NAT Router und private IP

TWELVE

NAT routers do not pass a private IP to the outside at all; the whole point of NAT is address translation. The router swaps the IPs in the IP header, and that's it. If a private IP were in there, not a single reply would come back, because private IP ranges are, first, used millions of times over and, second, for that very reason not routed on the Internet at all. So the private IP can at most be wrapped inside the payload of one of the higher layers, but that is the client's business, not the router's. Possibly, though, the UPnP of the Fritz does not behave as it should; given all the quirks that have already surfaced there, I would not be so sure.
 
Great... you could have taken my answer and simply attached it to another topic... or deleted it... I have already said something about this before, you can't just tear things apart just because what I write doesn't happen to suit you... that's censorship... do you think that's the right way..?
 
TWELVE wrote:
Great... you could have taken my answer and simply attached it to another topic... or deleted it... I have already said something about this before, you can't just tear things apart just because what I write doesn't happen to suit you... that's censorship... do you think that's the right way..?

Hi,
Could you please describe in more detail what happened? As it stands, this can't be followed, since nobody has written that they split a post.

Best regards :) Clemens
 
I sent TWELVE two PMs regarding his post. I split the post out of the SNOM section and moved it to the router area after it showed up in the SNOM forum under the thread "SNOM und GMX", while TWELVE's post itself revolves solely around the discussion, held elsewhere, about the sense and nonsense of a SIP-aware router, whose use is, in TWELVE's opinion (which I of course gladly leave to him), "idiotic".

Unfortunately, after moving it I was then unable to add "Thread split". But I thought that a notification by PM would be sufficient.


On the substantive question:
http://www.snom.com/stun_en.htm

Basics - NAT in SIP

Network Address Translation (NAT) is a big problem for SIP, because both the SIP signalling and the media use UDP to transport their information.

The reason for introducing NAT was the shortage of public addresses available on the Internet. Therefore, users started to share one IP address through a NAT gateway in a private network. Typically, addresses in the private network have the form 192.168.x.x or 10.x.x.x.

When a phone sends a packet from a private network to a public network, the NAT gateway allocates a port for this new "connection" and patches the IP packet according to this port. Looking at the IP transport layer of the packet, the recipient of the message thinks it came from that port on the NAT gateway. However, because SIP uses explicit addressing in the SIP contents (and that address has priority in SIP), the response to that packet will not find the right way.

The same problem occurs when the phone wants to invite a person for a call. In the invitation message, it needs to put the IP address and the port where it expects the media to go to. If it puts in its private address here, the media will not find its way from the public Internet to the phone.

Firewalls use this mechanism to filter traffic entering and leaving a zone. Often, this is combined with NAT.

There are different approaches to solving this problem:

* Use a SIP-aware NAT router
* Set up a static route in the NAT gateway
* Use STUN to measure out ports


INTERTEX IX66 - SIP-Aware NAT Router

With the increasing acceptance of SIP as a standard protocol and its needs, more and more network equipment becomes "SIP aware". That means, if a SIP packet passes a NAT gateway, the gateway will inspect it and make the necessary patches to the packet. It allocates ports for the media and puts the right addresses into the SIP address.

This solution is recommended in environments where there is sufficient number of subscribers in the private network. There are "Application Layer Gateways" available to solve this problem (like the snom 4S SIP NAT gateway), which are installed on the firewall or on the NAT gateway computer. Some gateway vendors offer special add-ons to their standard firmware that make their equipment SIP-aware. Some advanced DSL routers include this ALG in their standard configuration.

When you use a SIP-aware router, you should make sure that every SIP message goes to the NAT gateway directly. There are several ways of doing this, depending on the equipment you are using in the private network.

For this mode, NAT detection should be set to "Off" or "Automatic" with the STUN server field empty (this is the default). The fields "dynamic RTP port start", "dynamic RTP port end", "Network identity" and "Network port" should be left empty and "Local SIP port" should be set to default.

If all messages are to go over the NAT gateway, you can set the outbound proxy to the address and port of the private NAT gateway. This address takes the format of a SIP URL. If there is no initial "sip:", the phone will complete the URL according to the rules for the SIP URL. Valid examples for this field include "192.168.0.1", "192.168.0.1:5062", "nat.company.com" and "sip:[email protected]:5065". In this case you should set the "Treat as initial route" field to "Address", so that no additional headers are inserted into the SIP messages.

Especially where there are several phones located within the same NAT, you might want to avoid all traffic going through the NAT gateway. In such cases, we recommend setting up a SIP proxy (like the snom 4S SIP proxy) in the private network and pointing all traffic to this proxy. It will then take care of the traffic leaving the NAT and redirect the packets to the NAT gateway itself.


STUN Solution

Setting up the NAT router is impossible in many cases, and new equipment may be too expensive. For these environments, "Simple Traversal of UDP Through NATs" (STUN) has been defined in the SIP environment (see RFC3489).

STUN uses a server located in the public Internet. The phone sends a test message to the server and receives in the response which IP address and port the server received. The client may ask the STUN server to send the packet back from a different location. In this way the client can determine the type of NAT present. You can use the snom 4S proxy server for this.

To set up a phone for STUN, set the NAT detection to "Automatic" and enter the address of the STUN server in the field "STUN server". The field must have the format hostname [:port], a valid STUN SERVER is "217.115.141.99:5060".

If you set up DNS, please include a SRV entry for _stun._udp, which points to the right address. The phone should then be able to find the STUN server on its own.

SNOM STUN SERVER
-For eval use only- 217.115.141.99:5060

When you use STUN, the fields "dynamic RTP port start", "dynamic RTP port end", "Network identity" and "Network port" should all be left empty and the "Local SIP port" field should be default.


Static Route – Firewall Configuration

Setting up a static route on the NAT gateway is the most powerful, but also most complicated way of setting up the phone in a NAT environment. For this mode, NAT detection should be set to "Static".

There are a couple of settings available for the static route:

* Dynamic RTP port start, end: The range of ports that are used by the phone for media, including the start port and excluding the end port.
* Network identity (hostname, port): The phone will insert the given name as hostname and port into the SIP messages. The values must match the router set-up.
* Local SIP port: With this flag you can decide whether the phone uses the standard port (5060) or the port provided in the network identity as its local port. If the router is not able to translate ports, you must use the network port.


On the router, you need to set up one UDP port for the SIP traffic and several ports for the RTP (media) traffic. Try to set up at least ten ports for RTP, so that the probability of a port conflict is not too high.

Make sure that the settings on the phone are exactly the same as those on the router. This is very important because otherwise the service will be unreliable and frustrating.

Changing these settings requires a reboot of the phone.


Decision-making matrix

Scenario                              Best solution
------------------------------------  ----------------------------------------
Home user with old DSL router         STUN
Experienced home user                 Static route
Firewall                              Use software ALG
Small office                          Use advanced SIP-aware router (IX66)
Phone on public Internet              Automatic NAT or NAT detection off
Phone only used in private network    NAT detection off


So if the recommendation for a small office is a SIP-aware router, then in my opinion it is certainly also worth using one at home, provided a SIP-aware router costs roughly the same as a router that is not SIP-aware.

Bluesip.net also recommends using a SIP-aware router, by the way: http://www.ip-phone-forum.de/forum/viewtopic.php?p=52309#52309
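The snom text quoted above makes two claims that are easy to verify in code: a plain NAT patches only the IP/UDP header while the SIP message keeps advertising the private address in Via, Contact and SDP, and STUN (RFC 3489) or a SIP-aware gateway fixes that by putting the mapped public address into the message instead. The following Python script is an added example, not code from this thread, from snom or from any router vendor. It builds a constructed INVITE from a phone at 192.168.0.10, shows what a plain NAT leaves in it, then runs an RFC 3489 Binding Request/Response exchange in-process (the STUN server, the network and the NAT mapping are simulated; 203.0.113.5 is an assumed public address from a documentation range) and rewrites Via, Contact and the SDP c=/m= lines the way either a STUN-using phone or a SIP ALG would. The rewrite helper and the header set it touches are my choice; the STUN wire format is the one RFC 3489 specifies.

```python
"""NAT versus SIP: what a plain NAT leaves in the message, and how STUN
(RFC 3489) or a SIP-aware gateway repairs it. Added example for this thread;
not snom or router-vendor code. Addresses, ports and the INVITE are constructed."""
import re
import secrets
import socket
import struct

PRIVATE_IP = "192.168.0.10"  # phone behind the NAT (constructed)
PUBLIC_IP = "203.0.113.5"    # NAT gateway's public side (constructed, TEST-NET-3)

# SDP body and INVITE exactly as a phone that knows nothing about NAT sends them.
SAMPLE_SDP = "v=0\r\n" f"c=IN IP4 {PRIVATE_IP}\r\n" "t=0 0\r\n" "m=audio 16384 RTP/AVP 0\r\n"
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    f"Contact: <sip:alice@{PRIVATE_IP}:5060>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)

VIA_RE = re.compile(r"^(Via: SIP/2\.0/UDP )([\d.]+):(\d+)", re.M)
CONTACT_RE = re.compile(r"^(Contact: <sip:[^@>]*@)([\d.]+):(\d+)", re.M)
SDP_C_RE = re.compile(r"^(c=IN IP4 )([\d.]+)", re.M)
SDP_M_RE = re.compile(r"^(m=audio )(\d+)", re.M)


def advertised_addresses(msg):
    """Where the far end will send the SIP reply (Via/Contact) and the RTP (SDP)."""
    via, contact = VIA_RE.search(msg), CONTACT_RE.search(msg)
    conn, media = SDP_C_RE.search(msg), SDP_M_RE.search(msg)
    return {
        "via": (via.group(2), int(via.group(3))),
        "contact": (contact.group(2), int(contact.group(3))),
        "media": (conn.group(2), int(media.group(2))),
    }


def plain_nat(msg):
    """A NAT without ALG rewrites only the outer IP/UDP header. The SIP payload
    goes out untouched, so every address it advertises is still private."""
    return msg


def rewrite_sip(msg, public_ip, sip_port, rtp_port):
    """Patch Via, Contact and SDP to the public mapping. A SIP-aware router does
    this on the gateway; a STUN-using phone does it to its own message before
    sending. Content-Length is recomputed because the body changed."""
    msg = VIA_RE.sub(rf"\g<1>{public_ip}:{sip_port}", msg)
    msg = CONTACT_RE.sub(rf"\g<1>{public_ip}:{sip_port}", msg)
    msg = SDP_C_RE.sub(rf"\g<1>{public_ip}", msg)
    msg = SDP_M_RE.sub(rf"\g<1>{rtp_port}", msg)
    head, body = msg.split("\r\n\r\n", 1)
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}", head, flags=re.M)
    return head + "\r\n\r\n" + body


# RFC 3489 ("classic" STUN): 20-byte header = type, length, 16-byte transaction ID.
STUN_BINDING_REQUEST, STUN_BINDING_RESPONSE, STUN_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0001


def stun_binding_request():
    return struct.pack("!HH", STUN_BINDING_REQUEST, 0) + secrets.token_bytes(16)


def stun_server_reply(request, src_ip, src_port):
    """Server side: echo the transaction ID and report the source address it saw,
    which behind a NAT is the gateway's mapping, in a MAPPED-ADDRESS attribute."""
    msg_type, length = struct.unpack("!HH", request[:4])
    if msg_type != STUN_BINDING_REQUEST or length != 0:
        raise ValueError("not a Binding Request")
    attr = struct.pack("!HHBBH4s", STUN_MAPPED_ADDRESS, 8, 0, 1, src_port,
                       socket.inet_aton(src_ip))
    return struct.pack("!HH", STUN_BINDING_RESPONSE, len(attr)) + request[4:20] + attr


def stun_mapped_address(response, request):
    """Client side: match the transaction ID, then walk the TLV attributes for
    MAPPED-ADDRESS (family 1 = IPv4). Returns (ip, port) as seen by the server."""
    msg_type, length = struct.unpack("!HH", response[:4])
    if msg_type != STUN_BINDING_RESPONSE or response[4:20] != request[4:20]:
        raise ValueError("response does not match our request")
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + alen]
        if atype == STUN_MAPPED_ADDRESS and alen == 8 and value[1] == 1:
            return socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0]
        pos += 4 + alen
    raise ValueError("no MAPPED-ADDRESS in response")


def stun_fixed_invite(msg, nat_sip_port, nat_rtp_port):
    """Phone-side flow: learn the NAT mapping from a STUN server, then advertise it.
    Network and server are simulated here; a real phone probes the RTP port too."""
    req = stun_binding_request()
    resp = stun_server_reply(req, PUBLIC_IP, nat_sip_port)  # what the server saw
    ip, port = stun_mapped_address(resp, req)
    return rewrite_sip(msg, ip, port, nat_rtp_port)


if __name__ == "__main__":
    print("plain NAT:", advertised_addresses(plain_nat(SAMPLE_INVITE)))
    print("after STUN:", advertised_addresses(stun_fixed_invite(SAMPLE_INVITE, 30001, 30002)))
```

Running it prints the private 192.168.0.10 addresses for the plain-NAT case and 203.0.113.5 with the mapped ports after STUN. The same rewrite_sip call is what a SIP ALG performs on the gateway; the only difference between the two approaches in the decision matrix above is which box learns the mapping and applies it. Note that this only covers the addresses the phone advertises; a NAT that assigns a different mapping per destination (symmetric NAT) will still defeat the STUN result, which is why RFC 3489 also defines the NAT-type probing the quoted text mentions.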
 
Further statements on the usefulness of SIP-aware routers

http://www.voiptalk.org/products/index.php?cPath=30

SIP Routers TelAppliant

TelAppliant are pleased to introduce the Intertex ADSL modem router range to their range of IP Telephony products.

With an Intertex SIP-aware router, you no longer have to worry about how to handle multiple IP phones behind a NAT-based broadband connection. Intertex routers are intelligent enough to recognise SIP traffic and route it to any number of IP telephones located on your LAN. No more worrying about port forwarding and complex configurations with your existing router. Ideal for SOHO environments, the Intertex routers are also ADSL modems, and are available in wireless configurations as well.
What is a NAT connection?

A NAT-based connection enables multiple devices to share a single Internet connection using a router. The router takes on the public IP address allocated by your ISP, while your PC, IP phone and other devices, are provided with private IP addresses (usually obtained via the DHCP server built into the router).
How do NAT and firewalls cause problems?

The problem occurs when 2-way communication is required. For example, if your IP phone sits on the LAN, it will have a private IP address which cannot be contacted from outside the LAN. Therefore when inbound VoIP traffic hits your router, it simply will not know what to do with it. With standard routers, there are partially successful workarounds using configurations involving port forwarding and DMZ. However if you start introducing multiple phones then this workaround becomes unmanageable.



http://www.gossiptel.com/forums/index.php?action=vthread&forum=2&topic=14
GossipTel 3rd Line Support
Posted: Jun 14, 2004 22:04:15
Quote

Our recommended SIP aware router/firewall is the Intertex IX-66 (mentioned above).

Once equipped with one of these, all those frustrating little NAT/Firewall traversal problems just go away!
 
When a phone sends a packet from a private network to a public network, the NAT gateway allocates a port for this new "connection" and patches the IP packet according to this port. Looking at the IP transport layer of the packet, the recipient of the message thinks it came from that port on the NAT gateway. However, because SIP uses explicit addressing in the SIP contents (and that address has priority in SIP), the response to that packet will not find the right way.

I claimed nothing more and nothing less than what is written here. That's the way NAT works.

Since you are such a SNOM devotee, I also had a look at their release notes, where they write, for example, that they fixed a problem with incorrect Register messages. And in the FAQ they also say clearly that UPnP is still the best option for NAT gateways. Maybe the Fritz has a small problem with NAT, or maybe it comes from the SIP port forwardings already being hard-wired, namely for the Fritz's own VoIP adapter. In any case, I have not had any problems with SIP behind any router so far; you just have to configure the client, whether soft or hard/software, accordingly. I have no problem setting such a client to NAT traversal or UPnP. As long as it works, that's the main thing. Anyone who thinks they have to buy a new router for a VoIP adapter or phone has to do that. But that also puts you in a strong dependency on the router firmware. Otherwise, from what I have heard, the Grandstream devices, for example, cause no difficulties behind a router; maybe one should then steer clear of SNOM.


Regards

TWELVE
 