METsen
join:2006-03-15
Turkey

METsen

Member

NAT problem: How to change symmetric to asymmetric ?

Hi

During a slow startup of X-Lite I was able for once to read that a symmetric NAT was discovered. How is this possible, having selected in the router the option "Allow Asymmetrical Route"? This issue wasn't of concern so far, since the VoIP arrangements did work. I only once had some difficulties with one provider. He indicated that I probably would be one of those rare cases having a symmetrical NAT. Since I could solve this problem using a different client, I didn't follow this further. Today, when I intend to arrange for P2P calls, a symmetric NAT is - to my understanding - a no-go criterion.

Has anyone out here an idea why in my case NAT turns out to be symmetric? Is there a way to make it asymmetric?

Here is some information on my VoIP setup:
Router Zyxel P660HW-61; connected to it are an ATA HT286 and a laptop (wireless) with several SIP and IAX softphones running on it. Port forwarding has been set up on the router.

Thanks for your help.

Regards METsen

DogFace056
join:2005-12-09
Cary, NC

DogFace056

Member

Some ZyXEL routers (P650HW, P660HW, etc.), by default, try to act as transparent SIP proxies (which is why to SIP they appear like symmetric routers even though they aren't), but unfortunately that feature has been incorrectly implemented and doesn't work right. The problem with it is that it interferes with and wreaks havoc with the SIP client's (in your case X-Lite's) own attempts to handle NAT. Depending on who provided you with the router, you may or may not be able to turn this behavior off. If your unit lets you, you should turn off the SIP Application Level Gateway (ALG). In my case, a P650HW from Spanish Telefonica, the unit does not allow turning this feature off, so I can't use it for SIP VoIP.
METsen
join:2006-03-15
Turkey

METsen

Member

Thank you for your information. Had a look in the detailed manual. I can see there the ALG option under NAT. Unfortunately my router doesn't have this option, i.e. I can't disable it. It seems that this is the reason why I'm not able to do P2P calls. Yes
slow mo
join:2002-03-19
USA

slow mo

Member

You may want to uncheck SPI in advanced firewall section. It may change to asymmetric.
hwittenb
join:2003-12-20

hwittenb to METsen

Member

to METsen
I see the ZyXEL P660HW-61 router has a 450 page user manual. It is hard to believe that with that much detail you can't make it work with a telephone ATA. I'm not sure exactly how the Grandstream HT286 works, but if it is like a Sipura device the ATA will have a port number for the incoming SIP signalling (typically 5060 but it can be anything) and then you have a range of port numbers that are used for the incoming RTP voice packets. A single call will use a single incoming RTP port number that is set up initially, but different calls will use different RTP port numbers. You have a single external IP address to the internet and it is the router's job to sort out incoming packets to the correct device and port number.

Port forwarding is the usual solution when you cannot use a STUN server.

A Google search turned up this explanation of why a STUN server won't work with a Symmetric NAT
»www.newport-networks.com ··· al3.html
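
Added example, not part of any post in this thread: the comparison a STUN client makes before it reports a symmetric NAT, i.e. whether one local socket is given the same public mapping by two different STUN servers. The sample responses and the 203.0.113.x addresses are constructed, and the function names are illustrative.

```python
import socket
import struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)

def build_response(ip, port, xor=True):
    """Constructed sample: Binding success response with one address attribute."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:  # XOR-MAPPED-ADDRESS hides the values from rewriting middleboxes
        attr_type, port, addr = 0x0020, port ^ (MAGIC >> 16), addr ^ MAGIC
    else:    # classic MAPPED-ADDRESS, as used by older STUN servers
        attr_type = 0x0001
    attr = struct.pack("!HHBBHI", attr_type, 8, 0, 0x01, port, addr)
    return struct.pack("!HHI12s", 0x0101, len(attr), MAGIC, b"constructed!") + attr

def mapped_address(msg):
    """Return (ip, port) from MAPPED-ADDRESS or XOR-MAPPED-ADDRESS, else None."""
    if len(msg) < 20:
        return None
    msg_type, length, _cookie = struct.unpack("!HHI", msg[:8])
    if msg_type != 0x0101 or len(msg) < 20 + length:
        return None
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + attr_len]
        if attr_type in (0x0001, 0x0020) and len(value) == 8 and value[1] == 0x01:
            port, addr = struct.unpack("!HI", value[2:])
            if attr_type == 0x0020:
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are padded to 4 bytes
    return None

def classify(responses):
    """responses: replies from different STUN servers to the SAME local socket."""
    mappings = {mapped_address(r) for r in responses}
    if None in mappings or len(responses) < 2:
        return "unknown"
    # One mapping for every destination: STUN-learned address is reusable.
    # A different mapping per destination: symmetric, so a peer cannot use it.
    return "endpoint-independent" if len(mappings) == 1 else "symmetric"

if __name__ == "__main__":
    a = build_response("203.0.113.7", 40000)
    b = build_response("203.0.113.7", 40001)
    print(classify([a, a]), classify([a, b]))
```
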
METsen
join:2006-03-15
Turkey

METsen to slow mo

Member

to slow mo
Couldn't find an "advanced firewall section" in the router nor in the main manual for the Zyxel P660HW-61. I also couldn't find SPI. What does SPI stand for? Could you please be more specific on what you suggest? Thank you.
METsen

METsen

Member

@hwittenb
Sorry, but I only notice your answer now. It's not the question that it wouldn't work at all. It actually does, this with about 5 different SIP phones and an IAX one, all on standby. Did you read the first answer I received?
slow mo
join:2002-03-19
USA

slow mo to METsen

Member

to METsen
It's Stateful Packet Inspection.

In Zyxel's product description, this router has
----
Robust Firewall Security
The ICSA-certified ZyNOS operating system ensures state-of-art firewall performance and robust security from the P-660HW series. Based on Stateful Packet Inspection, DoS (Denial of Service) and DDoS features, it provides the first line defense against hackers, network intruders, and other harmful threats.
----

Link: »us.zyxel.com/web/product ··· 187F44AA

I took the liberty to presume there is an option to disable it.

DogFace056
join:2005-12-09
Cary, NC

DogFace056 to hwittenb

Member

to hwittenb
The problem with the ZyXELs is that unless the SIP ALG is disabled, the router ignores any port forwarding of SIP/RTP packets and does its own thing, which turns out to be the wrong thing in many cases. And unfortunately, ISP provided versions of these routers appear to be commonly customized to disallow the disabling of the SIP ALG feature.
DogFace056

DogFace056 to METsen

Member

to METsen
SPI stands for Stateful Packet Inspection. In short, it means that an SPI router performs special handling of packets based on the data in them and may modify their contents as deemed appropriate. The SIP ALG feature of the ZyXELs is an example of SPI.
DogFace056

DogFace056 to slow mo

Member

to slow mo
Damn, you beat me to the answer. Should I rather call you "Fast Mo"?
slow mo
join:2002-03-19
USA

slow mo

Member

said by DogFace056:

Damn, you beat me to the answer. Should I rather call you "Fast Mo"?
LOL.

METsen,

After a 17M download of a whopping 450 pages, it is in section 30.3 Enabling the Firewall, page 282 in the user guide. Good luck.
METsen
join:2006-03-15
Turkey

METsen to slow mo

Member

to slow mo
@slow mo
It's (almost) clear now. It refers to a table under "Firewall - Default Policy" where one defines the default action (block or forward) for the different packet directions. Thank you for indicating this. Would it mean for SIP to forward both, i.e WAN to LAN and WAN to WAN / Router ? Or, is only one sufficient, e.g. WAN to WAN / Router ?
slow mo
join:2002-03-19
USA


slow mo

Member

I don't have this router to fully understand what they mean. You may want to experiment one at a time, then maybe both. My guess is WAN to LAN.

Good luck.

EDIT: Please let us know the results.

DogFace056
join:2005-12-09
Cary, NC

DogFace056 to METsen

Member

to METsen
You may just try letting the ZyXEL do its thing and instead disable NAT handling in your SIP clients. Depending on your VoIP provider, this may or may not work. But it's worth a try.
METsen
join:2006-03-15
Turkey

METsen

Member

said by DogFace056:

You may just try letting the ZyXEL do its thing and instead disable NAT handling in your SIP clients.
What do you mean by this exactly? Maybe just enable/disable STUN?
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo to DogFace056

Premium Member

to DogFace056
said by DogFace056:

Damn, you beat me to the answer. Should I rather call you "Fast Mo"?
Maybe a Speedy Mo is more appropriate?
ctylor
join:2006-03-15
Nelson, BC

ctylor to DogFace056

Member

to DogFace056
said by DogFace056:

You may just try letting the ZyXEL do its thing and instead disable NAT handling in your SIP clients. Depending on your VoIP provider, this may or may not work. But it's worth a try.
Yeah that's what I was thinking too, if you can't skin the cat one way, try the opposite. If STUN and NAT support inherent in your SIP device conflicts with the router's own handling of SIP, then if you can't change the router, change the SIP device to not do any of those special things and maybe it will balance itself out.
METsen
join:2006-03-15
Turkey

METsen

Member

ctylor you wrote
"...if you can't change the router, change the SIP device to not do any of those special things and maybe it will balance itself out."

That's one of the reasons for running several SIP phones on standby: certain providers don't work on certain clients.

In the meantime I have also made some tests with SPI. In order to better read the login information on X-Lite, Windows has been slowed down with a throttle. What I can read there is that none of the changes from block to forward had any effect on this. It also didn't improve one of the critical provider/client combinations, which I tested as well. So, I guess I have to leave things "as is" until the router is replaced...

I should add here that I finally also found a SIP client allowing me to make P2P calls with the existing arrangement.

Thanks to all of you for all your explanations, propositions and help!

Best Regards

METsen
METsen

METsen

Member

@DogFace056 and all other users of the Zyxel P660 router:

In another forum I learned that the SIP ALG can be disabled by using the Command Interpreter (CI) via telnet. The corresponding command is: ip nat service sip active 0

However, disabling SIP ALG and SPI didn't change X-Lite to consider the found NAT to be symmetric.

DogFace056
join:2005-12-09
Cary, NC

DogFace056

Member

said by METsen:

In another forum I learned that the SIP ALG can be disabled by using the Command Interpreter (CI) via telnet. The corresponding command is: ip nat service sip active 0

However, disabling SIP ALG and SPI didn't change X-Lite to consider the found NAT to be symmetric.
If you enter

ip nat service sip active

(without the '0'), the command should display the current state of the SIP ALG ("SIP ALG Enable" or "SIP ALG Disable"). If it doesn't, then as in my case, your router may be customized to prevent user disabling of the feature. My ZyXEL simply doesn't support the command, yet it doesn't respond with any error messages to it. It just ignores it.