VoIP One‑Way Audio Issues on ISP Using CGNAT

Has anyone here dealt with VoIP issues when the ISP uses CGNAT? I’m running an ATA on a provider that uses CGNAT and I’m trying to figure out if others have seen similar behavior.

For anyone not familiar with CGNAT: instead of your router getting a true public IP, the ISP puts you behind a shared carrier‑grade NAT. So you end up with two IPs — an internal one assigned by the ISP and a single external IP shared among many customers. It generally works fine for most traffic, but it can complicate anything that relies on stable inbound connections, like VoIP.

My setup: Grandstream HT702 ATA behind an R7000 router. I’ve used this exact configuration on multiple ISPs without any issues. But on the one ISP that uses CGNAT, I occasionally get one‑way audio after about 10–15 minutes into a call. Everything starts fine, then suddenly I can hear the other side but they can’t hear me (or vice‑versa). Because this only happens on the CGNAT ISP, I’m pretty confident that’s the culprit.

I’m using TLS and SRTP, and I have keep‑alive enabled for both NAT and SIP. Has anyone found a configuration that plays nicely with CGNAT? Any tricks, settings, or workarounds that helped stabilize long calls?

I’d appreciate any suggestions or experiences.

Configure to use STUN server?

I’ve tried it both ways — using STUN and using only Keep‑Alive — and I still end up with one‑way audio after about 15 minutes. STUN didn’t make any difference for me. I remember seeing a comment from another VoIP provider saying STUN can actually cause more issues when you’re behind CGNAT, but I never really understood the technical reasoning behind it or whether it’s universally true. All I can say is that in my case, STUN didn’t help at all.

Grandstream HT702 behind pfSense with a CGNAT address here – no issues with calling or voice.

Not using any special settings beyond what is documented in the wiki.

Is your pfSense setup paired with a VPN or a VPS tunnel? I’m not sure how a router alone could solve the CGNAT issue without one of those in place. I’ve read that if I flashed third‑party firmware onto my R7000, I could configure a VPN, VPS tunnel, or reverse proxy to work around CGNAT — but I’m not sure I want to get into all that.

Sorry for the delay – got no notification of your question.

And no – no VPN or tunnels configured to support the Grandstream.