If you are using IPtables and are familiar with how to add modules - there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson Principal Consultant Aeonvista Ltd - opening up new ideas
-----Original Message----- From: users-bounces@lists.openser.org [mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen Sent: 21 July 2008 21:10 To: users@lists.openser.org Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my home phone keeps breaking voice channels (the box was not intended behind NAT and I'm, of course, using a configuration that no so well supported).
What is the idea:
SIP transactions should travel this way: ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way: ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really work. It seems that registers are functioning, at least X-Lite reports itself being registered. Voice calls always end up in timeouts, so something is really going wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see what it is doing, without really knowing what to expect exactly. Furthermore I have virtually no knowledge of OpenSER. I've quite a hard time even grasping the configuration I typed in. This is not really helpful
What I do know: * SIP Proxy traffic is flowing. * SIP INVITES don't work at all. * SIP to RTP is communication, but I don't know if RTP is actually flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of the "Italy 2007 Admin course", to which there is link on the documentation site. I adapted it to make it work with the debian supplied OpenSER 1.1.
How do I get this all working? What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this: # ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd) fork=yes # Set to no to enter debugging mode log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) advertised_address="82.168.191.xx" advertised_port=5060 port=5060 children=4 fifo="/tmp/openser_fifo"
# # ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database mpath="/usr/lib/openser/modules/" loadmodule "mysql.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "rr.so" loadmodule "maxfwd.so" loadmodule "usrloc.so" loadmodule "registrar.so" loadmodule "textops.so" loadmodule "nathelper.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "auth.so" loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line #modparam("usrloc", "db_mode", 2)
# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes) # # If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# -- nathelper params --- modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222") modparam("nathelper", "natping_interval", 30) modparam("nathelper", "ping_nated_only", 1) #modparam("nathelper", "sipping_bflag", 7) modparam("nathelper", "sipping_from", "sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; };
if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); exit; };
# NAT detection route(2);
# we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); };
if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); # if you have some interdomain connections via TLS #if(uri=~"@tls_domain1.net") { # t_relay("tls:domain1.net"); # exit; #} else if(uri=~"@tls_domain2.net") { # t_relay("tls:domain2.net"); # exit; #} route(1); };
# if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0"); exit; };
if (isflagset(5)) { # set branch flag -- when someone will call this user # INVITE will have branch flag 6 set after loopup("location") setflag(6); # if you want OPTIONS natpings uncomment next # setflag(7); };
save("location"); exit; };
lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); };
# native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); exit; }; append_hf("P-hint: usrloc applied\r\n"); };
route(1); }
route[1] { # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (subst_uri('/(sip:.*);nat=yes/\1/i')) { setflag(6); };
if (isflagset(5) || isflagset(6)) { route(3); };
if (!t_relay()) { sl_reply_error(); }; exit; }
route[2] { force_rport(); if(nat_uac_test("19")) { if (method=="REGISTER") { fix_nated_register(); } else { fix_nated_contact(); }; setflag(5); }; }
route[3] { if (is_method("BYE")) { unforce_rtp_proxy(); } else if (is_method("INVITE")) { force_rtp_proxy("", "82.168.191.xx"); t_on_failure("2"); }; if (isflagset(5)) search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes'); t_on_reply("1"); }
failure_route[2] { if (isflagset(6)||isflagset(5)) { unforce_rtp_proxy(); }; }
onreply_route[1] { if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") { force_rtp_proxy(); }; search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) { fix_nated_contact(); }; exit; }
_______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users