RTSP over TCP (Interleaved) stalls after initial frames when traversing DNAT relay - need WCS NAT/IP advertisement and keep-alive guidance

hyuk

Member
Hi,
We’re relaying RTSP through a DNAT-only middle server. Even with RTSP over TCP (interleaved) forced on the client, playback shows a few initial frames then freezes when going through the relay. Direct connection to the WCS host plays smoothly.

1) Environment

  • WCS (Flashphoner) host: 192.168.2.104 (“104”)
  • Relay (DNAT only): 192.168.2.108 (“108”, firewalld)
  • Client: Windows + VLC (forced --rtsp-tcp)
  • Network: same subnet 192.168.2.0/24
  • RTSP port: 5554/tcp
  • RTP port range in WCS config: 30000–33000/udp (not intended to be used when forcing TCP interleaved)

Firewall note (104/WCS host): currently only 5554/tcp is open for RTSP; no UDP 30000-range is open on 104 at the moment.

2) Topology


Client (PC) → 108 (DNAT: 5554/tcp → 104:5554) → 104 (WCS RTSP server)

3) Key WCS settings (flashphoner.properties excerpt)


# Network
# advertise relay IP to clients
ip=192.168.2.108
# actual WCS bind address
ip_local=192.168.2.104

# RTSP server
rtsp_server_enabled=true
rtsp.port=5554
rtsp_server_auth_enabled=false

# Media ports
media_port_from=30000
media_port_to=33000

# Session cleanup
disconnect_after_unpublish=true

# (Global WebRTC bitrate values likely unrelated to this RTSP issue)
webrtc_cc_min_bitrate=500000
webrtc_cc_max_bitrate=3000000
webrtc_sdp_min_bitrate_bps=500000
webrtc_sdp_max_bitrate_bps=3000000

4) Relay (108) configuration summary (firewalld)


# DNAT: 108:5554/tcp → 104:5554/tcp
firewall-cmd --permanent --zone=public \
--add-forward-port=port=5554:proto=tcp:toaddr=192.168.2.104:toport=5554

# Stable return path
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --reload

# Checks
firewall-cmd --zone=public --list-forward-ports
firewall-cmd --zone=public --query-masquerade
cat /proc/sys/net/ipv4/ip_forward # 1


Notes:


  • On 108, the “open port 5554” rule was removed to avoid conflicts; we keep only forward-port + masquerade.
  • From 108, nc -zv 192.168.2.104 5554 succeeds.
  • From Windows client, Test-NetConnection 192.168.2.108 -Port 5554 succeeds.

5) Reproduction steps

  1. Force RTSP over TCP (interleaved) in VLC
    • GUI: Preferences → Input/Codecs → Live555 stream transport → “Use RTP over RTSP (TCP)”
    • or CLI:

      "C:\Program Files\VideoLAN\VLC\vlc.exe" "rtsp://192.168.2.108:5554/<stream>" --rtsp-tcp --network-caching=500
  2. Open rtsp://192.168.2.108:5554/<stream>
  3. Result: initial frames appear, then playback freezes.

Direct connection to rtsp://192.168.2.104:5554/<stream> is stable.

6) Expected behavior

With RTSP over TCP (interleaved) only, DNAT relaying via 108 should be sufficient for stable playback over 5554/tcp.

7) What we’ve tested / observed

  • DNAT + MASQUERADE + ip_forward=1 on 108 confirmed.
  • 108 uses forwarding only (no local open-port rule).
  • VLC is definitely forcing --rtsp-tcp.
  • Freeze occurs only on the DNAT path; direct path to 104 is fine.

Hypotheses:


  • The IP/port advertised in RTSP SETUP/PLAY (SDP/Transport) may still reference 192.168.2.104, confusing the client that connected to 192.168.2.108.
  • TCP keep-alive / timeout on the server side may be too aggressive for interleaved mode.

8) Questions / requests

  1. Is there a recommended way to force RTSP over TCP (interleaved) on the server side in WCS so the session never attempts anything that could break over DNAT?
  2. In NAT scenarios, what is the exact property (or set of properties) to ensure the client-facing IP (the relay 192.168.2.108) is consistently advertised in Transport/SDP?
  3. What are the recommended keep-alive / timeout values for RTSP over TCP in WCS (e.g., OPTIONS/GET_PARAMETER intervals, session timeouts)?
  4. Firewall on 104: since only 5554/tcp is open right now, should we also open the UDP 30000–33000 range on 104 even when we intend to use RTSP over TCP only? If yes, please confirm the exact ranges/directions you recommend.
 

Max

Administrator
Staff member
Good day
Is there a recommended way to force RTSP over TCP (interleaved) on the server side in WCS so the session never attempts anything that could break over DNAT?
WCS supports only interleaved RTSP over TCP playback, so it is always forced.
In NAT scenarios, what is the exact property (or set of properties) to ensure the client-facing IP (the relay 192.168.2.108) is consistently advertised in Transport/SDP?
You should set IP addresses in flashphoner.properties as follows:
Code:
ip=<external_ip_address>
ip_local=<internal_ip_address>
client_mode=false
rtc_ice_add_local_component=false
You can check which IP is used by collecting a traffic dump on the server side using tcpdump
Code:
tcpdump -npi any -B 10240 -w log.pcap
and on the client side using Wireshark. Then filter the dumps by TCP port 5554 and check the traffic for SDP and media data.
What are the recommended keep-alive / timeout values for RTSP over TCP in WCS (e.g., OPTIONS/GET_PARAMETER intervals, session timeouts)?
There is no such setting on the WCS side.
Firewall on 104: since only 5554/tcp is open right now, should we also open the UDP 30000–33000 range on 104 even when we intend to use RTSP over TCP only? If yes, please confirm the exact ranges/directions you recommend.
You should open media ports if you're publishing/playing WebRTC on the server. For example, if your case is publish WebRTC -> play as RTSP
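
Added example, not part of either post and not Flashphoner code: a Python helper for the dump check described above. It splits the server-to-client bytes of the 5554/tcp connection into RTSP text replies and `$`-prefixed interleaved frames, then lists any address in SDP `o=`/`c=` lines or `Transport` headers that differs from the relay IP. The function names are hypothetical and `SAMPLE` is constructed, not a real capture.

```python
import re

EXPECTED_IP = "192.168.2.108"  # relay address from the thread (ip=)

def split_stream(data):
    """Split server->client bytes into RTSP text messages and interleaved
    frames: '$', 1-byte channel, 2-byte big-endian length, payload."""
    messages, frames, pos = [], [], 0
    while pos < len(data):
        if data[pos:pos + 1] == b"$":
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            if pos + 4 + length > len(data):
                break  # capture ends mid-frame
            frames.append((data[pos + 1], length))
            pos += 4 + length
            continue
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # incomplete header block
        head = data[pos:end].decode("latin-1")
        m = re.search(r"^Content-Length:\s*(\d+)", head, re.I | re.M)
        size = int(m.group(1)) if m else 0
        messages.append((head, data[end + 4:end + 4 + size].decode("latin-1")))
        pos = end + 4 + size
    return messages, frames

def advertised(messages):
    """Return (field, ip) pairs from SDP o=/c= lines and Transport headers."""
    found = []
    for head, body in messages:
        for line in body.splitlines():
            if line[:2] in ("o=", "c="):
                found += [(line[:2], ip) for ip in re.findall(r"IP4 ([\d.]+)", line)]
        for t in re.findall(r"^Transport:.*$", head, re.I | re.M):
            found += [("Transport", ip) for ip in
                      re.findall(r"(?:source|destination)=([\d.]+)", t)]
    return found

def mismatches(data, expected=EXPECTED_IP):
    # Addresses the server advertised that are not the client-facing IP.
    messages, _ = split_stream(data)
    return [(field, ip) for field, ip in advertised(messages) if ip != expected]

# Constructed sample (not a real capture): DESCRIBE and SETUP replies, two frames.
SDP = ("v=0\r\no=- 0 0 IN IP4 192.168.2.104\r\ns=stream\r\n"
       "c=IN IP4 192.168.2.108\r\nm=video 0 RTP/AVP 96\r\n")
SAMPLE = (f"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n{SDP}"
          "RTSP/1.0 200 OK\r\nCSeq: 3\r\n"
          "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n\r\n"
          ).encode() + b"$\x00\x00\x04ABCD$\x01\x00\x02EF"
```

Running `split_stream` on the same direction of the connection as seen on 104 and as seen on the client also shows whether the `$` frames keep arriving past the relay or stop after the first few.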
 