12 years and still NAT issues

It is hard to believe - I’ve been messing with Asterisk for over 12 years, yet no one seems to have come up with a comprehensive solution to address double NAT issues and client transition between LAN and a public network. Even worse, thanks to far-from-reality deskjockeys like the IETF, the SIP protocol, which is the main reason for those NAT issues, has become the most widespread protocol, and promising alternatives like IAX vanished into meaninglessness… And instead of actually making progress, nothing has been done other than carpentering crutches for SIP, which also ran into problems and then needed crutches for the crutches…

But enough ranting…

Here is my issue:

I have an asterisk in a private network behind a firewall. Only one public IP is available.

Internet — Firewall — LAN — Asterisk

The challenge is to have mobile clients transitioning seamlessly between the LAN and external networks, e.g. a wifi in a café. This would probably result in something like that:

Wifi — Router — Internet — Firewall — LAN — Asterisk

Now, I can make the clients work from external networks. With some trickery even through double NAT (at least in some cases, depending on how smart the router in the public wifi is).
And - of course - I can make the clients work in the LAN.
But I haven’t managed to let them transition without user interaction.

One of my main problems here is the pesty STUN which makes the client think it’s in an external network when it’s actually in the LAN, which leads to one-way audio issues. I tried with CSIPSimple and with Zoiper and both show the same results. If STUN is activated, LAN means audio issues.

Does anybody happen to have a solution for these kinds of problems?
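A diagnostic for the failure described in the post above, as an added example that is not part of the thread: it compares the address a SIP request arrived from with the media address in its SDP `c=` line and flags a LAN client that advertises a public, STUN-learned address. The LAN ranges, the `pbx.example` host and the sample INVITEs are constructed assumptions.

```python
import ipaddress

# Assumed LAN ranges (RFC 1918). Listed explicitly because ipaddress.is_private
# also matches documentation ranges such as 203.0.113.0/24 used below.
LOCALNETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_localnet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCALNETS)

def sdp_media_addresses(sip_message):
    """Return the IPv4 addresses of all SDP c= lines in the message body."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    # Line format: c=IN IP4 <connection-address>
    return [line.split()[2].split("/")[0]
            for line in body.splitlines() if line.startswith("c=IN IP4 ")]

def classify(packet_src, sip_message):
    """Compare where the request came from with where it asks for RTP."""
    addrs = sdp_media_addresses(sip_message)
    if not addrs:
        return "no-sdp"
    src_local = in_localnet(packet_src)
    sdp_local = all(in_localnet(a) for a in addrs)
    if src_local and not sdp_local:
        return "lan-client-advertises-public"    # STUN active while on the LAN
    if not src_local and sdp_local:
        return "external-client-advertises-private"  # NAT without STUN
    return "consistent"

def make_invite(media_addr):
    """Constructed, minimal INVITE; only the SDP c= line matters here."""
    sdp = ["v=0", f"o=- 1 1 IN IP4 {media_addr}", "s=-",
           f"c=IN IP4 {media_addr}", "t=0 0", "m=audio 4000 RTP/AVP 0"]
    head = ["INVITE sip:100@pbx.example SIP/2.0",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    # (packet source seen by the PBX, media address the client put in its SDP)
    for src, media in [("192.168.1.50", "192.168.1.50"),
                       ("192.168.1.50", "203.0.113.7"),
                       ("198.51.100.9", "10.0.0.23")]:
        print(src, media, classify(src, make_invite(media)))
```

Run over a capture taken on the Asterisk host, the `lan-client-advertises-public` result marks the calls where the client's RTP target is outside the LAN even though the client itself is inside it.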

That’s a bummer. I hope that this issue gets a resolution.

Just spend some money for a public IP on which you will run Asterisk. If you don’t have many clients/locations spend some money on a good router and use VPN.

NAT does not have any place in VoIP systems. No one has good support for it. Change your topology and you will see that Asterisk is working just fine :wink:

You didn’t read my text at all or my signature, did you?
I’m talking about mobile clients and seamless transition between LAN and external networks.
Seamless transition isn’t possible with VPN because the VPN needs to be activated by hand.
Besides, if “just getting a public IP” for the server would be an option, I would have done that instead of posting here.
And about NAT “having no place in any VoIP system”… Until we globally have v6, there will always be NAT involved - which wouldn’t be a problem if protocols like IAX2 would be standard instead of SIP…

Dude, you are running an Asterisk server behind NAT and want to access it from mobile networks, not me. Get yourself a public IP and solve one part of the problem.

The second part of the problem might be the mobile network itself. You might get issues with initiating Asterisk -> Client SIP traffic. Incoming requests are usually blocked on mobile networks. Some providers even block SIP traffic altogether.
VPN solves this. PPTP is integrated in any iOS and Android device I have seen so far. I know, it’s not secure, but it’s widely implemented and will do the job you need - provide a clear channel to your Asterisk box. But it does need two clicks to enable before you start dialing.

One more problem with mobile networks. VoIP will work on 3G network with low load. On 2G networks and 3G networks with big load on the base station you can expect issues with RTP traffic.

Dude, I’ve been doing Asterisk for over 12 years now, IT and Security way longer. I usually know what I’m doing…

  1. I wrote, additional public IPs are not an option.
  2. SIP is not blocked on mobile networks in Finland.
  3. I wrote that the focus here is on the seamlessness of the transition.
  4. PPTP is not “insecure”, it’s obsolete and nobody who has a minimum of actual IT-/Security experience would even think of bothering to suggest that. Besides, client availability is not the issue.

I’m looking for out-of-the-box ideas from experienced tech-guys, not some nonsense from somebody who doesn’t bother to read or understand…

Well, you are really sucking the fun out of helping out members in the Asterisk community. Your attitude is probably also the main reason why you are getting so many replies from other forum members.

I have read your post and I know what you are trying to do. And I am trying to explain to you why you can’t do this without a public IP. I have done this in multiple posts. But you don’t want to listen. It looks like you are just too smart and experienced to even consider my advice.

This is my final post in this topic. I wish you all the best in your project.

Dejanst, don’t feed the troll. Usually the “self-claimed-tech-advanced” guys are the same: too many words and no action. Just don’t go deeper in his game.

You know, and I hope he knows, that NAT issues are part of the design of the SIP protocol, not Asterisk, and there are alternatives like STUN or TURN servers and SIP proxies like OpenSIPS and Kamailio to mitigate that.