On 2019-08-15 03:17 AM, Per Jessen wrote:
The NAT is done with keep-alive traffic or with a STUN server, I don't think one works better than the other. As I mentioned, I am not aware of any of my installations having been behind a CGN, but I fail to see the significance. Basically, if you can browse a website from behind layers of NAT and CGN, the VoIP telephone will also work.
The problem is that VoIP is supposed to work directly end to end. NAT breaks that. So, first off, the firewall NAT has to be configured to pass the incoming UDP packets to the phone. Then, STUN has to be used, as the address contained in the UDP packets is for the phone, not the firewall. Since that's going to be an RFC1918 address, it can't be used. Instead a STUN server is used to provide the actual public firewall address. This is a hack to get around NAT. Now with CGN, you cannot configure the NAT to provide the appropriate address to get to the phone, which is on the other side of another NAT. On top of that, you'd need another layer of STUN and I don't know that's supported. All in all, NAT is a hack that causes problems and the sooner we get away from it the better. The way to get away from it is IPv6. Another thing NAT breaks is Authentication Headers, in IPSec. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org