vincentdelpo

join:2010-06-24

Is SIP ALG a good solution for NAT?

Hello,

Having Asterisk and some SIP clients in a private LAN between a NAT router is doable but a bit of a pain:
1. On the Asterisk server, I must use a small and fixed range of ports for RTP, and the Asterisk configuration must be configured carefully (tell Asterisk that it's located behind a NAT, what is its public IP, SIP clients must not use STUN, etc.)
2. On the router, I must open ports for SIP and RTP manually
3. If some SIP client registers from outside on the Net and calls a local SIP client, all RTP packets go through Asterisk

So I was wondering if having an SIP ALG on the NAT router would make it easier to use a telephony server and SIP clients in the private LAN:

»img46.imageshack.us/img46/6264/sipalg.png

If you've tried some NAT router that has an SIP ALG, would you recommend it, or is the "manual" way above the recommended solution (I know that moving the Asterisk server in front of the router in the public part makes things easier)?

Thank you.


OmagicQ
Posting in a thread near you

join:2003-10-23
Bakersfield, CA
kudos:1
Reviews:
·Bright House

SIP ALGs in most consumer-grade routers are broken. Most providers recommend turning them off because they break more than they fix. I can't think of a router with a working SIP ALG off the top of my head.
--
Dovahkiin, Dovahkiin naal ok zin los vahriin wah dein vokul mahfaeraak ahst vaal!
Ahrk fin norok paal graan fod nust hon zindro zaan Dovahkiin, fah hin kogaan mu draal!


PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13

Exactly.

See here, one fellow even calls SIP ALG evil.

»wiki.freeswitch.org/wiki/ALG



ArgMeMatey

join:2001-08-09
Milwaukee, WI
kudos:2
reply to vincentdelpo

I've tried it on a couple of Netgear routers. Doesn't work for me with voip.ms.


Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
reply to OmagicQ

Even Tomato - which makes a fantastic router in my opinion - has a horrible SIP ALG. Frankly I don't know why people put energy into it, if it's going to work this poorly.


RonR

join:2003-10-10
Ash Flat, AR
kudos:6

said by Mango:

Even Tomato - which makes a fantastic router in my opinion - has a horrible SIP ALG.

Where is there any SIP ALG option in Tomato firmware?

I've been using Tomato firmware for many many years and it handles SIP/VoIP excellently.

OZO
Premium
join:2003-01-17
kudos:2
reply to vincentdelpo

said by vincentdelpo:

1. On the Asterisk server, I must use a small and fixed range of ports for RTP, and the Asterisk configuration must be configured carefully (tell Asterisk that it's located behind a NAT, what is its public IP, SIP clients must not use STUN, etc.)

It's strange to see the last suggestion - "SIP clients must not use STUN". Perhaps it's because very cheap NAT routers may not support loopback correctly? Otherwise - using STUN servers makes setup more universal and automatic.

I'm using FreeSWITCH (a SIP server, similar to Asterisk) on a LAN behind a NAT router (ZyWALL 5) with all other SIP clients connected from different WAN/LAN segments, using WAN IPs provided by remote STUN servers. And it works very well even in direct media mode. No port forwarding is required (setup uses UPnP). ALG is turned off.
--
Keep it simple, it'll become complex by itself...

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
Reviews:
·VOIPO
reply to vincentdelpo

New to this forum and have been lurking for the past few days in preparation for my new VoIP service. That said, in seeing the opinions of SIP ALGs just now, any difference in opinion when it comes to Siproxd, »siproxd.sourceforge.net ?

Thanks.


Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
reply to RonR

It's in Conntrack/Netfilter, but it only appears in some builds of Tomato. Indeed, Tomato is an excellent router for VoIP, when SIP ALG is disabled.



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
reply to Bink

Bink,

siproxd works and works very well. I have used it in the past.
On the other hand, my mom told me that SIP ALG is the devil.
--
[nUll@dcypher ~]$


RonR

join:2003-10-10
Ash Flat, AR
kudos:6
reply to Mango

said by Mango:

It's in Conntrack/Netfilter, but it only appears in some builds of Tomato. Indeed, Tomato is an excellent router for VoIP, when SIP ALG is disabled.

I see a SIP checkbox under Tracking / NAT Helpers, but I have a hard time believing that's the dreaded SIP ALG. I've been running this version (TeddyBear) for over a year with that box checked and I haven't had a single router-related hiccup with 3 ATAs hung off of it.

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
Reviews:
·Callcentric
·Anveo
·Shaw
·AcroVoice

Good point. All I know about that option is that it makes SIP connections time out after an hour, and not respect the UDP Timeout settings. This is bad if you're affected by the Tomato bug that causes NAT associations to be mangled. I'm not sure what else it does, if anything.


RonR

join:2003-10-10
Ash Flat, AR
kudos:6

said by Mango:

Good point. All I know about that option is that it makes SIP connections time out after an hour, and not respect the UDP Timeout settings. This is bad if you're affected by the Tomato bug that causes NAT associations to be mangled. I'm not sure what else it does, if anything.

Could this problem have been fixed in v1.28? I was on a 1 hour and 42 minute call yesterday (using SipBri no less) and everything stayed glued together perfectly.

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
Reviews:
·Callcentric
·Anveo
·Shaw
·AcroVoice

I don't think I explained that clearly. I didn't mean phone conversations would cut off after an hour. When your phone registers with a VoIP server, the router keeps the "NAT hole" open for typically the length of the Assured UDP timeout. This way, the VoIP server may deliver incoming calls to you. As long as the phone's registration interval is less than the Assured UDP Timeout, everything will work properly.

With SIP Helper turned on, the router will not respect the Assured UDP Timeout and instead uses 3600 seconds. This means that your phone has one hour to re-register and will possibly make Linksys devices workish with their default settings.

The reason this is not optimal is that if for example your ISP changes your public IP address, it could potentially take an hour before you can receive incoming calls, or worse, it could require human intervention to reboot things if you're affected by the bug I mentioned before.

Obviously if things work well for you then there's no need to tinker with anything. My point was that my opinion is the same as the general opinion in this thread - leave my SIP alone!

m.
--
Recommended ATA Settings | e164 - make your DID accessible via SIPBroker!


OmagicQ
Posting in a thread near you

join:2003-10-23
Bakersfield, CA
kudos:1
Reviews:
·Bright House
reply to vincentdelpo

Does anyone know if IAX gets mangled by a SIP ALG or not? I'm wondering if it might be an option for people who are stuck behind isp provided/provisioned routers with no admin access to turn it off.

(Jedi mind trick) These aren't the packets you're looking for...(/jedi mind trick)
--
Dovahkiin, Dovahkiin naal ok zin los vahriin wah dein vokul mahfaeraak ahst vaal!
Ahrk fin norok paal graan fod nust hon zindro zaan Dovahkiin, fah hin kogaan mu draal!



Trev
IP Telephony Addict
Premium
join:2009-06-29
Victoria, BC
kudos:5

said by OmagicQ:

Does anyone know if IAX gets mangled by a SIP ALG or not? I'm wondering if it might be an option for people who are stuck behind isp provided/provisioned routers with no admin access to turn it off.

IAX is different in almost every way, so it would be completely immune to SIP "helpers."
--
Wondering what I do? Find out at »www.digitalcon.ca

vincentdelpo

join:2010-06-24
reply to vincentdelpo

said by OmagicQ:

SIP ALGs in most consumer-grade routers are broken.

Thanks for the feedback. I'll just forget about SIP ALG, then.

said by OZO:

It's strange to see the last suggestion - "SIP clients must not use STUN". Perhaps it's because very cheap NAT routers may not support loopback correctly? Otherwise - using STUN servers makes setup more universal and automatic.

I said this because I thought (haven't tried, though) that enabling STUN on an SIP client where the SIP server is also located in the private LAN (i.e. behind the NAT router) will just break things.

I have a couple more questions:
1. Does Asterisk now support STUN, so that I would no longer have to open ports manually on the router for SIP + RTP?
2. Is there a way to have the two SIP clients (local and remote) send RTP packets to each other so that the SIP server doesn't spend resources on this?
3. Am I correct in understanding that UPnP is a protocol that lets UPnP clients connect to the NAT router to have it open ports automatically?
4. What is "direct media mode"? RTP packets flowing directly between the two SIP clients? Will this work with the two sitting on either side of the NAT router, and the SIP server will stay in the loop just to monitor SIP messages (close call, put call on hold, etc.)?

Thank you.


erfans

join:2008-10-10
Canada
Reviews:
·TekSavvy Cable
·voip.ms
reply to vincentdelpo

Since we're on this topic, I was wondering if you guys could help me with my DLINK DIR-625 settings.

I am experiencing problems with my voip.ms account. Often times, like today for instance, I received calls several times and each time I picked up the phone, it would get disconnected. I called back the number after a pause and I get a busy tone. I then receive a voice mail (no voice) but some background noise after every two seconds. I am sure the person trying to call me did not leave a message. This has happened several times and it is really frustrating me now.

I guess it is my router but I am not sure. I have used voip.ms's tickets and so far they haven't been able to help me out. They're trying to troubleshoot it.

Here is the screenshot to my router's firewall page:
»i39.tinypic.com/206hd84.png

Thanks guys!


OZO
Premium
join:2003-01-17
kudos:2
reply to vincentdelpo

It's very rare to see someone run their own STUN server. I still don't have one, even though I want to do it on my local Windows server. But there is no simple and free package that does just that...

Answering your questions:
1. I don't run Asterisk, I use FreeSWITCH instead
2. It's called "direct media mode" (one of the terms used)
3. Yes, you are. One of the functions of UPnP is to allow clients to open and forward ports on the NAT router. Check for that feature support on your particular hardware
4. Yes, it is. There are two different streams of data (and related protocols) - SIP (initiation and control of the call), RTP (media stream, usually only sound stream). Direct media mode is when SIP clients stream media directly between them and not through the SIP server. The latter is used for the SIP protocol only. In that mode (support is required) you may run SIP clients independently of any NAT (or multiple NATs) in the middle. But again, because the SIP protocol was not initially designed to be used with a NAT (a huge omission, IMO), there should be a special setup. STUN (ICE, local UPnP etc) could help to automate it.
--
Keep it simple, it'll become complex by itself...


PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms

1 recommendation

reply to erfans

said by erfans:

Since we're on this topic, I was wondering if you guys could help me with my DLINK DIR-625 settings.

On the UDP Endpoint Filtering, and also the TCP Endpoint Filtering, try changing both of those to "Address Restricted" instead of "Port and Address Restricted".

That works for me on my D-Link DGL 4100 routers.

EDIT: Here's a nice explanation of why this is sometimes useful.

NAT Endpoint Filtering

The NAT Endpoint Filtering options control how the router's NAT manages incoming connection requests to ports that are already being used.

Endpoint Independent

Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet.

Address Restricted

The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP address with which a connection was established. This allows the remote application to send data back through a port different from the one used when the outgoing session was created.

Port And Address Restricted

The NAT does not forward any incoming connection requests with the same port address as an already established connection.

Note that some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents some level of connectivity, and therefore might require the use of port triggers, virtual servers, or port forwarding to open the ports needed by the application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected.

»www.trendnet.com/emulators/TEW-6···ced.html
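Added example (not code from any post in this thread): a toy model of a NAT's UDP session table that ties together two things discussed above. It shows why a phone must re-REGISTER inside the router's UDP timeout to stay reachable for incoming calls (Mango's post on the Assured UDP Timeout), and how the three "NAT Endpoint Filtering" modes quoted in this post decide whether an inbound datagram reaches a LAN-side phone. Mode names follow the router's menu and roughly correspond to the RFC 4787 filtering behaviours. Addresses, ports and timings are constructed sample values; only outbound traffic refreshes a binding in this model, which is a simplification.

```python
"""Toy model of a NAT's UDP session table: binding timeout plus the three
endpoint-filtering behaviours from the D-Link/TrendNet help text.
Added example, not from the thread; all values are constructed."""
from dataclasses import dataclass, field

ENDPOINT_INDEPENDENT = "Endpoint Independent"
ADDRESS_RESTRICTED = "Address Restricted"
PORT_AND_ADDRESS_RESTRICTED = "Port And Address Restricted"


@dataclass
class Session:
    lan_ep: tuple                                   # (lan_ip, port) that opened the hole
    remote_eps: set = field(default_factory=set)    # remote (ip, port) pairs sent to
    expires_at: float = 0.0                         # when the NAT drops the binding


class NatTable:
    def __init__(self, filtering: str, udp_timeout: float):
        self.filtering = filtering
        self.udp_timeout = udp_timeout   # the "Assured UDP Timeout" of the thread
        self.mapping = {}                # lan_ep -> external port (endpoint-independent mapping)
        self.sessions = {}               # external port -> Session

    def outbound(self, lan_ep, remote_ep, now):
        """LAN host sends a datagram: create or refresh its binding and remember
        the remote endpoint. Returns the external port the NAT uses."""
        ext_port = self.mapping.setdefault(lan_ep, 20000 + len(self.mapping))
        sess = self.sessions.setdefault(ext_port, Session(lan_ep))
        sess.remote_eps.add(remote_ep)
        sess.expires_at = now + self.udp_timeout   # only outbound traffic refreshes it here
        return ext_port

    def inbound(self, ext_port, remote_ep, now):
        """Datagram arrives from the Internet: return the LAN endpoint it is
        forwarded to, or None if the NAT drops it."""
        sess = self.sessions.get(ext_port)
        if sess is None or now >= sess.expires_at:
            return None                              # no live hole for this port
        if self.filtering == ENDPOINT_INDEPENDENT:
            return sess.lan_ep                       # anyone may use the hole
        if self.filtering == ADDRESS_RESTRICTED:
            known_ips = {ip for ip, _ in sess.remote_eps}
            return sess.lan_ep if remote_ep[0] in known_ips else None
        return sess.lan_ep if remote_ep in sess.remote_eps else None   # exact ip:port only


PHONE = ("192.168.1.20", 5060)          # constructed LAN phone
PROVIDER_SIP = ("203.0.113.10", 5060)   # constructed provider SIP proxy


def filtering_matrix():
    """After the phone has REGISTERed, can (a) the provider's proxy, (b) the same
    proxy from a different source port, (c) an unrelated host reach the phone?"""
    probes = {
        "provider_same_port": PROVIDER_SIP,
        "provider_other_port": (PROVIDER_SIP[0], 5062),
        "unrelated_host": ("198.51.100.7", 5060),
    }
    matrix = {}
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_RESTRICTED, PORT_AND_ADDRESS_RESTRICTED):
        nat = NatTable(mode, udp_timeout=300)
        ext = nat.outbound(PHONE, PROVIDER_SIP, now=0)    # the REGISTER opens the hole
        matrix[mode] = {name: nat.inbound(ext, ep, now=10) is not None
                        for name, ep in probes.items()}
    return matrix


def reachable_seconds(udp_timeout, register_interval, horizon=3600):
    """Seconds in [0, horizon) during which an INVITE from the provider would be
    delivered, if the phone re-REGISTERs every register_interval seconds and the
    NAT expires idle bindings after udp_timeout seconds."""
    nat = NatTable(ENDPOINT_INDEPENDENT, udp_timeout)
    ext = nat.outbound(PHONE, PROVIDER_SIP, now=0)
    open_seconds = 0
    for t in range(horizon):
        if t % register_interval == 0:
            ext = nat.outbound(PHONE, PROVIDER_SIP, now=t)
        if nat.inbound(ext, PROVIDER_SIP, now=t) is not None:
            open_seconds += 1
    return open_seconds


if __name__ == "__main__":
    for mode, row in filtering_matrix().items():
        print(f"{mode:28s} {row}")
    print(reachable_seconds(300, 120))    # 120 s registrations, 300 s timeout: always open
    print(reachable_seconds(300, 600))    # registering slower than the timeout: open half the time
    print(reachable_seconds(300, 3600))   # hourly registration: open 5 minutes per hour
    print(reachable_seconds(3600, 3600))  # helper-style 3600 s timeout papers over hourly registration
```

The "provider_other_port" row is the case the advice in this post targets: under "Port And Address Restricted" a reply from the provider's address but a different port is dropped, which is fatal for a provider whose media or signalling does not come back from the exact port the phone sent to, while "Address Restricted" still admits it and still rejects unrelated hosts. The reachability counts show the other side of the coin from Mango's and espaeth's posts: with 60-120 s registrations and a typical timeout the hole never closes, so forcing a 3600 s timeout buys nothing and only lengthens the window in which the provider keeps an obsolete binding.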

vincentdelpo

join:2010-06-24
reply to OZO

said by OZO:

It's very rare to see someone runs its own STUN server.

I didn't mean that I would run my own STUN server, rather whether Asterisk is now able to act as a STUN client to be able to find its public address and punch holes in the NAT router just like FreeSwitch can (if I'm correct).

As a reminder, here's the setup I have in mind:

»img46.imageshack.us/img46/6264/sipalg.png

One thing I find puzzling, though, is:

1. With the two SIP clients sitting on either side of the NAT (one local, one on the Internet), should I configure the local SIP client to use STUN, or will the SIP server handle rewriting the IP address in the SIP packets and opening the RTP port on the router?

2. UPnP only opens holes, but doesn't know anything about SIP/RTP so UPnP only solves part of the problem while STUN handles both issues. So I don't see the point of using UPnP for VoIP

3. Direct media mode: In which case is it not a good idea and should we have RTP packets go through the SIP server instead?

Thank you.

OZO
Premium
join:2003-01-17
kudos:2

1. If you use direct media mode (DMM), and your SIP server doesn't touch the SDP part of the INVITE message (FreeSWITCH e.g. doesn't change it in DMM), then you have to make sure that your local SIP client uses STUN (or UPnP) to get and use the WAN IP. My advice: watch the INVITE message and particularly its SDP part. Without STUN it will contain a c=IN IP4 LAN.LAN.LAN.LAN attribute, while with STUN it's c=IN IP4 WAN.WAN.WAN.WAN. That IP will be used by the remote SIP client to send the RTP stream to your local client. Again, if your local client is behind NAT, it's better to make sure that the 'o=' attribute contains the WAN IP.

Without DMM the SIP server rewrites that attribute to point to its own WAN address (which in the general case could be not the same as your local SIP client's WAN).

2. Here is an example - the PhonerLite SIP client doesn't need STUN to work properly. It uses only UPnP (and quite successfully, I might add)

3. Only in case one of your clients doesn't support it. If the SIP server doesn't watch for it (a LAN address is used in the SDP instead of the WAN) and doesn't forcefully change that IP for the other client, it may break correct two-way audio. Otherwise, I don't see why not use DMM all the time (presuming that you don't want to record conversations by the SIP server).

DMM always provides a better quality of voice - less latency, less packet losses, etc.
--
Keep it simple, it'll become complex by itself...
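Added example (not code from any post in this thread): the check OZO recommends above, "watch the INVITE message and particularly its SDP part", written as a small script. It splits a SIP message into headers and SDP body, pulls the c= and o= addresses, flags the ones a remote party could not send RTP to (RFC 1918, CGNAT, loopback, link-local), and shows the c= rewrite a NAT-aware SIP server performs when it is not in direct media mode, fixing Content-Length so the message stays well-formed. The INVITE is a constructed sample and 203.0.113.10 stands in for a WAN address; the same inspection, run on what the phone sent versus what the server received, tells you whether an ALG in the path has altered the offer.

```python
"""Inspect the SDP of a SIP INVITE for LAN addresses and demonstrate the
server-side c= rewrite. Added example; the INVITE below is constructed."""
import ipaddress
import re

# Address ranges the far end cannot reach: RFC 1918, CGNAT, loopback,
# link-local and "this network".
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage
    return any(addr in net for net in LAN_RANGES)


def split_sip_message(raw: str):
    """Return (headers, body). SIP separates them with an empty CRLF line,
    like HTTP; header names are lower-cased for lookup."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sdp_addresses(sdp: str):
    """Yield (field, ip) for every IPv4 c= and o= line in an SDP body."""
    for line in sdp.splitlines():
        parts = line[2:].split()
        if line.startswith("c=") and len(parts) >= 3 and parts[1] == "IP4":
            yield "c", parts[2]      # c=<nettype> <addrtype> <connection-address>
        elif line.startswith("o=") and len(parts) >= 6 and parts[4] == "IP4":
            yield "o", parts[5]      # o=<user> <id> <version> <nettype> <addrtype> <address>


def lan_sdp_addresses(raw_invite: str):
    """[(field, ip), ...] for SDP addresses the far end could not send RTP to.
    An empty list means the offer is usable across the NAT."""
    headers, body = split_sip_message(raw_invite)
    if not headers.get("content-type", "").lower().startswith("application/sdp"):
        return []
    found = []
    for fld, ip in sdp_addresses(body):
        try:
            if is_lan_address(ip):
                found.append((fld, ip))
        except ValueError:
            found.append((fld, ip))          # an unparsable address is unusable too
    return found


def rewrite_connection_address(raw_invite: str, wan_ip: str) -> str:
    """What a NAT-aware SIP server does outside direct media mode: point the
    c= line at a reachable WAN address and recompute Content-Length."""
    head, sep, body = raw_invite.partition("\r\n\r\n")
    body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {wan_ip}", body, flags=re.M)
    head = re.sub(r"^Content-Length:[^\r\n]*", f"Content-Length: {len(body.encode())}",
                  head, flags=re.M | re.I)
    return head + sep + body


def content_length_ok(raw: str) -> bool:
    headers, body = split_sip_message(raw)
    return headers.get("content-length") == str(len(body.encode()))


def build_invite(media_ip: str) -> str:
    """Constructed sample INVITE from a phone at 192.168.1.20 whose SDP
    advertises media_ip as the address to send RTP to."""
    sdp = "\r\n".join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {media_ip}",
        "s=-",
        f"c=IN IP4 {media_ip}",
        "t=0 0",
        "m=audio 10000 RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ]) + "\r\n"
    head = "\r\n".join([
        "INVITE sip:bob@203.0.113.10 SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@203.0.113.10>;tag=1928301774",
        "To: <sip:bob@203.0.113.10>",
        "Call-ID: a84b4c76e66710@192.168.1.20",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp.encode())}",
    ])
    return head + "\r\n\r\n" + sdp


if __name__ == "__main__":
    offer = build_invite("192.168.1.20")                 # phone without STUN
    print("LAN addresses in SDP:", lan_sdp_addresses(offer))
    fixed = rewrite_connection_address(offer, "203.0.113.10")
    print("after server rewrite:", lan_sdp_addresses(fixed))
    print("STUN-enabled phone:", lan_sdp_addresses(build_invite("203.0.113.10")))
```

Note that the rewrite only touches c=, so the o= line still reports the LAN address afterwards; that is exactly the point OZO makes about checking 'o=' as well when the client itself is expected to publish its WAN IP. Extending the same inspection to the m= port and comparing against the RTP port the NAT actually opened is the next step when diagnosing one-way audio.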



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2
Reviews:
·Vitelity VOIP
reply to Mango

said by Mango:

With SIP Helper turned on, the router will not respect the Assured UDP Timeout and instead uses 3600 seconds. This means that your phone has one hour to re-register and will possibly make Linksys devices workish with their default settings.

Is that really a problem?

I think the longest refresh interval I've seen a provider use is maybe 10 minutes. The majority are in the 60-120 second ballpark.


erfans

join:2008-10-10
Canada
Reviews:
·TekSavvy Cable
·voip.ms
reply to PX Eliezer7

said by PX Eliezer7:

said by erfans:

Since we're on this topic, I was wondering if you guys could help me with my DLINK DIR-625 settings.

On the UDP Endpoint Filtering, and also the TCP Endpoint Filtering, try changing both of those to "Address Restricted" instead of "Port and Address Restricted".

That works for me on my D-Link DGL 4100 routers.

Thanks! voip.ms have advised me to change both of those settings to "Endpoint Independent" because it is the "least restrictive option." I will give your suggestion a try and if that doesn't work out, then I will try what voip.ms has suggested. Thanks once again.

vincentdelpo

join:2010-06-24
reply to OZO

said by OZO:

1. If you use direct media mode (DMM), and your SIP server doesn't touch SDP part of the INVITE message (FreeSWITCH e.g. doesn't change it in DMM), then you have to make sure that your local SIP client uses STUN (or UPnP) to get and use the WAN IP. [...] Without DMM SIP server rewrites that attribute to point to its own WAN address (which in general case could be not the same as your local SIP client's WAN).

Thanks for the clarification. I'm just uneasy about an SIP client registered with an SIP server, both located in the LAN behind the NAT router, while the SIP client uses STUN on its own, but I guess it's irrational.

Am I correct in understanding that those are the issues that must be solved when both the SIP client and the SIP server are located in a LAN behind a NAT router and we want to use DMM so that RTP sound flows directly between the two SIP clients?

1. SIP: In the reply to an incoming INVITE (i.e. the remote SIP client is trying to call the local SIP client), the local SIP client's LAN IP address in the SIP reply must be replaced with a WAN IP address as available on the NAT router. This task can be accomplished either by the server or the client

2. RTP: Either the client or the server must reconfigure the NAT router on the fly to open a UDP port for RTP and route those packets to the SIP client, or the SIP client won't hear the remote caller's voice (one-way audio)

said by OZO:

2. Here is example - PhonerLite SIP client doesn't need STUN to work properly. It uses only UPnP (and quite successfully, I might add)

I've never used UPnP although the NAT router/modem provided by my ISP is supposed to support it:
- Does UPnP support finding out the NAT router's WAN IP(s), which would explain why PhonerLite doesn't need to support STUN
- With UPnP, does it mean that any application running on any device on the LAN is allowed to open ports on the router? Sounds pretty dangerous, as any virus could then open up the firewall.

said by OZO:

Otherwise, I don't see why don't use DMM all the time (presuming that you don't want to record conversations by SIP server).

The reason I haven't used DMM yet is that I remember reading that there were cases where it wasn't a good idea. I guess being able to have the server record the conversation is one case, although the client could take care of this. Do you know of other cases where DMM would break things?

Or maybe it works fine, and it's specifically Asterisk that's not supporting DMM as well as other IP PBX's.

Thanks.

vincentdelpo

join:2010-06-24

I know why I was uneasy about configuring the LAN SIP client to use STUN instead of letting the SIP server replace the LAN IP with the WAN IP: What about the case where there are other SIP clients in the LAN?

»img528.imageshack.us/img528/6264/sipalg.png

If the SIP clients use STUN, they'll report the WAN IP in the SIP INVITE instead of their LAN IP: In this case, is there another solution than not using STUN for the clients and letting the server rewrite IPs when necessary (i.e. when the SIP client is on the WAN side)?


lifespeed

join:2009-09-08
reply to vincentdelpo

Here is an example of a problem caused by SIP ALG in Verizon Wireless router.

»[Asterisk] re-invites fail Verizon Wireless 3G or 4G
--
Lifespeed


OZO
Premium
join:2003-01-17
kudos:2
reply to vincentdelpo

said by vincentdelpo:

Am I correct in understanding that those are the issues that must be solved when both the SIP client and the SIP server are located in a LAN behind a NAT router and we want to use DMM so that RTP sound flows directly between the two SIP clients?

1. SIP: In the reply to an incoming INVITE (i.e. the remote SIP client is trying to call the local SIP client), the local SIP client's LAN IP address in the SIP reply must be replaced with a WAN IP address as available on the NAT router. This task can be accomplished either by the server or the client

2. RTP: Either the client or the server must reconfigure the NAT router on the fly to open a UDP port for RTP and route those packets to the SIP client, or the SIP client won't hear the remote caller's voice (one-way audio)

Answers to your questions:
1. Yes
2. Yes

said by OZO:

2. Here is example - PhonerLite SIP client doesn't need STUN to work properly. It uses only UPnP (and quite successfully, I might add)

I've never used UPnP although the NAT router/modem provided by my ISP is supposed to support it:
- Does UPnP support finding out the NAT router's WAN IP(s), which would explain why PhonerLite doesn't need to support STUN
- With UPnP, does it mean that any application running on any device on the LAN is allowed to open ports on the router? Sounds pretty dangerous, as any virus could then open up the firewall.

- The NAT router knows both its LAN IP and its WAN IP. UPnP is just a protocol used to get that info from the router.
- Yes, it does. But the same (uncontrolled communications) could be achieved without UPnP. Any program on your computer may open a new connection to any host on the Internet and download anything and then run it. The only solution is a local outbound firewall that blocks all your applications from opening any connections without your consent.

BTW, ironically you don't need a local firewall to protect your computer from inbound connections (your NAT router does that). But you need an "outbound" firewall to keep your computers secure...

said by OZO:

Otherwise, I don't see why don't use DMM all the time (presuming that you don't want to record conversations by SIP server).

The reason I haven't used DMM yet is that I remember reading that there were cases where it wasn't a good idea. I guess being able to have the server record the conversation is one case, although the client could take care of this. Do you know of other cases where DMM would break things?

You're right. If you need to record a conversation you usually may do it with the SIP client. Why should the SIP server do it anyway?

DMM should always work fine, even in case when both your SIP clients are on the same LAN. The only problem that I know of could come from a cheap NAT router, that doesn't support loopback correctly. Any decent router can easily handle connection made to its WAN address and redirect it to local LAN IP.
--
Keep it simple, it'll become complex by itself...

OZO
Premium
join:2003-01-17
kudos:2
reply to vincentdelpo

said by vincentdelpo:

If the SIP clients use STUN, they'll report the WAN IP in the SIP INVITE instead of their LAN IP: In this case, is there another solution than not using STUN for the clients and letting the server rewrite IPs when necessary (i.e. when the SIP client is on the WAN side)?

The SIP server could do it, if ... it supports the feature. I'd not bet on it though. I prefer my clients always set the WAN IP for the media stream, whether they're behind the NAT (and it's the same LAN as the SIP server or other SIP client) or not. And one of the reasons why I do it - I set it and I forget it... It's especially beneficial for clients that are mobile (can easily change their location - one moment it's on the LAN, the next time it's at a remote location).
--
Keep it simple, it'll become complex by itself...

lifespeed

join:2009-09-08
reply to OZO

said by OZO:

DMM should always work fine, even in case when both your SIP clients are on the same LAN. The only problem that I know of could come from a cheap NAT router, that doesn't support loopback correctly. Any decent router can easily handle connection made to its WAN address and redirect it to local LAN IP.

But this (loopback) would have to be specifically configured by the user, correct? Otherwise a mobile SIP client currently registered on the LAN, for example, that is configured to use the WAN Fully Qualified Domain Name (dynamic IP, so WAN IP use is impractical) would go out on the net, and then loopback to the router, adding 10s of milliseconds of ping, right?
--
Lifespeed