If the device is used as a router, it is able to connect IP terminals from the network with a non-public address to the public Internet. For this, NAT (Network Address Translation) is necessary. Additional configuration is required on the different IP interfaces (e.g. ETH, PPP, etc.) to define on which interfaces the public and on which interfaces the private network is accessed.
- Enable NAT
- If this checkmark is set, NAT is enabled. Without this checkmark being set all other NAT settings are without effect.
- Default forward destination
- If all incoming data packets from the public network are to be forwarded to a particular private IP address, the destination IP address must be entered here.
- Disable DNS Forwarding
- No DNS requests are answered by this host, if this option is enabled.
Add new map
- Port-specific forwarding
- To be able to address several internal destinations, different port numbers are assigned to IP addresses of the internal network here.
- Enable STUN
- If this checkmark is set, a STUN server is started on the box. The STUN server works like a regular STUN server from external. From internal binding requests create a NAT mapping and the binding response contains the public address of the mapping.
- Non standard port
- The port that shall be used for the STUN server. If empty the well known port 3478 is used.
- STUN Changed Address
- If the Enable STUN checkmark is ticked, an IP address:port must be configured, which will be used as source address for replies, when the client is asking for a changed address. This is used for the classic STUN NAT detection mechanism. Basically any address/port can be used here. It could be that a IP provider does not forward packets with a wrong address, so it is safer to use an address, which is valid in the network of the device. It is also better to use an address, which is not used for something else, because it could be that the local router uses these packets to update its ARP table. You can use 3480 as port. Note that NAT detection will not work properly if no STUN Changed Address is configured
- Up to four TURN accounts can be configured. If a TURN account is configured a TURN server is enabled for this account.
- TURN Public Address
- A TURN server can be operated in a private network behind a firewall. In this case port forwarding must be configured on the firewall for the complete RTP port range to the TURN server. On the TURN server the used public address of the firewall has to be configured, so that this can be provided to the remote RTP peer to send the RTP data to.
- TURN servers can be operated in a cluster behind a single firewall. Each TURN server within the cluster should be asigned a seperate RTP port range. On the firewall port forwarding to the different TURN servers has to be forwarded for the RTP port ranges. To distribute the incoming requests standard TCP or UDP load balancing to the different TURN servers has to be configured.
- If in this setup the other RTP peer use the same TURN cluster, the RTP is forwarded between the two session using the public firewall address, this requires the firewall to support hairpinning. To avoid this, on each TURN server all the TURN servers of the cluster can be configured, with their RTP port ranges (first, last) and their local (internal) addresses. If the RTP peer is identified as belonging to the same cluster, the local address is then used for the RTP.
Note: In v12r1 and higher version it's no longer necessary to enable NAT for the STUN/TURN services be enabled. If NAT is disabled make sure the UDP-NAT port range values are also deleted / not set.