Re: FW: [Asterisk-Users] Nat & Sip & Pain
Hi Ray, I was wondering if the "qualify" option is used [in sip.conf] to keep a connection (from the SIP phone inside the firewall to the Asterisk server outside the firewall) open then would the firewall not allow two way communication without incoming port mapping/NAT (providing that the SIP phone started "talking" first)? I'm not sure about that - I'm being hopeful though :) STUN would be very acceptable to me if it worked though ;) Derek razza wrote: Derek, I'm not an expert in these area's hence the offer to play, but in answer to your questions to the best of my ability - 1. I don't see any reason the outbound proxy cant be in the public domain although this is where the NAT issues start kicking in (especially if you want incoming calls), depending on the number of clients behind the firewall you would have to do lots of port mapping etc. on the router/firewall, could be done but would be painful. 2. Never played with a STUN server, sorry just another point to break in the chain? ___ Ray ___ -Original Message- From: Derek Conniffe [mailto:[EMAIL PROTECTED] Sent: 13 September 2005 17:50 To: Asterisk Users Mailing List - Non-Commercial Discussion; [EMAIL PROTECTED] Subject: Re: [Asterisk-Users] Nat & Sip & Pain Hi Ray, It would be great to find a solution which doesn't need modification of the firewall setup (like if it was a customers firewall rather than your own). There is two things I'm wondering about: - 1) Can a "Outbound SIP Proxy" be a server out on the Internet (i.e. not in the local network this side of the NAT) and does that provide a way to make the SIP via NAT work? * 2) Is STUN a workable solution. There is no problem running a STUN server but can the far side of the STUN connection (Internet) talk with Asterisk and is this a way to make the SIP via NAT work? ** * I would have thought that an "Outbound Proxy" would need to be inside on the local network (a bastion host rather like a squid server for HTTP) but then I read the FWD documentation about setting the Outbound Proxy for a budgetone to make it work with NAT and their server - the Outbound Proxy they specified was out there on the Internet. ** I've read that Asterisk doesn't currently have STUN support but I'm not sure what that means exactly: I'm not sure if that means "Asterisk doesn't have an STUN server built-in" or if it means "Asterisk is not compatible with an STUN server". Thanks, Derek razza wrote: Derek, You said - Needless to say when I don't have any NAT settings on the SIP phone I don't get any registration with the * server (this confuses me too - I'm not sure why I only get registration when I set the * server to be the outbound proxy? Maybe its because the SIP phone sends its local IP in the RTP packets?). SIP is not NAT friendly (unlike IAX) and yes your device will try to send its local IP (in SIP packets), unless in the case of a budgetone phone you set the 'Use NAT IP' to your external IP addr. You will also have to NAT the public ip for the SIP port (5060?) and RTP ports (whatever) to your phones private IP. Must admit not tried it myself, but happy to jointly experiment if you like? ___ Ray ___ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Conniffe Sent: 13 September 2005 12:44 To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [Asterisk-Users] Nat & Sip & Pain Hi everyone, I decided to have a look at SIP & NAT again and I've been at it for a [quite a] few hours but typically nothing is working for me. Actually I'm not sure if SIP and NAT can ever work but some emails on this list do suggest that someone has got it working, once, maybe. I'm experimenting with a ZyXEL 2000W [WiFi Sip phone] which supports "Outbound Proxy", "STUN" and "Fake WAN Address on SIP and RTP". I'm using Netfilter (IPTables) on Linux as the Firewall at NAT gateway to the Internet. I'm lacking knowledge in UDP, RTP and SIP - which doesn't help of course. In my experiments the only thing that seems to allow me to make a call is to enter the [public Internet] IP address of my * server into the "Outbound Proxy" setting in the SIP phone - then it registers and I can make a call but no audio, either direction, is heard. I would have thought that the "Outbound Proxy" should be inside the NAT gateway but then I read the settings for a Budgetone BEHIND nat on the FWD webpage (http://www.freeworlddialup.com/support/configuration_guide/confi
Re: [Asterisk-Users] Nat & Sip & Pain
Hi Ray, It would be great to find a solution which doesn't need modification of the firewall setup (like if it was a customers firewall rather than your own). There is two things I'm wondering about: - 1) Can a "Outbound SIP Proxy" be a server out on the Internet (i.e. not in the local network this side of the NAT) and does that provide a way to make the SIP via NAT work? * 2) Is STUN a workable solution. There is no problem running a STUN server but can the far side of the STUN connection (Internet) talk with Asterisk and is this a way to make the SIP via NAT work? ** * I would have thought that an "Outbound Proxy" would need to be inside on the local network (a bastion host rather like a squid server for HTTP) but then I read the FWD documentation about setting the Outbound Proxy for a budgetone to make it work with NAT and their server - the Outbound Proxy they specified was out there on the Internet. ** I've read that Asterisk doesn't currently have STUN support but I'm not sure what that means exactly: I'm not sure if that means "Asterisk doesn't have an STUN server built-in" or if it means "Asterisk is not compatible with an STUN server". Thanks, Derek razza wrote: Derek, You said - Needless to say when I don't have any NAT settings on the SIP phone I don't get any registration with the * server (this confuses me too - I'm not sure why I only get registration when I set the * server to be the outbound proxy? Maybe its because the SIP phone sends its local IP in the RTP packets?). SIP is not NAT friendly (unlike IAX) and yes your device will try to send its local IP (in SIP packets), unless in the case of a budgetone phone you set the 'Use NAT IP' to your external IP addr. You will also have to NAT the public ip for the SIP port (5060?) and RTP ports (whatever) to your phones private IP. Must admit not tried it myself, but happy to jointly experiment if you like? ___ Ray ___ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Conniffe Sent: 13 September 2005 12:44 To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [Asterisk-Users] Nat & Sip & Pain Hi everyone, I decided to have a look at SIP & NAT again and I've been at it for a [quite a] few hours but typically nothing is working for me. Actually I'm not sure if SIP and NAT can ever work but some emails on this list do suggest that someone has got it working, once, maybe. I'm experimenting with a ZyXEL 2000W [WiFi Sip phone] which supports "Outbound Proxy", "STUN" and "Fake WAN Address on SIP and RTP". I'm using Netfilter (IPTables) on Linux as the Firewall at NAT gateway to the Internet. I'm lacking knowledge in UDP, RTP and SIP - which doesn't help of course. In my experiments the only thing that seems to allow me to make a call is to enter the [public Internet] IP address of my * server into the "Outbound Proxy" setting in the SIP phone - then it registers and I can make a call but no audio, either direction, is heard. I would have thought that the "Outbound Proxy" should be inside the NAT gateway but then I read the settings for a Budgetone BEHIND nat on the FWD webpage (http://www.freeworlddialup.com/support/configuration_guide/configure_yo ur_fwd_certified_phone/grandstream_budgetone/outbound_proxy) where they suggest that the Outbound Proxy should be an external Internet public proxy server ? Then I was reading about STUN and what a nice sounding solution it is - so I downloaded and installed the Vivida STUN server - compilation & installation was nice and easy and I set the STUN primary IP address & port into the SIP phones STUN servers settings. I could see that the SIP phone communicated with the STUN server (lots of stuff about mapping between my local NAT gateway's public IP address and the secondary IP address of the STUN server)... but no registration or [apparent] communication with the * server. I didn't try to do anything with the "Fake WAN address.." settings or try to redirect incoming UDP ports from the firewall to the SIP phone because I'm trying to see if its possible to setup a deploy-anywhere SIP phone solution. Needless to say when I don't have any NAT settings on the SIP phone I don't get any registration with the * server (this confuses me too - I'm not sure why I only get registration when I set the * server to be the outbound proxy? Maybe its because the SIP phone sends its local IP in the RTP packets?). Does anyone know how to get NAT & SIP working where the SIP phone is behind a NAT server talking to a publicly accessible * server
RE: [Asterisk-Users] Nat & Sip & Pain
Derek, You said - Needless to say when I don't have any NAT settings on the SIP phone I don't get any registration with the * server (this confuses me too - I'm not sure why I only get registration when I set the * server to be the outbound proxy? Maybe its because the SIP phone sends its local IP in the RTP packets?). SIP is not NAT friendly (unlike IAX) and yes your device will try to send its local IP (in SIP packets), unless in the case of a budgetone phone you set the 'Use NAT IP' to your external IP addr. You will also have to NAT the public ip for the SIP port (5060?) and RTP ports (whatever) to your phones private IP. Must admit not tried it myself, but happy to jointly experiment if you like? ___ Ray ___ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Conniffe Sent: 13 September 2005 12:44 To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [Asterisk-Users] Nat & Sip & Pain Hi everyone, I decided to have a look at SIP & NAT again and I've been at it for a [quite a] few hours but typically nothing is working for me. Actually I'm not sure if SIP and NAT can ever work but some emails on this list do suggest that someone has got it working, once, maybe. I'm experimenting with a ZyXEL 2000W [WiFi Sip phone] which supports "Outbound Proxy", "STUN" and "Fake WAN Address on SIP and RTP". I'm using Netfilter (IPTables) on Linux as the Firewall at NAT gateway to the Internet. I'm lacking knowledge in UDP, RTP and SIP - which doesn't help of course. In my experiments the only thing that seems to allow me to make a call is to enter the [public Internet] IP address of my * server into the "Outbound Proxy" setting in the SIP phone - then it registers and I can make a call but no audio, either direction, is heard. I would have thought that the "Outbound Proxy" should be inside the NAT gateway but then I read the settings for a Budgetone BEHIND nat on the FWD webpage (http://www.freeworlddialup.com/support/configuration_guide/configure_yo ur_fwd_certified_phone/grandstream_budgetone/outbound_proxy) where they suggest that the Outbound Proxy should be an external Internet public proxy server ? Then I was reading about STUN and what a nice sounding solution it is - so I downloaded and installed the Vivida STUN server - compilation & installation was nice and easy and I set the STUN primary IP address & port into the SIP phones STUN servers settings. I could see that the SIP phone communicated with the STUN server (lots of stuff about mapping between my local NAT gateway's public IP address and the secondary IP address of the STUN server)... but no registration or [apparent] communication with the * server. I didn't try to do anything with the "Fake WAN address.." settings or try to redirect incoming UDP ports from the firewall to the SIP phone because I'm trying to see if its possible to setup a deploy-anywhere SIP phone solution. Needless to say when I don't have any NAT settings on the SIP phone I don't get any registration with the * server (this confuses me too - I'm not sure why I only get registration when I set the * server to be the outbound proxy? Maybe its because the SIP phone sends its local IP in the RTP packets?). Does anyone know how to get NAT & SIP working where the SIP phone is behind a NAT server talking to a publicly accessible * server? Thanks for any help! When I run FWD's "netcheck" on my local PC (also behind the NAT) I get: Internet Connection: Connected, Direct/NAT: Using NAT, NAT type: Port Restricted Nat, NAT UPnP enabled: No, Local IP Address: 192.168.5.10, WAN IP Address: XXX.XXX.XXX.XXX (public IP address), Port 5060: Blocked, port 5082: Blocked. [Maybe] useful Links that I've found on my Nat & SIP travels:- http://www.voip-info.org/wiki-Asterisk+SIP+NAT+solutions - Here VOIP INFO claim that "Asterisk as a SIP server outside nat, clients on the inside connecting to Asterisk" is "solved" with "with nat =yes and qualify =xxx in sip.conf for the client in most cases. Some clients (X-lite) assist themselves by using STUN and sending UDP keep-alive packets. Qualify sends keep-alive packets from Asterisk to the client on the inside." - however I can't get it to work http://www.asteriskguru.com/tutorials/sip_nat_oneway_or_no_audio_asteris k.html --- Here there is some detail about the NAT= option in sip.conf and firewall NAT types plus some understandable diagrams of why SIP & NAT is so much
Re: [Asterisk-Users] Nat & Sip & Pain
Mensaje citado por: Derek Conniffe <[EMAIL PROTECTED]>: Hi, > Does anyone know how to get NAT & SIP working where the SIP phone is > behind a NAT server talking to a publicly accessible * server? Have you tried sip-conntrack-nat for netfilter?. May be could help you. Get pom-ng from www.netfilter.org. Cheers. __ Registrate desde http://servicios.arnet.com.ar/registracion/registracion.asp?origenid=9 y participá de todos los beneficios del Portal Arnet. ___ --Bandwidth and Colocation sponsored by Easynews.com -- Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] Nat & Sip & Pain
Hi everyone, I decided to have a look at SIP & NAT again and I've been at it for a [quite a] few hours but typically nothing is working for me. Actually I'm not sure if SIP and NAT can ever work but some emails on this list do suggest that someone has got it working, once, maybe. I'm experimenting with a ZyXEL 2000W [WiFi Sip phone] which supports "Outbound Proxy", "STUN" and "Fake WAN Address on SIP and RTP". I'm using Netfilter (IPTables) on Linux as the Firewall at NAT gateway to the Internet. I'm lacking knowledge in UDP, RTP and SIP - which doesn't help of course. In my experiments the only thing that seems to allow me to make a call is to enter the [public Internet] IP address of my * server into the "Outbound Proxy" setting in the SIP phone - then it registers and I can make a call but no audio, either direction, is heard. I would have thought that the "Outbound Proxy" should be inside the NAT gateway but then I read the settings for a Budgetone BEHIND nat on the FWD webpage (http://www.freeworlddialup.com/support/configuration_guide/configure_your_fwd_certified_phone/grandstream_budgetone/outbound_proxy) where they suggest that the Outbound Proxy should be an external Internet public proxy server ? Then I was reading about STUN and what a nice sounding solution it is - so I downloaded and installed the Vivida STUN server - compilation & installation was nice and easy and I set the STUN primary IP address & port into the SIP phones STUN servers settings. I could see that the SIP phone communicated with the STUN server (lots of stuff about mapping between my local NAT gateway's public IP address and the secondary IP address of the STUN server)... but no registration or [apparent] communication with the * server. I didn't try to do anything with the "Fake WAN address.." settings or try to redirect incoming UDP ports from the firewall to the SIP phone because I'm trying to see if its possible to setup a deploy-anywhere SIP phone solution. Needless to say when I don't have any NAT settings on the SIP phone I don't get any registration with the * server (this confuses me too - I'm not sure why I only get registration when I set the * server to be the outbound proxy? Maybe its because the SIP phone sends its local IP in the RTP packets?). Does anyone know how to get NAT & SIP working where the SIP phone is behind a NAT server talking to a publicly accessible * server? Thanks for any help! When I run FWD's "netcheck" on my local PC (also behind the NAT) I get: Internet Connection: Connected, Direct/NAT: Using NAT, NAT type: Port Restricted Nat, NAT UPnP enabled: No, Local IP Address: 192.168.5.10, WAN IP Address: XXX.XXX.XXX.XXX (public IP address), Port 5060: Blocked, port 5082: Blocked. [Maybe] useful Links that I've found on my Nat & SIP travels:- http://www.voip-info.org/wiki-Asterisk+SIP+NAT+solutions - Here VOIP INFO claim that "Asterisk as a SIP server outside nat, clients on the inside connecting to Asterisk" is "solved" with "with nat =yes and qualify =xxx in sip.conf for the client in most cases. Some clients (X-lite) assist themselves by using STUN and sending UDP keep-alive packets. Qualify sends keep-alive packets from Asterisk to the client on the inside." - however I can't get it to work http://www.asteriskguru.com/tutorials/sip_nat_oneway_or_no_audio_asterisk.html --- Here there is some detail about the NAT= option in sip.conf and firewall NAT types plus some understandable diagrams of why SIP & NAT is so much bother. http://www.voip-info.org/wiki-STUN -- The VOIP INFO page about STUN - I don't think I learned much here - except the link to the Vovida STUN server software Asterisk Users - Email from [EMAIL PROTECTED] - 02/July/2005 23:49 Thierry claims that you need to put special MASQUERADE POSTROUTING rules into iptables to make it NAT UDP properly - tried it but didn't work for me Asterisk Users - Email from [EMAIL PROTECTED] - 16/Aug/2005 10:29 Kamran Ahmad sounds like someone who [might have] had SIP & NAT working - until it wasn't working BTW My Current SIP sip.conf entry that I'm using for testing (which doesn't work of course!): - [0035314401789] context=PublicSip type=friend port=5060 username=0035314401789 password= callerId=0035314401789 nat=route; assume a NAT connection (note: route doesn't seem to make any difference compared to "yes") qualify=yes; keep-alive packets to keep NAT SIP open insecure=yes; insecure and auth don't seem to make things work any better/worse! auth=plaintext
