPUT -j CAPTIVE_PORTAL
-A INPUT -j CONNTRACK
-A INPUT -i green0 -j DHCPGREENINPUT
-A INPUT -j TOR_INPUT
-A INPUT -j LOCATIONBLOCK
-A INPUT -j IPSECINPUT
-A INPUT -j GUIINPUT
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-A INPUT -j OVPNINPUT
-A INPUT -j INPUTFW
-A INPUT -j REDINPUT
-A INPUT -j POLICYIN
-A FORWARD -m mark --mark 0xc0000000/0xc0000000 -j IPSBYPASS
-A FORWARD -p tcp -j BADTCP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j CUSTOMFORWARD
-A FORWARD -j HOSTILE
-A FORWARD ! -p icmp -j BLOCKLISTIN
-A FORWARD ! -p icmp -j BLOCKLISTOUT
-A FORWARD -j GUARDIAN
-A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
-A FORWARD -i tun+ -j OVPNBLOCK
-A FORWARD -o tun+ -j OVPNBLOCK
-A FORWARD -m mark --mark 0x0/0xc0000000 -j IPS_FORWARD
-A FORWARD -j IPTVFORWARD
-A FORWARD -j LOOPBACK
-A FORWARD -j CAPTIVE_PORTAL
-A FORWARD -j CONNTRACK
-A FORWARD -j LOCATIONBLOCK
-A FORWARD -j IPSECFORWARD
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
-A FORWARD -j FORWARDFW
-A FORWARD -j REDFORWARD
-A FORWARD -j POLICYFWD
-A OUTPUT -m mark --mark 0xc0000000/0xc0000000 -j IPSBYPASS
-A OUTPUT -j CUSTOMOUTPUT
-A OUTPUT -j HOSTILE
-A OUTPUT ! -p icmp -j BLOCKLISTOUT
-A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
-A OUTPUT -m mark --mark 0x0/0xc0000000 -j IPS_OUTPUT
-A OUTPUT -j LOOPBACK
-A OUTPUT -j CONNTRACK
-A OUTPUT -o green0 -j DHCPGREENOUTPUT
-A OUTPUT -j IPSECOUTPUT
-A OUTPUT -j TOR_OUTPUT
-A OUTPUT -j OUTGOINGFW
-A OUTPUT -j POLICYOUT
-A BADTCP -i lo -j RETURN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j PSCAN
-A BADTCP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j NEWNOTSYN
-A CAPTIVE_PORTAL_CLIENTS -p udp -m udp --dport 53 -m hashlimit --hashlimit-upto 3kb/s --hashlimit-burst 1mb --hashlimit-mode srcip --hashlimit-name dns-filter -j RETURN
-A CAPTIVE_PORTAL_CLIENTS -p tcp -m tcp --dport 53 -m hashlimit --hashlimit-upto 3kb/s --hashlimit-burst 1mb --hashlimit-mode srcip --hashlimit-name dns-filter -j RETURN
-A CAPTIVE_PORTAL_CLIENTS -j DROP
-A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
-A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A CTINVALID -m comment --comment DROP_CTINVALID -j DROP
-A DHCPGREENINPUT -i green0 -j DHCPINPUT
-A DHCPGREENOUTPUT -o green0 -j DHCPOUTPUT
-A DHCPINPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A DHCPINPUT -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A DHCPOUTPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A DHCPOUTPUT -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A FORWARDFW -s 38.X.X.X/32 -d 192.168.X.X/32 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -s 38.X.X.X/32 -d 192.168.X.X/32 -j ACCEPT
-A FORWARDFW -d 192.168.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -d 192.168.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j ACCEPT
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j ACCEPT
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j ACCEPT
-A FORWARDFW -s 208.X.X.X/32 -d 192.168.X.X/32 -p udp -m udp --sport 5060 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -s 208.X.X.X/32 -d 192.168.X.X/32 -p udp -m udp --sport 5060 -j ACCEPT
-A GUIINPUT -i green0 -p tcp -m tcp --dport 444 -j ACCEPT
-A HOSTILE_DROP -m limit --limit 10/sec -j LOG --log-prefix "DROP_HOSTILE "
-A HOSTILE_DROP -m comment --comment DROP_HOSTILE -j DROP
-A ICMPINPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A IPSBYPASS -j CONNMARK --save-mark --nfmask 0x7fffffff --ctmask 0x7fffffff
-A LOCATIONBLOCK ! -i red0 -j RETURN
-A LOCATIONBLOCK -s 10.0.0.0/8 -j RETURN
-A LOCATIONBLOCK -s 172.16.0.0/12 -j RETURN
-A LOCATIONBLOCK -s 192.168.0.0/16 -j RETURN
-A LOCATIONBLOCK -s 100.64.0.0/10 -j RETURN
-A LOG_DROP -m limit --limit 10/sec -j LOG
-A LOG_DROP -j DROP
-A LOG_REJECT -m limit --limit 10/sec -j LOG
-A LOG_REJECT -j REJECT --reject-with icmp-port-unreachable
-A LOOPBACK -i lo -j ACCEPT
-A LOOPBACK -o lo -j ACCEPT
-A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
-A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
-A NEWNOTSYN -m limit --limit 10/sec -j LOG --log-prefix "DROP_NEWNOTSYN "
-A NEWNOTSYN -m comment --comment DROP_NEWNOTSYN -j DROP
-A OVPNBLOCK -p icmp -m conntrack --ctstate RELATED -j RETURN
-A OVPNINPUT -i red0 -p udp -m udp --dport 1194 -j ACCEPT
-A POLICYFWD -s 192.168.X.X/24 -i green0 -j ACCEPT
-A POLICYFWD -m policy --dir in --pol ipsec -j ACCEPT
-A POLICYFWD -i tun+ -j ACCEPT
-A POLICYFWD -m limit --limit 10/sec -j LOG --log-prefix "DROP_FORWARD "
-A POLICYFWD -m comment --comment DROP_FORWARD -j DROP
-A POLICYIN -p udp -m udp --dport 514 -j DROP
-A POLICYIN -i green0 -j ACCEPT
-A POLICYIN -m policy --dir in --pol ipsec -j ACCEPT
-A POLICYIN -i tun+ -j ACCEPT
-A POLICYIN -m limit --limit 10/sec -j LOG --log-prefix "DROP_INPUT "
-A POLICYIN -m comment --comment DROP_INPUT -j DROP
-A POLICYOUT -j ACCEPT
-A POLICYOUT -m comment --comment DROP_OUTPUT -j DROP
-A PSCAN -p tcp -m limit --limit 10/sec -m comment --comment "DROP_TCP PScan" -j LOG --log-prefix "DROP_TCP Scan "
-A PSCAN -p udp -m limit --limit 10/sec -m comment --comment "DROP_UDP PScan" -j LOG --log-prefix "DROP_UDP Scan "
-A PSCAN -p icmp -m limit --limit 10/sec -m comment --comment "DROP_ICMP PScan" -j LOG --log-prefix "DROP_ICMP Scan "
-A PSCAN -f -m limit --limit 10/sec -m comment --comment "DROP_FRAG PScan" -j LOG --log-prefix "DROP_FRAG Scan "
-A PSCAN -m comment --comment DROP_PScan -j DROP
-A REDINPUT -s 24.X.X.X/32 -i red0 -j SPOOFED_MARTIAN
-A REDINPUT -i red0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A REDINPUT -i red0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A SPOOFED_MARTIAN -m limit --limit 10/sec -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
-A SPOOFED_MARTIAN -m comment --comment DROP_SPOOFED_MARTIAN -j DROP
COMMIT