Skype on Netgear Routers
Port Forwarding Solution
A recent and well-documented troubleshooting thread on Netgear's community forms detailed many issues that a customer had with both Skype and Facetime. There were many suggestions in the thread but none of them solved the issue on all of the customer's devices. Eventually, a solution was found for every device. The customer was given specific ports from Skype that he should forward/open on his Netgear router. Here is the image that the customer posted. This may also be a solution for you:
Here's an image of what my ports are now. Not sure what I started with and it doesn't list here what is for FaceTime. He worked so quickly that I didn't copy down everything that he changed. Service type is set to port triggering.
VoIP and the Need for Peer-To-Peer Connections
Skype is motivated to use techniques to establish a peer-to-peer connection instead of acting as a middle-man for VoIP connections. Imagine two people in Australia trying to connect on Skype. It would take too long to route the data through United States. The latency would be too high! It would not make for a good chat experience because everything would be delayed. In this case, a peer-to-peer connection is more favorable because it has less latency. The problem that Skype then needs to overcome is that both clients sit behind a router, also known as a masquerading firewall. Shown here:
Routers are a type of masquerading firewall because:
Packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified. To avoid ambiguity in how replies are translated, further modifications to the packets are required. The vast bulk of Internet traffic uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). For these protocols the port numbers are changed so that the combination of IP address and port information on the returned packet can be unambiguously mapped to the corresponding private network destination. [1]
The two computers in a Skype call are behind routers, and so Skype utilizes something called a NAT traversal technique in order to get both computers to establish a peer-to-peer connection. However,
Network address translation technologies are not standardized. As a result, the methods used for NAT traversal are often proprietary and poorly documented.[2]
In your question you mentioned "hole punching":
Specifically, it seems like "hole punching" out of Router 1 doesn't work...
You're definitely on the right track here. "Hole Punching" is a NAT traversal technique. It is basically a hack to get two internal networks to communicate with each other.
Now, if we add a second subnet/router to the mix. Things get even more complicated because we go from having Single Network Address Translation (Single NAT) to Double NAT.
So, Single NAT is necessary for most configurations and allows multiple devices on a local network to share the same connection via the same public IP address, how is this different from Double NAT?[3]
Everything technically works because static and dynamic NAT’s occur on each device which hops data across each device, the network is segmented at a layer 3 level so layer 2 protocols like DHCP do not conflict.[3]
Understanding Double NAT and its implications for UPnP
Problems arise mainly because the NAT tables on one device fill up or lose track of a particular connection, this type of configuration will cause issues with peer-to-peer technologies that are unable to effectively trace back the network path, MTU path discovery may not function or break and gaming/media services that use uPnP probably will not work unless [they reforward] these services manually.[3]
In your case, Skype may be trying to use UPnP (Universal Plug and Play)[4] which becomes an issue with two routers/subnets or Double NAT because:
There is no mechanism for one UPnP capable router to ask another to open ports[5]
This means that if the local addresses on your subnet are being translated TWICE before going out to the web, devices on that subnet will not be able to use UPnP.
Also see: "The problems that can arise from Double NAT" (answer by harrymc)
Solution
If you would like both routers to provide full functionality for Skype, you will need to set a single subnet for both routers. Please refer to the guides below on how to do this.
References
[1]: Wikipedia - Network Address Translation
[2]: Wikipedia - NAT Traversal
[3]: Double NAT explained and possible solutions
[4]: How does Skype gain access to port forwarding?
[5]: uPNP and double NAT
[Guide] Switching to a Single Subnet
Switching to a Single Subnet can remove the Double NAT problem. In order to get a single subnet, you can follow these steps found at: https://support.bluos.net/hc/en-us/articles/360000220927-Can-I-connect-two-routers-to-the-same-network-with-the-same-network-name-
- Disable the DHCP server on [the second] router to prevent IP conflicts or network configuration issues allowing only Router 1 to manage the network.
- Manually set the IP Address of [the second] router to 1 number higher than the existing main router, for example if your router IP is 192.168.1.1, set this router to 192.168.1.2. [Please] make sure this address is out of the 1st router's allotment of addresses for DHCP distribution. If not, please make a DHCP reservation for this router's address in the router 1's DHCP table.
- Set the Internet Gateway of router 2 to router 1's IP address.
- Connect the two routers using a wired connection from any of port 1-4 in router 1 to any of port 1-4 in router 2. You can use a Wireless Media Bridge or Powerline Ethernet Kit to create a wired connection. DO NOT use router 2's WAN port.
- In the wireless security settings of this router, disable Automatic Channel selection and manually set the channel to channel 8 - or any other channel not being used by the main router or any other router on this network (it is possible to set more than two routers for really large areas).
- Set up wireless security to be identical in router 2 as it is in router 1.
Using Bridge Mode
You can also avoid double NAT by using router 2 in Bridge Mode
Log into your router and browse through the various settings to enable bridge mode.
An example for TP-Link routers is seen here in the following photo:
Additional Considerations
Please ensure that when you are connected to each router, you have either disabled Windows Firewall, or allowed Skype through your Windows Firewall on both public and private networks.
If you are seeing successful connections in Double NAT and not in Single NAT, it's possible that the data is being routed through Skype's servers instead of through a peer-to-peer connection. See here in an article about how Skype works:
Nevertheless, in very active networks [the Skype caller] may not find the correct, open port. The same also applies for a particular type of firewall, which assigns every new connection to a random source port. The Skype server is then unable to tell [the Skype caller] where to look for a suitable hole in [the receiving Skype client's] firewall.
However, even then, Skype doesn't give up. In such cases a Skype server is then used as a relay. It accepts incoming connections from both [Skype clients] and relays the packets onwards. This solution is always possible, as long as the firewall permits outgoing UDP traffic. It involves, however, an additional load on the infrastructure, because all audio data has to run through Skype's servers. The extended packet transmission times can also result in an unpleasant delay.
.jpg){kind=link}