Brad Templeton
2006-Oct-31 01:26 UTC
[asterisk-users] Asterisk both behind a NAT and outside at the same time
I've read a lot of the descriptions of handling NAT with Asterisk, and the use of both the nat and canreinvite flags. I am very familiar with SIP and NAT but have not seen an answer to the following question.

My Asterisk server runs on a machine with two ethernets. One is an external net, with exposed IP addresses. The other is an internal net with natted IP addresses. Thus the server has two addresses.

The server is _not_ the NAT gateway. That's a linksys box which has its own external IP to gateway traffic from the internal natwork.

The phones are on the internal NATwork. Asterisk talks to them over it. Outside peers, such as SIP termination providers etc. talk to the Asterisk server via its outside address, which is as you would expect.

However, from time to time I get the famous one-way audio because Asterisk has decided to do a native bridge between a natted SIP phone and an external SIP peer. It sends the internal IP of the SIP phone in the SDP and of course the outside service can't send packets to that.

I could just turn off reinvites on the internal phones, but this would cause them to route all traffic through the asterisk box, even on internal calls between phones on the same ethernet, which seems foolish to me. I don't want to turn off reinvites to the external peers -- if a call comes in from a SIP originator for example, and is sent back out to a SIP terminator (call forwarding) I want a native bridge for sure. (Handling the internal traffic is not so much of a burden though sometimes I hear latency because of it, but routing external traffic through the asterisk box is a bad thing.)

So what I want is for Asterisk to use native bridges when connecting two channels behind the NAT, or two channels on the real internet, but not to do so when connecting an internal and external channel.

It should be able to see the IP addresses, and know the difference between natted and external ones and know they can't talk to one another. (The ICE protocol would handle this someday.)

Is IAX smarter about this?

Of course I might even want to get smarter about this. Is it possible, typically by configuring stun in the phones, to have them be aware of their external IP and tell Asterisk about it? With a full cone NAT, it would work to do a native bridge between the internal and external devices so long as the external device is given the right address and port of the NAT box, not the internal address of the phone. However, we don't want to do this on internal to internal calls -- many NATs can't hairpin.

I would think this would be a common situation (though perhaps more commonly the asterisk server IS the firewall/NAT.) Is there a solution that does the right thing most of the time?
Leo Ann Boon
2006-Oct-31 04:40 UTC
[asterisk-users] Asterisk both behind a NAT and outside at the same time
Brad Templeton wrote:
> I've read a lot of the descriptions of handling NAT with Asterisk,
> and the use of both the nat and canreinvite flags. I am very
> familiar with SIP and NAT but have not seen an answer to the following
> question.
>
> My Asterisk server runs on a machine with two ethernets. One is
> an external net, with exposed IP addresses. The other is an internal
> net with natted IP addresses. Thus the server has two addresses.
>
> The server is _not_ the NAT gateway. That's a linksys box which has
> its own external IP to gateway traffic from the internal natwork.
>
> The phones are on the internal NATwork. Asterisk talks to them over
> it. Outside peers, such as SIP termination providers etc. talk
> to the Asterisk server via its outside address, which is as you
> would expect.
>
> However, from time to time I get the famous one-way audio because
> Asterisk has decided to do a native bridge between a natted SIP
> phone and an external SIP peer. It sends the internal IP of
> the SIP phone in the SDP and of course the outside service can't
> send packets to that.
>
> I could just turn off reinvites on the internal phones, but this
> would cause them to route all traffic through the asterisk box,
> even on internal calls between phones on the same ethernet, which
> seems foolish to me. I don't want to turn off reinvites to the
> external peers -- if a call comes in from a SIP originator for example,
> and is sent back out to a SIP terminator (call forwarding) I want
> a native bridge for sure. (Handling the internal traffic is not
> so much of a burden though sometimes I hear latency because of it, but
> routing external traffic through the asterisk box is a bad thing.)
>
> So what I want is for Asterisk to use native bridges when connecting
> two channels behind the NAT, or two channels on the real internet, but
> not to do so when connecting an internal and external channel.
>
> It should be able to see the IP addresses, and know the difference between
> natted and external ones and know they can't talk to one another.
> (The ICE protocol would handle this someday.)

Have you tried setting the externalip and localnet parameters?

Leo
C F
2006-Oct-31 07:13 UTC
[asterisk-users] Asterisk both behind a NAT and outside at the same time
Seems to me that you have a routing problem, asterisk should not know how to send packets to an outside IP using the NATed network. Make sure that the internal (NAT) interface doesn't have a gateway to it.

On 10/31/06, Brad Templeton <brad+aster@templetons.com> wrote:
> I've read a lot of the descriptions of handling NAT with Asterisk,
> and the use of both the nat and canreinvite flags. I am very
> familiar with SIP and NAT but have not seen an answer to the following
> question.
>
> My Asterisk server runs on a machine with two ethernets. One is
> an external net, with exposed IP addresses. The other is an internal
> net with natted IP addresses. Thus the server has two addresses.
>
> The server is _not_ the NAT gateway. That's a linksys box which has
> its own external IP to gateway traffic from the internal natwork.
>
> The phones are on the internal NATwork. Asterisk talks to them over
> it. Outside peers, such as SIP termination providers etc. talk
> to the Asterisk server via its outside address, which is as you
> would expect.
>
> However, from time to time I get the famous one-way audio because
> Asterisk has decided to do a native bridge between a natted SIP
> phone and an external SIP peer. It sends the internal IP of
> the SIP phone in the SDP and of course the outside service can't
> send packets to that.
>
> I could just turn off reinvites on the internal phones, but this
> would cause them to route all traffic through the asterisk box,
> even on internal calls between phones on the same ethernet, which
> seems foolish to me. I don't want to turn off reinvites to the
> external peers -- if a call comes in from a SIP originator for example,
> and is sent back out to a SIP terminator (call forwarding) I want
> a native bridge for sure. (Handling the internal traffic is not
> so much of a burden though sometimes I hear latency because of it, but
> routing external traffic through the asterisk box is a bad thing.)
>
> So what I want is for Asterisk to use native bridges when connecting
> two channels behind the NAT, or two channels on the real internet, but
> not to do so when connecting an internal and external channel.
>
> It should be able to see the IP addresses, and know the difference between
> natted and external ones and know they can't talk to one another.
> (The ICE protocol would handle this someday.)
>
> Is IAX smarter about this?
>
> Of course I might even want to get smarter about this. Is it possible,
> typically by configuring stun in the phones, to have them be aware of their
> external IP and tell Asterisk about it? With a full cone NAT, it would
> work to do a native bridge between the internal and external devices
> so long as the external device is given the right address and port of
> the NAT box, not the internal address of the phone. However, we don't
> want to do this on internal to internal calls -- many NATs can't hairpin.
>
> I would think this would be a common situation (though perhaps more
> commonly the asterisk server IS the firewall/NAT.) Is there a
> solution that does the right thing most of the time?
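
The bridging policy asked for in the first message, together with a check for the SDP symptom it describes, as an added example that is not part of the thread and not Asterisk's own code. The subnet, the sample addresses, the sample SDP and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumed for this example: the subnet behind the NAT box, in the role of a
# "localnet" list. All addresses below are constructed sample values.
LOCALNET = [ipaddress.ip_network("192.168.1.0/24")]

SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.168.1.20
s=call
c=IN IP4 192.168.1.20
t=0 0
m=audio 16384 RTP/AVP 0
"""

def is_internal(addr, localnet=LOCALNET):
    """True when addr lies inside one of the NATed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in localnet)

def may_native_bridge(addr_a, addr_b, localnet=LOCALNET):
    """Allow direct media only when both legs sit on the same side of the NAT."""
    return is_internal(addr_a, localnet) == is_internal(addr_b, localnet)

def sdp_connection_addresses(sdp):
    """Collect the IPv4 addresses on c= lines (session and media level)."""
    found = []
    for line in sdp.splitlines():
        fields = line.strip().split()
        # c=<nettype> <addrtype> <connection-address>
        if len(fields) == 3 and fields[0] == "c=IN" and fields[1] == "IP4":
            found.append(fields[2].split("/")[0])  # drop any multicast TTL suffix
    return found

def unreachable_for(sdp, dest_addr, localnet=LOCALNET):
    """Media addresses in the SDP that an external destination cannot reach."""
    if is_internal(dest_addr, localnet):
        return []
    return [a for a in sdp_connection_addresses(sdp) if is_internal(a, localnet)]

if __name__ == "__main__":
    print(may_native_bridge("192.168.1.20", "192.168.1.21"))   # phone to phone
    print(may_native_bridge("192.168.1.20", "203.0.113.10"))   # phone to provider
    print(unreachable_for(SAMPLE_SDP, "203.0.113.10"))
```

Running `unreachable_for` over a captured INVITE or re-INVITE body headed to an outside peer shows whether an internal media address has leaked into the SDP, which is the one-way audio case described in the thread.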