Getting SIP (session initiation protocol) traffic through NAT (network address translation) firewalls is a beastly problem. Unless you are the proud, and nearly unique, possessor of an adequately large pool of public-routable IPv4 addresses, you’re using NAT.
Escort SIP traffic through NAT with open source Siproxd.
Getting SIP traffic through NAT presents several problems. SIP traffic splits into two streams, signaling and media, which can follow different routes to their destinations. Both ends of the session must be able to initiate connections, but most networks are set up to allow desktop computers to initiate connections with outside servers and do not allow new connections to be initiated to them. SIP also uses both UDP and TCP ports, and it can eat up a large number of UDP ports. Details of the RTP (Real-time Transport Protocol) stream, which carries the actual voice traffic, such as port numbers, IP addresses, and codecs, are enclosed within the SIP message body.
NAT rewrites IP addresses in packet headers. For example, a typical small network shares one public IP address, 22.33.44.55, with 10 LAN hosts in the 192.168.1.0/24 network. The source address of every outgoing packet from 192.168.1.0/24 is changed to 22.33.44.55. Return traffic, which is addressed to 22.33.44.55, is rewritten so it can be delivered to the correct host in 192.168.1.0/24. Putting port numbers and IP addresses in message bodies puts them out of reach of NAT. If both endpoints are behind NAT, the pain is doubled.
A common way to handle this is to use a proxy, which then becomes responsible for ensuring local calls for NAT clients are correctly routed. Siproxd is an excellent, open source, free software SIP proxy. To quote its overview:
Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections work via a masquerading firewall (NAT).
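The body rewriting described above, as an added Python sketch that is not Siproxd's own code: it finds private addresses that header-only NAT leaves in the SDP lines of the message body, replaces them with the public address, and corrects Content-Length. The sample INVITE, the relay port 7070 and the function names are constructed for illustration, and the sketch does not touch SIP headers such as Via.

```python
import ipaddress
import re

PUBLIC_IP = "22.33.44.55"  # the article's example public address
RELAY_PORT = 7070          # assumed RTP port the proxy relays on (constructed)

# Constructed sample, trimmed to the headers this example needs (not a capture).
BODY = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10",
    "s=call",
    "c=IN IP4 192.168.1.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "",
])
INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bKconstructed",
    "Content-Type: application/sdp",
    f"Content-Length: {len(BODY)}",
    "", "",
]) + BODY


def private_body_addrs(msg):
    """Private-range IPv4 addresses still advertised in the message body."""
    body = msg.split("\r\n\r\n", 1)[1]
    found = re.findall(r"IN IP4 (\d+\.\d+\.\d+\.\d+)", body)
    return sorted({a for a in found if ipaddress.ip_address(a).is_private})


def masquerade(msg, public_ip, rtp_port):
    """Rewrite o=/c= addresses and the m=audio port, then fix Content-Length."""
    head, body = msg.split("\r\n\r\n", 1)
    body = re.sub(r"(?m)^([oc]=.*IN IP4 )\S+", rf"\g<1>{public_ip}", body)
    body = re.sub(r"(?m)^(m=audio )\d+", rf"\g<1>{rtp_port}", body)
    # The body length changed, so a stale Content-Length would break parsing.
    head = re.sub(r"(?mi)^(Content-Length:\s*)\d+", rf"\g<1>{len(body)}", head)
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("before:", private_body_addrs(INVITE))
    fixed = masquerade(INVITE, PUBLIC_IP, RELAY_PORT)
    print("after: ", private_body_addrs(fixed))
    print(fixed)
```

Running `private_body_addrs` over captured signaling on the outside interface is a quick check that no internal addresses are leaving the gateway in message bodies.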
Siproxd runs on an Internet gateway. Only clients behind the firewall know about it, and they are protected from the big bad Internet. It is considerably easier to configure and use than most other SIP proxies and STUN servers. You need only edit /etc/siproxd.conf and write some firewall rules to direct VoIP packets to Siproxd. Point the VoIP clients to Siproxd and you’re done. Visit Siproxd for downloads and howtos.