Behind firewall with two internet providers, one "blocks" Jami - create rules to work around

I am behind a firewall which load balances between two different ISPs (internet service providers). This works well overall, and has consistently done so for years.

However, for Jami it would seem there is a problem. It turns out one ISP seems to “block” Jami.

Under the section "What ports does Jami use?", the documentation states the following:

  • dht: UDP [4000, 8888]
  • audio: UDP [16384-32766]
  • video: UDP [49152-65534]
  • SIP Control: UDP/TCP randomly bound

Reference: Ports Jami uses

Based on this information, I created a series of outgoing firewall rules which I thought, based on the above, should have resolved the issue by sending all calls to these ports to the “good” ISP.

Here are the rules, which appear at the top of the rules list, therefore they are always processed:

Have I missed something?

All thoughts and ideas will be most gratefully received.

In the meantime, the only sure method of ensuring Jami works consistently on my system is to route everything on the network to the “good” ISP.

Thanks for your help.


I don’t have any experience with load balancing, but could it be that you initiate one transaction through one of the ISPs, then the balancer tries to continue it via the other one, resulting maybe in a different ‘return address’ of sorts which prevents a proper handshake?

Hi Herve5

Thank you so much for your kind input. Much obliged.

You are quite correct in your hypothesis, but it is one I’ve tested. When all traffic is sent to the “bad” ISP, connectivity in Jami fails. When all traffic is sent to the “good” ISP, connectivity in Jami is restored.

Hence my issue, and my search to find out what ports, etc. Jami uses. Having found the documentation regarding this, it feels a bit like Jami is doing something else which I cannot tie down which means even though I have rules in place, something is evading them.

This isn’t a software failure as such, so I’m hesitant to place it on git.jami.net. I’m wondering if the documentation is missing a small something somewhere…

I’m hopeful someone at Savoir-faire Linux might be able to shed some light.

Interestingly, the “bad” ISP also blocks the www.jami.net site. I either have to use Tor or the “good” ISP to view. I really don’t know what the folks at the “bad” ISP think they’re doing. And getting answers from them is like getting blood from a stone.

Thanks again for your input.


I think I have it. It was making my response to Herve5 which got me thinking further. Because I have OpenDHT proxy and TURN enabled, Jami is making calls to

So I set the firewall to send all calls to those addresses via the “good” ISP, and everything else to the “bad” ISP.

Now Jami connects and seems to perform OK. It seems that the “bad” ISP is blocking one or more of the above addresses.

Hopefully my system will now allow Jami to perform seamlessly. I shall continue to monitor the position, but will, for now, mark this as solved.

Maybe this information will prove useful to someone else in future, too.

Thank you Herve5 for being the focus for my further thinking of the matter through. This is often the sort of thing which one needs!

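The two approaches in this thread (steering the documented Jami port ranges from the first post, and steering traffic to the OpenDHT proxy and TURN hosts from the solution post) can be expressed together as one policy-routing rule set. The following is an added example, not configuration from the original posts or from the Jami project, and it assumes a Linux router running nftables and iproute2 rather than whatever firewall the poster uses. The two addresses in the `jami_servers` set are placeholders, because the post does not show the real proxy/TURN addresses; the DHT entry "UDP [4000, 8888]" is read here as a port range, in line with the other two entries.

```nft
# Added example (not from the post or the Jami project): nftables marks for
# steering Jami traffic out of the "good" ISP on a Linux router with two WANs.
# Assumptions: LAN clients are forwarded through this box; the addresses in
# jami_servers are placeholders for the proxy/TURN hosts the post elides.
table inet jami_steer {
    # Placeholder addresses: replace with the OpenDHT proxy and TURN hosts
    # configured in the Jami client.
    set jami_servers {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # Re-apply the mark to later packets of an already classified flow,
        # so a whole connection stays on one uplink (avoids the split-path
        # handshake problem raised in the thread).
        ct mark != 0 meta mark set ct mark accept

        # Port ranges quoted from the Jami documentation in the first post.
        # Note: "SIP control" is randomly bound and cannot be matched by port.
        udp dport { 4000-8888, 16384-32766, 49152-65534 } meta mark set 0x10

        # The proxy/TURN traffic that the port rules never matched: steer
        # anything to those hosts regardless of protocol or port.
        ip daddr @jami_servers meta mark set 0x10

        # Remember the decision in conntrack for the rest of the flow.
        meta mark 0x10 ct mark set meta mark
    }
}
```

To act on the mark, add a routing table whose default route is the good ISP and a rule selecting it by fwmark, for example `ip rule add fwmark 0x10 lookup 110` and `ip route add default via <good-ISP-gateway> dev <good-WAN-interface> table 110` (gateway and interface are placeholders). Everything unmarked keeps following the existing load balancer. The address-based set is the part that matters for the problem described here: the randomly bound SIP control traffic and the proxy/TURN connections on ordinary ports are invisible to port-based rules, which is why the first rule set alone did not work.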