Kamailio + RTPEngine SIP Proxy... - sr-users

24 Sep 2022

Hi Jerry,
            I just joined so am unsure if you are good to go now but thought I would post
my config as I also have a Freeswitch environment which I have placed Kamailio in front of
to act as a load-balancing proxy. I also managed to get RTPEngine proxying through it
too.

Here is the config, which I have created from Daniel’s default kamailio config.  I have
omitted the top portions of loading the modules and their settings. My dispatcher list is
just a text file. I have two groups. One for registrations and outbound calls, and one for
calls inbound coming from the FreeSwitch server.

In the NATMANAGE route, I currently have RTP proxying disabled as my free switch servers
have external IPs and I let them handle the rtp stream.

On Freeswitch, I made the following changes to accomodate user/pass and IPAuth reg:

Changes to the Freeswitch servers listed in the dispatcher file
Edit /usr/local/freeswitch/conf/autoload_configs/acl.conf
<list name="proxy" default="deny">
     <node type="allow" cidr=“IP address of Kamailio/32"/>
   </list>

Edit /usr/local/freeswitch/conf/sip-profiles/internal-private.xml    (or the sip-profile
you need to edit in your instance)
<param name="apply-proxy-acl" value="proxy"/>  #Add this line
above the one below. This tells Freeswitch to look at the X-Auth-IP header which was
inserted by Kamailio.

<param name="apply-inbound-acl" value="domains"/>
Then, restart freeswitch (with no active calls),
service freeswitch restart     # or rescan the profile / reloadxml

I am not proxying RTP, however, I can un-comment out the stanza in the NATMANAGE route to
get it to work.

The biggest gotcha for me was I was trying to use fix_nated_register when handling NAT for
registrations instead of:

Fix_nated_contact() or the better set_contact_alias().

Using add_path_received(); in the Dispatcher just before sending to Freeswitch ensured all
traffic returned to Kamailio too.

I am unsure of the SUBSCRIBE/PRESENCE stuff for you but the route should go out via the
Kamailio proxy with this.

----------------------------
# main request routing logic

request_route {

	xlog("L_WARN", "--- Going to <$ru>.
src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si\n");
	# per request initial checks
	route(REQINIT);

	# NAT detection
	route(NATDETECT);

    if(ds_is_from_list("33")) {
	    setflag(FLT_FS);
	    #xlog("L_WARN", "This source $si is from the dispatcher
list.\n");
     }

	# CANCEL processing
	if (is_method("CANCEL")) {
		if (t_check_trans()) {
			route(RELAY);
		}
		exit;
	}

	# handle retransmissions
	if (!is_method("ACK")) {
		if(t_precheck_trans()) {
			t_check_trans();
			exit;
		}
		t_check_trans();
	}

	# handle requests within SIP dialogs
	route(WITHINDLG);

	# record routing for dialog forming requests (in case they are routed)
	# - remove preloaded route headers
	remove_hf("Route");
	if (is_method("INVITE|SUBSCRIBE")) {
		xlog("L_WARN", "--- Going to <$ru>.
src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si\n");
		xlog("L_ALERT", "Marker 1\n");
		record_route();
	}

	# account only INVITEs
	if (is_method("INVITE")) {
		setflag(FLT_ACC); # do accounting
	}

	if (isflagset(FLT_FS)) {
                ##t_on_reply("EXTERNAL_REPLY");
                route(FROM_FS);
                exit;
        }

	# handle presence related requests
	route(PRESENCE);

	# handle registrations
	route(REGISTRAR);

	if ($rU==$null) {
		# request with no Username in RURI
		sl_send_reply("484","Address Incomplete");
		exit;
	}

	# dispatch destinations
	route(DISPATCH);

	return;
}

route[FROM_FS]
{
        #record_route();
	#loose_route_preloaded();
	route(DLGURI);
        route(RELAY);
        exit;
}

route[RELAY] {

	# enable additional event routes for forwarded requests
	# - serial forking, RTP relaying handling, a.s.o.
	if (is_method("INVITE|BYE|SUBSCRIBE|UPDATE")) {
		if(!t_is_set("branch_route")) t_on_branch("MANAGE_BRANCH");
	}
	if (is_method("INVITE|SUBSCRIBE|UPDATE")) {
		if(!t_is_set("onreply_route")) t_on_reply("MANAGE_REPLY");
	}
	if (is_method("INVITE")) {
		if(!t_is_set("failure_route")) t_on_failure("MANAGE_FAILURE");
	}

	if (!t_relay()) {
		sl_reply_error();
	}
	exit;
}

#reply_route {
#    if(status == 403) {
#        xlog("L_WARN", "Forbidden from $si:$sp blah...\n");
#	xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
#    }
#}

onreply_route[LOGRPL] {
      if(status == 403) {
	  xlog("L_ALERT", "$rs response. Consider banning AVP
\"ipbancandidate\" is $avp(ipbancandidate) ");
      }
}

# Per SIP request initial checks
route[REQINIT] {
	# no connect for sending replies
	# Enable tracing for SNGREP
	##sip_trace();
	##setflag(24);
	#
	set_reply_no_connect();
	# enforce symmetric signaling
	# - send back replies to the source address of request
	force_rport();

#!ifdef WITH_ANTIFLOOD
	# flood detection from same IP and traffic ban for a while
	# be sure you exclude checking trusted peers, such as pstn gateways
	# - local host excluded (e.g., loop to self)
	if(src_ip!=myself) {
		if($sht(ipban=>$si)!=$null) {
			# ip is already blocked
			xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
			exit;
		}
		if (!pike_check_req()) {
			xlog("L_ALERT","ALERT: pike blocking $rm from $fu
(IP:$si:$sp)\n");
			$sht(ipban=>$si) = 1;
			exit;
		}
	}
#!endif
	if($ua =~ "friendly|scanner|sipcli|sipvicious|VaxSIPUserAgent|pplsip|Hello\ SIP\
Automated") {
		# silent drop for scanners - uncomment next line if want to reply
		# sl_send_reply("200", "OK");
	        xlog("User agent is: $ua\n");
		exit;
	}

	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	if(is_method("OPTIONS") && uri==myself && $rU==$null) {
		sl_send_reply("200","Keepalive");
		exit;
	}

	if(!sanity_check("17895", "7")) {
		xlog("Malformed SIP message from $si:$sp\n");
		exit;
	}
}

# Handle requests within SIP dialogs
route[WITHINDLG] {

	if (!has_totag()) return;

	# sequential request withing a dialog should
	# take the path determined by record-routing
	if (loose_route()) {
	  	xlog("L_INFO", "Routing before DLGURI\n");	
		route(DLGURI);
		if (is_method("BYE")) {
			setflag(FLT_ACC); # do accounting ...
			setflag(FLT_ACCFAILED); # ... even if the transaction fails
		} else if ( is_method("ACK") ) {
			# ACK is forwarded statelessly
			route(NATMANAGE);
		} else if ( is_method("NOTIFY") ) {
			# Add Record-Route for in-dialog NOTIFY as per RFC 6665.
			record_route();
		}
		route(RELAY);
		exit;
	}

	if (is_method("SUBSCRIBE") && uri == myself) {
		# in-dialog subscribe requests
		route(PRESENCE);
		exit;
	}
	if ( is_method("ACK") ) {
		if ( t_check_trans() ) {
			# no loose-route, but stateful ACK;
			# must be an ACK after a 487
			# or e.g. 404 from upstream server
			route(RELAY);
			exit;
		} else {
			# ACK without matching transaction ... ignore and discard
			exit;
		}
	}
	sl_send_reply("404","Not here");
	exit;
}

# Handle SIP registrations
route[REGISTRAR] {
	if(!is_method("REGISTER"))
		return;
	xlog("L_WARN", "--- Going to <$ru>.
src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si\n");
	add_path_received();
	$avp(ipbancandidate) = $si;
	if(isflagset(FLT_NATS)) {
		setbflag(FLB_NATB);
#!ifdef WITH_NATSIPPING
		# do SIP NAT pinging
		setbflag(FLB_NATSIPPING);
#!endif
	}
        route(DISPATCH);
	if (!save("location")) {
		sl_reply_error();
	}
	exit;
}

# Presence server route
route[PRESENCE] {
	if(!is_method("PUBLISH|SUBSCRIBE"))
		return;

	sl_send_reply("404", "Not here");
	exit;
}

# Caller NAT detection
route[NATDETECT] {
#!ifdef WITH_NAT
        if (nat_uac_test("19")) {
                if (is_method("REGISTER")) {
                        #fix_nated_register(); Disabled as we proxy registrations
                        #fix_nated_contact();
			set_contact_alias();
			##add_contact_alias();
			#fix_nated_sdp("3");
			xlog("L_ALERT", "Nat Registration nat fixed.\n");
                } else {
                        if(is_first_hop()) {
                                set_contact_alias();
				xlog("L_ALERT", "Contact NAT fixed\n");
                        	} 
			}
                setflag(FLT_NATS);
		xlog("L_ALERT", "FLT_NATS flag set\n");
       } 
#!endif
        return;
}

# RTPProxy control and signaling updates for NAT traversal
route[NATMANAGE] {
#!ifdef WITH_NAT
	if (is_request()) {
		if(has_totag()) {
			if(check_route_param("nat=yes")) {
				setbflag(FLB_NATB);
			}
		}
	}
	if (nat_uac_test("3")) {
            #fix_nated_contact();
	    set_contact_alias();
	    ##add_contact_alias();
            force_rport();
        }
	if (has_body("application/sdp") && nat_uac_test("8")) {
            fix_nated_sdp("11");
        }

	if (!(isflagset(FLT_NATS) || isbflagset(FLB_NATB))) return;

###!ifdef WITH_RTPENGINE
##	xlog("RTPEngine enabled\n");
##	if(nat_uac_test("8")) {
##		xlog("RTP 1\n");
##		rtpengine_manage("SIP-source-address replace-origin
replace-session-connection");
##	} else {
##		rtpengine_manage("replace-origin replace-session-connection");
##	}
###!else
##	if(nat_uac_test("8")) {
##		rtpproxy_manage("co");
##	} else {
##		rtpproxy_manage("cor");
##	}
###!endif

	if (is_request()) {
		if (!has_totag()) {
			if(t_is_branch_route()) {
				add_rr_param(";nat=yes");
				 xlog("Nat notation added!\n");
			}
		}
	}
	if (is_reply()) {
		if(isbflagset(FLB_NATB)) {
			if(is_first_hop())
				#fix_nated_contact();
				set_contact_alias();
				#add_contact_alias();
		}
	}

	if(isbflagset(FLB_NATB)) {
		# no connect message in a dialog involving NAT traversal
		if (is_request()) {
			if(has_totag()) {
				set_forward_no_connect();
			}
		}
	}
#!endif
	return;
}

# URI update for dialog requests
route[DLGURI] {
#!ifdef WITH_NAT
	if(!isdsturiset()) {
		handle_ruri_alias();
		xlog("L_INFO", "Routing in-dialog $rm from $fu to $du\n");
	}
#!endif
	return;
}

# Dispatch requests
route[DISPATCH] {
	# round robin dispatching on gateways group '1'
	remove_hf_re("Subject|P-.*|X-.*");
        append_hf("X-Auth-IP: $si\r\n");
	#add_rr_param(";nat=yes");
	t_on_reply("LOGRPL");
	if(!ds_select_dst("1", "0")) {
		send_reply("404", "No destination");
		exit;
	}
	#xdbg("--- SCRIPT: going to <$ru> via <$du> (attrs:
$xavp(_dsdst_=>attrs))\n");
	xlog("L_WARN", "--- Going to <$ru>.
src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si; $RAi;
$Ri;\n");
	t_on_failure("RTF_DISPATCH");
	route(RELAY);
}

# Try next destionations in failure route
failure_route[RTF_DISPATCH] {
	if (t_is_canceled()) {
		exit;
	}
	# next DST - only for 500 or local timeout
	if (t_check_status("500")
			or (t_branch_timeout() and !t_branch_replied())) {
		if(ds_next_dst()) {
			xdbg("--- SCRIPT: retrying to <$ru> via <$du> (attrs:
$xavp(_dsdst_=>attrs))\n");
			t_on_failure("RTF_DISPATCH");
			route(RELAY);
			exit;
		}
	}
}

# Manage outgoing branches
branch_route[MANAGE_BRANCH] {
	xdbg("new branch [$T_branch_idx] to $ru\n");
	xlog("L_ALERT", "Marker 20\n");
	route(NATMANAGE);
	return;
}

# Manage incoming replies
reply_route {
	if(!sanity_check("17604", "6")) {
		xlog("Malformed SIP response from $si:$sp\n");
		drop;
	}
	return;
}

# Manage incoming replies in transaction context
onreply_route[MANAGE_REPLY] {
	xdbg("incoming reply\n");
	xlog("L_ALERT", "Marker 21\n");
	if(status=~"[12][0-9][0-9]") {
		route(NATMANAGE);
	}
#	 if (has_body("application/sdp")) {
#                rtpengine_manage();
#        }
	return;
}

# Manage failure routing cases
failure_route[MANAGE_FAILURE] {
	xlog("L_ALERT", "Marker 23\n");
	route(NATMANAGE);

	if (t_is_canceled()) exit;

#!ifdef WITH_BLOCK3XX
	# block call redirect based on 3xx replies.
	if (t_check_status("3[0-9][0-9]")) {
		t_reply("404","Not found");
		exit;
	}
#!endif

#!ifdef WITH_BLOCK401407
	# block call redirect based on 401, 407 replies.
	if (t_check_status("401|407")) {
		t_reply("404","Not found");
		exit;
	}
#!endif

#!ifdef WITH_VOICEMAIL
	# serial forking
	# - route to voicemail on busy or no answer (timeout)
	if (t_check_status("486|408")) {
		$du = $null;
		route(TOVOICEMAIL);
		exit;
	}
#!endif
	return;
}