Asterisk behind two NATs (Double NAT)


I just read this column and would like to suggest a simpler solution. I have a couple of similar setups with multiple LAN segments, sometimes with VLANs. They basically share the PBX and the usual groupware stuff like calendars.

I know that OPNsense does exist, but I have never used it. My stuff works with pfSense, where it is now pretty easy to install packages from other repositories. Of course, one needs to be careful when updating the system to keep all packages in sync when the upstream repositories change.

Having said that, why not install Asterisk in the router/firewall right away? No NAT issues, multiple LAN segments as easy as pie, perfect control of packages.

Maybe OPNsense allows something similar.

Your setup is not common and Asterisk can’t know any better; it doesn’t know how routing will end up with the setup you have done. I can only provide information on what exists now; I can’t provide information on how to make it work with your specific setup because no one has ever done so.

Like most internet software, Asterisk was designed to work on THE Internet, not on multiple, disjoint internets.

Given that the Internet’s origins are in battle damage tolerant military systems, there are ways of redundantly connecting to multiple providers, but they require sophisticated providers, offering business services, and significant knowledge on the part of the customer. They are not going to be available on consumer services, or on small business services.

When done, this will be done outside the Asterisk box and would be invisible to it.

Yes, OPNsense allows that, but… it doesn’t really fix the problem, because behind the VPN I have other routers that do NAT too, and the problems start again, now from the OPNsense WAN network…

And with a SIP proxy in each firewall that routes everything to the main Asterisk??

What kind of setup is that?

If your setup is that general and convoluted, another approach could be to use OpenVPN, either as site-to-site tunnels between routers, or as client-to-site tunnels between phones and the PBX, regardless of how many NAT hurdles are in between (provided basic routing works).

Some SIP phones have OpenVPN already on board; some newer Android-based ones might need third-party libs. My experience with Yealink T4x-Series phones was excellent. Your mileage may vary.

I don’t think that you will ever get clean solutions with NAT on both sides with possibly more NAT firewalls in between. You do not only have to worry about the routing and the ports, but also about the timing behavior of the NAT devices. After all, it’s UDP. I may be wrong, but SIP itself does not have the mechanisms VPN solutions have on board to keep everything alive and to reconnect, if necessary.

There might be other reasons to use OpenVPN, as some mobile nets block SIP traffic. Blocking VPN tunnels might not be so easy, but in some countries they are forbidden.

Well, my real network deployment has an OpenVPN for each external VPN (WANs); it’s like this:

---- Mobile Network ------------ OpenVPN ------ FW_1 (NAT) ------
                                                                 | -------- Internal Net --- Asterisk Server
---- External Network 2 -------- OpenVPN -----  FW_2  (NAT) -----

I think that finally I need to put it this way:

---- Mobile Network ------------ OpenVPN ------ FW_1 (NAT) (Siproxyd) ------
                                                                            | -------- Internal Net --- Asterisk Server
---- External Network 2 -------- OpenVPN -----  FW_2  (NAT) (Siproxyd) -----

Now I will (using pjsip) create a user for each external network and for example do this with pjsip_wizard:

type = wizard
accepts_registrations = yes
accepts_auth = yes
has_hint = yes
hint_context = from-inside
hint_application = Dial(${HINT})
endpoint/context = from-inside
endpoint/force_rport=yes    ;It's a good idea to read the configuration help for each
endpoint/direct_media=no    ;of these options.
aor/qualify_frequency = 15
aor/max_contacts = 3

hint_exten = admin
inbound_auth/username = admin
inbound_auth/password = admin

hint_exten = admin
inbound_auth/username = admin.vpn
inbound_auth/password = admin
endpoint/outbound_proxy = sip: ; IP OF FIREWALL SIPROXYD

hint_exten = admin
inbound_auth/username = admin.movile
inbound_auth/password = admin
endpoint/outbound_proxy = sip: ; IP OF FIREWALL SIPROXYD

Is this configuration OK???
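Added example (not part of the thread, and not Asterisk project code): a Python check that parses a pjsip_wizard.conf of the kind posted above and flags guessable SIP credentials, NAT-related endpoint options left off, and a qualify interval too slow to keep a NAT mapping open. The section names, sample credentials, the 12-character password threshold and the 30-second NAT UDP timeout are assumptions; `rtp_symmetric` and `rewrite_contact` are real PJSIP endpoint options that the thread does not mention.

```python
import re

# Constructed pjsip_wizard.conf sample; section names and credentials are hypothetical.
SAMPLE = """\
[user_defaults](!)
type = wizard
endpoint/force_rport = yes   ; inherited by every user below
endpoint/direct_media = no
aor/qualify_frequency = 15
[admin](user_defaults)
inbound_auth/username = admin
inbound_auth/password = admin
[office.vpn](user_defaults)
inbound_auth/username = office.vpn
inbound_auth/password = 7Hq-constructed-Zr29xk
endpoint/rtp_symmetric = yes
endpoint/rewrite_contact = yes
aor/qualify_frequency = 60
"""
# option: (Asterisk default, value wanted when endpoints sit behind NAT)
NAT = {"endpoint/force_rport": ("yes", "yes"), "endpoint/rtp_symmetric": ("no", "yes"),
       "endpoint/rewrite_contact": ("no", "yes"), "endpoint/direct_media": ("yes", "no")}
HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")

def parse(text):  # {section: options}; '(!)' templates are inherited, not returned
    templates, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ';' comments
        m = HEADER.match(line)
        if m:
            parents = [p.strip() for p in (m.group(2) or "").split(",")]
            current = {k: v for p in parents for k, v in templates.get(p, {}).items()}
            (templates if "!" in parents else sections)[m.group(1)] = current
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(sections, nat_udp_timeout=30):  # assumed shortest NAT UDP mapping lifetime (s)
    out = []
    for name, o in sections.items():
        pw = o.get("inbound_auth/password", "")
        if len(pw) < 12 or pw in (name, o.get("inbound_auth/username")):
            out.append((name, "weak-password"))       # heuristic only
        out += [(name, "nat:" + k) for k, (d, want) in NAT.items() if o.get(k, d) != want]
        freq = int(o.get("aor/qualify_frequency", 0))  # Asterisk default 0: no qualify
        if freq == 0 or freq >= nat_udp_timeout:      # mapping may expire first
            out.append((name, "keepalive-too-slow"))
    return out
```

Set `nat_udp_timeout` to the shortest UDP mapping lifetime of any NAT device between the phones and the PBX; with several NATs in series the smallest one governs.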

OpenVPN on the WAN side?

The proxy works, but given your router software, it is not necessary.

So you’re saying that, using OpenVPN in the firewalls without a proxy and with only one user, the Asterisk users can be anywhere behind the NAT and it works??? Of course, as long as there isn’t a second NAT behind that OpenVPN, gg