VoIP and NAT (and blocked ports)

Bastien Matthai asked:

I’m making a VoIP application and I have trouble to make it working properly. On each side there are SIP clients.
In my office, we use 2 differents boxes to access internet. The first one is like a home network and it is quite not restricted. On this one, everything is working fine. The second one, (which causes me troubles) is a company network and a lot of ports on it are blocked by default.

My VoIP application uses an Asterisk server. Some clients that should connect on that Asterisk server are in the company network, behind the restricted router. Actually, SIP registering is using the port 5060 TCP/UDP and RTP is using the range from 10 000 to 20 000 UDP.

The problem is that my network admin doesn’t want to open that huge range of port. According to him, this would create security holes.

Is there any mean to allow SIP signaling or voice through RTP protocol to pass through the company router ?

Currently I have some ideas but I don’t know if they are relevant.

  1. My SIP clients are connected to a VPN. Could I pass all the traffic through the VPN interface so that the restricted router would not have any knowledge of what passes through it ? I tried, but some packets still seems to be passing via my ethernet interface instead of my VPN interface.

  2. Would protocols like STUN or ICE resolve such a problem ?

  3. I read a lot about NAT traversal, but didn’t found any solution that would have resolved my issue.

I am able to provide more detail about my setup if needed.

My answer:

You probably don’t need such a wide range of ports opened. It requires up to four ports for each simultaneous phone call that might be im progress. So, a 100 ports would suffice for most small offices. You just need to configure them in rtp.conf.

; RTP start and RTP end configure start and end addresses

Consider using the range 16384-16482 as many VoIP devices already default to using this port range.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.