Firewalls are great! They help keep the Internet from destroying your super-critical kitten pictures on your server. They also break phone calls. That's a problem.


Okay, so it's not firewalls that break phone calls – though they can. A firewall typically separates two networks that either can't or shouldn't be allowed to talk directly to each other. The most common example of this is the Internet. To handle this, the firewall usually keeps all the public-Internet-facing IP addresses to itself, forcing everything on the inside of the firewall to traverse it for security reasons. This is possible through a technology called NAT, or network address translation, which takes the IP address of your internal device and translates that session to a public IP address the firewall has.


For phone systems though, NAT is a problem. Protocols like RTP and SIP expect to be able to talk directly to the device they're calling. This is hard to describe in words, so let me draw a really bad picture.



Let's say this is a phone with an IP address of We want to call that other phone with an IP address of You can see that there is a firewall on either side of these phones, and their IP addresses are and for the first, and for the second. When our phone tries to call the other, the packet will say something like “Hey, establish a phone call with me. You can connect to me at”. Trouble is, the other phone can't reach because it's on the other side of the firewall. So we'll see our phone try to make a phone call, but it won't ever connect because the other phone wasn't able to send us its response.


So this is where STUN, TURN and ICE come in handy. ICE stands for Interactive Connectivity Establishment – and it's an overarching technique that utilizes STUN and TURN.


STUN stands for Session Traversal Utilities for NAT, and works to identify if the call is taking place behind a NAT. If it sees a NAT, it determines the IP address the NAT is using and uses that to make sure the two end points can talk to each other.


TURN, which stands for Traversal Using Relay NAT, acts as a backup for scenarios where STUN fails. TURN provides a media relay server, which in this case would be the device performing the NAT, to let the endpoints know to try to send packets through it to connect. TURN can offer more than one option too, in case the call may take more than one path.


Protocols like SIP use STUN, TURN, and ICE so that we can have our phone system work regardless of where we are in the world.