NAT Traversal For Mobile App Softphones – Best Strategy?


Greetings,

My Asterisk systems sit behind a Meraki mx80 firewall at a data center. I use static public IPs on the firewall and port forward 5060, 5061, and 10,000-20,000 so the clients can connect. Per Meraki support: “Our MX security appliances do not support SIP ALG. Our NAT is a stateful NAT, so only return traffic will be able to traverse the NAT, unless a port forwarding rule is in place.” I'm not sure if this would have any negative impact or if my traversal issues are only client side. My port forwarding should be good, I think.

Especially since testing with Asterisk 13.7 and PJSIP (compared with FreePBX chan_sip Asterisk 11) I am having more problems with 1-way and no-way audio.

Most of my endpoints are iPhones using the “Bria” soft phone app from Counterpath. This means that their IP address may change often, and whatever kind of NAT they are behind is beyond my control.

Given this scenario, I’m hoping for advice on the best strategy for configuration of my Asterisk server and soft phones with ICE/TURN/STUN to help with NAT traversal. The Bria app allows multiple options to be turned on for traversal strategy:

For SIP:
RPORT WiFi, RPORT Mobile, Outbound WiFi, Outbound Mobile, STUN WiFi, STUN Mobile

STUN/TURN (server/username/password fields)

Media NAT Traversal:
STUN WiFi, STUN Mobile, Use ICE WiFi, Use ICE Mobile, Use TURN WiFi, Use TURN Mobile

To use ICE on Asterisk, do I need to also set up a separate TURN server, and is one in particular recommended? I’ve looked into “turnserver” and “resiprocate-turn-server” (reTurn) briefly. I’m unclear as to whether I need to run this server on a true public IP or if the server can also run behind a firewall with port forward from the WAN public IP. I’m also unclear as to whether I truly need 2 separate public IPs for the turn server to work, which I have seen mentioned in some of the documents.

Thank you for your time.

Regards,

Kevin Long

One thought on - NAT Traversal For Mobile App Softphones – Best Strategy?

  • Hi

    I have the same situation and with the following sip.conf settings, everything works fine.

    [general]
    externip=12.34.56.78
    localnet=192.168.10.0/255.255.255.0
    nat=force_rport,comedia
    bindport=5060
    bindaddr=0.0.0.0
    srvlookup=no
    dtmfmode=rfc2833
    canreinvite=no
    disallow=all
    allow=alaw
    allow=ulaw
    tcpenable=yes

    Here is the configuration for a mobile device with a softphone (Android and Zoiper):

    ;Mobile phone
    [mobile1]
    type=peer
    callerid="Frank" <+987654321>
    nat=force_rport,comedia
    qualify=6000
    host=dynamic
    secret=mysupersecretpassword
    canreinvite=no
    context=privatephone
    call-limit=2
    transport=tcp
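
The question concerns Asterisk 13 with PJSIP, while the reply's settings are for chan_sip; the NAT-related options map onto pjsip.conf and rtp.conf roughly as shown here. This is an added example, not part of the original post or the reply; the section names, the password placeholder, the STUN host and the qualify interval are assumptions.

```ini
; pjsip.conf (constructed example; addresses and names taken from the reply above)
[transport-tcp]
type=transport
protocol=tcp
bind=0.0.0.0:5060
local_net=192.168.10.0/24                ; chan_sip: localnet
external_signaling_address=12.34.56.78   ; chan_sip: externip (SIP headers)
external_media_address=12.34.56.78       ; chan_sip: externip (SDP)

[mobile1]
type=endpoint
transport=transport-tcp
context=privatephone
disallow=all
allow=alaw,ulaw
auth=mobile1-auth
aors=mobile1
callerid=Frank <+987654321>
dtmf_mode=rfc4733        ; chan_sip: dtmfmode=rfc2833
direct_media=no          ; chan_sip: canreinvite=no
force_rport=yes          ; chan_sip: nat=force_rport
rtp_symmetric=yes        ; chan_sip: nat=comedia
rewrite_contact=yes      ; use the source IP:port Asterisk actually saw as the contact
device_state_busy_at=2   ; closest to call-limit=2 (reports busy, does not reject)
ice_support=yes          ; only if ICE is also enabled in the softphone

[mobile1-auth]
type=auth
auth_type=userpass
username=mobile1
password=CHANGE_ME       ; placeholder, not a real credential

[mobile1]
type=aor
max_contacts=1
remove_existing=yes      ; a new registration replaces the old contact after an IP change
qualify_frequency=60     ; assumed interval in seconds; OPTIONS pings keep the NAT binding open

; rtp.conf (separate file)
[general]
rtpstart=10000           ; matches the forwarded range in the question
rtpend=20000
icesupport=yes
stunaddr=stun.example.org:3478   ; hypothetical STUN server
```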