한국어

소프트스위치

온누리070 플레이스토어 다운로드
    acrobits softphone
     온누리 070 카카오 프러스 친구추가온누리 070 카카오 프러스 친구추가친추
     카카오톡 채팅 상담 카카오톡 채팅 상담카톡
    
     라인상담
     라인으로 공유

     페북공유
    
     PAYPAL
     
     PRICE
     

pixel.gif

    before pay call 0088 from app


http://kb.smartvox.co.uk/


sbc-in-enterprise.png


Using SIP Devices behind NAT

by SMARTVOX on AUGUST 23, 2010

SIP Devices behind NAT: What solutions are available?

When an IP phone is installed behind NAT, problems can be created by the NAT device itself, by the phone’s inability to correctly understand its own networking environment or from a combination of the two. Because it is such a common problem, most IP Phones have built-in facilities designed to help them analyse their own networking environment and to help overcome the problems of NAT traversal. Probably the most useful and effective of these is the so-called STUN mechanism. STUN is explained in more detail below. Another facility that some IP phones can use is ICE. ICE usually operates in conjunction with STUN, allowing the phone to offer several possible contact addresses to a remote SIP server. When the remote SIP device wants to connect to your phone it can try each contact address one at a time until it finds one that works.

STUN and ICE alone may not be enough. As mentioned above, the problem is not just that your IP phone needs to know it is behind NAT. It may also need some help getting through the NAT device or even maintaining a connection that has already been made through the NAT device. In particular, the NAT device may be blocking all inbound IP connections to your phone and thereby preventing a two-way audio path being established. To overcome this, you may have to use port forwarding on the NAT/firewall device. Port forwarding is a little tricky to implement, especially if you have several IP phones behind the same NAT/firewall device. However, it can sometimes be the key that unlocks the problem so give it serious consideration and remember it influences the outcomes of the STUN tests described below. Resolving your NAT traversal problems may therefore require configuration changes to the NAT device and to the IP phone.

STUN – Simple Traversal of UDP through NAT

STUN – Simple Traversal of UDP through NAT
STUN is an industry standard approach for traversal of NAT and the technical details are published as RFC 3489. It requires that your IP phone has access to a STUN server somewhere on the Internet. Your VoIP service provider should be able to give you the address details of their STUN server, but don’t despair if they cannot. See the section below that explains how to make your phone use STUN.

A simple explanation of how STUN works
Before you can use STUN, your IP phone has to be told the address (or URL) of a STUN server somewhere on the Internet. Now, when your phone is switched on and before making any attempt to register, it sends a number of queries to the specified STUN server. The STUN server carries out a few simple tests to determine things like: Is the IP phone behind a NAT device? What is the external IP address of the NAT device? How tightly does the NAT device enforce rules for blocking inbound UDP connections? Does it make a difference to inbound connections if an outbound connection has already been established to that remote address? It then reports the results back to the IP phone. The IP phone is now able to use this information to modify the SIP messages it sends when it registers and, if you are lucky, everything will now work perfectly.

So how do I make my IP phone use STUN?
Let’s assume your IP phone is STUN capable. Most IP phones have a configurable parameter for the URL (or IP address) of the STUN server. Often, all you need to do is fill in a valid address in this box, perhaps tick a check box, reboot the phone and that’s it. You are perhaps wondering what address to use in this box. The answer is you should use the STUN server recommended by your VoIP Service Provider. However, here is a tip: STUN does not include an authentication dialogue so generally any phone can use any STUN server. Here are some addresses that might work with your phone: stun.xten.com, stun.sipgate.net, stunserver.org.

The address of the service provider’s STUN server can sometimes be found from a special DNS lookup. Usually, IP phones have a configurable address for the STUN server, but if you cannot see one in your phone’s configuration menus it may still be able to use STUN by automatically getting the address from a public DNS server. You would have to consult the phones manuals and specifications to check if it supports STUN in this way.

Port Forwarding

Port Forwarding
Port forwarding is where you configure your NAT/firewall device to deliberately allow some inbound connections through to specific designated servers or host devices on the LAN (or in the DMZ). You would usually do this by adding a rule that specifies the port number, or service type, on the external WAN interface and the IP address of the target server on the LAN. In some cases the rule may also specify the port number to be used when the connection is passed through to the host on the LAN – this allows Port Address Translation or PAT. Most NAT/firewall devices allow port forwarding. However, the feature may not necessarily be called “port forwarding”. Sometimes, it is just a firewall rule; sometimes it requires a firewall rule and a NAT rule. Some firewalls allow the inbound port on the external interface to be mapped to a different port on the target host device on the LAN – so-called PAT. Others will only allow the same port number to be used for both – on Draytek routers this option is called “Open Ports”. You therefore need to be reasonably proficient with your firewall’s configuration options before attempting to set up port forwarding.

When working with SIP devices behind NAT, the ports that you may need to set forwarding for are:
1. The main SIP connection port – usually this is port 5060. The protocol is nearly always UDP
2. The RTP media port or ports – often a range of higher port numbers. UDP protocol.

You will need to find out which ports your IP phone uses for RTP media. The actual port number(s) are usually configurable. You should set the range of port numbers to as few as necessary. For a single line IP phone you may only need a range of 4 ports. You should enable port forwarding for all the RTP ports plus one more in addition because RTP connections normally use the port one numerically above for information feedback (RTCP). Allow 4 ports for each simultaneous call on a device – separate connections may be used for transmit and receive; also each connection may use one port for RTP and another for RTCP.

If possible, try not to use any port address translation. Unfortunately, if you have more than one IP phone behind the same NAT device then you may find that port address translation is almost unavoidable. One alternative would be if you have several static IP addresses configured on the external WAN port of the NAT device, in which case you could use one-to-one NAT for each phone. Another possibility is to reset the default SIP port 5060 on each phone to a different number – i.e. no two IP phones should use the same SIP port. Furthermore, you must ensure that no two IP phones use the same RTP ports. You may then be able to configure your firewall/NAT device to do port forwarding for each phone while retaining the same port numbers on the external WAN port of the firewall as those on each phone. I’ve never tried this so cannot guarantee it will work.

One-to-one NAT: One-to-one NAT can be a very useful solution for VoIP NAT traversal. The reason it helps is because it does not require any port address translation. If your IP phone specifies in the SIP INVITE that it will be listening for RTP on Port 10005 then it is easy to set up the NAT device to forward Port 10005 to the IP phone. Typically, most User Agents (IP phones) can be configured to use a preset range of port numbers for the RTP Media session. The same applies to SIP servers behind NAT – e.g. Asterisk – where you can specify the range of port numbers to be used for media sessions. Once you have defined that range of port numbers, you simply have to set the firewall/NAT device to forward that range of ports to the IP phone or server. This should work provided the external IP address is also substituted either by the UA that is behind the NAT device or by the host server operating a far-end NAT traversal strategy.

What other mechanisms allow IP Phones to work behind NAT?

Keep-alive packets: Many SIP phones make use of “keep-alive” packets to maintain the connection that is first established during registration of the phone. Registration involves an outbound connection through the NAT device and so it generally works without any problems (because NAT firewalls generally allow outbound connections and only block inbound ones). Look on your IP phone’s configuration menus to see if there is a “keep alive” option. If there is, try setting it to an interval of about 1 minute. This is usually enough to fool the NAT device into keeping the connection open and this allows the host server to send SIP requests directly to the registered phone. However, it does not solve the problem of media sessions being unable to come in through NAT so you may find your IP phone rings, but there is no audio or there is 1-way audio when you answer the call.

Tip: Do not confuse the “keep-alive” interval with the “Re-registration” interval. The latter is the time the phone will wait before it sends another registration request to the Registrar server. You should set this to a much longer time interval – for example 30 or even 60 minutes – to avoid flooding the service provider’s servers with unnecessary registration attempts. The host server will ignore surplus registration requests but it puts an unnecessary burden on their equipment.

Far-end NAT Traversal: It is possible for a well designed SIP Proxy and Registrar server to recognise that a remote IP phone trying to connect or make calls is actually behind NAT and to compensate for it automatically. This is called “far end NAT traversal” and it is generally supported by most, but not all, of the big VoIP Service Providers. It involves manipulation of the SIP headers when they arrive at the server and also requires something called a Media Proxy. If your provider operates far-end NAT traversal on its servers then it is possible that you will have to disable STUN on your phone to allow the host server to work properly. If the host server is really well designed then it will cope with most phones behind NAT irrespective of whether they are using STUN or not.

Setting up your own VoIP service Proxy and Registrar servers with far-end NAT traversal
Smartvox Limited has a wealth of experience setting up the open source SIP telephony server SER (or OpenSER). SER stands for SIP Express Router and it runs on Linux. It must be connected directly to the Internet on a static IP address (it must not be behind a NAT device itself) so that it can be configured to provide far-end NAT traversal.

Yet more solutions to NAT

Manual setting of external IP address: Some VoIP devices – User Agents and SIP Servers including Asterisk -have configurable parameters that include an option to specify the IP address of the external interface on your NAT device. So, for example, if your Asterisk PBX is behind NAT and you are having trouble making SIP calls to external peers, it is likely that you can help to solve the problem by specifying the external IP address in your SIP.CONF file – the parameter is calledexternip. Port forwarding may also be necessary.

VPN: Some users find it convenient to use a VPN connection to overcome the problems of NAT traversal. This makes sense for a home worker who needs the VPN connection for other reasons and wants to use an IP phone that registers with the office PBX. However, operating SIP across VPN can also create problems because the VPN mechanism encrypts all the packets at one end and decrypts them at the other end. This process is quite demanding of your computer’s resources or perhaps of the CPU resources in the firewall that is terminating the VPN at the office. When your IP phone streams audio media (speech) back and forth between home and office it is having to encrypt and decrypt a lot of data. This can cause delays and CPU bottlenecks which in turn cause a degradation of the speech quality so some care is needed. Of course, it does bring the benefit of greater security for your voice calls.

SIP aware firewalls: Some firewalls are designed to be SIP aware. This means they can be configured to inspect packets as they pass through and actually substitute the IP addresses or port numbers embedded in the SIP messages to match the IP address and port number it is opening on the external WAN interface of the firewall. A great idea, if it works! Regrettably, my experience of such devices has not been good and I usually disable the feature and manually open the required ports.

UPnP: If the firewall and the SIP device behind the firewall are both able to use UPnP then it may be the right solution – they can talk to each other and hopefully agree which ports need to be opened to allow SIP through. Again, this is a great idea if it works, but don’t assume that UPnP is the solution to all NAT traversal problems. Worth a try if available on the equipment you are using.

List of Articles
번호 제목 글쓴이 날짜 조회 수
160 Busy Lamp Field (BLF) feature on Opensips 2.4.0 with Zoiper configuration admin 2018-05-29 151
159 Documentation -> Tutorials -> WebSocket Transport using OpenSIPS admin 2018-05-17 175
158 List of SIP response codes admin 2017-12-20 1464
157 opensips/modules/event_routing/ Push Notification Call pickup admin 2017-12-20 1163
156 opensips push notification How to detail file admin 2017-12-20 1122
155 OpenSIPS routing logic admin 2017-12-12 1183
154 OpenSIPS example configuration admin 2017-12-12 1144
153 opensips log output admin 2017-12-11 1140
152 opensips complete configuration example admin 2017-12-10 1194
151 Opensips1.6 ebook detail configuration and SIP signal and NAT etc file admin 2017-12-10 1279
150 dictionary.opensips radius admin 2017-12-09 1669
149 what is record_route() in opensips ? admin 2017-12-09 1648
148 what is loose_route() in opensips ? file admin 2017-12-09 1671
147 in opensips what is lookup(domain [, flags [, aor]]) admin 2017-12-09 1658
146 in opensips db_does_uri_exist() what is admin 2017-12-09 1581
145 in opensips what is has_totag() admin 2017-12-09 1654
144 opensips exec module admin 2017-12-08 1684
143 opensips push notification How to admin 2017-12-07 1632
142 OpenSIPS Module Interface admin 2017-12-07 1681
141 opensips configuration config explain easy basic 오픈쉽스 컨피그레이션 기본 설명 file admin 2017-12-07 1720
140 openssl 을 이용한 인증서 생성 절차를 정리한다. 개인키 CSR SSL 인증서 파일 생성 admin 2017-09-14 2663
139 Documentation -> Tutorials -> TLS opensips.cfg admin 2017-09-14 2671
138 Using TLS in OpenSIPS v2.2.x admin 2017-09-14 2611
137 opensips tls cfg admin 2017-09-14 2772
136 How to setup a Jabber / XMPP server on Debian 8 (jessie) using ejabberd admin 2017-09-13 3029
135 SIP to XMPP Gateway + SIP Presence Server opensips admin 2017-09-13 2630
134 OpenSIPS command line tricks admin 2017-09-13 2625
133 Fail2Ban Freeswitch How to secure admin 2017-09-12 2783
132 opensips.cfg. sample admin 2017-09-12 2612
131 Advanced SIP scenarios with Event-based-Routing admin 2017-09-11 2742
130 PUSH SERVER 푸시서버 안드로이드 애플 admin 2017-09-11 2863
129 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅(리눅스 기준) admin 2017-09-09 4414
128 rtpengine config basic and opensips configuration and command admin 2017-09-06 2795
127 WebSocket Transport using OpenSIPS configuration 웹 소켓 컨피그레이션 기본 admin 2017-09-06 2685
126 OpenSIPS basic configuration script 기본 컨피그 admin 2017-09-05 2732
125 rtpengine install and config admin 2017-09-05 2759
124 Installing RTPEngine on Ubuntu 14.04 admin 2017-09-05 2851
123 compile only the textops module make modules=modules/textops modules admin 2017-09-05 2770
122 opensips command /sbin/opensipsctl detail admin 2017-09-04 2796
121 2017 08 31 opensips 2.32 install debian8.8 module install compile err modules admin 2017-09-04 2812
120 Build-Depends debian 8.8 opensips 2.3 admin 2017-09-04 2730
119 What is new in 2.3.0 opensips admin 2017-09-04 3057
118 ubuntu 安装配置opensips,rtpproxy,mediaproxy admin 2017-09-04 3061
117 How to install Mediaproxy 2.5.2 on CentOS 6 64 bit admin 2017-09-04 3085
116 Using TLS in OpenSIPS v2.2.x configuration admin 2017-09-04 2875
115 How to 2.3 download , OpenSIPS new apt repository. DEBs for Debian / Ubuntu admin 2017-09-02 2844
114 You can install CDRTool in the following ways: admin 2017-09-01 3006
113 How to Install OpenSIPS 2.1.2 Server on Ubuntu 15.04 admin 2017-09-01 2960
112 Opensips 2.32 download admin 2017-09-01 2823
111 OpenSIPS 2.3 install admin 2017-09-01 3023
110 JsSIP: The JavaScript SIP Library admin 2017-09-01 2950
109 WebSocket Transport using OpenSIPS admin 2017-09-01 3036
108 A2Billing and OpenSIPS – Part 1 admin 2017-08-29 2883
107 A2Billing and OpenSIPS – Part 2 admin 2017-08-29 2841
106 A2Billing and OpenSIPS – Part 3 admin 2017-08-29 2968
105 OpenSIPS 2.3 philosophy admin 2017-08-17 3311
104 The timeline for OpenSIPS 2.3 is admin 2017-08-17 3507
103 OpenSIPS Control Panel and Homer integration admin 2017-08-17 3114
102 Opensips sip capture re designed admin 2017-07-16 3169
101 WebRTC with OpenSIPS WebSocket is a protocol provides full-duplex admin 2015-04-04 7955
100 WebSocket Support in OpenSIPS 2.1 admin 2015-04-04 8453
99 OpenSIPS 2.1 (rc) is available, download now! admin 2015-03-22 7937
98 Service Provision Using Asterisk & OpenSIPS - AstriCon 2014 admin 2015-02-25 9510
97 SIP Signaling-Messages OpenSIPS Running On Multicore Server file admin 2014-11-02 17211
96 opensips.cfg for Asterisk admin 2014-10-20 19402
95 A2Billing and OpenSIPS config admin 2014-10-20 18724
94 Jitsi Videobridge meets WebRTC admin 2014-10-18 18921
93 A Survey of Open Source Products for Building a SIP Communication Platform admin 2014-10-18 18397
92 Script Function , Module Index v1.11 함수 모듈 opensips admin 2014-10-14 18592
91 Opensips TM module enables stateful processing of SIP transactions admin 2014-10-04 16293
90 kamailio.cfg configuration Example admin 2014-10-04 18463
89 opensips NAT Traversal Module admin 2014-10-02 17814
88 UAC Registrant Module admin 2014-09-28 19495
87 MediaProxy 2.3.x & OpenSIPS 1.5.x Integration admin 2014-08-24 18492
86 RTPPROXY Admin Guide admin 2014-08-24 18906
85 CANCEL MESSAGE not handled correctly admin 2014-08-23 18727
84 [Sipdroid] SIP data collection study tour admin 2014-08-23 19323
83 [OpenSIPS-Users] Opensips 1.10 NAT radius aaa admin 2014-08-23 19301
82 OpenSIPS Consultancy Pricing module install Server 판매 또는 설치및 컨설팅 가이드 admin 2014-08-23 19190
81 ICE: The ultimate way of beating NAT in SIP admin 2014-08-23 18867
80 Many OPENSIPS Configuration Examples This will Help you admin 2014-08-23 18537
79 Real-time Charging System for Telecom & ISP environments admin 2014-08-23 19154
78 OPENSIPS EBOOK admin 2014-08-21 19278
77 Opensips Documentation Function admin 2014-08-21 19303
76 Presence Tutorial OpenXCAP setup admin 2014-08-18 18441
75 Opensips Modules Documentation admin 2014-08-18 19304
74 A lightweight RPC library based on XML and HTTP admin 2014-08-18 18749
73 opensips Nat script with RTPPROXY - English Good perfect admin 2014-08-15 16895
72 OpenSIPS Control Panel (OCP) Installation Guide Good admin 2014-08-13 16816
71 Installation and configuration process record opensips opensips-cp admin 2014-08-13 38534
70 OpenSIPS as Homer Capture server admin 2014-08-13 16565
69 OpenSIPS , default script , Types of Routs , Routing in SIP, Video lecture admin 2014-08-13 18583
68 Configuracion de Kamailio 3.3 con NAT Traversal y XCAP. admin 2014-08-12 19039
67 Under RHEL6.5 install OpenSIPS 1.11.1 tls admin 2014-08-12 18002
66 OpenSIPS/OpenSER-a versatile SIP Server cfg admin 2014-08-11 19288
65 Kamailio Nat Traversal using RTPProxy admin 2014-08-11 18844
64 MediaProxy wiki page install configuration admin 2014-08-11 18865
63 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅 admin 2014-08-11 29155
62 MediaProxy Installation Guide admin 2014-08-10 18471
61 RTPProxy 1.2.x Installation & Integration with OpenSIPS 1.5x admin 2014-08-10 19624
60 Opensips Installation, How to. Good guide wiki page admin 2014-08-10 16508
59 OpenSIPS Installation Notes admin 2014-08-09 15798
58 Installation and configuration process record opensips 1.9.1 admin 2014-08-09 19586
57 opensips 1.11.2 install Good Giide admin 2014-08-09 19038
56 fusionPBX install debian wheezy admin 2014-08-09 18691
55 opensips 1.11.2 install guide good 인스톨 가이드 admin 2014-08-09 18417
54 SigIMS IMS Platform admin 2014-05-24 19441
53 2013 2012년 분야별 최고의 오픈소스 소프트웨어 124선 admin 2014-04-05 21720
52 Video conference server OpenMCU-ru - Introduction admin 2014-04-01 21710
51 SIPSorcery admin 2014-03-18 19746
50 Ekiga (formely known as GnomeMeeting) is an open source SoftPhone admin 2014-03-12 20112
49 telepresence: Open Source SIP Telepresence/MCU admin 2014-03-12 25057
48 SIP PBX - OpenSIPS and Asterisk configuration admin 2014-03-12 20030
47 Conference Support in Kamailio (OpenSER) admin 2014-03-12 21436
46 OpenSIPS configuration for 2 or more FreeSWITCH installs admin 2014-03-12 17822
45 The Impact of TLS on SIP Server Performance file admin 2014-03-12 19908
44 book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki admin 2014-03-12 18955
43 Where to check OpenSIPS does not start? admin 2014-03-09 19297
42 opensips-1.10.0_src.tar.gz experimental source code documentation admin 2014-03-09 20216
41 Kamailo OpenSIPs installation on Debian admin 2014-03-09 19701
40 Using the openSIPS Registrant Module admin 2014-03-09 20415
39 RTPproxy Frequentry Asked Questions (FAQ) ¶ admin 2014-03-07 18593
38 Building Telephony Systems with OpenSIPS 1.6 RTPProxy + OpenSIPS 1.7 admin 2014-03-07 19777
37 Installing RTPproxy Start RTPproxy in Bridged mode very good admin 2014-03-07 25661
36 OpenSIPS Control Panel (OCP) Installation Guide admin 2014-03-06 18154
35 OpenSIPS Control Panel install guide admin 2014-03-06 19149
34 rtpproxy Module admin 2014-03-06 19780
33 MediaProxy Installation Guide admin 2014-03-06 21770
32 How to install OpenSIPS on CentOS debian module add xcap admin 2014-03-06 20401
31 Problem with presence_xml module Opensips 1.9 admin 2014-03-06 19877
30 Building Telephony Systems with OpenSIPS 1.6 books file admin 2014-03-06 20796
29 Multimedia Service Platform admin 2014-03-06 19211
28 How to install OpenSIPS on CentOS Debian etc admin 2014-03-05 20167
27 Opensips Installation, How to. admin 2014-03-05 16610
26 100% CPU usage opensips admin 2014-03-05 19508
25 A2Billing and OpenSIPS admin 2014-03-04 20427
24 Opensips_1.9 install guide this is great I like this admin 2014-03-04 25247
23 Opensips install debian admin 2014-03-03 20477
22 Open Source VOIP applications, both clients and servers. admin 2013-11-20 20901
21 OfficeSIP Server is freeware VoIP, SIP server for Windows admin 2013-09-11 21916
20 My new toy: Bluebox-ng admin 2013-04-06 35339
19 Flooding Asterisk, Freeswitch and Kamailio with Metasploit admin 2013-04-06 31958
18 Asterisk Installation Asterisk Realtime configuration admin 2013-04-06 24431
17 The SIP Router Project admin 2013-04-06 23479
16 Kamailio :: A Quick Introduction admin 2013-04-06 20714
15 Welcome to the Smartvox Knowledgebase admin 2013-04-06 21277
14 Kamailio 3.3.x and Asterisk 10.7.0 Realtime Integration using Asterisk Database admin 2013-04-06 25302
13 OpenSIPS vs Asterisk admin 2013-04-06 46179
12 OpenSER_from_an_asterisk_POV file admin 2013-04-06 21218
» Using SIP Devices behind NAT OPensip Asterisk IPPhone SIP Telephony file admin 2013-03-31 46338