Messages - AxxelH

#1
20.1 Legacy Series / Re: WebRTC failures
April 10, 2020, 05:32:15 AM
Quote from: mestafin on April 09, 2020, 11:34:09 AM
I am running jitsi (based on webRTC) on a VM behind an OPNsense (20.1.3) firewall and it works 100%

This is inbound WebRTC, which has predictable ports to map. My problem is with outbound (or really peer-to-peer) WebRTC, where the ports at the STUN server are not predictable.
#2
20.1 Legacy Series / WebRTC failures
April 02, 2020, 07:38:09 PM
I have OPNsense 20.1.3 running in a VM with a dedicated Intel dual-port ethernet to serve as my home router. Because my ISP (AT&T Uverse) has broken modem firmware, I'm also running a double-NAT instead of a bridge, with all ports forwarded to OPNsense. This has worked OK for a year or more.

The current shelter-in-place for my region has led to a lot of new video conferencing software in use, and it seems like everyone insists on using a different service. Of the browser-based solutions, several do not work in my network. This includes the Roll20 gaming service, as well as various services used by other businesses (ConexEd, etc.).

A fair amount of poking around leads me to believe that the failures are because the service appears to attempt peer-to-peer WebRTC connectivity which then fails. Services that both have a relay server and choose to use it seem to work fine.

I'm aware that webRTC through a symmetric NAT is problematic, but these same services work when connected to other routers. In particular, OpenWRT in its default firewalling configuration connected to the same ISP modem (double NAT) works fine.

I see one historical post on this problem (https://forum.opnsense.org/index.php?topic=9225.0), with no responses.

Is there a way to get this working in OPNsense? Things I've tried:

- Setting affected machines to "static port" NAT rules, as is already required for game consoles on my network.
- Temporarily removing the double-NAT using the not-really-a-bridge mode on the modem.

Is there anything else I should look at?