Hi Jerry, I just joined so am unsure if you are good to go now but thought I would post my config as I also have a Freeswitch environment which I have placed Kamailio in front of to act as a load-balancing proxy. I also managed to get RTPEngine proxying through it too.

Here is the config, which I have created from Daniel’s default kamailio config. I have omitted the top portions of loading the modules and their settings. My dispatcher list is just a text file. I have two groups. One for registrations and outbound calls, and one for calls inbound coming from the FreeSwitch server.

In the NATMANAGE route, I currently have RTP proxying disabled as my free switch servers have external IPs and I let them handle the rtp stream.

On Freeswitch, I made the following changes to accomodate user/pass and IPAuth reg:

Changes to the Freeswitch servers listed in the dispatcher file Edit /usr/local/freeswitch/conf/autoload_configs/acl.conf <list name="proxy" default="deny"> <node type="allow" cidr=“IP address of Kamailio/32"/> </list>

Edit /usr/local/freeswitch/conf/sip-profiles/internal-private.xml (or the sip-profile you need to edit in your instance) <param name="apply-proxy-acl" value="proxy"/> #Add this line above the one below. This tells Freeswitch to look at the X-Auth-IP header which was inserted by Kamailio.

<param name="apply-inbound-acl" value="domains"/> Then, restart freeswitch (with no active calls), service freeswitch restart # or rescan the profile / reloadxml

I am not proxying RTP, however, I can un-comment out the stanza in the NATMANAGE route to get it to work.

The biggest gotcha for me was I was trying to use fix_nated_register when handling NAT for registrations instead of:

Fix_nated_contact() or the better set_contact_alias().

Using add_path_received(); in the Dispatcher just before sending to Freeswitch ensured all traffic returned to Kamailio too.

I am unsure of the SUBSCRIBE/PRESENCE stuff for you but the route should go out via the Kamailio proxy with this.

---------------------------- # main request routing logic

request_route {

xlog("L_WARN", "--- Going to <$ru>. src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si\n"); # per request initial checks route(REQINIT);

# NAT detection route(NATDETECT);

if(ds_is_from_list("33")) { setflag(FLT_FS); #xlog("L_WARN", "This source $si is from the dispatcher list.\n"); }

# CANCEL processing if (is_method("CANCEL")) { if (t_check_trans()) { route(RELAY); } exit; }

# handle retransmissions if (!is_method("ACK")) { if(t_precheck_trans()) { t_check_trans(); exit; } t_check_trans(); }

# handle requests within SIP dialogs route(WITHINDLG);

# record routing for dialog forming requests (in case they are routed) # - remove preloaded route headers remove_hf("Route"); if (is_method("INVITE|SUBSCRIBE")) { xlog("L_WARN", "--- Going to <$ru>. src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si\n"); xlog("L_ALERT", "Marker 1\n"); record_route(); }

# account only INVITEs if (is_method("INVITE")) { setflag(FLT_ACC); # do accounting } if (isflagset(FLT_FS)) { ##t_on_reply("EXTERNAL_REPLY"); route(FROM_FS); exit; }

# handle presence related requests route(PRESENCE);

# handle registrations route(REGISTRAR);

if ($rU==$null) { # request with no Username in RURI sl_send_reply("484","Address Incomplete"); exit; }

# dispatch destinations route(DISPATCH);

return; }

route[FROM_FS] { #record_route(); #loose_route_preloaded(); route(DLGURI); route(RELAY); exit; }

route[RELAY] {

# enable additional event routes for forwarded requests # - serial forking, RTP relaying handling, a.s.o. if (is_method("INVITE|BYE|SUBSCRIBE|UPDATE")) { if(!t_is_set("branch_route")) t_on_branch("MANAGE_BRANCH"); } if (is_method("INVITE|SUBSCRIBE|UPDATE")) { if(!t_is_set("onreply_route")) t_on_reply("MANAGE_REPLY"); } if (is_method("INVITE")) { if(!t_is_set("failure_route")) t_on_failure("MANAGE_FAILURE"); }

if (!t_relay()) { sl_reply_error(); } exit; }

#reply_route { # if(status == 403) { # xlog("L_WARN", "Forbidden from $si:$sp blah...\n"); # xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n"); # } #}

onreply_route[LOGRPL] { if(status == 403) { xlog("L_ALERT", "$rs response. Consider banning AVP "ipbancandidate" is $avp(ipbancandidate) "); } }

# Per SIP request initial checks route[REQINIT] { # no connect for sending replies # Enable tracing for SNGREP ##sip_trace(); ##setflag(24); # set_reply_no_connect(); # enforce symmetric signaling # - send back replies to the source address of request force_rport();

#!ifdef WITH_ANTIFLOOD # flood detection from same IP and traffic ban for a while # be sure you exclude checking trusted peers, such as pstn gateways # - local host excluded (e.g., loop to self) if(src_ip!=myself) { if($sht(ipban=>$si)!=$null) { # ip is already blocked xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n"); exit; } if (!pike_check_req()) { xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n"); $sht(ipban=>$si) = 1; exit; } } #!endif if($ua =~ "friendly|scanner|sipcli|sipvicious|VaxSIPUserAgent|pplsip|Hello\ SIP\ Automated") { # silent drop for scanners - uncomment next line if want to reply # sl_send_reply("200", "OK"); xlog("User agent is: $ua\n"); exit; }

if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }

if(is_method("OPTIONS") && uri==myself && $rU==$null) { sl_send_reply("200","Keepalive"); exit; }

if(!sanity_check("17895", "7")) { xlog("Malformed SIP message from $si:$sp\n"); exit; } }

# Handle requests within SIP dialogs route[WITHINDLG] {

if (!has_totag()) return;

# sequential request withing a dialog should # take the path determined by record-routing if (loose_route()) { xlog("L_INFO", "Routing before DLGURI\n"); route(DLGURI); if (is_method("BYE")) { setflag(FLT_ACC); # do accounting ... setflag(FLT_ACCFAILED); # ... even if the transaction fails } else if ( is_method("ACK") ) { # ACK is forwarded statelessly route(NATMANAGE); } else if ( is_method("NOTIFY") ) { # Add Record-Route for in-dialog NOTIFY as per RFC 6665. record_route(); } route(RELAY); exit; }

if (is_method("SUBSCRIBE") && uri == myself) { # in-dialog subscribe requests route(PRESENCE); exit; } if ( is_method("ACK") ) { if ( t_check_trans() ) { # no loose-route, but stateful ACK; # must be an ACK after a 487 # or e.g. 404 from upstream server route(RELAY); exit; } else { # ACK without matching transaction ... ignore and discard exit; } } sl_send_reply("404","Not here"); exit; }

# Handle SIP registrations route[REGISTRAR] { if(!is_method("REGISTER")) return; xlog("L_WARN", "--- Going to <$ru>. src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si\n"); add_path_received(); $avp(ipbancandidate) = $si; if(isflagset(FLT_NATS)) { setbflag(FLB_NATB); #!ifdef WITH_NATSIPPING # do SIP NAT pinging setbflag(FLB_NATSIPPING); #!endif } route(DISPATCH); if (!save("location")) { sl_reply_error(); } exit; }

# Presence server route route[PRESENCE] { if(!is_method("PUBLISH|SUBSCRIBE")) return;

sl_send_reply("404", "Not here"); exit; }

# Caller NAT detection route[NATDETECT] { #!ifdef WITH_NAT if (nat_uac_test("19")) { if (is_method("REGISTER")) { #fix_nated_register(); Disabled as we proxy registrations #fix_nated_contact(); set_contact_alias(); ##add_contact_alias(); #fix_nated_sdp("3"); xlog("L_ALERT", "Nat Registration nat fixed.\n"); } else { if(is_first_hop()) { set_contact_alias(); xlog("L_ALERT", "Contact NAT fixed\n"); } } setflag(FLT_NATS); xlog("L_ALERT", "FLT_NATS flag set\n"); } #!endif return; }

# RTPProxy control and signaling updates for NAT traversal route[NATMANAGE] { #!ifdef WITH_NAT if (is_request()) { if(has_totag()) { if(check_route_param("nat=yes")) { setbflag(FLB_NATB); } } } if (nat_uac_test("3")) { #fix_nated_contact(); set_contact_alias(); ##add_contact_alias(); force_rport(); } if (has_body("application/sdp") && nat_uac_test("8")) { fix_nated_sdp("11"); }

if (!(isflagset(FLT_NATS) || isbflagset(FLB_NATB))) return;

###!ifdef WITH_RTPENGINE ## xlog("RTPEngine enabled\n"); ## if(nat_uac_test("8")) { ## xlog("RTP 1\n"); ## rtpengine_manage("SIP-source-address replace-origin replace-session-connection"); ## } else { ## rtpengine_manage("replace-origin replace-session-connection"); ## } ###!else ## if(nat_uac_test("8")) { ## rtpproxy_manage("co"); ## } else { ## rtpproxy_manage("cor"); ## } ###!endif

if (is_request()) { if (!has_totag()) { if(t_is_branch_route()) { add_rr_param(";nat=yes"); xlog("Nat notation added!\n"); } } } if (is_reply()) { if(isbflagset(FLB_NATB)) { if(is_first_hop()) #fix_nated_contact(); set_contact_alias(); #add_contact_alias(); } }

if(isbflagset(FLB_NATB)) { # no connect message in a dialog involving NAT traversal if (is_request()) { if(has_totag()) { set_forward_no_connect(); } } } #!endif return; }

# URI update for dialog requests route[DLGURI] { #!ifdef WITH_NAT if(!isdsturiset()) { handle_ruri_alias(); xlog("L_INFO", "Routing in-dialog $rm from $fu to $du\n"); } #!endif return; }

# Dispatch requests route[DISPATCH] { # round robin dispatching on gateways group '1' remove_hf_re("Subject|P-.*|X-.*"); append_hf("X-Auth-IP: $si\r\n"); #add_rr_param(";nat=yes"); t_on_reply("LOGRPL"); if(!ds_select_dst("1", "0")) { send_reply("404", "No destination"); exit; } #xdbg("--- SCRIPT: going to <$ru> via <$du> (attrs: $xavp(_dsdst_=>attrs))\n"); xlog("L_WARN", "--- Going to <$ru>. src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si; $RAi; $Ri;\n"); t_on_failure("RTF_DISPATCH"); route(RELAY); }

# Try next destionations in failure route failure_route[RTF_DISPATCH] { if (t_is_canceled()) { exit; } # next DST - only for 500 or local timeout if (t_check_status("500") or (t_branch_timeout() and !t_branch_replied())) { if(ds_next_dst()) { xdbg("--- SCRIPT: retrying to <$ru> via <$du> (attrs: $xavp(_dsdst_=>attrs))\n"); t_on_failure("RTF_DISPATCH"); route(RELAY); exit; } } }

# Manage outgoing branches branch_route[MANAGE_BRANCH] { xdbg("new branch [$T_branch_idx] to $ru\n"); xlog("L_ALERT", "Marker 20\n"); route(NATMANAGE); return; }

# Manage incoming replies reply_route { if(!sanity_check("17604", "6")) { xlog("Malformed SIP response from $si:$sp\n"); drop; } return; }

# Manage incoming replies in transaction context onreply_route[MANAGE_REPLY] { xdbg("incoming reply\n"); xlog("L_ALERT", "Marker 21\n"); if(status=~"[12][0-9][0-9]") { route(NATMANAGE); } # if (has_body("application/sdp")) { # rtpengine_manage(); # } return; }

# Manage failure routing cases failure_route[MANAGE_FAILURE] { xlog("L_ALERT", "Marker 23\n"); route(NATMANAGE);

if (t_is_canceled()) exit;

#!ifdef WITH_BLOCK3XX # block call redirect based on 3xx replies. if (t_check_status("3[0-9][0-9]")) { t_reply("404","Not found"); exit; } #!endif

#!ifdef WITH_BLOCK401407 # block call redirect based on 401, 407 replies. if (t_check_status("401|407")) { t_reply("404","Not found"); exit; } #!endif

#!ifdef WITH_VOICEMAIL # serial forking # - route to voicemail on busy or no answer (timeout) if (t_check_status("486|408")) { $du = $null; route(TOVOICEMAIL); exit; } #!endif return; }