STUN compatible NAT devices/routers

I am fighting with a STUN setup over 2 different networks. I have 2 VoIP phones, each in its own network behind NAT, connected to Asterisk in the cloud with p2p connectivity for RTP. All phones are registering to the Asterisk server. The STUN server is working, e.g. I have public IP addresses in the SDP header. You can make calls between network A and B, but the RTP stream is not passing. What I have concluded for now is that the NAT router is not allowing such traffic to pass. In theory, STUN works out of the box if everything is set up correctly. Do you know what is needed in the NAT device configuration to allow such traffic to pass? For example, do you need to open the RTP ports on the NAT device, e.g. 10000-60000, so that RTP passes, or will a router which supports STUN allow it automatically? If the VoIP phone sees the NAT as symmetric, which is not good for STUN to work, can you force the router to accept such traffic or change the NAT type on the router device? I am using two different 4G routers, one from MikroTik and one from D-Link, for this setup to work.

What do you mean by “p2p”? Are you trying to set up direct media between the phones? If yes, I doubt that this will work without port forwarding of the SDP ports on your router.

Maybe you also want to show the pjsip.conf of your Asterisk.

Yes, I am using direct media between the phones with STUN support. Asterisk is using native RTP and says direct media is going p2p. But I still have silence. RTP is only going out from each VoIP phone but not in. I think there is a problem with the router config. Can you describe in words what is needed in the router config for RTP to flow in and out?

More detail is required on network topology. E.g. in a typical case where STUN would be used, with direct media, the routers will not be involved in the optimised media path, so we need to fully understand the intended media path and locations of firewalls and NAT processing.

I have two VoIP phones. Each is connected to a 4G router directly. Each 4G router has mobile internet on it. The idea is to have p2p communication between the VoIP phones. Each phone is behind standard NAT for Internet access and has some firewall rules, like an opened port 5060 for the Asterisk server in the cloud, port 3478 for STUN and an opened range for the RTP stream like 10000-60000. All communication is over UDP. The STUN server used is one from a public Internet list and is configured on each VoIP phone. I am trying to use the UDP hole punching mechanism for RTP to pass in. The problem is that this setup is not working. The STUN server gives a public IP address and I see the STUN IP address and port in the SDP part. RTP is only going out from each VoIP phone but never comes in. I think the problem is in the router config. I am trying to force the router to have Full Cone NAT for this setup to work. What I see in some situations is that the STUN IP address differs from the router's public IP address, which is strange and could be the cause of the problem. Why is this happening? Any ideas how to properly configure the router, or what is causing this setup not to work?

Have I got this correct:

Phone - private network - NAT router - 4G mobile data - CGNAT - public internet.

I can’t see a 4G network not using aggressive CGNAT, which means you have multiple levels of NAT, some of which you can’t control. Any router requirements will apply to the mobile operator’s CGNAT router.
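The two conditions raised in this thread, a STUN-reported address that differs from the router's WAN address and a NAT that behaves as symmetric, can be checked by parsing the STUN Binding responses directly. The following is an added example, not code from any poster: it decodes the RFC 5389 XOR-MAPPED-ADDRESS attribute and compares the mappings seen by two STUN servers from the same local socket. The function names, the sample addresses and the constructed responses are assumptions for illustration.

```python
import ipaddress
import struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)
# Ranges that are never the real public address: CGNAT shared space (RFC 6598) and RFC 1918
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("100.64.0.0/10", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_response(ip, port, txid=b"\x01" * 12):
    """Constructed Binding Success Response carrying one XOR-MAPPED-ADDRESS (IPv4)."""
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 0x01, port ^ (MAGIC >> 16), xaddr)
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC) + txid + attr

def mapped_address(msg):
    """Return (ip, port) from XOR-MAPPED-ADDRESS in a Binding Success Response."""
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != 0x0101 or cookie != MAGIC or len(msg) < 20 + length:
        raise ValueError("not a STUN Binding Success Response")
    pos = 20  # attributes start after the 20-byte header
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        val = msg[pos + 4:pos + 4 + alen]
        if atype == 0x0020 and alen >= 8 and val[1] == 0x01:  # IPv4 family only
            xport, xaddr = struct.unpack("!HI", val[2:8])
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC)), xport ^ (MAGIC >> 16)
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def diagnose(router_wan_ip, resp_a, resp_b):
    """resp_a and resp_b come from two different STUN servers, same local socket."""
    addr_a, addr_b = mapped_address(resp_a), mapped_address(resp_b)
    wan = ipaddress.ip_address(router_wan_ip)
    findings = []
    if any(wan in net for net in NON_PUBLIC) or str(wan) != addr_a[0]:
        findings.append("extra NAT layer upstream of the router (e.g. CGNAT)")
    if addr_a != addr_b:
        findings.append("mapping depends on destination (symmetric NAT)")
    return findings or ["endpoint-independent mapping, no upstream NAT seen"]

if __name__ == "__main__":
    # Constructed case: router WAN address is in CGNAT space, STUN sees another address
    r = build_response("198.51.100.7", 40000)
    print(diagnose("100.70.1.2", r, r))
```

Endpoint-independent mapping is necessary for UDP hole punching but not sufficient, since the NAT's inbound filtering behaviour also decides whether the peer's RTP is accepted.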

It could be that CGNAT is affecting the p2p RTP stream. What are my options then to make this setup work? I want to test STUN with VoIP phones over 2 different networks.

The only solution I see is to use a VPN. Snom & Grandstream phones are able to mount a VPN (OpenVPN).


Daniel

They want direct media.

I will opt out of CGNAT. I think this is the easiest solution.

I have one 4G router out of CGNAT. For the other 4G router I am still waiting for the mobile operator's response. I tried to connect both phones to the same 4G router. The router is a MikroTik. Does anybody know how to properly set up NAT hairpin rules for MikroTik?