[Serusers] NAT: minimise media proxying whilst maximising usability

kjcsb kjcsb at orcon.net.nz
Mon Sep 25 07:29:39 CEST 2006



> Yes, you are most definitely on to something. NAT-handling is complex and
> it takes some work to fine-tune it the way you want. A few comments:
> - Look at nathelper's nat_uac_test. It has more options and better
> control, look at option 16, which is very good for detecting symmetric
> NATs where STUN or an ALG has tried to fix the message
> - If you are doing PSTN, your gw supporting active media will reduce your
> proxied calls to none
> - Sipura has many nat-handling options and takes some tweaking to get them
> right for your config
> - The behavior of the UAs will differ depending on the type of NAT they
> are behind. When behind a symmetric NAT, they should not try to fix the
> ip:port, but some do. nat_uac_test("16") will in most cases reveal this
>
> Good luck! (and I'm sure others would appreciate a how-to on optimizing
> NAT at iptel.org
> http://www.iptel.org/node/add/flexinode-4
> If you create one, I'll help out in making it accurate)
> Also, make sure you have a look at the new NAT-handling document:
> http://www.iptel.org/ser/howtos/optimizing_the_use_of_rtp_proxy
> g-)
>
Many thanks. I've read and reread "Optimizing the use of rtp proxy". I've 
also done a lot more reading on SDP & RTP which is most relevant to the 
audio issue. Signalling is not the problem i.e. the messages are passed back 
and forward through the proxy and I'm happy with that. It's the audio I want 
to offload.

I think the key unanswered question I have is this: in the (seemingly) most 
common scenario of two symmetric (signalling and RTP) UAs behind two 
different (port) restricted cone NATs, can two-way audio be established 
without the use of a media proxy? I had previously thought that was possible 
but the latest reading I have done indicates not. Why? Because one side must 
initiate the audio part of the call and the other side's NAT device will not 
know where to send that audio on the LAN side of the network. Could someone 
put me out of my misery and confirm one way or the other?

I had thought another alternative was to map the RTP ports on the NAT 
device. This would mean forwarding ranges of ports to specific IP addresses 
(each different port range relating to a specific UA) on the NAT device. 
Each UA would then be configured to send RTP traffic on the port range 
relating to its IP address. But if both sides are behind NAT then am I right 
in thinking that this won't work either because the callee's NAT device still 
doesn't know where to send it?

Regarding me documenting my solution it looks to me like it's already been 
done in "Optimizing the use of rtp proxy"! I'm currently using media proxy 
so the main difference would be that the media proxy selection would be 
based on the domain rather than an avp, e.g. west.domain.com goes to one 
proxy and east.domain.com goes to another.

Cameron
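
The flag-16 test recommended in the quoted reply, as an added example that is not part of the original message and is not nathelper's code: a simplified, IPv4-only Python model of three nat_uac_test checks, showing why a UA that has already rewritten its Via and Contact is only caught by the port comparison. The bit meanings follow nathelper's documentation; the function names, SIP messages and addresses are constructed for illustration.

```python
import ipaddress
import re

# Bit values as documented for nathelper's nat_uac_test(). The checks are a
# simplified IPv4-only model written for this example, not nathelper's code.
CONTACT_PRIVATE = 1    # Contact URI host is an RFC 1918 address
VIA_ADDR_DIFFERS = 2   # top Via address differs from the packet's source IP
VIA_PORT_DIFFERS = 16  # top Via port differs from the packet's source port
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname, or no Contact header found
        return False
    return any(addr in net for net in RFC1918)

def top_via(msg):
    m = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;,\s:]+)(?::(\d+))?",
                  msg, re.M | re.I)
    if m is None:
        raise ValueError("no Via header")
    return m.group(1), int(m.group(2) or 5060)  # 5060 is the SIP default port

def contact_host(msg):
    m = re.search(r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s]+@)?([^:;>\s]+)",
                  msg, re.M | re.I)
    return m.group(1) if m else ""

def nat_test(msg, src_ip, src_port, flags):
    """Return the subset of `flags` whose test fired for this packet."""
    via_host, via_port = top_via(msg)
    hits = 0
    if flags & CONTACT_PRIVATE and is_rfc1918(contact_host(msg)):
        hits |= CONTACT_PRIVATE
    if flags & VIA_ADDR_DIFFERS and via_host != src_ip:
        hits |= VIA_ADDR_DIFFERS
    if flags & VIA_PORT_DIFFERS and via_port != src_port:
        hits |= VIA_PORT_DIFFERS
    return hits

def sample(via, contact):  # constructed REGISTER with minimal headers only
    return (f"REGISTER sip:example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {via};branch=z9hG4bKconstructed\r\n"
            f"Contact: <sip:alice@{contact}>\r\n\r\n")

# Constructed cases: a UA that rewrote Via/Contact to its public address while
# the NAT mapping toward the proxy uses port 40112, and a UA that rewrote nothing.
STUN_FIXED = sample("203.0.113.10:5060", "203.0.113.10:5060")
PLAIN_NAT = sample("192.168.1.20:5060", "192.168.1.20:5060")
```

With both packets arriving from 203.0.113.10:40112, flags 1 and 2 return 0 for `STUN_FIXED`, and only adding 16 flags it as NATed.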



