What to do: NAT woes (1-way audio) (phones register fine)

So, any tips for when this happens …

An end-user has Comcast Xfinity in their home-office.
They are using the ISP’s provided gateway as their router/firewall/WiFi.
They do not have their own router “behind” the ISP’s device.
They are a DHCP client (no static IP from the provider).

We can get their phone to register
(using Ethernet cable to the ISP equipment).
We can also get a softphone registered
(Windows 10 PC with headset)

But: both devices have 1-way audio …(they cannot hear the other side)
x101 Phone: Fanvil phone: Chan_SIP on PBX (5060/ UDP)
x102 Phone: Windows 10: PJSIP on PBX (5160 / UDP)

We’ve tried calling from other extensions to extensions …
We’ve tried calling into a DID directly to the phones …
They have 1-way audio on all calls (they cannot hear the other side).

Using sngrep to view the INVITE / RTP details:
We see the RTP address is a 10.0.0.x IP address
This is the local LAN IP address of the Comcast Xfinity process
This is where the NAT woe is at …
The networking process from Comcast is not replacing the 10.0.0.0 IP address with the DHCP public IP address
I do not recall what this is called when it happens.

Using sngrep to view the REGISTRATION details:
We can see the outside Comcast DHCP public address
This is why the phones will register
No NAT woes on registration … Registration looks clean.

What we are thinking about doing next:
Comcast is telling us that their gateways do not have a SIP ALG setting and/or that it is already off/disabled

We were going to put the Comcast Xfinity gateway into “pass-through” and put a decent router with WiFi behind it.

We were going to try to build a TLS based extension and see if this works (2-way audio).
We are hearing that TLS extensions do not face NAT woes as much.

The SangomaOS firewall is disabled / stopped
All other phones (in the main office) register fine and have 2-way audio. They have been working daily for years now.
This is only happening for a remote user working from home.

Thank you for your thoughts and TIPS (esp) about using TLS.

That is called SIP ALG and you probably do not want it.

Asterisk will handle NAT for you as long as you put the PBX’s public IP and the networks local to the PBX into Asterisk SIP Settings.

For chan_sip extensions, you need to enable NAT handling at the extension level. PJSIP extensions already have NAT-aware defaults.

Yes. Done that. This is one of the 1st things we do when making a new system. This PBX has been up for years and years with other remote phones. Good point! The PBX public IP (static) is listed.

Yes. We always set NAT = YES for all chan_SIP extensions.
I double-checked for these we were trying to get to work.
NAT=Yes

I’ve often wondered why PJSIP had no NAT settings choices in the PBX UI. Thanks for that info.

We decided to get the home-user a router and put the Xfinity gateway into pass-through mode.

Thanks for your tips.

I believe what was being said is that you need to configure the devices constituting the extensions, rather than Asterisk, to be aware that they are behind NAT. nat=force_rport,comedia is a workaround for devices which haven’t been, or can’t be, properly configured.

What I suspect is part of the problem here is that you have two devices, behind the same NAT, which means you either have to have disjoint RTP port ranges (NB not the Asterisk port ranges), with port forwarding, or you are relying on the router to create dynamic port forwarding rules. In the latter case, you will need nat=comedia, at the Asterisk end, and it will be essential that the devices send RTP before they have received any.

Generally the right solution in your situation is a VPN, but it sounds like you don’t have sufficient control of the router to do that at a network level.
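
The sngrep finding in the question (a 10.0.0.x RTP address in the INVITE while registration shows the public address) can be checked mechanically. This is an added example, not part of the thread: it parses the SDP of a SIP message and flags RTP targets in RFC 1918 space that differ from the address the packet arrived from. The sample INVITE, pbx.example.com and 203.0.113.25 are constructed placeholders.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample INVITE from a phone behind NAT (not captured from the thread's PBX).
SAMPLE_INVITE = (
    "INVITE sip:102@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.12:5060;branch=z9hG4bK776a;rport\r\n"
    "Contact: <sip:101@10.0.0.12:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.0.0.12\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.12\r\n"
    "t=0 0\r\n"
    "m=audio 10000 RTP/AVP 0 8\r\n"
)

def sdp_media_targets(sip_message):
    """Return [(media, address, port)] that the SDP body asks the peer to send RTP to."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, targets = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1].split("/")[0]   # drop any multicast TTL suffix
            if targets:                              # media-level c= overrides session-level
                media, _, port = targets[-1]
                targets[-1] = (media, addr, port)
            else:
                session_addr = addr
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            targets.append((media, session_addr, int(port.split("/")[0])))
    return targets

def unreachable_rtp_targets(sip_message, packet_source_ip):
    """SDP targets in RFC 1918 space that differ from the address the packet arrived from."""
    flagged = []
    for media, addr, port in sdp_media_targets(sip_message):
        try:
            ip = ipaddress.ip_address(addr)
        except (ValueError, TypeError):              # hostname or missing c= line: cannot judge
            continue
        if any(ip in net for net in RFC1918) and addr != packet_source_ip:
            flagged.append((media, addr, port))
    return flagged

if __name__ == "__main__":
    print(unreachable_rtp_targets(SAMPLE_INVITE, "203.0.113.25"))
```

A non-empty result means the far end is being told to send audio to an address it cannot route to, which matches the one-way audio described. If the phone itself cannot be configured for NAT, the nat=comedia setting mentioned above makes Asterisk send RTP to where the media actually arrives from instead of the advertised address.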

Hi david55:

Thank you for your tips and ideas.