tech-net archive
Re: SIP with NAT traversal and STUN using NPF
On Sat, Jun 13, 2026 at 07:51:37PM -0400, Greg Troxel wrote:
> That seems like TURN not STUN. They run on the same port, and it's
> confusing.
Wireshark calls the protocol "CLASSIC-STUN" and the packet a "BINDING REQUEST".
> My impression is that usually the outbound packets of the RTP stream hit
> a stateful rule that allow the inbound packets.
Yes, that is what I would expect too, and various docs claim it should
just work (though some say that through NAT it is always hit or miss; but
since it worked without any trouble or special setup with the old firewall,
I had expected it to just work with NPF too).
> It's not clear to me that you are having STUN/TURN problems as much as
> RTP problems.
I think they are related; I definitely don't get the incoming RTP connection
working when the call is picked up.
> > I am confused, as the documentation for the VoIP device says I just need
> > to map ports 5060 and/or 5061 from the public address to 5060/5061 on the
> > VoIP device. But that part is not actually needed, the VoIP device opens
> > a connection to port 5061 on my providers server and keeps it alive.
>
> The docs are probably presuming you not having a stateful firewall.
They are especially for this case. But they may be wrong.
> > I get calls signalled and can call out - just when the call is
> > established and RTP audio connections should happen, they are blocked
> > by my firewall. I could make them pass (i.e. by "pass in" rules
> > restricted to the servers the VoIP thing communicates with) - but then
> > where should they be forwarded to (same port on VoIP device?) and how
> > would I tell npfctl?
>
> When the RTP inbound packets are blocked, are there outbound RTP packets
> from the device to the peer?
This is a bit puzzling. When the call is picked up I start seeing a stream
of UDP packets from my VoIP device to some server/port (I guess that is
the outgoing audio) and an incoming stream of UDP packets all blocked
by the firewall from another server/port. And I fail to match both
server/port to anything in the "BINDING RESPONSE" packet.
> I wonder if you are using a hardware SIP terminal ("hardphone") vs using
> a program on a computer (linphone, or baresip on android). I wonder
> if you have tried Signal calls, or XMPP calls, from your LAN (with v6
> disabled).
It is a black box device, a consumer grade wifi-router + DECT gateway
(Fritz!Box) that I use for the DECT part mostly (and as a wifi access
point, but no routing).
Are there any application gateway modules for NPF (or IPF that could be
ported) and would that help? I still don't see the big picture and need
to read more of the related RFCs.
Martin
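The message above says the blocked RTP endpoints could not be matched against anything in the "BINDING RESPONSE" packet. Decoding that response by hand is error-prone, so here is an added example (not code from the thread or from NPF) that parses a classic STUN Binding Response (RFC 3489 header and MAPPED-ADDRESS, SOURCE-ADDRESS, CHANGED-ADDRESS), and also the RFC 5389 XOR-MAPPED-ADDRESS form, and returns the IPv4 address and port each attribute carries. The sample packet it builds is constructed for the example; the addresses in it are documentation ranges, not the poster's or any provider's servers.

```python
"""Decode a STUN Binding Response and list its address attributes.

Added example, not from the tech-net thread. Handles the RFC 3489
("classic STUN") address attributes plus RFC 5389 XOR-MAPPED-ADDRESS,
IPv4 only. The sample packet below is constructed, not captured.
"""
import ipaddress
import struct

BINDING_RESPONSE = 0x0101
MAGIC_COOKIE = 0x2112A442          # RFC 5389; first 4 bytes of the transaction ID

ATTR_MAPPED = 0x0001
ATTR_SOURCE = 0x0004
ATTR_CHANGED = 0x0005
ATTR_XOR_MAPPED = 0x0020
ATTR_NAMES = {
    ATTR_MAPPED: "MAPPED-ADDRESS",
    ATTR_SOURCE: "SOURCE-ADDRESS",
    ATTR_CHANGED: "CHANGED-ADDRESS",
    ATTR_XOR_MAPPED: "XOR-MAPPED-ADDRESS",
}


def _decode_address(value, attr_type):
    """Decode an 8-byte IPv4 address attribute value to (ip, port)."""
    if len(value) < 8 or value[1] != 0x01:       # byte 1 is the family; 0x01 = IPv4
        raise ValueError("only IPv4 address attributes are handled here")
    port, = struct.unpack("!H", value[2:4])
    addr, = struct.unpack("!I", value[4:8])
    if attr_type == ATTR_XOR_MAPPED:
        # RFC 5389: port is XORed with the top 16 bits of the cookie,
        # the IPv4 address with the whole cookie.
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return str(ipaddress.IPv4Address(addr)), port


def parse_binding_response(packet):
    """Return {attribute-name: (ip, port)} for a STUN Binding Response."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte STUN header")
    msg_type, msg_len = struct.unpack("!HH", packet[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: type 0x%04x" % msg_type)
    if len(packet) < 20 + msg_len:
        raise ValueError("truncated: header claims %d attribute bytes" % msg_len)
    result = {}
    offset, end = 20, 20 + msg_len
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", packet[offset:offset + 4])
        value = packet[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("attribute 0x%04x runs past the packet" % attr_type)
        name = ATTR_NAMES.get(attr_type)
        if name is not None:
            result[name] = _decode_address(value, attr_type)
        # RFC 5389 pads every attribute value to a 4-byte boundary
        offset += 4 + attr_len + (-attr_len % 4)
    return result


def _encode_address(attr_type, ip, port):
    """Build one IPv4 address attribute (TLV), XORing for XOR-MAPPED-ADDRESS."""
    addr = int(ipaddress.IPv4Address(ip))
    if attr_type == ATTR_XOR_MAPPED:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, port, addr)
    return struct.pack("!HH", attr_type, len(value)) + value


def build_sample_response():
    """Constructed sample: a Binding Response with three address attributes."""
    attrs = (_encode_address(ATTR_MAPPED, "203.0.113.7", 50010)
             + _encode_address(ATTR_SOURCE, "198.51.100.5", 3478)
             + _encode_address(ATTR_XOR_MAPPED, "203.0.113.7", 50010))
    transaction_id = struct.pack("!I", MAGIC_COOKIE) + bytes(range(12))
    return struct.pack("!HH", BINDING_RESPONSE, len(attrs)) + transaction_id + attrs


if __name__ == "__main__":
    for name, (ip, port) in parse_binding_response(build_sample_response()).items():
        print("%-20s %s:%d" % (name, ip, port))
```

To use it on a real capture, export the UDP payload of the Binding Response from Wireshark as raw bytes and pass it to `parse_binding_response`; MAPPED-ADDRESS is the public address and port the STUN server saw, which is what the far end is told to send RTP to, so it can be compared with the destination of the blocked inbound stream and with the port the device itself sends from. If the two do not line up, the RTP ports the provider uses were negotiated in the SDP of the SIP call rather than learned via STUN, which is consistent with not finding them in the Binding Response.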