--- On Mon, 6/9/08, Pezhman Lali pezhman_lali@yahoo.com wrote:
From: Pezhman Lali pezhman_lali@yahoo.com
Subject: stun
To: pezhman.lali@gmail.com
Date: Monday, June 9, 2008, 6:02 PM

Dear, does setting the IP of the STUN server in the SIP phones, behind the symmetric NAT, make the problem? My experience with stund 0.96 said yes. The STUN server can detect the type of NATs properly, but the SIP phones behind the un-symmetric NAT cannot register, or one-way calling.
????
Hi Pezhman,
If I'm not wrong STUN cannot cross symmetric nats - it is one of its limitations.
Regards, Bogdan
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Hi All
I had a lot of problems with STUN and symmetric NAT. The thing is that it does not always work with symmetric NAT. That would be mostly routers based on Linux IPTABLES.
-----Original Message-----
From: users-bounces@lists.openser.org [mailto:users-bounces@lists.openser.org] On Behalf Of Bogdan-Andrei Iancu
Sent: Tuesday, June 10, 2008 11:42 AM
To: pezhman_lali@yahoo.com
Cc: users@lists.openser.org
Subject: Re: [OpenSER-Users] stun
Hi Pezhman,
If I'm not wrong STUN cannot cross symmetric nats - it is one of its limitations.
Regards, Bogdan
On Tuesday 10 June 2008 10:44:51 Ali Jawad wrote:
Hi All
I had a lot of problems with STUN and symmetric NAT. The thing is that it does not always work with symmetric NAT. That would be mostly routers based on Linux IPTABLES.
STUN **CANNOT** work with symmetric NAT. The NAT router maps the internal port with a different public port *depending* on the destination IP:port, so STUN can't work.
Stun can work even behind symmetric NAT if the stun server was running on the same socket the SIP server is running... I hope this feature will come soon!
I can help with this.
Also, SIP doesn't need to use STUN to work: you can discover your IP address and port very easily by looking at the REGISTER answer or OPTIONS answer, which contains the "received" and "rport" parameters.
Of course, symmetric NATs are a nightmare for RTP, but not for SIP...
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
On Tue, 10 Jun 2008, Iñaki Baz Castillo wrote:
On Tuesday 10 June 2008 10:44:51 Ali Jawad wrote:
Hi All
I had a lot of problems with STUN and symmetric NAT. The thing is that it does not always work with symmetric NAT. That would be mostly routers based on Linux IPTABLES.
STUN **CANNOT** work with symmetric NAT. The NAT router maps the internal port with a different public port *depending* on the destination IP:port, so STUN can't work.
-- Iñaki Baz Castillo ibc@in.ilimit.es
On Tuesday 10 June 2008 13:59:42 Aymeric Moizard wrote:
Stun can work even behind symmetric NAT if the stun server was running on the same socket the SIP server is running... I hope this feature will come soon!
Sure? AFAIK a symmetric NAT not only depends on the destination IP but also on the port. So unless you have a STUN server listening in all the ports available for RTP proxying you don't know if STUN will work.
Also, clients implementing STUN will refuse using STUN if they discover they are behind symmetric NAT. The STUN server needs 2 public IP's so probably each one will see a different public source port from the NAT router. In this case STUN will report "Symmetric NAT" so the client will not trust it.
For example Twinkle or Ekiga don't use STUN if STUN discovers they are behind symmetric NAT.
Maybe I'm forgetting something? :)
On Tue, 10 Jun 2008, Iñaki Baz Castillo wrote:
On Tuesday 10 June 2008 13:59:42 Aymeric Moizard wrote:
Stun can work even behind symmetric NAT if the stun server was running on the same socket the SIP server is running... I hope this feature will come soon!
Sure? AFAIK a symmetric NAT not only depends on the destination IP but also on the port. So unless you have a STUN server listening in all the ports available for RTP proxying you don't know if STUN will work.
Right. 1-> I'm talking about SIP and contact management. (not about RTP). In this case, the STUN server must be on the same socket as the SIP server. This is planned in 'outbound' draft from ietf.
2-> As you said, for RTP there is no working easy solution. Only ICE and TURN can help.
Also, clients implementing STUN will refuse using STUN if they discover they are behind symmetric NAT. The STUN server needs 2 public IP's so probably each one will see a different public source port from the NAT router. In this case STUN will report "Symmetric NAT" so the client will not trust it.
For example Twinkle or Ekiga don't use STUN if STUN discovers they are behind symmetric NAT.
There is no such standard: maybe they are doing it this way, but I don't...
Maybe I'm forgetting something? :)
I don't think you are! Except this:
It is not possible to know whether a NAT will always behave as you have detected. For example, short testing usually shows that basic iptables is port restricted cone nat while it turns into a symmetric 50% of the time...
STUN is only a protocol to help: my *own* opinion is that it's not because you detect a full cone nat that it will behave as a full cone nat for the voip call...
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
-- Iñaki Baz Castillo ibc@in.ilimit.es
On 10 Jun 2008 at 18:02, Aymeric Moizard wrote:
On Tue, 10 Jun 2008, Iñaki Baz Castillo wrote:
On Tuesday 10 June 2008 13:59:42 Aymeric Moizard wrote:
Stun can work even behind symmetric NAT if the stun server was running on the same socket the SIP server is running... I hope this feature will come soon!
Sure? AFAIK a symmetric NAT not only depends on the destination IP but also on the port. So unless you have a STUN server listening in all the ports available for RTP proxying you don't know if STUN will work.
Right. 1-> I'm talking about SIP and contact management. (not about RTP). In this case, the STUN server must be on the same socket as the SIP server. This is planned in 'outbound' draft from ietf.
Yes, that is something I need to fix in that "other b2bua" as well... I haven't seen this being used much, but have seen that I can enable it in Eyebeam. Going to try now. If I get disconnected from the Internet, you guys know what happened... :-)
Anyone knows any more about the outbound draft and its progress through the IETF?
/O
On Tue, 10 Jun 2008, Johansson Olle E wrote:
On 10 Jun 2008 at 18:02, Aymeric Moizard wrote:
On Tue, 10 Jun 2008, Iñaki Baz Castillo wrote:
On Tuesday 10 June 2008 13:59:42 Aymeric Moizard wrote:
Stun can work even behind symmetric NAT if the stun server was running on the same socket the SIP server is running... I hope this feature will come soon!
Sure? AFAIK a symmetric NAT not only depends on the destination IP but also on the port. So unless you have a STUN server listening in all the ports available for RTP proxying you don't know if STUN will work.
Right. 1-> I'm talking about SIP and contact management. (not about RTP). In this case, the STUN server must be on the same socket as the SIP server. This is planned in 'outbound' draft from ietf.
Yes, that is something I need to fix in that "other b2bua" as well... I haven't seen this being used much, but have seen that I can enable it in Eyebeam. Going to try now. If I get disconnected from the Internet, you guys know what happened... :-)
Anyone knows any more about the outbound draft and its progress through the IETF?
Changes between the last 2 versions are minor: I suspect it's very close to being complete:
http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=http://tools.ietf.o...
Anyway, I think it would be good to have a STUN server running inside openser no matter whether this draft is out or not.
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
/O
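Added example (not part of any message in the thread): a toy Python model of the NAT behaviour discussed above. It shows why an address learned from a separate STUN server does not match what the SIP proxy sees behind a symmetric NAT, why STUN answered from the proxy's own socket does, and how the "received" and "rport" Via parameters give the same answer. The Nat class, all addresses and the sample reply are constructed for illustration.

```python
import re
from itertools import count

class Nat:
    """Toy NAT model (constructed): allocates one public port per binding key."""
    def __init__(self, public_ip, symmetric):
        self.public_ip, self.symmetric = public_ip, symmetric
        self._next_port = count(40000)
        self._bindings = {}

    def mapped(self, src, dst):
        # Cone NAT: binding keyed on the internal endpoint only.
        # Symmetric NAT: binding also depends on the destination IP:port.
        key = (src, dst) if self.symmetric else (src, None)
        if key not in self._bindings:
            self._bindings[key] = next(self._next_port)
        return (self.public_ip, self._bindings[key])

# All addresses below are constructed documentation values.
PHONE = ("192.168.1.10", 5060)
SIP_PROXY = ("203.0.113.9", 5060)
STUN_PRIMARY = ("203.0.113.5", 3478)
STUN_ALTERNATE = ("203.0.113.6", 3479)

def stun_reports_symmetric(nat):
    """Two-address test from the thread: differing mappings mean symmetric NAT."""
    return nat.mapped(PHONE, STUN_PRIMARY) != nat.mapped(PHONE, STUN_ALTERNATE)

def stun_contact_matches_proxy(nat, stun_server):
    """Is the address learned via STUN the one the SIP proxy will see?"""
    return nat.mapped(PHONE, stun_server) == nat.mapped(PHONE, SIP_PROXY)

VIA_PARAMS = re.compile(r";\s*(received|rport)=([^;\s,]+)", re.I)

def address_from_via(response):
    """Read the public IP:port from received/rport in the top Via of a reply."""
    for line in response.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            params = {k.lower(): v for k, v in VIA_PARAMS.findall(value)}
            if "received" in params and "rport" in params:
                return (params["received"], int(params["rport"]))
            return None
    return None

def sample_register_reply(nat):
    """Constructed 200 OK as the proxy would send it back through this NAT."""
    ip, port = nat.mapped(PHONE, SIP_PROXY)
    return ("SIP/2.0 200 OK\r\n"
            f"Via: SIP/2.0/UDP {PHONE[0]}:{PHONE[1]};branch=z9hG4bKx1"
            f";received={ip};rport={port}\r\n"
            "CSeq: 1 REGISTER\r\n\r\n")
```

The model covers only the SIP signalling binding; RTP uses other destination ports, so under a symmetric NAT it gets yet another mapping, which is the case the thread leaves to ICE and TURN.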