Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Sun Aug 02, 2020 8:22 Post subject: Exclude a port, say 5060, from NAT function?
Hi,
Is it possible to exclude port 5060 from NAT? If so, can you please show me how?
What I want is for the VoIP phone to work. It's built into my ISP router, and the ISP router is placed behind the (gateway) DD-WRT router.
Constraints:
1. I understand that the DD-WRT router does not have a sort of SIP ALG button which can simply be turned off. This would solve the issue of the VoIP not ringing on subsequent incoming calls.
2. My ISP does not give out details of SIP phone as they think we are too dumb to know how to use it.
(Putting the ISP router into a separate VLAN does not work because of NAT and SIP ALG)
To be precise, you're not excluding the port(s) from NAT. You always need NAT because your router always needs to convert the local IP of your VOIP adapter (and other devices) to the public IP of the WAN. That never changes. But if you need to allow remote devices/systems to initiate connections over certain ports on the WAN (which is normally blocked), then as PYB suggests, you need to port forward those ports (or else DMZ the VOIP adapter).
Only problem w/ DMZ is that it exposes *all* ports to the target device. And if the device doesn't have a good firewall, it *might* be subject to hacking.
I've tried Port Forwarding. The VoIP phone rings on the first two incoming calls. After that, it does not ring on subsequent incoming calls.
Your linked article gives out quite a number of variables which I'll see if they make a difference.
I also came across another article at https://www.nextiva.com/blog/disable-sip-alg.html which gives up on DD-WRT. My question above is very much a wild guess based on this article suggesting 'no ip nat service sip tcp port 5060' on Cisco.
My ultimate desire is to isolate the VoIP/router from the rest of my LAN. But maybe it cannot be done.
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Mon Aug 03, 2020 3:54 Post subject:
eibgrad wrote:
To be precise, you're not excluding the port(s) from NAT. You always need NAT because your router always needs to convert the local IP of your VOIP adapter (and other devices) to the public IP of the WAN. That never changes.
I think I understand what you mean. At the same time, the following somehow explains why my VoIP fails to ring on subsequent incoming calls.
Problems with incoming calls show up due to the ‘Register’ request in the UA feature of SIP proxies. This request is used to localize and reach the user who needs to receive the incoming call.
The problem starts when the SIP ALG rewrites the ‘Register’ request. This results in the proxy being unable to detect the NAT, in turn preventing incoming calls from reaching the desired destination.
I'm surprised these days that so many VOIP providers still require port forwarding. My own (OOMA) avoids the issue entirely by establishing a secure, encrypted tunnel between the VOIP adapter and the remote service provider w/ OpenVPN.
I have been using a VoIP service for >10 years. It does not need Port Forwarding as you said. But our traditional Telecom company (Telstra) is a rather late player in providing VoIP services. Hence its peculiarities.
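An added illustration, not part of any post in this thread, of the quoted explanation about the rewritten 'Register' request: a simplified model of a SIP ALG rewriting Via and Contact, and of a registrar's NAT check before and after the rewrite. The message, the addresses, the function names and the detection heuristic (header host is RFC 1918 or differs from the packet source) are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed REGISTER from a phone behind NAT (all names and addresses are sample values).
REGISTER = (
    "REGISTER sip:voip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@voip.example.net>;tag=1928301774\r\n"
    "To: <sip:alice@voip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Explicit RFC 1918 list (ipaddress.is_private also flags documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def header_host(msg, name):
    """Return the host part of the first Via or Contact header."""
    line = next(l for l in msg.split("\r\n") if l.lower().startswith(name.lower() + ":"))
    pattern = (r"SIP/2\.0/\w+\s+([^:;\s]+)" if name.lower() == "via"
               else r"sip:(?:[^@>]+@)?([^:;>\s]+)")
    return re.search(pattern, line).group(1)

def sip_alg_rewrite(msg, private_ip, public_ip):
    """Hypothetical ALG model: swap the LAN address for the WAN address in Via and Contact."""
    return "\r\n".join(
        line.replace(private_ip, public_ip)
        if line.lower().startswith(("via:", "contact:")) else line
        for line in msg.split("\r\n")
    )

def registrar_sees_nat(msg, source_ip):
    """Assumed heuristic: NAT is inferred when a header host is private or is not the packet source."""
    for name in ("Via", "Contact"):
        host = ipaddress.ip_address(header_host(msg, name))
        if any(host in net for net in RFC1918) or str(host) != source_ip:
            return True
    return False

if __name__ == "__main__":
    wan = "203.0.113.7"  # constructed WAN address of the gateway router
    print("without ALG, NAT detected:", registrar_sees_nat(REGISTER, wan))
    rewritten = sip_alg_rewrite(REGISTER, "192.168.1.50", wan)
    print("with ALG, NAT detected:   ", registrar_sees_nat(rewritten, wan))
```

In this model the untouched REGISTER reveals the NAT through its private Via and Contact hosts, while the ALG-rewritten copy looks like it came straight from a public endpoint, so the registrar has no reason to apply its NAT handling.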