Normal Topic Traversing NAT problem (Read 661 times)
a.y
YaBB Newbies
*
Offline


Phoner is great!

Posts: 4
Joined: 07. Oct 2021
Traversing NAT problem
07. Oct 2021 at 22:33
I'm experiencing difficulties setting up NAT traversal in a case where the softphone with a local IP is behind a router and the PBX is on the Internet. I'm using TLS for signaling and SRTP for media.

I set up a STUN server in the client so Asterisk receives the correct client external IP and external port (a random port chosen by the router's NAT mechanism, like 56789) in the Contact field in the REGISTER phase. And then successfully send an INVITE and initiate a call.

But after registering, while getting an incoming call, PhonerLite responds in its RINGING, INVITE, OK etc. SIP messages still with the right external IP (which it got from the STUN server), but with the wrong port (with its local 5061 and not the external 56789 NAT port).
And after all that, the SIP messages PBX is trying to send to softphone are sent to external_IP:5061 port. Which cannot traverse NAT and reach PhonerLite for obvious reasons.

Note 1: I cannot rely on UPnP NAT in this case because I'm not in control of choosing the routing hardware.
Note 2: I cannot port forward external packages to a softphone PC port 5061 because there is not only one, but several phones in the LAN, which are also constantly changing.

So the question is: why does PhonerLite, knowing that it is behind NAT, still send its local port in the Contact field in SIP messages to the PBX? Why is it not reusing the existing connection? And is there any workaround to make it work?

Just checked with a few other softphone solutions, where I don't happen to face this behaviour.

Thanks in advance. Phoner is great!
  
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 10620
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Traversing NAT problem
Reply #1 - 08. Oct 2021 at 11:57
You said that you are using TLS - that is a TCP-based protocol. When PhonerLite initiates a TCP/TLS connection, a so-called ephemeral port is used - that is NOT the port incoming TCP/TLS connections can connect to. Normally all SIP messages use the same established TCP/TLS connection.

In PhonerLite at configuration/network you can right click in that connection type selection field. There is an option called "TCP/TLS: alias". You may enable that.

But I don't really understand what your problem is. What exactly is not working with PhonerLite?
  
a.y
Re: Traversing NAT problem
Reply #2 - 08. Oct 2021 at 16:17
Phoner Admin wrote on 08. Oct 2021 at 11:57:
But I don't really understand what your problem is. What exactly is not working with PhonerLite?

Long story short: after Phonerlite advertises its local port in the Contact field, the communication with the PBX becomes totally one-sided (broken).

Here is an example of what's going on (at least how I see it):

Phonerlite has local IP:port (TLS, for incoming connections): 192.168.0.1:5061
PBX IP:port: 1.2.3.4:5061
Phonerlite's login and extension is 90000

Phonerlite sends register request to PBX, trying to open a TLS session.

For that it uses a random local outbound port, say 192.168.0.1:56789

While Phonerlite goes through NAT, in the outbound TCP packets the router replaces Phoner's local ip:port with its external IP and other random port, for example 100.100.100.100:60000. This external ip:port pair Phonerlite sends in the Contact field in the registration phase to the PBX.

Here is a part of Phoner's REGISTER message (taken from the debug log):

REGISTER sip:1.2.3.4 SIP/2.0
Via: SIP/2.0/TLS 100.100.100.100:60000;rport
Contact: <sip:90000@100.100.100.100:60000;transport=tls> 



As we can see, Phonerlite correctly determined the external IP and port (100.100.100.100:60000) of the router and uses them in the Contact field.
-------------------------------------------

PBX responds with register success:

SIP/2.0 200 OK
Via: SIP/2.0/TLS 100.100.100.100:60000;rport=60000
Contact: <sip:90000@100.100.100.100:60000;transport=tls> 



Because the server sends packets to 100.100.100.100:60000, the router with NAT correctly redirects such packets to the correct destination (Phonerlite local port 192.168.0.1:56789).
-------------------------------------------

After a while PBX initiates an incoming call:

INVITE sip:90000@100.100.100.100:60000;transport=tls SIP/2.0
Via: SIP/2.0/TLS 1.2.3.4:5061;rport;
Contact: <sip:asterisk@1.2.3.4:5061;transport=TLS> 



To this point everything is going fine.
-------------------------------------------

Phonerlite indicates to PBX the phone is ringing:

SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 1.2.3.4:5061;rport=5061;
Contact: <sip:90000@100.100.100.100:5061;transport=tls> 



Now Phonerlite tells PBX: "Send me packets to 100.100.100.100:5061" (despite knowing that it is behind NAT!). So sending packets to 100.100.100.100:5061 is pointless.
-------------------------------------------

Beyond that point Phonerlite is not able to receive any SIP messages from the PBX at all, at least till the next call or re-registration, because the PBX starts to send them to 100.100.100.100:5061 (that connection from the PBX perspective stays in the SYN_SENT state because the router drops the packets without any warning, so a TCP session couldn't be established).

And the router simply drops all packets to that port because 5061 was not involved in any previous NAT-related communications. So port 5061 is not associated with any local IP address behind NAT.
And after the other side hangs up, Phonerlite never receives a BYE message from PBX and the call is indicated ongoing forever.

So why does Phonerlite advertise "Contact: <sip:90000@100.100.100.100:5061;transport=tls>" in such a case instead of continuing to advertise its port in an already established TLS session (100.100.100.100:60000), knowing that 100.100.100.100:5061 is a dead end? If it had kept sticking with 100.100.100.100:56789 (reused the already established session) to the very end, all the PBX packets would have reached the destination.
« Last Edit: 08. Oct 2021 at 19:41 by a.y »  
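
The mismatch described in this post can be checked mechanically from a SIP trace. The following is an added example, not part of the original thread and not PhonerLite or Asterisk code: it records each user's Contact binding from REGISTER and flags later messages from that user whose Contact host:port differs. The function names are hypothetical; the trace is the four excerpts quoted above.

```python
import re

# The four SIP excerpts quoted in the post above, in order.
TRACE = [
    "REGISTER sip:1.2.3.4 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 100.100.100.100:60000;rport\r\n"
    "Contact: <sip:90000@100.100.100.100:60000;transport=tls>\r\n",
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TLS 100.100.100.100:60000;rport=60000\r\n"
    "Contact: <sip:90000@100.100.100.100:60000;transport=tls>\r\n",
    "INVITE sip:90000@100.100.100.100:60000;transport=tls SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 1.2.3.4:5061;rport;\r\n"
    "Contact: <sip:asterisk@1.2.3.4:5061;transport=TLS>\r\n",
    "SIP/2.0 180 Ringing\r\n"
    "Via: SIP/2.0/TLS 1.2.3.4:5061;rport=5061;\r\n"
    "Contact: <sip:90000@100.100.100.100:5061;transport=tls>\r\n",
]

CONTACT_RE = re.compile(
    r"^Contact:\s*<sips?:(?:([^@>;]+)@)?([^:;>]+)(?::(\d+))?", re.I | re.M)

def contact_of(msg):
    """Return (user, host, port) from the first Contact header, or None."""
    m = CONTACT_RE.search(msg)
    if m is None:
        return None
    user, host, port = m.groups()
    return user, host, int(port) if port else 5061  # 5061: SIP-over-TLS default

def stale_contacts(trace):
    """Flag messages whose Contact differs from the user's REGISTER binding."""
    bindings, findings = {}, []
    for msg in trace:
        contact = contact_of(msg)
        if contact is None:
            continue
        user, host, port = contact
        first_line = msg.splitlines()[0]
        if first_line.startswith("REGISTER "):
            bindings[user] = (host, port)  # address the NAT mapping exists for
        elif user in bindings and bindings[user] != (host, port):
            findings.append((first_line, (host, port), bindings[user]))
    return findings

if __name__ == "__main__":
    for line, advertised, registered in stale_contacts(TRACE):
        print(f"{line}: Contact {advertised} != registered {registered}")
```

On this trace only the 180 Ringing is flagged; the INVITE's Contact belongs to the PBX and is not compared.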
a.y
Re: Traversing NAT problem
Reply #3 - 08. Oct 2021 at 17:23
Phoner Admin wrote on 08. Oct 2021 at 11:57:
In PhonerLite at configuration/network you can right click in that connection type selection field. There is an option called "TCP/TLS: alias". You may enable that.

It seems that with this option enabled, Phonerlite sticks to its local port in the Contact field right from the start, so it becomes even worse: we cannot even get an INVITE now, and an incoming call request cannot pass through NAT.
  
Phoner Admin
Re: Traversing NAT problem
Reply #4 - 11. Oct 2021 at 11:54
I have uploaded a new beta version of PhonerLite. Can you please try if that version solves your problem?
  
a.y
Re: Traversing NAT problem
Reply #5 - 11. Oct 2021 at 12:08
It would take some time to make more thorough tests, but at first glance the problem is solved!
  
Phoner Admin
Re: Traversing NAT problem
Reply #6 - 11. Oct 2021 at 12:13
Thanks for the feedback.
  