VoIP and NAT

Network Address Translation (NAT) is a technique that is used at the edge of a network to route traffic to the right device. It’s used inside routers and in firewalls and security devices to makes sure that data packets can flow freely across the network – and it conveniently also overcomes issues with the lack of available addresses available under IPv4.

But while it’s a useful technique for routing traffic and protecting data and identities, it causes something of a problem for VoIP, which requires a point-to-point connection between the two ends of the voice call. The way NAT works means that a VoIP call will either fail completely or be subjected to intolerable interference or glitches.

This means you either need to avoid using NAT altogether with VoIP or provide some additional solution that will overcome the problem.

Back to top

What is NAT?

NAT is an address mapping system that’s used to direct traffic to the right place on the network. It’s used to create what are often called sub-nets or virtual servers inside the network that can be used for specific purposes, such as hosting a website. It associates certain kinds of traffic or communications with specific devices or ports, In this way, NAT acts as the traffic controller on the router.

NAT is used at what’s often called the edge of the network – either within the router that connects the network to the Internet, or within the firewall device that protects traffic flowing in and out through that gateway to the network.

Aside from providing a method of routing traffic, it is also useful for two other reasons: it helps to overcome the limitation on available IPv4 addresses; and it can be used to provide an added layer of protection for network devices.

The world ran out of IPv4 addresses some time ago – simply because the format of IPv4 addressing – it uses four sets of numbers which can be between one and three digits each – is just not big enough. It uses a uses a 32-bit addressing format and can support 4.3 billion devices. Back in the day that sounded like it would be more than enough. But no-one anticipated that the Internet would become as huge as it has, and 4.3 billion is nowhere near enough anymore.

That limitation is overcome by IPv6 – but that’s not backwards-compatible with IPv4 but before that arrived, NAT was used to make it possible to use IPv4 addresses multiple times.

This is possible because with NAT, an entire network can be given a single IP address. NAT then does all the connecting to specific devices behind the scenes. Just one address is ‘public’; the rest are ‘private’ and managed through NAT. As the whole network is – on the outside at least – seen as having a single IP address, it’s possible to make use of any group of IPv4 addresses within the network without causing any confusion out on the Internet.

This also has the benefit of adding an extra level of security to the network, as external connections can’t what’s behind that single public IP address; they can’t connect to individual devices as they don’t have any way of finding their way through to those devices.

But of course, external systems or connections do need to connect to devices that sit on the network behind the NAT-enabled firewall or router. To do that with NAT, they have to be authorised first. Once they are given authorisation, the NAT software translates the address and sends the data packet onwards. The external connection though, still only sees that single, outward-facing IP address.

By the way, with IPv6, which is based on the much longer MAC (Media Access Control) addressing method for network devices, there is no capacity problem. IPv6 uses a 128-bit address format and will support approximately 340 trillion trillion devices – if we need it to! That ought to keep the Internet going for some time.

But IPv6 is not backwards-compatible with IPv4, so when carriers and network operators start to switch to using IPv6 addresses, there needs to be a method of translating between the two – but that’s another story. The switch to IPv6 is starting to happen, but one big reason it’s not become a landslide, is the use of NAT to extend the possibility of using IPv4.

Back to top

How NAT works?

The NAT system keeps a track of which device on the internal network originated and received a connection to an external device. It can thus direct packets moving back and forth through the gateway without ever revealing the individual IP addresses to the external connection.

NAT basically records which internal device connected to or requested a connection to an external point or IP address. When data comes back from that address, it therefore knows where to send it onto on the network. It’s like a distribution depot for data packets. All the packets arrive at the same place (in the router or firewall); NAT then looks up their specific destination addresses on the internal network and sends them on.

It sounds quite simple, but things can get fiendishly complicated when you try to use VoIP across NAT.

Back to top

How NAT can affect SIP?

NAT is designed to deal with IP packets rather than the SIP (session initiation protocol) packets that are used to set up, connect and end VoIP calls. It will actually allow the call to be set-up and established. But with a VoIP call that has to travel through NAT, users will almost certainly experience interference, jitter, and breaks in the call. Or the call might be connected but no sound will come through – or it only goes through in one direction.

It would be broadly similar to being on a badly-connected cellular call. The network address translation process just does not lend itself to the way VoIP works.

Back to top

How to fix NAT issues for VoIP phone system

One simple answer is not to use NAT at all. Or you can set up a way to by-pass firewall/router in which the NAT happens. But neither of these options may be desirable. Another is to use IP tunnelling to set up VoIP calls. This adds a certain amount of complexity and overhead but will give you a secure point to point connection.

Alternatively, you can make use of one of the various get-around solutions for using VoIP over NAT. These basically involve adding further information to the SIP packets to ensure that the connection is properly established between the two ends and calls can be properly connected and made smoothly, with both parties able to hear clearly. This basically means opening up that NAT bridge completely for the duration of the call session.

These techniques are quite complicated – but you really don’t need to know how they work to benefit from them. Your VoIP provider or specialist supplier should be able to talk you though the options and explain them in simple terms. The bottom line here is that if you’re organisation is looking to implement VoIP, it’s worth checking up-front if NAT is being used on the gateway and discussing the potential impacts.

It may be that the firewall or security appliance that is in-situ already has a special forwarding feature that will deal with the issue, or that a slightly different protocol can be used that will to allow the voice traffic to travel across NAT.

Back to top