Is this Asterisk configuration possible?

Okay, I am on a Windows machine so I have to run Linux in a VM. What’s worse is that I will not be able to do bridged connections from my VM to guest since my ISP supplies the unique static IPs per customer. That is, every customer has a fixed static IP.

So will this architecture work if I need to communicate with a SIP provider like Flowroute and set up softphones in my VM?

SIP Provider <==>ISP NAT<==>Physical PC with Win 8.1<==>VBox NAT<==>OS running Asterisk

Will these NATs cause a problem? Is it possible to set up Asterisk in this way?

I’m not sure that will work unless you can find a way to make Windows forward all of the SIP/RTP ports to the VM’s IP. If you have a router, the static IP from the ISP would be set to it, and you could port forward to the internal IP of your VM from the router.

Yeah the thing is that I don’t have a router.

Correct me if I am wrong, but I have to port forward only all the incoming connections, right? The outgoing connections don’t need any special treatment, right?

Also, could you please explain to me why NAT is a problem? I mean, anyways I have a dynamic public IP and a static private IP, so NAT is already used in my case. Why won’t it work for VMs?

All the YouTube videos and forum posts that I have read recommend a bridged network, why is that?

Why doesn’t NAT work?

A bridged network essentially makes the VM its own computer on the network without the need for the host OS to manage any services or routing. If you use a NAT, the IP of the host is exposed, but the internal NATted IP of the VM is hidden from the network. Outbound traffic should work fine, but inbound (not response) traffic isn’t able to directly access the NATted IP without the host’s help.

In a bridged configuration, your host, for example (IPv4), could have the IP 10.0.0.2, and your VM could be 10.0.0.3. From the network, you can route traffic to 10.0.0.3. The VM’s kernel modules know where to send that traffic.

In a NAT, the only exposed IP is 10.0.0.2. The VM’s IP could be 192.168.1.2, which is not directly accessible from the network. However, if the traffic is initiated from the VM, it will be tagged with both IPs, and the network and host will know how to route the traffic when it returns. If it’s initiated from the network, it must go to 10.0.0.2, and that host believes that the traffic was meant for it unless you’ve set up some mechanism for forwarding that traffic. This is why I suggested a router.

In the config I would use, the router’s internal IP would be 10.0.0.1 (the IP from the ISP could be anything), the host is 10.0.0.2, and the bridged VM is 10.0.0.3. Within the router, you can say, “send all inbound SIP and RTP traffic to 10.0.0.3”, and the rest to 10.0.0.2 if you had the need to allow any other inbound traffic. This can be done by telling the router which ports to forward to the VM.

Here’s an example from a router…
https://ixquick-proxy.com/do/spg/show_picture.pl?l=english&rais=1&oiu=http%3A%2F%2Fwww.fasttech.co.uk%2Fvoip%2Fportforward.jpg&sp=d5f8e920bcb85f134bfc903aa2967364

I get the fact that outbound traffic will work. But I don’t understand why incoming traffic won’t.

If no incoming can arrive at my VM then how am I able to browse the internet from the VM? I can open up Google or YouTube from behind the VM, just as I would do normally. What’s the difference in this case?

The difference you may point out is that whatever traffic enters the VM is in response to requests I already sent out. Like I am able to see YouTube or Google only after I have made a request for it. YouTube or Google cannot contact me by themselves.

To the above logic I would like to ask, that if computers behind NAT are inaccessible to the outside world, then how will a SIP provider find my host computer even if I don’t have a VM.

I may not have a router but I have a single unique private IP which is NATed to a dynamic/different public IP every time I connect to the internet.

So even if I am not using a VM, how will the SIP provider find me? It’s still the same problem as if I was behind a VM.

So if the situation is more or less the same without the VM, why can’t it work with the VM?

Thanks for replying, and clearing my confusion in advance.

Externally initiated traffic can’t route to a NAT’d address without some kind of helper. From the VM, you are initiating the traffic to Google, so when the response comes back, the network traffic contains the physical address (host) and the NAT’d address (VM). The kernel module knows to route that traffic to the VM.

You said that your ISP provided a static address for your host computer, right? If that’s provided to the SIP provider, it’s a direct shot from the ISP to your physical computer. Did the ISP provide you with a DSL modem or some other hardware that your computer connects to?

Try going to https://www.whatismyip.com/. It will show you how the internet sees you. If your ISP has given you a static IP, that should match what your PC has for the network address. If not, you’re already NAT’d behind something and inbound traffic won’t get to you without something to help route it.

My point is exactly that. I am already NATed behind something. My ISP provides a static private IP which is not visible on the internet.

I was not provided a router so there is no way I can set up port forwarding.

So my conclusion according to your reply is that it does not matter that I am using a VM, inbound traffic will not reach my host computer itself, right? (I mean even if I was running Asterisk on my host OS without a VM I still would have no inbound traffic from my SIP provider, right?)

Any way I can route inbound traffic with buying a new router?

Then the ISP is handling the NAT in their router. What does your computer plug in to for internet access? I’m sorry, but I think I’m missing something here. When you use whatismyip.com, does it match the IP of your host computer? There are some things you can do if you’re using the host computer, but I can’t think of any way to do it if it’s double-NAT’d to a VM.

http://www.voip-info.org/wiki/view/Asterisk+SIP+NAT+solutions

This is from the Asterisk Definitive Guide:

SIP and NAT
Probably the biggest technical hurdle SIP has to conquer is the challenge of carrying
out transactions across a NAT layer. Because SIP encapsulates addressing information
in its data frames, and NAT happens at a lower network layer, the addressing information
is not automatically modified, and thus the media streams will not have the correct
addressing information needed to complete the connection when NAT is in place. In
addition to this, the firewalls normally integrated with NAT will not consider the incoming
media stream to be part of the SIP transaction and will block the connection.
Newer firewalls and session border controllers (SBCs) are SIP-aware, but this is still
considered a shortcoming in this protocol, and it causes no end of trouble to network
professionals needing to connect SIP endpoints using existing network infrastructure.
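
The quoted passage says SIP carries addresses inside its own payload that NAT never rewrites. The following Python is an added example (not from the thread or the book) that parses a constructed INVITE and lists every embedded address the provider could not reach; the function names, `sip.provider.example` and the public address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress
import re

# Not routable from the provider's side: RFC 1918 private ranges plus RFC 6598 carrier NAT.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Where each header carries a literal IPv4 address (and optional port).
HEADER_PATTERNS = {
    "via": re.compile(r"SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?"),
    "contact": re.compile(r"sips?:(?:[^@>]+@)?([\d.]+)(?::(\d+))?"),
}

# Constructed, abbreviated INVITE as the NAT'd VM (192.168.1.2 in the thread) would send it.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:15550100@sip.provider.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK74bf9;rport",
    "Contact: <sip:alice@192.168.1.2:5060>",
    "",
    "v=0",
    "c=IN IP4 192.168.1.2",
    "m=audio 14000 RTP/AVP 0",
])

def embedded_addresses(message):
    """Return (where, ip, port) for every address carried inside the SIP/SDP payload."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        match = HEADER_PATTERNS[name].search(value) if name in HEADER_PATTERNS else None
        if match:
            found.append((name, match.group(1), int(match.group(2) or 5060)))
    conn = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M)   # where RTP should be sent
    media = re.search(r"^m=audio (\d+) ", body, re.M)     # RTP port
    if conn and media:
        found.append(("sdp-media", conn.group(1), int(media.group(1))))
    return found

def nat_mismatches(message, observed_ip):
    """Embedded addresses the provider cannot use: unroutable, or not the packet's real source."""
    report = []
    for where, ip, port in embedded_addresses(message):
        unroutable = any(ipaddress.ip_address(ip) in net for net in UNROUTABLE)
        if unroutable or ip != observed_ip:
            report.append((where, f"{ip}:{port}", "unroutable" if unroutable else "mismatch"))
    return report
```

Calling `nat_mismatches(SAMPLE_INVITE, "203.0.113.7")` flags the Via, the Contact and the SDP media address: signalling replies and the RTP stream would all be aimed at 192.168.1.2, which exists only behind the NAT.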

Are there any virtual PBX servers (cloud PBX servers) out there that have the same ability as Asterisk?

The ability that I am most interested in is setting the caller id like I can do in Asterisk.

I guess I have to let go of setting up Asterisk on my system, since there are too many problems to take care of.

Sorry, I don’t deal with any cloud services. I would be willing to guess that there are several.