IV. Voice-over-IP (VoIP)

NAT Traversal on the Router

NAT Traversal on the Router

DrayTek routers provide a number of facilities to handle SIP calls and VoIP phones, which can assist with traversing the router's Network Address Translation or bypassing NAT entirely where possible. This can assist in the setup of many phones on a network that would be permanently connected through the DrayTek Vigor router, so that the router itself and the network design can be configured to either handle SIP when going through NAT, or by using the router's capabilities to create routed links between VoIP phones and their PBX system.

Some possible methods are explained in the table and sections below:

SIP ALG - Session Initiation Protocol Application Layer Gateway

The SIP-ALG is a router level 'NAT-Helper' which performs additional packet level translation for SIP packets to aid in routing the SIP messages and RTP audio through the router's NAT. It does this by altering the packets going from the LAN to the WAN; replacing the references to internal IP addresses and ports in the SIP packets with the router's Internet IP and the correct port information. The return packets are translated back to the internal IP address so the VoIP phone is not directly aware of the change.

The benefit of this is that when enabled, IP phones making calls through the router require no additional set up of proxy or STUN servers to successfully make and receive calls, which is ideal for connecting fixed location VoIP desk phones that will always be connected through the router, to their SIP provider or hosted PBX.

DrayTek routers with SIP-ALG enabled are designed to handle a large number of SIP sessions, up to 256 active at one time. This is typically sufficient for most VoIP phone & network implementations but can be exceeded with some network configurations or VoIP phone configurations, particularly if there are a large number of BLF (Busy Lamp Field) indicators configured on many VoIP desk phones.

This feature can be enabled from the [NAT] > [ALG] menu on the router, where the SIP and RTP ALGs can be enabled. The listening ports and protocols to manage (TCP/UDP) can be configured, if your network uses a port other than 5060 to for SIP. This requires 3.8.5 or later firmware, for older firmware versions, see this guide:

Below are two examples of how calls are handled with and without the router's SIP-ALG enabled, assuming that there is no other NAT traversal method configured:

SIP ALG Enabled	SIP ALG Disabled

VPN Tunnel

It is possible to avoid NAT by using a VPN Tunnel, which creates a secure and encrypted tunnel between two networks (LAN-to-LAN VPN), or a remote device and a network (Teleworker VPN). With a VPN set up, both sides are linked as if connecting locally, so there is no translation of IP addresses required, which avoids the need for any NAT traversal.

For an example, a DrayTek VigorBX 2000 IP-PBX / router in the main office could connect a LAN-to-LAN VPN tunnel to a remote office's DrayTek Vigor 2762 router. IP Phones connected into to the Vigor 2762 router would register with the PBX system without being affected by NAT. The VPN tunnel itself may be passing over a NAT-ted connection, but the calls passing through the VPN tunnel will work as though going across a local network.

The limitation of this method is that both the VoIP phone and PBX system must be able to connect to each other through the VPN, like the Vigor 2762 and VigorBX 2000 example above. With a hosted PBX system, it wouldn't typically be possible to create a VPN link between the router and the hosted PBX, and would instead be going over the NAT-ted Internet connection to reach the hosted PBX system.

Port Forwarding

If there is a single IP-Phone or PBX system that needs to be able to receive calls, the router can be configured to send all incoming SIP calls and their RTP audio in to that address. To do this, set up a port forward on the router in a [NAT] > [Open Ports] entry, which allows opening up to 10 different ranges of ports to a single internal IP address.

In the example below, any incoming traffic on UDP ports 5060 for SIP and UDP ports 10000-20000, which are an example of an RTP port range. The RTP range can vary between devices so check the RTP port range on your device and match that setting on the router.

If the DrayTek Vigor router has an integrated VoIP ATA (i.e. 2862Vac), disable the router's internal VoIP ATA from the [VoIP] > [General Settings] menu, otherwise the internal VoIP ATA will be listening on UDP port 5060, taking precedence over the NAT port forwarding configuration.

While this does allow incoming calls to be routed through directly to the SIP client device (PBX or phone), it does not handle the information in the SIP packets for incoming and outgoing calls, therefore it must be used in combination with SIP-ALG, STUN or a SIP proxy to send correct address information when making and receiving calls.

Routing calls over IPv6

DrayTek Vigor routers provide IPv4 & IPv6 dual-stack connectivity to each LAN subnet and if the ISP supports IPv6 Internet connectivity, this means that every device on the IPv6 side of the router's LAN can make use of a directly routable IPv6 address. The IPv6 address space is so large that it allows all devices on the LAN to be provided an IPv6 routable IP address, with ISPs typically providing a /56 subnet which has billions of individual addresses. This large address space eliminates the need for and usage of NAT when using pure IPv6 connectivity.

Similarly to using a VPN, it requires both parties to be using IPv6 address space or some additional gateway to translate between IPv4 and IPv6 networks, which will likely be necessary until more of the Internet transitions onto IPv6 networks. If two offices have IPv6 Internet access, VoIP phones configured to use IPv6 should be able to make and receive calls without requiring NAT helpers such as STUN or SIP-ALG