[VoiceOps] ACME behaviour with Bad NAT Firewalls

anorexicpoodle anorexicpoodle at gmail.com
Fri Jun 10 03:06:14 EDT 2011


No, what I am indicating is that by not using port 5060, or another well
known port, most ALGs in CPE routers will simply ignore your SIP
traffic and allow it to pass unmolested so the SD can get on with its
job and do NAT traversal in a consistent and reliable fashion. Most
poorly behaved ALGs in CPE routers only use source/destination port to
detect if the traffic should be passed through the ALG. It's simple:
dodge the match rule and the ALG doesn't get applied, no need to have
the customer change the config on their firewall or router, and your
product auto-magically "just works".



On Thu, 2011-06-09 at 21:51 -0700, Mark Holloway wrote:

> Are you indicating that simply using the higher port numbers without ALG invokes a more successful and consistent behavior for IP PBX trunking or is this specific to Hosted IP? 
> 
> On Jun 9, 2011, at 9:35 AM, anorexicpoodle wrote:
> 
> > 
> > We have had a great deal of success simply abandoning port 5060 and using port numbers over 10000 on the endpoint and SBC. Since most ALGs simply do protocol detection based on port, this will dodge much of your ALG/fixup headaches straight away. There are of course still some CPE routers with a more clever ALG that will catch this, but it dramatically reduces your exposure.
> > 
> > 
> 
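
Added example, not part of the original thread: one way to confirm whether a CPE ALG is still touching signaling after a port change is to compare the same request as captured at the endpoint and at the SBC. A plain NAT changes only the IP/UDP header, so any difference in the Via, Contact or SDP address fields points to an ALG. The messages, addresses and function names below are constructed for illustration.

```python
import re

# Address-bearing fields a SIP ALG typically rewrites in the payload.
FIELDS = {
    "via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^;>\s]+)", re.I | re.M),
    "sdp_c": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "sdp_m": re.compile(r"^m=audio (\d+)", re.M),
}

def extract(msg):
    """Pull the first value of each address-bearing field, or None if absent."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(msg)
        out[name] = m.group(1) if m else None
    return out

def alg_rewrites(sent, received):
    """Map each field that differs to (value at endpoint, value at SBC)."""
    a, b = extract(sent), extract(received)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}

def invite(host, sip_port, rtp_port):
    # Constructed sample INVITE; hosts are private/documentation addresses.
    return "\r\n".join([
        "INVITE sip:100@sbc.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {host}:{sip_port};branch=z9hG4bK776asdhds",
        "From: <sip:200@sbc.example.net>;tag=1928301774",
        "To: <sip:100@sbc.example.net>",
        f"Contact: <sip:200@{host}:{sip_port}>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"c=IN IP4 {host}",
        f"m=audio {rtp_port} RTP/AVP 0",
        "",
    ])

if __name__ == "__main__":
    # Port 5060: the SBC-side capture shows the payload rewritten in transit.
    print(alg_rewrites(invite("192.168.1.20", 5060, 30000),
                       invite("203.0.113.7", 1024, 30000)))
    # High port: payload arrives untouched, so nothing is reported.
    same = invite("192.168.1.20", 15060, 30000)
    print(alg_rewrites(same, same))
```

An empty result means the payload reached the SBC as the endpoint sent it, which is the condition the SBC needs to do its own NAT traversal.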

