On Mon, 05 Dec 2005 00:43:19 +0200, Jan Henkins wrote
Interesting! In my particular case, it's a Netgear ADSL router running a version of uCLinux or something similar. The Netgear firmware is apparently available for download (minus some proprietary WWW frontend and related stuff) in order to comply with the GPLv2, but I haven't taken the time to do this in order to check which Netfilter modules are being used by the particular 2.4.x kernel. In any case, I'm not particularly good at C, so it wouldn't do me any good anyway. However, in my experience the "statefulness" of a Linux Netfilter-based gateway should be sufficient to be able to handle a situation like this transparently, unless there is still something fundamental that I'm missing.
Be that as it may, the simple question still remains: is it possible to handle more than one UA behind a single NAT gateway with a single SER setup on the outside of the NAT gateway (RFC 1918 address space inside, normal routable IP outside)? Alternatively, would it be best to have an inside SER that simply forwards all SIP traffic to the outside SER?
If the gateway has no issues with hairpinning, then yes, it's quite possible. I use a Linksys gateway at home and a slightly older, pre-sip-proxy version of Astaro Linux firewall at work, and we have multiple UAs behind each in the NAT space of our firewall. They can call each other. They can call outside. All based off registrations with a SER server on the outside of the network.
Netgear specifically has some serious issues both with hairpinning and with just plain ol' SIP. Netgear makes some mighty unfriendly gateways. :)
If you can't do it, though, it makes sense to set up some sort of proxy on the inside of the NAT that all the UAs register with, and have it pass things back and forth... forwarding the necessary data from outside to the server on the inside using port-forwarding rules. For some of our customers, we've recommended Asterisk setups inside their NAT, just to make the passing of RTP packets more rational. You don't have to worry about individual client UA RTP settings, you can just worry about forwarding the RTP ports to Asterisk, and then inside the NAT do anything you wish. Since SER doesn't manage RTP, using just SER becomes problematic if your UAs are not homogeneous.
N.