> > Is it possible to have 2 (working) iax2 phones behind port restricted nat?
>
> Interesting you ask, since I just had an incident concerning this. I
> have an IAXy and got an IAX hardphone which I tested at home behind
> the same NAT. Using IAX soft clients before in this situation, they
> would work, but the hardphone had a lot of trouble being "reachable"
> and was shown at port 1024 while all other peers were listed on the
> correct 4569. Putting that same hardphone in the DMZ (which I've never
> gotten to work before with say, SIP phones) made it work normally.
>
> It also seems that while the IAXy will work with qualify=300, none of
> the IAX phones I've tested so far will be reachable if qualify is
> used. I've wondered why this is, in case anyone has the answer? My
> guess is that qualify uses a message that these phones don't answer.

Whether two or more iax phones work behind a nat is highly dependent on exactly how the nat box handles data flows that initiate on the same udp port. Not all nat boxes function the same.

Example: two iax phones behind an inexpensive nat box. Both iax phones use a source and destination port of udp 4569, and each iax phone has its own internal IP address. When internal iax phone #1 contacts an external asterisk box, that udp session will oftentimes use udp 4569 for both the source and destination ports. The packet leaving the nat box will have a source IP address of the external nat interface. When internal iax phone #2 attempts the same thing, the nat box already knows (via its internal tables) that source and destination ports 4569 are in use (with the outside IP address), and will remap the source udp port to something else (eg, 1024 or higher). (There are some cheap nat boxes that mess that map process up.)

Assuming the nat box mapped these two correctly, both iax phones should be registered. However, both are using udp, and udp is a connectionless protocol. When the nat box maps those ports, it also starts a timer that will be used to "time out" those table entries. The timeout value can be as small as a minute or two, or as long as no timeout (drop the oldest entries when the table becomes full). If you think about how many times your pc goes to the internet to resolve dns entries (for all pc access, whether it's a phone or web surfing), those dns entries (also using udp) will become a rather large number. If the nat box has limited internal memory resources, the manufacturer will likely have a rather small timeout value that could actually be in seconds.

Now, what is going to happen to your iax phones when the nat box decides to drop the table map entries? (Ans: no more communications.) Some nat boxes will let you configure the udp map timeout values while others won't even publish their default values. And in some cases, the manufacturer will change their unpublished default value from one version of firmware to another.

The 'qualify' statement was intended (as one purpose) to pulse the remote phone and keep the nat table entries from timing out. That usually works just fine "if" the iax phone uses the register method. If the iax phone does not use the register method (and you have the * iax definitions in terms of 'peer' and 'user'), you're likely to have a nat box problem. Why? Because asterisk will attempt to contact both iax phones by sending udp packets to the same nat address using udp port 4569. The nat box won't know what to do with that pkt. The workaround to that is to statically map 4569 to one phone and map 4570 to the second phone (in the nat box). Then in the * config, ensure your dialplan uses the same port numbers to reach each phone.

If you've followed along thus far, then what happens when the iax phone sends an arbitrary pkt (of any type) to asterisk? The nat box will likely get in the middle again and map that outgoing pkt to yet another port, and * may become rather confused.

Bottom line: when having problems with two or more phones behind a nat box, you almost always have to use a packet sniffer on the inside and outside of the nat box to "see" what that box is actually doing to you.

If the iax phones allow you to select a udp source port range that they will use, then set the range to different values for each phone. E.g., iax phone #1 uses "source" udp ports 10,000 - 10,100, and phone #2 uses ports 10,200 - 10,300, or something like that. Since I don't use any iax phones, I don't have a clue if any of the common ones provide such an option.

You may also find that different iax phones will operate differently using the same nat box. It's not uncommon for programmers to force the use of udp port 4569 for _both_ the source and destination ports. Two instances of that kind of phone will likely cause the nat issues noted above. If a different iax phone allows the source port to be chosen by the system, there is a much smaller chance of having a nat problem. (The small chance results when both phones happen to choose the same source port and the nat box doesn't handle the duplicate port number correctly.)

Hope that helps........

_______________________________________________
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
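
The port remapping and udp table timeout described in the message above, as a toy simulation added here (it is not part of the original post and not any nat vendor's algorithm). The inside addresses, the remap range starting at 1024, and the rule that only outbound packets refresh a mapping are assumptions.

```python
IAX_PORT = 4569
FIRST_REMAP_PORT = 1024   # assumed start of the remap range ("1024 or higher")

class ToyNat:
    def __init__(self, udp_timeout):
        self.udp_timeout = udp_timeout   # seconds an idle udp mapping survives
        self.table = {}                  # external port -> [inside ip, inside port, last outbound]

    def _expire(self, now):
        stale = [p for p, e in self.table.items() if now - e[2] > self.udp_timeout]
        for port in stale:
            del self.table[port]

    def outbound(self, ip, sport, now):
        """Inside host sends a packet; return the external source port used."""
        self._expire(now)
        for port, entry in self.table.items():
            if (entry[0], entry[1]) == (ip, sport):
                entry[2] = now           # existing mapping: refresh its timer
                return port
        port = sport                     # keep the source port when it is free
        if port in self.table:           # second phone on 4569: remap it
            port = FIRST_REMAP_PORT
            while port in self.table:
                port += 1
        self.table[port] = [ip, sport, now]
        return port

    def inbound(self, ext_port, now):
        """Outside host sends to ext_port; return inside (ip, port), or None if dropped."""
        self._expire(now)
        entry = self.table.get(ext_port)
        return (entry[0], entry[1]) if entry else None

def still_reachable(udp_timeout, poke_every, idle_seconds):
    """Two phones register at t=0, then sit idle. The server pokes each mapped
    port every poke_every seconds (0 = never) and the phone answers, which
    refreshes the mapping. Returns (external ports, reachable at idle_seconds)."""
    nat = ToyNat(udp_timeout)
    ports = [nat.outbound("192.168.1.10", IAX_PORT, 0),   # constructed inside addresses
             nat.outbound("192.168.1.11", IAX_PORT, 0)]
    if poke_every:
        for t in range(poke_every, idle_seconds, poke_every):
            for port in ports:
                dest = nat.inbound(port, t)
                if dest:                                  # poke delivered, phone replies
                    nat.outbound(dest[0], dest[1], t)
    return ports, [nat.inbound(p, idle_seconds) is not None for p in ports]

if __name__ == "__main__":
    for poke in (60, 240, 0):
        print(poke, still_reachable(udp_timeout=120, poke_every=poke, idle_seconds=600))
```

With a 120-second table timeout, a poke interval shorter than the timeout keeps both mappings alive, while a longer interval (or none) lets both entries expire and every later packet from the server is dropped.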
