[Freeswitch-users] Regarding Freeswicth Nat

Michael Jerris mike at jerris.com
Mon Jul 1 20:22:43 MSD 2013


Can someone get this on the wiki?  Seems comprehensive and useful.

On Jun 29, 2013, at 6:23 PM, Steven Ayre <steveayre at gmail.com> wrote:

> One problem with SIP ALG (apart from the varying implementations which mean some work much better than others) is that it absolutely cannot work with SIP TLS - for obvious reasons, it can't see inside or rewrite the encrypted data.
> 
> Fair enough if that's the only way you found that worked for you, and if isn't broken don't fix it. :o)
> 
> Still, I do suggest people at least try to get their SIP clients handling NAT traversal correctly first.
> 
> Unfortunately there's no one true answer to getting NAT traversal working. The reason is that different SIP clients, NAT, firewall settings and implementations mean what works somewhere might not work elsewhere. That of course makes it harder to manage clients at multiple sites, roaming clients, etc.
> 
> The first thing to try would be to disable SIP ALG (if your phone is handling NAT correctly some might then rewrite the correct packet breaking it) and enable STUN on your SIP client.
> 
> STUN is a useful mechanism where you can talk to the STUN server from your internal address (IP+port) and it will tell you what your external address (IP+port) is. You can then use a trick called UDP hole punching whereby any server online can send to that external address and the NAT mapping will deliver it to your internal address. So your SIP client can learn its external SIP and RTP addresses and fill in the correct Contact header and SDP values. (Assuming SIP ALG is either disabled or intelligent enough not to then rewrite the correct values and break it). FreeSWITCH then has valid addresses it can send SIP responses and RTP media to.
> 
> That makes some assumptions though:
> 1) Your SIP client supports STUN (not all do) 
> 2) Your NAT implementation maps your internal address to the same external port talking to any server. Some don't, mapping to a different port for each server.
> 3) Your firewall will allow packets to that external port from servers it hasn't spoken to. Personally I have to reduce the security level of my home router's firewall (O2 Broadband) from '' to 'Standard'. I suspect this is why.
> 
> This all applies to a number of protocols the same approach to traverse NAT. P2P clients, VoIP, VPNs (tinc), online gaming (eg Call of Duty) etc. If you can get CoD to tell you your NAT type is 'Open' you're probably ok. ;o)
> 
> If you can't get the correct IPs in Contact & SDP, you have a few fallback options in FreeSWITCH.
> 1) NDLB-connectile-dysfunction will change the Contact to the address the INVITE came from. Probably correct in 99% of cases.
> 2) FreeSWITCH can auto-adjust its RTP address. It tells the client where to send RTP to, and when it receives it it changes the SDP address to send audio back to there. Again probably correct in 99% of cases, but with an unfortunate but unavoidable sideaffect that the caller will hear absolutely no audio until shortly after they send RTP. That probably won't be until the call is actually answered, so they will never hear ringback and the first second of the call might get lost.
> 
> NAT devices have a limited number of ports and memory. As such old/unused mappings get removed from the table. You therefore need to make sure you keep the port mapping active. During a call you'll want to enable SIP keepalives to send a SIP request periodically to keep the port open, so that you can receive call state updates. When registering you'll periodically send REGISTER to keep your registration active, so that'll do it for you. In any case though you want to make sure they're sent frequently enough that your particular NAT router doesn't timeout the mapping. Every 30s should be fine.
> 
> If absolutely all else fails, your other option is to use a VPN to bypass the NAT entirely. I find OpenVPN over UDP works very well for that, and is very easy to set up. If you want to save load/bandwidth on the VPN server you could also use bypass_media and tinc which is a P2P VPN - sites join any public node and using UDP hole punching can try to talk directly to one another even behind NAT, but if that fails can still route packets via the public nodes.
> 
> -Steve
> 
> 
> 
> 
> On 28 June 2013 17:52, Mario M Guzman <mario_fs at mgtech.com> wrote:
> A comment about my experience with ALG. I have dual wan (1 status and 1 dynamic) for balancing and auto fall over. I had many issues getting it all working until I used SIP ALG which solved all my NAT problems. Been perfect for 2 years now. I plan to writeup the setup on the wiki to share my experience since so many people have nat issues at the beginning. Yes know most here hate ALG but for me it is a miracle worker.
> 
> As Avi said, you probably will get more help if you describe what is happening.
> Mario
> 
> 
> On Jun 28, 2013, at 7:37 AM, Avi Marcus <avi at avimarcus.net> wrote:
> 
>> There's lots of info on the wiki about NAT.
>> And lots of automatic things in FreeSWITCH to deal with NAT.
>> 
>> One common thing: Turn off SIP ALG, it probably gets in the way rather than helping.
>> 
>> If you want anything more, you'll have to ask a much more specific question...
>> 
>> -Avi
>> 
>> 
>> On Fri, Jun 28, 2013 at 2:59 AM, johnthan123 <johnthan123 at gmail.com> wrote:
>> Hi All,
>> 
>> 
>> I am really having Hard time with NAT, 
>> 
>> Can any one give me the steps witch already works for them, its Help for Many people who is having issue with NAT.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130701/787f7f64/attachment.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list