[asterisk-users] NAT solutions
Julio Arruda
jarruda-asterisk at jarruda.com
Fri Jan 26 08:22:18 MST 2007
Gordon Henderson wrote:
> On Thu, 25 Jan 2007, Yuan LIU wrote:
>
>> Thanks for this information. Does this mean two IAX boxes can talk
>> behind their respective NAT's (without any server sitting in voice
>> path)? I'm imagining this:
>>
>> Asterisk1 <--> NAT1 --- { Internet } --- NAT2 <--> Asterisk2
>
> Using IAX, yes. It's quite straightforward to do. You do need to open
> the IAX port on each NAT device though - this may be called
> port-forwarding, depending on the hardware or its configuration
> interface. Essentially, you port-forward port 4569 from the outside to
> the IP address of the asterisk box on the inside on both sides.
>
> Then have a look at:
>
> http://astrecipes.net/index.php?n=204
>
> To get you going.
>
>> Is this the concept of STUN? Does this also create latency (by adding
>> an additional leg in the route), packet loss, even jitter?
>
> STUN doesn't intercept the data. It gives the client device hints as to
> how best to traverse the local NAT firewall.
>
> IAX uses a single port for both commands and data. SIP uses more than
> one and that's when it gets hard as it's easy for a NAT router to track a
> single data stream, but tracking multiple is hard. I have noticed newer
> routers offering SIP NAT traversal though (and the later Linux kernels
> claim to be able to do it) I guess, like handling FTP (which also uses
> multiple ports) they are inspecting the SIP packet contents to try to
> work out the RTP ports it's going to use and do the right thing.
>
> I did have issues with a Juniper router recently though - the owner
> claimed it has SIP traversal but it didn't work, but when we turned it
> off and used old-fashioned port forwarding it "just worked" ...
My experience with SIP ALG implemented in several routers/modems/NAT
boxes/fillintheblanks... is not exactly good :-)
I saw many cases where the messing around done by the middlebox breaks
either authentication+integrity or even the voice path.
I've not tried the SIP ALG in the iptables modules, but I'm not sure how
much better it would be :-)
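
Added example, not part of the original message: a sketch of the SDP inspection and rewriting a SIP ALG performs on a NAT box, and why that rewrite invalidates integrity protection, assuming digest authentication with qop=auth-int (RFC 2617) as the integrity mechanism. The SDP body, addresses, credentials and port mapping are constructed sample values.

```python
import hashlib
import re

# Constructed SDP body of an INVITE from a phone behind NAT (sample data).
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

def media_endpoints(sdp):
    """Return (address, port, media) per m= line: what an ALG must find to open RTP pinholes."""
    session_addr, out = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1]
            if out:                      # c= after an m= line applies to that media only
                out[-1] = (addr,) + out[-1][1:]
            else:
                session_addr = addr
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            out.append((session_addr, int(port), media))
    return out

def alg_rewrite(sdp, private_ip, public_ip, port_map):
    """Mimic an ALG: swap the private address for the public one and remap RTP ports."""
    sdp = sdp.replace(private_ip, public_ip)
    def fix(m):
        port = int(m.group(2))
        return "m=%s %d" % (m.group(1), port_map.get(port, port))
    return re.sub(r"^m=(\w+) (\d+)", fix, sdp, flags=re.M)

def md5(s): return hashlib.md5(s.encode()).hexdigest()

def auth_int_response(user, realm, password, method, uri, nonce, nc, cnonce, body):
    """RFC 2617 digest response with qop=auth-int: the hash covers the message body."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}:{md5(body)}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth-int:{ha2}")

if __name__ == "__main__":
    args = ("alice", "example.invalid", "secret", "INVITE",
            "sip:bob@example.invalid", "n0nce", "00000001", "c0nce")
    rewritten = alg_rewrite(SDP_BODY, "192.168.1.10", "203.0.113.5", {16384: 40000})
    print(media_endpoints(SDP_BODY), "->", media_endpoints(rewritten))
    print("digest still valid:", auth_int_response(*args, SDP_BODY) == auth_int_response(*args, rewritten))
```

The rewritten body is also two bytes shorter, so a middlebox that fails to update Content-Length corrupts the message even when no authentication is in use.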