VoIP - NAT(Firewall)

Last updated: 2015-01-21

Introduction

 

Most conventional VoIP protocols (SIP, H.323, …) were not designed with NAT in mind.

Call signaling (call setup, teardown) ... works

Voice ... does not

=> You can pick up and hang up the call, but there is no audio in one or both directions.

A call uses two separate sessions: SIP for signaling and RTP for the voice packets.

The actual voice packets travel between the two phones directly, without the aid of a VoIP or SIP intermediary device.

 


 


Router Port Forward

 

Internet -- Router --- PBX

  • UDP: 5060               <-- SIP
  • UDP: 5061               <-- SIP with TLS
  • UDP: 10000-11000   <-- RTP ports

 


RTP Port

 

Config file: rtp.conf

; default 10000 - 20000
rtpstart=10000
rtpend=11000

Other settings

; Should UDP packets carry a checksum?
rtpchecksums=no

; strictrtp=yes drops RTP packets that do not come from the source of the RTP stream
; Default: NO !!
strictrtp=no

 


SIP Settings

 

Port: 5060/tcp

Config file: sip.conf

; This is only needed when Asterisk is behind a NAT and trying to communicate with devices outside of the

localnet=192.168.88.0/24

; work with NAT'd remote devices

nat=yes

nat=route

Asterisk sends the audio to the IP address and port it is receiving the audio from, instead of relying on the addresses in the SIP and SDP messages.

This only works if the phone behind NAT sends and receives audio on the same port, and sends and receives the signaling on the same port.

(The signaling port does not have to be the same as the RTP audio port.)

nat=rfc3581

This is the default behaviour: if no nat=… line is found for that user, this is the option used.

Asterisk will add an rport to the Via header of the SIP messages, as described in RFC 3581 (see http://www.faqs.org/rfcs/rfc3581.html).
This allows a client to request that the server send the response back to the source IP address and port where the request came from.
The "rport" parameter is analogous to the "received" parameter in the Via line, except that "rport" contains a port number, not the IP address.

nat=never

This causes Asterisk not to add an "rport" parameter to the Via line of the SIP INVITE header, as introduced in RFC 3581 (see http://www.faqs.org/rfcs/rfc3581.html), because some SIP UAs seem to have problems with it.

(One of those UAs is the Uniden SIP phone UIP200 – Olle E. Johansson.)
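
The rport handling and the "send audio back to where it came from" behaviour described above, as an added Python example (not from the original page and not Asterisk's own code). The INVITE, host name and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: INVITE from a phone behind NAT (private addresses in Via and SDP).
INVITE = (
    "INVITE sip:100@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.88.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.88.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.88.20\r\n"
    "t=0 0\r\n"
    "m=audio 10500 RTP/AVP 0\r\n"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if ip is a private address that is unreachable from the Internet side."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def top_via(msg):
    """Value of the first Via header in a SIP message."""
    return re.search(r"^Via:\s*(.+?)\r?$", msg, re.M).group(1)

def rfc3581_via(via, src_ip, src_port):
    """Server side of RFC 3581: fill in rport and add received from the packet source."""
    if not re.search(r";rport(?=;|$)", via):
        return via  # client did not request rport; header is left alone
    via = re.sub(r";rport(?=;|$)", f";rport={src_port}", via)
    return f"{via};received={src_ip}"

def sdp_audio(msg):
    """(ip, port) the SDP body advertises for audio."""
    ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", msg, re.M).group(1))
    return ip, port

def media_target(msg, rtp_src, trust_sdp):
    """Trust the SDP address, or answer to the observed RTP source (symmetric RTP)."""
    return sdp_audio(msg) if trust_sdp else rtp_src

def accept_rtp(learned_src, pkt_src, strict):
    """strictrtp-style filter: when strict, only the learned stream source is accepted."""
    return not strict or pkt_src == learned_src

if __name__ == "__main__":
    print(rfc3581_via(top_via(INVITE), "203.0.113.7", 31337))
    print(sdp_audio(INVITE), is_rfc1918(sdp_audio(INVITE)[0]))
```

With `trust_sdp=True` the audio would be sent to 192.168.88.20, which is why signaling works while audio fails; with `strict=False` the last function accepts RTP from any source, which is the trade-off of `strictrtp=no`.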

; Required if the server is behind NAT

strictrtp=no

Public IP

; put in outbound SIP messages if we're behind a NAT
externhost=X.X.X.X

;externhost=foo.dyndns.net
;externrefresh=10

 


Keep-Alive

 

Config file: sip.conf

; Asterisk will send a SIP OPTIONS command regularly to check that the device is still online.

; If the device does not answer within the configured (or default: 2s) period (in ms), Asterisk considers the device offline for future calls.

qualify=yes

; How often Asterisk sends a kind of ping message to the remote device (default: 60)

; If the packet is not answered within 1 second, Asterisk keeps trying until 7 packets have failed.

; Unit: seconds
qualifyfreq=10

 

 

