Robert Dyck wrote:
I understand that the iptables SIP ALG has been much revised this year although I have not tested it myself. I believe you need at least linux 2.6.25.
The unfortunate situtions is that I currently run Debian, which has the 2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe another solutions is more suited for the problem I have?
- Joris
On Monday 21 July 2008, Joris Dobbelsteen wrote:
Neill Wilkinson wrote:
If you are using IPtables and are familiar with how to add modules - there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the SIP packets still carry the LAN IP address. I'm currently missing audio (at least inbound is nowhere to be seen) and it doesn't really work reliable at this moment. That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the network, but its configured differently in my case, so I can't make that thing to play nicely with NAT.
lsmod on the firewall: ip_nat_sip 8832 0 ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message----- From: users-bounces@lists.openser.org [mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen Sent: 21 July 2008 21:10 To: users@lists.openser.org Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my home phone keeps breaking voice channels (the box was not intended behind NAT and I'm, of course, using a configuration that no so well supported).
What is the idea:
SIP transactions should travel this way: ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way: ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really work. It seems that registers are functioning, at least X-Lite reports itself being registered. Voice calls always end up in timeouts, so something is really going wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see what it is doing, without really knowing what to expect exactly. Furthermore I have virtually no knowledge of OpenSER. I've quite a hard time even grasping the configuration I typed in. This is not really helpful
What I do know:
- SIP Proxy traffic is flowing.
- SIP INVITES don't work at all.
- SIP to RTP is communication, but I don't know if RTP is actually
flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of the "Italy 2007 Admin course", to which there is link on the documentation site. I adapted it to make it work with the debian supplied OpenSER 1.1.
How do I get this all working? What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this: # ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd) fork=yes # Set to no to enter debugging mode log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) advertised_address="82.168.191.xx" advertised_port=5060 port=5060 children=4 fifo="/tmp/openser_fifo"
# # ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database mpath="/usr/lib/openser/modules/" loadmodule "mysql.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "rr.so" loadmodule "maxfwd.so" loadmodule "usrloc.so" loadmodule "registrar.so" loadmodule "textops.so" loadmodule "nathelper.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "auth.so" loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line #modparam("usrloc", "db_mode", 2)
# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes) # # If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# -- nathelper params --- modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222") modparam("nathelper", "natping_interval", 30) modparam("nathelper", "ping_nated_only", 1) #modparam("nathelper", "sipping_bflag", 7) modparam("nathelper", "sipping_from", "sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); exit; }; # NAT detection route(2); # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route(); # subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); }; if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); # if you have some interdomain connections via TLS #if(uri=~"@tls_domain1.net") { # t_relay("tls:domain1.net"); # exit; #} else if(uri=~"@tls_domain2.net") { # t_relay("tls:domain2.net"); # exit; #} route(1); }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) { if (method=="REGISTER") { # Uncomment this if you want to use digestauthentication if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0"); exit; };
if (isflagset(5)) { # set branch flag -- when someone willcall this user # INVITE will have branch flag 6 set after loopup("location") setflag(6); # if you want OPTIONS natpings uncomment next # setflag(7); };
save("location"); exit; }; lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); }; # native SIP destinations are handled using our USRLOCDB if (!lookup("location")) { sl_send_reply("404", "Not Found"); exit; }; append_hf("P-hint: usrloc applied\r\n"); };
route(1);}
route[1] { # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (subst_uri('/(sip:.*);nat=yes/\1/i')) { setflag(6); };
if (isflagset(5) || isflagset(6)) { route(3); }; if (!t_relay()) { sl_reply_error(); }; exit;}
route[2] { force_rport(); if(nat_uac_test("19")) { if (method=="REGISTER") { fix_nated_register(); } else { fix_nated_contact(); }; setflag(5); }; }
route[3] { if (is_method("BYE")) { unforce_rtp_proxy(); } else if (is_method("INVITE")) { force_rtp_proxy("", "82.168.191.xx"); t_on_failure("2"); }; if (isflagset(5)) search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes'); t_on_reply("1"); }
failure_route[2] { if (isflagset(6)||isflagset(5)) { unforce_rtp_proxy(); }; }
onreply_route[1] { if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") { force_rtp_proxy(); }; search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) { fix_nated_contact(); }; exit;}
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users