I haven't made this kind of blog entry for a while, thank goodness.
My router failed the other day, and I decided to replace it. I have a couple of Grandstream BudgeTone 200 VoIP phones on the LAN, which work very well, in that they allow high-quality phone calls to be made to national and international destinations at low cost. I use Sipgate as the SIP gateway. They are very good.
The problem comes from having devices that really ought not to be hidden behind a NAT firewall. The problems are elegantly summed up on this page.
As the page quotes: "This protocol is not a cure-all for the problems associated with NAT."
STUN seems a magic bullet, but really the magic bullet is to ban NAT routers and move to IPv6. Will this happen in my lifetime? I fear not.
There is a lot of port forwarding that Sipgate says is needed to run a VoIP phone behind a NAT firewall. See this page for details. Running two phones behind the same NAT router is virtually impossible. I seem to have managed it for the time being by making one of the devices a DMZ, and the other one configured as in the above page. Both are registered and working right now, but my experience in the past is that one tends to become deregistered.
I used this page as a starting point, but of course this article doesn't describe which ports need to be forwarded to allow the second device to communicate with the STUN server. What is clear is that RTP and SIP ports for each device need to be unique, otherwise there's no chance of those packets getting to the right phone!! I assume that the magic of STUN tells the server how to route them to the right machines, given that their externally-visible IP addresses are, because of the design of NAT, identical.
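As an added illustration (not from the original post, and not Sipgate's or Grandstream's code): in a STUN Binding exchange (RFC 5389) the server reports back to each phone the external address and port the NAT assigned to it, in the XOR-MAPPED-ADDRESS attribute. The example builds constructed responses for two phones and parses them, checking the transaction ID so an unsolicited reply is rejected; the phone names, the address 203.0.113.7 and the port mappings are assumptions, and no network traffic is sent.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442                      # fixed value, RFC 5389
BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0101, 0x0020

def build_binding_response(ip, port, txid):
    """Constructed Binding success response, standing in for a real STUN server."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr

def parse_mapped_address(msg, expected_txid):
    """Return the (ip, port) carried in XOR-MAPPED-ADDRESS after header checks."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or mlen != len(msg) - 20:
        raise ValueError("malformed or non-success STUN Binding response")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not match our request")
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS:
            if len(value) != 8 or value[1] != 0x01:
                raise ValueError("truncated or non-IPv4 address attribute")
            xport, xaddr = struct.unpack("!HI", value[2:8])
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + alen + (-alen % 4)          # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def external_view(phones, public_ip):
    """Map each phone name to the (ip, port) a STUN server would report for it."""
    seen = {}
    for name, ext_port in phones.items():
        txid = os.urandom(12)                  # fresh transaction ID per request
        reply = build_binding_response(public_ip, ext_port, txid)
        seen[name] = parse_mapped_address(reply, txid)
    return seen

# Constructed sample: documentation address 203.0.113.7, made-up port mappings.
PHONES = {"phone-a": 5060, "phone-b": 5062}
if __name__ == "__main__":
    for name, (ip, port) in external_view(PHONES, "203.0.113.7").items():
        print(f"{name}: seen from outside as {ip}:{port}")
```

Both phones come back with the same external IP address and differ only in port, which is why the SIP and RTP ports have to be distinct per device.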
VoIP is lovely, and Sipgate is good. But running these things behind a NAT firewall is really not for the fainthearted.
