One problem with SIP ALG (apart from the varying implementations which mean some work much better than others) is that it absolutely cannot work with SIP TLS - for obvious reasons, it can't see inside or rewrite the encrypted data.<div>
<br></div><div>Fair enough if that's the only way you found that worked for you, and if isn't broken don't fix it. :o)</div><div><br></div><div>Still, I do suggest people at least try to get their SIP clients handling NAT traversal correctly first.</div>
<div><br></div><div>Unfortunately there's no one true answer to getting NAT traversal working. The reason is that different SIP clients, NAT, firewall settings and implementations mean what works somewhere might not work elsewhere. That of course makes it harder to manage clients at multiple sites, roaming clients, etc.</div>
<div><br></div><div>The first thing to try would be to disable SIP ALG (if your phone is handling NAT correctly some might then rewrite the correct packet breaking it) and enable STUN on your SIP client.</div><div><br></div>
<div>STUN is a useful mechanism where you can talk to the STUN server from your internal address (IP+port) and it will tell you what your external address (IP+port) is. You can then use a trick called UDP hole punching whereby any server online can send to that external address and the NAT mapping will deliver it to your internal address. So your SIP client can learn its external SIP and RTP addresses and fill in the correct Contact header and SDP values. (Assuming SIP ALG is either disabled or intelligent enough not to then rewrite the correct values and break it). FreeSWITCH then has valid addresses it can send SIP responses and RTP media to.</div>
<div><br></div><div>That makes some assumptions though:</div><div>1) Your SIP client supports STUN (not all do) </div><div>2) Your NAT implementation maps your internal address to the same external port talking to any server. Some don't, mapping to a different port for each server.</div>
<div>3) Your firewall will allow packets to that external port from servers it hasn't spoken to. Personally I have to reduce the security level of my home router's firewall (O2 Broadband) from '' to 'Standard'. I suspect this is why.</div>
<div><br></div><div>This all applies to a number of protocols the same approach to traverse NAT. P2P clients, VoIP, VPNs (tinc), online gaming (eg Call of Duty) etc. If you can get CoD to tell you your NAT type is 'Open' you're probably ok. ;o)</div>
<div><br></div><div>If you can't get the correct IPs in Contact & SDP, you have a few fallback options in FreeSWITCH.</div><div>1) NDLB-connectile-dysfunction will change the Contact to the address the INVITE came from. Probably correct in 99% of cases.</div>
<div>2) FreeSWITCH can auto-adjust its RTP address. It tells the client where to send RTP to, and when it receives it it changes the SDP address to send audio back to there. Again probably correct in 99% of cases, but with an unfortunate but unavoidable sideaffect that the caller will hear absolutely no audio until shortly after they send RTP. That probably won't be until the call is actually answered, so they will never hear ringback and the first second of the call might get lost.</div>
<div><br></div><div>NAT devices have a limited number of ports and memory. As such old/unused mappings get removed from the table. You therefore need to make sure you keep the port mapping active. During a call you'll want to enable SIP keepalives to send a SIP request periodically to keep the port open, so that you can receive call state updates. When registering you'll periodically send REGISTER to keep your registration active, so that'll do it for you. In any case though you want to make sure they're sent frequently enough that your particular NAT router doesn't timeout the mapping. Every 30s should be fine.</div>
<div><br></div><div>If absolutely all else fails, your other option is to use a VPN to bypass the NAT entirely. I find OpenVPN over UDP works very well for that, and is very easy to set up. If you want to save load/bandwidth on the VPN server you could also use bypass_media and tinc which is a P2P VPN - sites join any public node and using UDP hole punching can try to talk directly to one another even behind NAT, but if that fails can still route packets via the public nodes.</div>
<div><br></div><div><div>-Steve</div>
<div><br></div><div><br></div><div><br><br><div class="gmail_quote">On 28 June 2013 17:52, Mario M Guzman <span dir="ltr"><<a href="mailto:mario_fs@mgtech.com" target="_blank">mario_fs@mgtech.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">A comment about my experience with ALG. I have dual wan (1 status and 1 dynamic) for balancing and auto fall over. I had many issues getting it all working until I used SIP ALG which solved all my NAT problems. Been perfect for 2 years now. I plan to writeup the setup on the wiki to share my experience since so many people have nat issues at the beginning. Yes know most here hate ALG but for me it is a miracle worker.<div>
<br></div><div>As Avi said, you probably will get more help if you describe what is happening.<span><font color="#888888"><br></font></span><div><span><font color="#888888">Mario</font></span><div>
<div><br><div><br><div><div>On Jun 28, 2013, at 7:37 AM, Avi Marcus <<a href="mailto:avi@avimarcus.net" target="_blank">avi@avimarcus.net</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">There's lots of info on the wiki about NAT.<div>
And lots of automatic things in FreeSWITCH to deal with NAT.</div><div><br></div><div>One common thing: Turn off SIP ALG, it probably gets in the way rather than helping.</div>
<div><br></div><div>If you want anything more, you'll have to ask a much more specific question...</div><div><br clear="all"><div><div dir="ltr"><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:small">-Avi</span></div>
</div><div dir="ltr"><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:small"><br></span></div><br><div class="gmail_quote">On Fri, Jun 28, 2013 at 2:59 AM, johnthan123 <span dir="ltr"><<a href="mailto:johnthan123@gmail.com" target="_blank">johnthan123@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi All,<br><br><br>I am really having Hard time with NAT, <br></div><br></div>Can any one give me the steps witch already works for them, its Help for Many people who is having issue with NAT.<br>
<br><br></div>Thanks in Advance.<br><br><br> <br></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com/" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com/" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org/" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div></div>
_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br><br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br><br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div></div></div></div></div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div></div>