VOCAL’s NAT/Firewall software library is integrated within our Network Stack and SIP Stack. This module permits users behind a NAT/firewall to safely and successfully communicate with other users who may similarly be behind a NAT/firewall. Compatibility and interoperability have been assured by extensive testing and use with many popular industrial products and VoIP providers. Contact us to discuss your software application requirements.
NAT/Firewall
While Network Address Translators (NATs) may be necessary to manage IP communication between different networks, simply changing IP addresses may break many network applications and make future deployment of new products problematical. As a result, various methods have been developed to analyze and successfully traverse NATs.
There are four basic types of NATs, varying in the degree of security and filtering performed:
- Full Cone – all requests from the same internal IP address and port are mapped to the same external IP address and port. Any external host can send a packet to the internal host by sending a packet to the mapped external address.
- Restricted Cone – all requests from the same internal IP address and port are mapped to the same external IP address and port. An external host can send a packet to the internal host only if the internal host had previously sent a packet to the external host IP address.
- Port Restricted Cone – similar to a restricted cone NAT except that an external host can send a packet to the internal host only if the internal host had previously sent a packet to the external host IP address AND port.
- Symmetric – all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port to a different destination, a different mapping is used. As well, only the external host that receives a packet can send a UDP packet back to the internal host.
Symmetric NATs are the most restrictive and, unfortunately, are commonly found in business networks. Because a symmetric NAT creates a separate mapping for each destination, the VoIP speech packets must arrive from the exact destination IP address and port that the internal host sent to. This specifically disallows the direct end-to-end speech packets sent by many free VoIP service providers. The paid subscription VoIP providers typically deploy a hardware end-point to terminate each leg of the voice call so that the requirements for symmetric NATs are satisfied.
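The four behaviours above are easiest to compare by running the same traffic pattern through each one. The following is an added example, not code from VOCAL's library: a toy Python model of a UDP NAT that allocates mappings and filters inbound packets according to the type, then probes it with one internal phone, two outside servers and a third host the phone never contacted. All addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


@dataclass
class Nat:
    """Toy model of a UDP NAT: mapping allocation plus inbound filtering."""
    kind: NatType
    public_ip: str = "203.0.113.7"       # constructed public address
    next_port: int = 40000
    # mapping key -> external (ip, port). Cone NATs key on the internal
    # endpoint only; a symmetric NAT keys on (internal, destination).
    mappings: Dict[tuple, Endpoint] = field(default_factory=dict)
    # external endpoints each internal endpoint has already sent to
    contacted: Dict[Endpoint, Set[Endpoint]] = field(default_factory=dict)

    def _key(self, internal: Endpoint, dest: Endpoint) -> tuple:
        return (internal, dest) if self.kind is NatType.SYMMETRIC else (internal,)

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Internal host sends to dest; returns the external (ip, port) used."""
        key = self._key(internal, dest)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        self.contacted.setdefault(internal, set()).add(dest)
        return self.mappings[key]

    def inbound(self, src: Endpoint, external: Endpoint) -> Optional[Endpoint]:
        """Packet from src arrives at external; returns the internal endpoint
        it is delivered to, or None if the NAT drops it."""
        for key, ext in self.mappings.items():
            if ext != external:
                continue
            internal = key[0]
            seen = self.contacted.get(internal, set())
            if self.kind is NatType.FULL_CONE:
                return internal  # any external host may use the mapping
            if self.kind is NatType.RESTRICTED_CONE:
                if any(d[0] == src[0] for d in seen):  # IP previously contacted
                    return internal
            elif self.kind is NatType.PORT_RESTRICTED_CONE:
                if src in seen:  # IP and port previously contacted
                    return internal
            else:  # SYMMETRIC: only the destination this mapping was made for
                if key[1] == src:
                    return internal
        return None


def probe(kind: NatType) -> Dict[str, bool]:
    """Run the same traffic pattern through a NAT of the given kind."""
    nat = Nat(kind)
    phone = ("10.0.0.5", 5060)          # internal VoIP endpoint (constructed)
    server1 = ("198.51.100.1", 3478)    # two outside servers (constructed)
    server2 = ("198.51.100.2", 3478)
    stranger = ("192.0.2.9", 9999)      # host the phone never contacted
    ext1 = nat.outbound(phone, server1)
    ext2 = nat.outbound(phone, server2)
    return {
        "same_mapping_for_both_servers": ext1 == ext2,
        "stranger_reaches_phone": nat.inbound(stranger, ext1) is not None,
        "server1_other_port_reaches_phone": nat.inbound((server1[0], 9999), ext1) is not None,
        "server1_reaches_phone": nat.inbound(server1, ext1) is not None,
    }


if __name__ == "__main__":
    for kind in NatType:
        print(f"{kind.value:22s} {probe(kind)}")
```

The last row of the output is the one that matters for VoIP: only the symmetric NAT hands the two servers different external ports, so an address learned through one server cannot be reused to reach the phone from anywhere else.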
Simple Traversal of UDP through NATs (STUN) is also known as a NAT probe or external query. A STUN client, in this case within an ATA (analog telephone adapter) behind a NAT, sends out a series of probe messages to a STUN server residing outside the NAT. Based on the responses from the STUN server, the STUN client can determine the type of NAT that it is located behind. When used with VoIP protocols, the results of STUN mapping discovery (namely the public IP address and port number) are used in the VoIP protocol exchanges.
This allows many of the free VoIP services to function properly, but only if the NAT is non-symmetric. Symmetric NATs require either the opening of fixed address/port mappings for the VoIP protocols to use or the use of specific VoIP service providers which deploy RTP relay equipment.
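The mapping-discovery step described above comes down to one Binding request and the XOR-MAPPED-ADDRESS attribute in the server's reply. The following is an added example, not VOCAL's library code: it builds an RFC 5389-style Binding request, constructs the reply a STUN server would send for a given public address (standing in for a real server so the code runs offline), and parses that reply back into the public IP and port, rejecting replies whose magic cookie or transaction ID does not match. The address and port values are constructed.

```python
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389/8489 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """20-byte STUN header: type, attribute length, magic cookie, 96-bit transaction ID."""
    txid = txid if txid is not None else os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, public_ip: str, public_port: int) -> bytes:
    """What a STUN server returns: the client's reflexive address, XORed with the cookie."""
    x_port = public_port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(resp: bytes, expected_txid: bytes) -> Optional[Tuple[str, int]]:
    """Validate a Binding response and return (public_ip, public_port) from XOR-MAPPED-ADDRESS."""
    if len(resp) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not an RFC 5389 STUN message")
    if resp[8:20] != expected_txid:
        raise ValueError("transaction ID mismatch: not the reply to our request")
    if mtype != BINDING_SUCCESS_RESPONSE:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    body = resp[20:20 + mlen]
    if len(body) != mlen:
        raise ValueError("message length does not match payload")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4-byte boundaries
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8:
            _, family, x_port = struct.unpack("!BBH", value[:4])
            if family != FAMILY_IPV4:
                continue
            port = x_port ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    return None


if __name__ == "__main__":
    txid = bytes(range(12))
    request = build_binding_request(txid)
    # Constructed reply standing in for a real STUN server's answer.
    reply = build_binding_response(txid, "203.0.113.7", 40001)
    print(parse_mapped_address(reply, txid))
```

Checking the transaction ID before trusting the address is what keeps a stray or spoofed datagram from being mistaken for the server's answer; the XOR encoding exists so that an intermediate NAT rewriting literal addresses in packet payloads does not corrupt the discovered mapping.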
NAT/Firewall Features
- BOOTP – Protocol (RFC 1497)
- DHCP – Dynamic Host Configuration Protocol (RFC 2131)
- MIB I (RFC 1156)
- RIP – Routing Information Protocol (RFC 1058)
- RIP 2 – Routing Information Protocol (RFC 1723)
- STUN – Simple Traversal of UDP over NATs (RFC 8489, previously RFC 5389)
- TURN – Traversal Using Relays around NAT (RFC 8656, previously RFC 5766)
- ICE – Interactive Connectivity Establishment (RFC 8445, previously RFC 5245)
- PPP – Point to Point Protocol (RFC 2153)
- PPPoE – PPP over Ethernet (RFC 2516)
- Gateway and DMZ Port Forwarding