SIP over double NAT headaches

Discussion in 'UK VOIP' started by Theo Markettos, Apr 21, 2010.

  1. I have the following setup:

    192.168.1.*: IP phone (not bought yet, using a laptop for the moment)
    | Local side of consumer router (Huawei B220)
    Linux NAT
    PPP over mobile broadband 3G/HSDPA connection
    10.*.*.*: Mobile network (MTN Sudan)
    Carrier's NAT (might be symmetric NAT)
    | Internet

    I can set up port forwards on the router as much as the crummy router
    software allows (it runs Linux, but installing OpenWRT etc isn't an option
    nor is changing the router). But I'm still stuck with the carrier's NAT.

    Is there any way I can push SIP into working over this setup? For example,
    will STUN work with additional port forwards? One problem is that I can't
    be sure of what the public IP will be to embed into the SIP packets.

    One option is to use UPnP, if the carrier NAT supports that (which I doubt).
    But I suspect the relevant multicast packets won't get that far.

    I've just tried another network (Zain Sudan) which is also using NAT on the
    'Internet' APN. I've seen SIP successfully working on Zain mobile
    broadband, so it must be possible. Perhaps there's an APN that gives a
    global IP, but these sort of details just aren't available (and techsupport
    doesn't exist).

    Or should I give up and use Skype, which works? But wish me luck trying to
    find a Skype hardware phone in Sudan.

    Theo Markettos, Apr 21, 2010
    1. Advertisements

  2. I'd start by turning-off port forwards and trying STUN. With a bit of
    luck it'll discover the final external IP address and let the phone
    know that. Make sure any SIP ALG on the router you have control over
    is turned off too.

    I've had success that way over double NAT, but it is asking a
    lot... biggest issue might be getting the RTP back to the phone.
    (so cue one-way audio issues, etc.)
    I don't think UPnP is designed to go past the first router...
    What about IAX? Single port rather than the multiple that SIP needs. There
    are SIP deskphones (although not many) and soft-phones (Zoiper) avalable.

    You just need a carrier at the far-end who supports it... (Or the ability
    to terminate IAX yourself, and then bridge over to a SIP provider)

    Gordon Henderson, Apr 21, 2010
    1. Advertisements

  3. Trying plain STUN was what my Twinkle/X-lite uses by default, but there's no
    incoming audio on Sipgate's 10000 test number. The call connects and hangs
    up correctly, but the incoming bandwidth to my machine is exactly zero
    (outbound audio at 3.4KB/s looks OK).
    I managed to once get some audio from Sipgate by setting the global IP into
    Twinkle's settings to embed into the SIP packets, but there's no way I can
    reliably determine the global IP on a softphone (where I can't run
    arbitrary scripts). While the current IP looks like it's one of a small
    subnet for the ISP (the DNS address is the same + I can't rely on
    that (and if I change network it's all screwed).
    And a huge other can of worms.
    Hmmm... interesting. I can terminate IAX myself if necessary. The problem
    is going to be sourcing an IAX hardware phone in Sudan... there just isn't
    the choice we enjoy in the UK.

    However one way around is an IAX softphone running on a mobile, which would
    be easier to source. So far the only one I can find is Zoiper Mobile Beta
    for Windows Mobile, but there's very little detail available. I'll start
    another thread.

    Theo Markettos, Apr 21, 2010
  4. Probably the inbound route just not being setup correctly via 2 NAT
    gateways )-:
    Indeed - that is what STUN is supposed to do though - let the phone know
    it's real external IP address - however, I don't think it's perfect.
    There isn't much choice in the UK either - there's ATCOM or ... ATCOM
    by the looks of it....


    Ah, looks like there's another - Citel:
    It's a shame there never was a 'refernce' IAX softphone source code

    However, something is ticking over in the back of my mind - I'll read
    your next post :)

    Gordon Henderson, Apr 21, 2010
  5. Theo Markettos

    Voiptalker Guest

    Voiptalker, Apr 22, 2010
  6. Theo Markettos

    Stephen Guest

    the whole point of NAT is to hide private networks behind 1 or more IP
    addresses and fix things up - so 2 NATs are no more of a problem than
    1, if you get the protocol stuff sorted out.
    What normally causes the problem are traffic streams initiated in the
    outside world trying to find the way back to the NAT'ed device.

    So since you dont have control over 1 NAT, turn off all helper
    features on the one you have got and test with that.

    Once you make something work thru that, it should handle more than 1
    NAT on the way.

    If you need a helper function on your router, you will have problems
    with the carrier gateway.
    1 point - is VoIP even legal in Sudan?

    and even if it is does the carrier block it explicitly?
    Good luck

    Stephen, Apr 22, 2010
  7. Trouble is, the carrier's is symmetric NAT which is more problematic with
    SIP. Other than setting an STUN server (which Twinkle says won't help for
    symmetric NAT, and indeed doesn't) what else can I do on the client side?
    X-lite, which is usually good at traversing NAT, doesn't work either.

    I wonder if it's the symmetric-ness of the carrier's NAT that's the problem,
    rather than double NAT?
    Strangely, the only time I got it to work was messing with the router and
    the settings in Twinkle. But I couldn't make it work for a second time.
    Well, there are plenty of calling shops advertising Net2Phone. And there's
    very little DSL (and what there is is very expensive - GBP250/month for
    2Mbit) so most people use mobile broadband. Of course things may change,
    but there's nowt I can do about that...

    Theo Markettos, Apr 23, 2010
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.