[asterisk-users] NAT traversal for mobile app softphones - best strategy?

Kevin Long kevin.long at haloprivacy.com
Thu Feb 4 18:44:15 CST 2016


Greetings,


My asterisk systems sit behind a Meraki mx80 firewall at a data center.  I use static public IPs on the firewall and port forward  5060,5061, and 10,000-20,000 so the clients can connect. Per Meraki support: "Our MX security appliances do not support SIP ALG.  Our NAT is a stateful NAT, so only return traffic will be able to traverse the NAT, unless a port forwarding rule is in place.” Im not sure if this would have any negative impact or if my traversal issues are only client side.  My port forwarding should be good I think.

Especially since testing with asterisk 13.7 and PJSIP (compared with freepbx chan_sip asterisk 11)  I am having more problems with 1-way and no-way audio .

Most of my endpoints are iPhones using the “Bria” soft phone app from Counterpath. This means that their IP address may change often, and whatever kind of NAT they are behind is beyond my control. 

Given this scenario, I’m hoping for advice on the best strategy for configuration of my Asterisk server, and soft phones with ICE/TURN/STUN?  To help with NAT traversal. The Bria app allows multiple options to be turned on for traversal strategy:


For SIP:
RPORT WiFi
RPOR TMobile
Outbound Wifi
Outbound Mobil
STUN WiFi
STUN Mobile

-
STUN/TURN  (server/username/password fields)
-
Media NAT Traversal
STUN WiFi
Stun Mobile
Use ICE Wifi
Use ICE Mobile
Use TURN WiFi
Use TURN Mobile



—


To use ICE on Asterisk, do I need to also set up a separate TURN server, and is one in particular recommended? I’ve looked into "turnserver" and "resiprocate-turn-server" (reTurn) briefly. I’m unclear as to whether I need to run this server on a true public IP or if the server can also run behind a firewall with port forward from the WAN public IP.  I’m also unclear as to whether I truly need 2 separate public IPs for the turn server to work, which I have seen mentioned in some of the documents.


Thank you for your time.

Regards,

Kevin Long



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3587 bytes
Desc: not available
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20160205/06c5706c/attachment.bin>


More information about the asterisk-users mailing list