Umurmur UDP port "open|filtered" on wan addresses

Hi all, I am trying to set up a umurmur server but am encountering a really curious issue.

For now I am just testing clients running on lan. If I use the lan address of the router (either local private IPv4 or GUA IPv6) it works all right. However, when I tried to use the wan address (either IPv4 or IPv6) the system seems only partially functional: I can log in to the server but voice communication does not work.

The server definitely does listen on all interfaces:

# on router
netstat -ntupl | grep murmur
tcp        0      0 0.0.0.0:64738           0.0.0.0:*               LISTEN      20807/umurmurd
tcp        0      0 :::64738                :::*                    LISTEN      20807/umurmurd
udp        0      0 0.0.0.0:64738           0.0.0.0:*                           20807/umurmurd
udp        0      0 :::64738                :::*                                20807/umurmurd

I tried to do further testing using nmap, and found an interesting difference on the UDP port.

# on client machine on lan
nmap -sS -sU -p 64738 "${WAN_IP}"           
PORT      STATE         SERVICE
64738/tcp open          unknown
64738/udp open|filtered murmur

nmap -sS -sU -p 64738 "${LAN_IP}"
PORT      STATE SERVICE
64738/tcp open  unknown
64738/udp open  murmur
# note "open|filtered" vs "open"

THE MOST WEIRD THING
If I set bindaddr/bindaddr6 in /etc/umurmur.conf to listen on a wan address instead of INADDR_ANY then it works! Obviously I do not want to listen explicitly on wan addresses. I do want to use INADDR_ANY.

Any ideas what could be wrong? This does not seem to be a firewall issue, since a change in the umurmur configuration changes the behaviour.

I also tried using tcpdump.

It appears that when the umurmur server listens on any, the UDP packets sent from the server to the client use the lan address as the source, which I guess confuses clients.

I guess the server really has no way to know which source address it should use for a packet out of all the interfaces available, unless both clients are talking at once in the voice chat and the server knows the mapping. If only one client is speaking and one is only listening, then the server does not know what source IP it should use for the strictly listening clients.

I guess I would really have to explicitly listen on a singular address.

EDIT: or maybe use a hostname that has multiple A/AAAA records for all the IPs?

Followup question is: how can I listen on the wan interface automatically without entering the IP literal? Is that possible?

That does not work with UDP, you need a socket per IP address.

I believe I have two options:

  • Force umurmur to listen only on the WAN IPs. However, I don't know if this can be done dynamically, or if we can only hardcode the IP literals into the config. This may be annoying if the WAN IP is dynamic.
  • Clients that are on the lan must use only the lan IPs of the server. This is because the source UDP address is picked to be in the same network as the client.
    See http://linux-ip.net/html/routing-saddr-selection.html

    … or, lacking this hint, the kernel will choose the first address configured on the interface which falls in the same network as the destination address or the nexthop router.

You can add a DNAT rule on the lan side directing the connections to the WAN IP.

Have you tried to use the WAN address, but from a device in the WAN network?

Just tested it now and as expected it works with no problem.

Only lan clients connecting to the wan address are an issue, because when the server sends UDP packets it auto-selects the source IP that is closest to the client IP, but clients do not expect that and ignore such packets.

You could maybe set a non-loopback IP on the loopback device and use that to reach the service. But maybe then you need two snat rules for wan and lan.
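
The source-address behaviour discussed in this thread can be reproduced on a single Linux host with loopback addresses. The following is an added example, not code from the thread or from umurmur. It goes slightly beyond the thread by also showing the Linux IP_PKTINFO socket option, which lets a wildcard-bound UDP socket reply from the address a datagram arrived on; 127.0.0.2 and 127.0.0.3 are constructed stand-ins for the WAN address and the lan client, and `reply_source` is a hypothetical helper name.

```python
import socket
import struct

# Assumption: Linux. The constant is missing from older Pythons; 8 is the Linux value.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)

# Constructed stand-ins: on Linux every address in 127.0.0.0/8 is local.
SERVICE_IP = "127.0.0.2"   # plays the WAN address the client dials
CLIENT_IP = "127.0.0.3"    # plays the lan client


def reply_source(use_pktinfo):
    """Return the source IP the client sees on the server's UDP reply."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        server.bind(("0.0.0.0", 0))        # wildcard bind, as with INADDR_ANY
        server.settimeout(2)
        port = server.getsockname()[1]
        client.bind((CLIENT_IP, 0))
        client.settimeout(2)
        client.sendto(b"ping", (SERVICE_IP, port))

        _data, ancdata, _flags, peer = server.recvmsg(64, socket.CMSG_SPACE(12))
        if use_pktinfo:
            # struct in_pktinfo { int ipi_ifindex; in_addr ipi_spec_dst; in_addr ipi_addr; }
            local = None
            for level, ctype, cdata in ancdata:
                if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
                    _ifindex, _spec_dst, local = struct.unpack("i4s4s", cdata[:12])
            # ipi_spec_dst on send = address the request was sent to.
            pktinfo = struct.pack("i4s4s", 0, local, b"\0" * 4)
            server.sendmsg([b"pong"], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)
        else:
            server.sendto(b"pong", peer)   # kernel picks the source from the route

        _reply, (src_ip, _src_port) = client.recvfrom(64)
        return src_ip
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print("plain sendto  ->", reply_source(False))
    print("with PKTINFO  ->", reply_source(True))
```

A client that only accepts replies from the address it dialled would drop the first reply and accept the second.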