SIP NAT-Helper

Discussion in 'Tomato Firmware' started by jochen, Aug 22, 2008.

  1. jochen

    jochen Network Guru Member

  2. humba

    humba Network Guru Member

    Isn't that already included? I never needed an RTP proxy or opening any ports on my Linksys WRT54G routers... and not only with Tomato but even the stock firmware. All I had to do was enable NAT keepalive to leave the signaling port open.
  3. jochen

    jochen Network Guru Member

    No, the SIP helper module is not installed on Tomato.

    Whether STUN works depends on many things.
    Linux netfilter masquerading is of type "port restricted cone NAT". On every outgoing request netfilter creates a mapping of port number and IP. It tries to use the same port on the WAN side, but if a mapping already exists it uses a new port.
    When the phone asks STUN, a mapping is created. This mapping lives 180 seconds (the default in Tomato for UDP). If a phone call is made within these 180 seconds, then netfilter must map the local port to some other port, because it is already used in the STUN mapping. The phone does not know about this mapping; in its SDP message it uses the port from the STUN answer. So the phone on the other side sends its RTP stream to the wrong port, a port which is not opened on the firewall.

    If you seldom make STUN queries, the risk of making a phone call in these 180 seconds where the STUN mapping is alive is minimal. But if you have a T-DSL connection in Germany, you are forced to make STUN queries in short intervals, because German Telekom terminates ATM connections with no data traffic after some small time interval (about 15 minutes). When this happens the router reestablishes the PPPoE connection and you get a new IP. Your phone is then unreachable until it reregisters at the SIP registrar, and you cannot make outgoing calls until it does a new STUN query to determine the new IP.
  4. humba

    humba Network Guru Member

    Well.. let me put it this way.. for 2 years now I have been using just WRT54GL routers with either stock firmware or Tomato and I'm not using STUN anywhere and yet all my calls succeed and so do incoming ones. The only thing I have activated is the NAT traversal option.. that keeps sending NOTIFY packets in short intervals to keep the signaling path open.. but there's no help whatsoever for RTP and as far as I have understood, the patch you're referring to helps only with the audio.
    So, if you turn on NAT keepalive on your end, I think you would be okay... sending the NOTIFYs (or is it OPTIONS? I'm not sure anymore) would keep your PPPoE connection open and spare you from having to set up a port forward on the router as well.

    As far as STUN goes, my current PBX uses it and even though I make test calls after a reboot I haven't noted any problem but I shall run another experiment through the night.
  5. jochen

    jochen Network Guru Member

    When your phone sends SIP messages in short intervals, it only keeps the SIP connection open. This is not necessary, because SIP operates on well-known ports and you can make a static port forwarding. Forwardings are a better alternative than relying on packets keeping the NAT open.
    The problem with VoIP is the RTP connection, and the SIP NAT helper module can solve this. It analyses the SDP messages and opens the NAT for RTP.
  6. humba

    humba Network Guru Member

    Well.. I disagree.. should my PBX fail or should I not want VoIP to work my approach ensures that no ports are permanently open.. I always prefer not to punch any unneeded holes through my firewall.

    And as I said.. I have no RTP problems.. never had any. Hence I still believe that at least as far as RTP is concerned the Linksys stock and Tomato firmware already handle that. I've had various different VoIP devices connected behind such routers and not a single one gave me audio problems as long as SIP messages reached their destination (with the help of NAT keepalive).
    So I'm wondering.. are you having any problems with your VoIP equipment behind a Tomato router where you get a call set up but you have no audio? If so, which equipment, which settings and which IPTSP?

    @edit: I unplugged my PBX (Epygi Quadro) for 15 minutes, then rebooted and as soon as it was up (that's within 180 seconds of the device making the STUN request.. I checked, as STUN is part of the system logs, and I made the call just seconds after the device made the STUN request) made an incoming call.. and it worked just fine including audio. So I'm a bit surprised at your statement of problems during the first 180 seconds after a STUN request, as I cannot reproduce this issue.
  7. JensG

    JensG Network Guru Member

    I have a Fritz!box Fon ATA 1020 behind my Tomato, and it seems that incoming calls fail if I don't use STUN.
    I have enabled a function in the ATA called "Keep port forwarding of the Internet router enabled for Internet telephony", and set it to 30 seconds, which is the lowest value. Maybe that will do it without STUN, but I can't do any experiments with the phone for a while.
  8. jochen

    jochen Network Guru Member

    I'm sorry, I don't have the time to explain to you in detail how SIP, STUN and NAT work. But believe me, the SIP NAT helper module is necessary; it does not exist for nothing.

    Look at FTP, there is a similar problem, but not as complex as SIP. FTP opens a second connection for the data. There is a NAT helper module in Tomato for this. It would not be there if it were not necessary. SIP is more complex than FTP, because there are three devices involved, not only two as in FTP. There is communication between your phone, the other phone and the SIP server. If this complex situation did not need the NAT helper, why should FTP need one?

    Think about that, and don't say it is not necessary because you were lucky and VoIP works in your situation (because your providers do a lot to work around those NAT issues).

    If you don't understand the protocols, you cannot say the NAT helper module is unnecessary.
  9. humba

    humba Network Guru Member

    Thanks for patronizing me.. I've spent 5 years working in telecom and I know SIP quite well.. in fact well enough so that I found various RFC violations in devices I'm using. But of course you know everything better than the guy who's had it running for two years without a glitch..
  10. jaak

    jaak LI Guru Member

    Your VoIP provider is probably using an SBC (session border controller), which gets around the NAT issue.
  11. humba

    humba Network Guru Member

    The way I see it the IPTSP could work around private IP addresses used in the signalling traffic, but it cannot open ports in your firewall to let RTP traffic through.
    There's not much info about the iptables patch, but the way I read the post it does two things:
    1) it modifies signalling packets and puts the WAN IP address and appropriate port in the Contact, Via and SDP endpoint addresses
    2) it opens up the appropriate ports in the firewall to allow media to pass through.

    I did not save any traces gathered on my WAN link when I was on the old PBX that didn't use STUN (and thus the PBX sending out private IP addresses).. it may well be that all my IPTSPs (a two-digit number) can handle private IPs in my signalling traffic (however I seem to recall seeing some people in other forums using the same IPTSPs and needing STUN and opening ports to get things working) but they certainly cannot punch holes in my firewall (to allow the incoming audio stream to get to the phone) - that's why I think the port opening part of the patch is not necessary (note that even with hours of inactivity incoming calls still work.. with two-way media).
  12. 325xi

    325xi Addicted to LI Member

    Here's a nice overview why STUN is a bad idea

    Nevertheless, a SIP NAT helper would be the best gift for VoIP-ers. It would probably make Tomato even more legendary :)
    Seriously, while making an ATA work behind NAT is trivial, making an ATA work with REINVITE is a big pain you know where. And REINVITE is too valuable to be missed.

    So, Someone, please give us Tomato SIP NAT helper!
  13. njeske

    njeske Network Guru Member

    A SIP NAT helper in Tomato would be great.
  14. jochen

    jochen Network Guru Member

    Good explanation for newbies. But there are many more issues with STUN. Most phones not only detect their public IP through STUN, they also detect the public ports for RTP. The RTP stream carries the audio between the two ends. My phone is listening on some port for the audio. In the SDP message my phone must tell this port to the remote phone, so the remote can send its audio to this IP and this port. The NAT sometimes changes this port if it is already in use.

    Assume the following:
    My phone is listening for RTP on port 5000. It uses STUN to determine the external port. NAT detects that port 5000 is free and leaves it untouched for the STUN query. Next, the phone initiates the RTP session; it informs the remote through SDP to use port 5000 (which STUN returned). Now my phone begins sending audio from its local port 5000. NAT detects that port 5000 is in use (because of the STUN query) and changes it to 5001 (which is a free port). Now the remote should send to 5001, but my phone told it (through SDP) to send to port 5000. Audio never reaches my phone.

    The NAT helper module could correct this issue.
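The port collision jochen describes in posts 3 and 14, and the two jobs humba attributes to the iptables patch in post 11, modelled in Python as an added example (not Tomato or netfilter code). The NAT rule ("keep the local port unless a live mapping already uses it"), the 5000/5001 ports, the STUN server and remote phone addresses, and the SDP offer are all constructed for the illustration.

```python
import re
from typing import Dict, Set, Tuple

Flow = Tuple[str, int, str, int]   # (local ip, local port, remote ip, remote port)

class PortRestrictedNat:
    """Toy NAT following the rule described in the thread: keep the local port
    on the WAN side unless a live mapping already occupies it, else take the next free one."""
    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.table: Dict[Flow, int] = {}        # outbound flow -> WAN port
        self.used: Set[int] = set()

    def outbound(self, flow: Flow) -> int:
        if flow not in self.table:
            port = flow[1]
            while port in self.used:            # port taken by another mapping (e.g. STUN)
                port += 1
            self.table[flow] = port
            self.used.add(port)
        return self.table[flow]

    def inbound_allowed(self, remote_ip: str, remote_port: int, wan_port: int) -> bool:
        """Port-restricted cone: a packet to wan_port passes only if it comes from
        the exact remote endpoint whose outbound flow created that mapping."""
        return any(p == wan_port and f[2:] == (remote_ip, remote_port)
                   for f, p in self.table.items())

def stun_then_rtp(nat, phone_ip, rtp_port, stun_srv, remote):
    """STUN query first, then RTP from the same local port, as in post 14.
    Returns (port advertised in SDP, port actually mapped, whether audio gets in)."""
    advertised = nat.outbound((phone_ip, rtp_port) + stun_srv)   # what STUN reports
    actual = nat.outbound((phone_ip, rtp_port) + remote)         # RTP gets a new port
    return advertised, actual, nat.inbound_allowed(*remote, advertised)

SAMPLE_SDP = ("v=0\no=phone 1 1 IN IP4 192.168.1.10\ns=-\n"   # constructed offer
              "c=IN IP4 192.168.1.10\nt=0 0\nm=audio 5000 RTP/AVP 0 8\n")
M_LINE = re.compile(r"^(m=audio )(\d+)( RTP/AVP[^\n]*)", re.M)
C_LINE = re.compile(r"^(c=IN IP4 )(\S+)", re.M)

def sip_helper_fix_sdp(sdp: str, nat: PortRestrictedNat, phone_ip: str, remote) -> str:
    """The helper's two jobs as described in post 11: open the NAT for the RTP flow
    named in the SDP, and rewrite c=/m= to the WAN address and the real mapped port.
    (A real helper registers a conntrack expectation; this model maps directly.)"""
    local_port = int(M_LINE.search(sdp).group(2))
    wan_port = nat.outbound((phone_ip, local_port) + remote)
    sdp = C_LINE.sub(lambda c: c.group(1) + nat.wan_ip, sdp)
    return M_LINE.sub(lambda m: f"{m.group(1)}{wan_port}{m.group(3)}", sdp)
```

With a STUN mapping already occupying WAN port 5000, the RTP flow lands on 5001 while the SDP still says 5000, so the remote's audio is dropped; the helper rewrite advertises 5001 and the same NAT lets the audio through.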