SIP with masquerading

ste · November 27, 2006, 8:34am

Hi,

we’ve seen Problems behind a MT in masqerading mode with sip.
The x-sip-lite client behind the MT can call and the called person
can hear the caller but the caller can not hear the called person.

Seems the NAT detection and STUN of X-Lite and MT Masquerading
do not cooperate. Using and configuring X-Tunnel manually works.
But I think it should work with STUN alone (that’s the purpose of STUN).

Skype works out of the box.

Firewall is very simple.
Some rules in the input chain for blocking access to the MT and:

[admin@xx] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=wlan1 action=masquerade

Any ideas?

Stefan

sergejs · November 27, 2006, 8:44am

Stefan, there might be some problems for SIP over NAT. SIP traversal helper is implemented in RouterOS3. SIP should over NAT on RouterOS3.

You can use Full NAT feauture to map public IP address to local one, configuration example is shown in the wiki,
http://wiki.mikrotik.com/wiki/How_to_link_Public_addresses_to_Local_ones

Additional information about SIP and different NAT scenarios,
http://www.voip-info.org/wiki-Asterisk+SIP+NAT+solutions

ste · November 27, 2006, 9:14am

Sergejs,

So it’s no solution for the moment until ROS 3 leaves Beta State.

For this scenario the customer behind the MT has to tell me what
IP is used by an IP-Telephone and I have to assign an additional
official IP for each telephone.
Hmm. No good way.

Any Idea why STUN is not working. STUN shouldn’t need a
helper application. Maybe I have to change settings to make
it work?

Xten reports it has found a Nat of type: “Port Restricted Cone”

http://www.voip-info.org/wiki/view/STUN

Stefan

JJCinAZ · November 28, 2006, 2:27pm

Sip behind masq nat to an asterisk server from xlite works fine. You need to ensure that you have nat=yes and qualify=yes in you sip.conf on the asterisk server. This way, asterisk will ignore the ip/port in the sip msg and will use the ip/port from which the sip msg originated. You do need the asterisk server to not be behind masq nat.

nickb · November 29, 2006, 12:30am

Sip behind masq nat to an asterisk server from xlite works fine. You need to ensure that you have nat=yes and qualify=yes in you sip.conf on the asterisk server. This way, asterisk will ignore the ip/port in the sip msg and will use the ip/port from which the sip msg originated. You do need the asterisk server to not be behind masq nat.

Doing it this way should be fine. The key is that you can only have ONE end of the SIP pair behind NAT! Typically, the phone end will need to be behind NAT, so you need to make sure that your Asterisk (or other SIP server) has a non-NAT ip address. Not 1-1 NAT or anything fancy like that. It can NOT be natted, period.

eugenevdm · May 8, 2007, 9:39pm

All these complexities of SIP are solved in version 3.