How to deploy MSS behind NAT and provide public service

Some customers often request to deploy MSS behind NAT, but still need provide public service. That means MSS is in private network and some SIP phones/clients are in public network (internet), or MSS need work with public VoIP carriers’ network.

Following figure describes a simple network for this scenario:

Demo network

In this network, we can see

(1) Private network is connected to public network by a router whose public address is and private address is

(2) MSS is deployed in private network with private address

(3) Some SIP phones are in the same private network, such as local users 100 and 101. Some SIP phones are in public network, such as local user 102.

It is no problem for local user 100 and 101 to visit MSS since they are in the same network. So the problem is how to make outside local user (102) can visit MSS.

We can resolve it by forwarding some ports in router.

First, in the router, we can configure forwarding UDP port 5060, 10000~20000 to the PC where MSS is installed. Most routers can support this function. Port 5060 is standard SIP port. Ports 10000~20000 are RTP ports to transfer media streams.

Second, we must indicate MSS to work with public address. Please click menu “Data / System / SIP” and fill theĀ  “local address” with the public address “”. SIP phones/clients can use this public address to visit MSS.

There is another problem. In above scenario, the router is configued with a fixed public address. In normal, the router could be ADSL router and it maybe has a dynamic IP address. Outside users cannot use the dyanmic address to visit MSS. Then, how can we provide public services?

To resolve it, we can use domain name, for example, we can use DynDNS to provide domain name for our MSS. The router must be able to support “Dynamic DNS”. In our example, we assume we get a domain name “” from DynDNS and configure it in our router, then we can use this domian name as MSS SIP address:

SIP configuration
System configuration

In this configuration, you must disable “Detect another address if current address is unavailable”.

SIP phones/clients must be able to use domain name as server address or proxy address, so they can configure “” to visit MSS in our scenario and make calls.