Hi,
I am still having some problems with users behind NAT. I am using X-Lite and forcing it as Symmetric Firewall. For testing I am using the nathelper.cfg from CVS folder with only additions of mysql. Calling from X-Lite sound works fine. If the X-Lite sits idle for over a minute I am unable to make a call to the X-Lite. I ran ethereal but am not seeing any packets pertaining to rtpproxy which should be every 10 seconds. I also read the README for rtpproxy and it doesnt look up to date. It says to run rtpproxy type rtpproxy -s <proto>:<address>[:<port>] What is the correct way to run rtpproxy and is there up to date documentation on rtpproxy? I added my ser.cfg to the email as well...
Thanks for your help in advance
debug=8 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=yes # (cmd line: -E)
/* Uncomment these lines to enter debugging mode fork=yes log_stderror=yes */
listen=64.72.107.4 listen=127.0.0.1
# hostname matching an alias will satisfy the condition uri==myself". alias=cytelcom.com alias=64.72.107.4
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# !! Nathelper loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line modparam("usrloc", "db_mode", 2)
# database location modparam("usrloc", "db_url", "sql://ser:n0kia12@localhost/ser")
# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
# database location modparam("auth_db", "db_url", "sql://ser:n0kia12@localhost/ser")
# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# !! Nathelper modparam("registrar", "nat_flag", 6) modparam("nathelper", "natping_interval", 10) # Ping interval 10 s modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= max_len ) { sl_send_reply("513", "Message too big"); break; };
# !! Nathelper # Special handling for NATed clients; first, NAT test is # executed: it looks for via!=received and RFC1918 addresses # in Contact (may fail if line-folding is used); also, # the received test should, if completed, should check all # vias for rpesence of received if (nat_uac_test("3")) { # Allow RR-ed requests, as these may indicate that # a NAT-enabled proxy takes care of it; unless it is # a REGISTER
if (method == "REGISTER" || ! search("^Record-Route:")) { log("LOG: Someone trying to register from private IP, rewriting\n");
# This will work only for user agents that support symmetric # communication. We tested quite many of them and majority is # smart enough to be symmetric. In some phones it takes a configuration # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is # called "symmetric media" and "symmetric signalling".
fix_nated_contact(); # Rewrite contact with source IP of signalling if (method == "INVITE") { fix_nated_sdp("1"); # Add direction=active to SDP }; force_rport(); # Add rport parameter to topmost Via setflag(6); # Mark as NATed }; };
# we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); break; };
if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); break; };
# if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication if (!www_authorize("cytelcom.com", "subscriber")) { www_challenge("cytelcom.com", "0"); break; };
save("location"); break; };
lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); break; };
# native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; }; }; append_hf("P-hint: usrloc applied\r\n"); route(1); }
route[1] { # !! Nathelper if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")){ sl_send_reply("479", "We don't forward to private IP addresses"); break; }; # if client or server know to be behind a NAT, enable relay if (isflagset(6)) { force_rtp_proxy(); };
# NAT processing of replies; apply to all transactions (for example, # re-INVITEs from public to private UA are hard to identify as # NATed at the moment of request processing); look at replies t_on_reply("1");
# send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; }
# !! Nathelper onreply_route[1] { # NATed transaction ? if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") { fix_nated_contact(); force_rtp_proxy(); # otherwise, is it a transaction behind a NAT and we did not # know at time of request processing ? (RFC1918 contacts) } else if (nat_uac_test("1")) { fix_nated_contact(); }; }
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
Maybe SER does not detect your x-lite as behind NAT. Try to set ping_nated_only parameter to 0, re-register x-lite and see if it receives any natping packets (or if ser sends them).
Jan.
On 03-06 12:33, Harold Workman wrote:
Hi,
I am still having some problems with users behind NAT. I am using X-Lite and forcing it as Symmetric Firewall. For testing I am using the nathelper.cfg from CVS folder with only additions of mysql. Calling from X-Lite sound works fine. If the X-Lite sits idle for over a minute I am unable to make a call to the X-Lite. I ran ethereal but am not seeing any packets pertaining to rtpproxy which should be every 10 seconds. I also read the README for rtpproxy and it doesnt look up to date. It says to run rtpproxy type rtpproxy -s <proto>:<address>[:<port>] What is the correct way to run rtpproxy and is there up to date documentation on rtpproxy? I added my ser.cfg to the email as well...
Thanks for your help in advance
debug=8 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=yes # (cmd line: -E)
/* Uncomment these lines to enter debugging mode fork=yes log_stderror=yes */
listen=64.72.107.4 listen=127.0.0.1
# hostname matching an alias will satisfy the condition uri==myself". alias=cytelcom.com alias=64.72.107.4
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# !! Nathelper loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line modparam("usrloc", "db_mode", 2)
# database location modparam("usrloc", "db_url", "sql://ser:n0kia12@localhost/ser")
# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
# database location modparam("auth_db", "db_url", "sql://ser:n0kia12@localhost/ser")
# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# !! Nathelper modparam("registrar", "nat_flag", 6) modparam("nathelper", "natping_interval", 10) # Ping interval 10 s modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= max_len ) { sl_send_reply("513", "Message too big"); break; };
# !! Nathelper# Special handling for NATed clients; first, NAT test is # executed: it looks for via!=received and RFC1918 addresses # in Contact (may fail if line-folding is used); also, # the received test should, if completed, should check all # vias for rpesence of received if (nat_uac_test("3")) { # Allow RR-ed requests, as these may indicate that # a NAT-enabled proxy takes care of it; unless it is # a REGISTER
if (method == "REGISTER" || ! search("^Record-Route:")) { log("LOG: Someone trying to register from private IP, rewriting\n"); # This will work only for user agents that support symmetric # communication. We tested quite many of them and majority is # smart enough to be symmetric. In some phones it takes a configuration # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is # called "symmetric media" and "symmetric signalling". fix_nated_contact(); # Rewrite contact with source IP of signalling if (method == "INVITE") { fix_nated_sdp("1"); # Add direction=active to SDP }; force_rport(); # Add rport parameter to topmost Via setflag(6); # Mark as NATed };};
# we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); break; };
if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); break; };
# if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) {
if (method=="REGISTER") {# Uncomment this if you want to use digest authentication if (!www_authorize("cytelcom.com", "subscriber")) { www_challenge("cytelcom.com", "0"); break; };
save("location"); break; }; lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); break; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; };}; append_hf("P-hint: usrloc applied\r\n"); route(1); }
route[1] { # !! Nathelper if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")){ sl_send_reply("479", "We don't forward to private IP addresses"); break; };
# if client or server know to be behind a NAT, enable relay if (isflagset(6)) { force_rtp_proxy(); };
# NAT processing of replies; apply to all transactions (for example, # re-INVITEs from public to private UA are hard to identify as # NATed at the moment of request processing); look at replies t_on_reply("1");
# send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; }
# !! Nathelper onreply_route[1] { # NATed transaction ? if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") { fix_nated_contact(); force_rtp_proxy(); # otherwise, is it a transaction behind a NAT and we did not # know at time of request processing ? (RFC1918 contacts) } else if (nat_uac_test("1")) { fix_nated_contact(); }; }
This message was sent using IMP, the Internet Messaging Program.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Jan,
Thanks for the reply. I did change the parameter to 0 and saw the natping packets being sent out. I did find that cisco in 6.3 Pix code addresses SIP with NAT/PAT http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_exa mple09186a00801fc74a.shtml
Im guessing this could be the cause that its not seeing my clients behind NAT as being behind a NAT.... ?
Thanks,
Harold
-----Original Message----- From: Jan Janak [mailto:jan@iptel.org] Sent: Monday, June 07, 2004 3:27 AM To: Harold Workman Cc: serusers@lists.iptel.org Subject: Re: [Serusers] rtpproxy
Maybe SER does not detect your x-lite as behind NAT. Try to set ping_nated_only parameter to 0, re-register x-lite and see if it receives any natping packets (or if ser sends them).
Jan.
On 03-06 12:33, Harold Workman wrote:
Hi,
I am still having some problems with users behind NAT. I am using X-Lite
and
forcing it as Symmetric Firewall. For testing I am using the
nathelper.cfg
from CVS folder with only additions of mysql. Calling from X-Lite sound
works
fine. If the X-Lite sits idle for over a minute I am unable to make a
call to
the X-Lite. I ran ethereal but am not seeing any packets pertaining to rtpproxy which should be every 10 seconds. I also read the README for
rtpproxy
and it doesnt look up to date. It says to run rtpproxy type rtpproxy -s <proto>:<address>[:<port>] What is the correct way to run
rtpproxy
and is there up to date documentation on rtpproxy? I added my ser.cfg to
the
email as well...
Thanks for your help in advance
debug=8 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=yes # (cmd line: -E)
/* Uncomment these lines to enter debugging mode fork=yes log_stderror=yes */
listen=64.72.107.4 listen=127.0.0.1
# hostname matching an alias will satisfy the condition uri==myself". alias=cytelcom.com alias=64.72.107.4
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# !! Nathelper loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line modparam("usrloc", "db_mode", 2)
# database location modparam("usrloc", "db_url", "sql://ser:n0kia12@localhost/ser")
# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
# database location modparam("auth_db", "db_url", "sql://ser:n0kia12@localhost/ser")
# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# !! Nathelper modparam("registrar", "nat_flag", 6) modparam("nathelper", "natping_interval", 10) # Ping interval 10 s modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind
NAT
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= max_len ) { sl_send_reply("513", "Message too big"); break; };
# !! Nathelper# Special handling for NATed clients; first, NAT test is # executed: it looks for via!=received and RFC1918 addresses # in Contact (may fail if line-folding is used); also, # the received test should, if completed, should check all # vias for rpesence of received if (nat_uac_test("3")) { # Allow RR-ed requests, as these may indicate that # a NAT-enabled proxy takes care of it; unless it is # a REGISTER
if (method == "REGISTER" || ! search("^Record-Route:")) { log("LOG: Someone trying to register from private IP, rewriting\n"); # This will work only for user agents that support symmetric # communication. We tested quite many of them and majority is # smart enough to be symmetric. In some phones it takes a
configuration
# option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone
it is
# called "symmetric media" and "symmetric signalling". fix_nated_contact(); # Rewrite contact with source IP of signalling if (method == "INVITE") { fix_nated_sdp("1"); # Add direction=active to SDP }; force_rport(); # Add rport parameter to topmost Via setflag(6); # Mark as NATed };};
# we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); break; };
if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); break; };
# if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) {
if (method=="REGISTER") {# Uncomment this if you want to use digest authentication if (!www_authorize("cytelcom.com", "subscriber")) { www_challenge("cytelcom.com", "0"); break; };
save("location"); break; }; lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); break; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; };}; append_hf("P-hint: usrloc applied\r\n"); route(1); }
route[1] { # !! Nathelper if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")){ sl_send_reply("479", "We don't forward to private IP addresses"); break; };
# if client or server know to be behind a NAT, enable relay if (isflagset(6)) { force_rtp_proxy(); };
# NAT processing of replies; apply to all transactions (for example, # re-INVITEs from public to private UA are hard to identify as # NATed at the moment of request processing); look at replies t_on_reply("1");
# send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; }
# !! Nathelper onreply_route[1] { # NATed transaction ? if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") { fix_nated_contact(); force_rtp_proxy(); # otherwise, is it a transaction behind a NAT and we did not # know at time of request processing ? (RFC1918 contacts) } else if (nat_uac_test("1")) { fix_nated_contact(); }; }
This message was sent using IMP, the Internet Messaging Program.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
On 08-06 11:55, Harold Workman wrote:
Jan,
Thanks for the reply. I did change the parameter to 0 and saw the natping packets being sent out. I did find that cisco in 6.3 Pix code addresses SIP with NAT/PAT http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_exa mple09186a00801fc74a.shtml
Im guessing this could be the cause that its not seeing my clients behind NAT as being behind a NAT.... ?
Yes, if it rewrites IP addresses in SIP messages with the public IP of the NAT then ser will not detect the NAT. In this case the NAT device should make sure that the user agent will be reachable.
Jan.
-
'Jan Janak' -
Harold Workman -
Jan Janak