Problem with webrtc with firewall and blocked ports


ThibaultOber

Question

We are currently building a WebRTC application, converting an RTMP flow into a WebRTC stream.

The application works well under normal conditions, but we are encountering problems when running the client app in a corporate environment.

For further testing we are using https://testrtc.com to check different network configurations.

The tests run fine under the "No firewall" configuration, but if we switch to "Firewall - Only http & https allowed" we don't get any valid stream.

We are using the default ant-media configuration with no TURN server and the default STUN servers:

iceServers: [{"urls":"stun:stun1.l.google.com:19302"}]

The client is configured using the WebRTCAdaptor JS library, with the antmedia server address as the "websocket_url":

this.webRTCAdaptor = new WebRTCAdaptor({
    websocket_url : "wss://my-app:443/LiveApp/websocket",
    mediaConstraints : mediaConstraints,
    peerconnection_config : pc_config,
    sdp_constraints : sdpConstraints,
    remoteVideoId : "myRemoteVideo",
    isPlayMode : true,
    callback : (info : string, obj : any) => {
      if (info == "initialized") {
        console.log("initialized " + websocketURL);
        self.play();
      } else if (info == "play_started") {
        console.log("Play started");
        self.videoPlayer.nativeElement.play();
      } else if (info == "play_finished") {
        console.log("play finished");
      }
      else if(info == "pong") {
        self.videoStreamingService.notifyUpdate();
      }
    },
    callbackError : function(error : string, message : string) {
      ...
    },
  });

1) Does it mean the antmedia server is the signalling server which maintains the peer-to-peer connection?

---------------------------------------------------------------------------------------------------------------------

When we look at the chrome://webrtc-internals logs, we are missing an onicecandidate event:

When it's working (no firewall):

2023-01-04 09:28:44.281 onicecandidate candidate: "candidate:4112619227 1 udp 2122260223 172.17.0.2 35950 typ host generation 0 ufrag 4lmt network-id 1", sdpMid: "0", sdpMLineIndex: 0

2023-01-04 09:28:44.366 onicecandidate candidate: "candidate:3147983403 1 tcp 1518280447 172.17.0.2 9 typ host tcptype active generation 0 ufrag 4lmt network-id 1", sdpMid: "0", sdpMLineIndex: 0

2023-01-04 09:28:44.385 onicecandidate candidate: "candidate:369102903 1 udp 1686052607 35.196.255.115 35950 typ srflx raddr 172.17.0.2 rport 35950 generation 0 ufrag 4lmt network-id 1", sdpMid: "0", sdpMLineIndex: 0

When it's not working (ports blocked):

2023-01-04 09:39:34.184 onicecandidate candidate: "candidate:4112619227 1 udp 2122260223 172.17.0.2 59769 typ host generation 0 ufrag 27hd network-id 1", sdpMid: "0", sdpMLineIndex: 0

2023-01-04 09:39:34.307 onicecandidate candidate: "candidate:3147983403 1 tcp 1518280447 172.17.0.2 9 typ host tcptype active generation 0 ufrag 27hd network-id 1", sdpMid: "0", sdpMLineIndex: 0

2) I have read online that a TURN server could help in this configuration; can you please clarify this scenario?

Thank you.

Please find attached the logs we got from: chrome://webrtc-internals & the one from the antmedia console

 

 

FirewallLog.txt noFirewallLog.txt ant-media-error-log.txt ant-media-console-log.txt
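Added example, not part of the original post or of Ant Media's code: the two candidate lists quoted above, parsed and compared so the missing candidate types are explicit. The function names are hypothetical, and the private-address check covers IPv4 only.

```javascript
// Candidate strings copied from the chrome://webrtc-internals excerpts in the post.
const NO_FIREWALL = [
  "candidate:4112619227 1 udp 2122260223 172.17.0.2 35950 typ host generation 0 ufrag 4lmt network-id 1",
  "candidate:3147983403 1 tcp 1518280447 172.17.0.2 9 typ host tcptype active generation 0 ufrag 4lmt network-id 1",
  "candidate:369102903 1 udp 1686052607 35.196.255.115 35950 typ srflx raddr 172.17.0.2 rport 35950 generation 0 ufrag 4lmt network-id 1",
];
const PORTS_BLOCKED = [
  "candidate:4112619227 1 udp 2122260223 172.17.0.2 59769 typ host generation 0 ufrag 27hd network-id 1",
  "candidate:3147983403 1 tcp 1518280447 172.17.0.2 9 typ host tcptype active generation 0 ufrag 27hd network-id 1",
];

// Split one candidate attribute (RFC 8839 layout) into named fields.
function parseCandidate(line) {
  const t = line.trim().split(/\s+/);
  if (t.length < 8 || !t[0].startsWith("candidate:") || t[6] !== "typ") return null;
  const c = {
    foundation: t[0].slice("candidate:".length), component: Number(t[1]),
    transport: t[2].toLowerCase(), priority: Number(t[3]),
    address: t[4], port: Number(t[5]), type: t[7],
  };
  // Everything after the type is name/value pairs: raddr, rport, tcptype, ufrag...
  for (let i = 8; i + 1 < t.length; i += 2) c[t[i]] = t[i + 1];
  return c;
}

// RFC 1918 check: a private host address is not reachable from another network.
function isPrivateV4(addr) {
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Summarise a gathering run: which candidate types appeared and which are missing.
function summarize(lines) {
  const cands = lines.map(parseCandidate).filter(Boolean);
  const types = [...new Set(cands.map((c) => c.type))].sort();
  const missing = ["srflx", "relay"].filter((t) => !types.includes(t));
  const routable = cands.filter((c) => c.type !== "host" || !isPrivateV4(c.address));
  return { types, missing, routable: routable.map((c) => `${c.type} ${c.address}:${c.port}/${c.transport}`) };
}

console.log("no firewall  :", summarize(NO_FIREWALL));
console.log("ports blocked:", summarize(PORTS_BLOCKED));
```

In the blocked run only private host candidates remain, so the client offers no address that a peer outside its network can reach.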

Hi @ThibaultOber,

How are you?

Have you opened the UDP port range 50000-60000 on the security group for WebRTC publish and play for the corporate network?

--

Best Regards,

Mohit Dubey


Hello @Mohit,

1) Do you mean opening the port range 50000-60000 on the client side?

2) Do we need to configure port forwarding for the range 50000-60000 on our router to our Ant Media server instance (server-side)?

3) Do you think the use of a TURN server would help resolve the issue?

Edited by ThibaultOber

Hi @ThibaultOber,

Yes, I meant the second point, that is, opening the UDP ports on the server side.

If you cannot forward the ports and there are some strict firewall policies like symmetric NAT, then of course you can use a TURN server instead of a STUN server.

You can refer to the following document for TURN server installation and configuration.

--

Best Regards,

Mohit Dubey


Hi @Mohit,

We opened the ports in the 57500:60000 range on the server.

We still encounter the issue when ports are blocked on the client side.

From the logs I gather we are missing a:

onicecandidate candidate type srflx

You can find attached the complete client webrtc logs.

 

Thank you.

 

complete-log.txt

Edited by ThibaultOber

Hi @ThibaultOber,

Can you please try these settings on the server https://stackoverflow.com/a/62127594/16496465 as you are using a custom port range.

If it still doesn't work then we can check it together.


Hi, @Mohit

Thanks for the call yesterday.

 

We added the TURN server you provided us to the pc_config, but we keep having the same error.

[screenshot]

You can find attached the complete log file.

The service is off for now, but we can turn it on if you want to run some tests.

I will provide you the JS script we run on https://testrtc.com, with the "only http & https allowed" option.

You can upload the script in their application dashboard.

[screenshot]

Thank you

script.js

Edited by ThibaultOber

14 hours ago, ThibaultOber said:

Hi, @Mohit

Do you have some news regarding our problem or any means that could help us mitigate the issue?

Thanks.

Hi @ThibaultOber,
Thank you for your time.
I think there was some issue in the meeting and you weren't able to hear us post the first tests.

As we were checking the console, it was still using STUN and not TURN.

Please include the TURN server configuration on the player page, which is play.html, and it should work with that.

Thank you
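Added example, not part of the thread or of Ant Media's code: a check of a peerconnection_config for ICE servers that remain reachable under the "Only http & https allowed" profile. It assumes that profile passes only outbound TCP 80 and 443; the TURN host name, credentials and function names are placeholders.

```javascript
// Assumption: the "Only http & https allowed" profile passes outbound TCP 80/443 only.
const ALLOWED_TCP_PORTS = new Set([80, 443]);

// The STUN-only configuration quoted in the original post.
const PC_CONFIG_STUN_ONLY = { iceServers: [{ urls: "stun:stun1.l.google.com:19302" }] };

// Constructed configuration; host name and credentials are placeholders.
const PC_CONFIG_WITH_TURN = {
  iceServers: [
    { urls: "stun:stun1.l.google.com:19302" },
    {
      urls: ["turn:turn.example.com:3478", "turns:turn.example.com:443?transport=tcp"],
      username: "PLACEHOLDER_USER",
      credential: "PLACEHOLDER_SECRET",
    },
  ],
};

// Parse a stun:/stuns:/turn:/turns: URI (RFC 7064 and RFC 7065 syntax).
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d+))?(?:\?transport=(udp|tcp))?$/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const secure = scheme === "stuns" || scheme === "turns";
  return {
    scheme, host: m[2], relay: scheme.startsWith("turn"),
    port: m[3] ? Number(m[3]) : secure ? 5349 : 3478,
    // Without ?transport=, the TLS schemes run over TCP and the plain ones over UDP.
    transport: (m[4] || (secure ? "tcp" : "udp")).toLowerCase(),
  };
}

// Return the TURN URLs still reachable when only ALLOWED_TCP_PORTS are open.
function reachableRelays(pcConfig) {
  const out = [];
  for (const server of pcConfig.iceServers || []) {
    for (const url of [].concat(server.urls)) {
      const u = parseIceUrl(url);
      const hasAuth = Boolean(server.username && server.credential);
      if (u && u.relay && hasAuth && u.transport === "tcp" && ALLOWED_TCP_PORTS.has(u.port)) out.push(url);
    }
  }
  return out;
}

console.log("STUN only:", reachableRelays(PC_CONFIG_STUN_ONLY));
console.log("with TURN:", reachableRelays(PC_CONFIG_WITH_TURN));
```

While testing, adding `iceTransportPolicy: "relay"` to the same configuration makes the browser gather only relay candidates, so a TURN entry that is not being used shows up in chrome://webrtc-internals as an empty candidate list.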


Hi, @Mohit

I think we switched to the TURN server, as you can see on this screenshot:

[screenshot]

You can find attached the complete log files on the client side.

This issue is reproducible on https://testrtc.com with the "only http & https allowed" option, as explained at the top.

It's important for us to find a solution, as most of your clients work under strict networking conditions.

We can make ourselves available for any future call.

Thank you


Hi @ThibaultOber,

OK. Thank you

Let me try to reproduce the issue in a similar environment and we can have another meeting this week to solve the issue at your end.

 

Thank you again
