12,274
edits
VoIP NAT: Difference between revisions
m
→Tips for VoIP through NAT
(Add explanation to the NAT problem) |
|||
| (7 intermediate revisions by 2 users not shown) | |||
|
*The Technicolor broadband routers we used to supply with Home::1 provide a full SIP/NAT ALG which means they work such that neither the phone nor our call server know NAT is in use. This appears to be a well implemented ALG and just works.
*Using a FireBrick FB2700 providing NAT has no ALG and does simple dynamic port forwarding of outgoing UDP connections with a default timeout of over 2 minutes. This also just works as the call server recognises the NAT and sends one minute keep-alive packets to hold the NAT session open, as well as sending symmetric RTP response packets.
*Some phones allow the public IP address to be entered in the configuration (e.g. Grandstream products have a "Use NAT IP" option).
*A STUN server enables a phone to be told its public IP address (e.g. ''stun.aa.net.uk).
*Other cases where testing has been done have usually required one or other approach, and in some cases required "NAT assist" to be disabled on phones or routers to allow the correct operation.
*SIP and NAT requires the call server, NAT device and phone to all play nicely and can still mean problems. There are a few specific cases we have tested and found reliable, but we cannot guarantee it will work in all cases or without some specific configuration settings
==Tips and recommendations for VoIP through NAT==
If you do want to use NAT, then here are some tips if you are struggling to get calls working:
*'''Have your broadband with us.''' - we provide public IPs on all our connections.
*'''Disable UPnP''' on routers
*'''Disable SIP ALG''' on the router (or try enabling) See [[Disable SIP ALG]] - ALG can do funky things!
*Reduce the '''registration 'expiry'''' - try '''10 minutes''' (600 seconds) the default on devices us usually an hour. - helps keeps the registration active
*Set '''SIP Keepalive''' (if the phone has this option) to '''30 seconds''' - this helps keep the NAT session live on the router
*If the VoIP phone has a config setting to enter your external/public IP address, then enter the address of your router's WAN port
*
*Enter firewall rules on the router to allow UDP traffic from our VoIP servers to your VoIP phone. See [[VoIP Firewall]] - usually not needed for NAT, but needed if you have public IPs
* '''Avoid ISPs that do CGNAT''' - that is NAT within their own network. - Having multiple levels of NAT between your handset and our service can cause problems in practice. Ask your ISP to provided you with a public IP address and no CGNAT.
If you have
The local SIP port (often 5060) and the local RTP port(s) can't be the same on the 2 phones - if they are the same, you'll
get weirdness on incoming calls.
We supply various equipment. Usually it is equipment made by third parties, such as ZyXEL, Billion, etc. They will often include features such a NAT in the equipment, which you can use. NAT is not something that has a defined standard to which it works - it is a bodge, and so the quality of the NAT features in such equipment is not something we can guarantee. We supply them as is in that respect, and you are welcome to ask the manufacturers for details of what they do with NAT before you purchase (but don't expect a detailed reply). Our recommendation is, as always, not to use NAT at all. Using any sort of NAT, whatever the manufactuters claim, is likely to cause problems with some protocols, especially SIP.
We also supply FireBrick firewall/routers. These do allow basic IP and TCP/
===NAT is evil===
*Working perfectly some of the time, and not others
*Stopping working one day with no apparent reason
*Working when there is only one phone behind NAT but not when more than one. This is caused by muliple phones using the same local SIP port, and/or the same local RTP port. Each phone should use a different local SIP port, and a different local RTP port or non-overlapping local RTP port ranges.
===What is the solution===
| |||