Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote:
Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES
loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header
ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions
if(!has_totag()) {
record_route();
}
route(RELAY);
exit;
}
/M
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla miconda@gmail.com Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.se Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120 Record-Route: sip:sip-provider.com;lr=on Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: sip:076xxxxxxx@sip-provider.com;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: sip:010xxxxxxx@sbc.coolcompany.com Contact: sip:0101388290@10.3.124.192:5080 Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: sip:010xxxxx@sbc.coolcompany.com;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: sip:076xxxxxx@sip-provider.com;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd Route: sip:x.x.x.x;lr Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4);
if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
From: Martin Nyström martin.nystrom@connectel.se Date: Wednesday, 3 September 2025 at 10:59 To: miconda@gmail.com miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Subject: Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla miconda@gmail.com Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.se Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
In the dispatcher routing records, be sure you have the attribute socket=udp:localip:5080.
Cheers, Daniel
On 03.09.25 13:03, Martin Nyström via sr-users wrote:
I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
Record-Route: sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120
Record-Route: sip:sip-provider.com;lr=on
Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x
CSeq: 25896 INVITE
From: sip:076xxxxxxx@sip-provider.com;tag=5914da19-6958-4b8f-b521-d74c78af6120
To: sip:010xxxxxxx@sbc.coolcompany.com
Contact: sip:0101388290@10.3.124.192:5080
Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport
Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0
Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b
Max-Forwards: 67
Content-Type: application/sdp
User-Agent: XXXX
Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 --->
BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0
Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7
From: sip:010xxxxx@sbc.coolcompany.com;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6
To: sip:076xxxxxx@sip-provider.com;tag=3c6c6d47-8beb-4c71-a829-15138869defd
Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x
CSeq: 25915 BYE
Route: sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd
Route: sip:x.x.x.x;lr
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: xxxx
Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening
listen=udp:<LOCAL_IP>:5080
listen=tcp:<LOCAL_IP>:5080
listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER);
exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk
ds_select_dst(100, 4);
if(!has_totag()) {
record_route();
}
route(RELAY);
exit;
}
/M
*From: *Martin Nyström martin.nystrom@connectel.se *Date: *Wednesday, 3 September 2025 at 10:59 *To: *miconda@gmail.com miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject: *Re: [SR-Users] Kamailio behind NAT
Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
*From: *Daniel-Constantin Mierla miconda@gmail.com *Date: *Wednesday, 3 September 2025 at 10:54 *To: *Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Cc: *Martin Nyström martin.nystrom@connectel.se *Subject: *Re: [SR-Users] Kamailio behind NAT
*CAUTION:*This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote:
Hello, I am not successful in my attempts to configure my Kamailio to work behind NAT. The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc. I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing. debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1 listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061 local_rport=on mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/" # MODULES loadmodule "..." route { route(FROM_PROVIDER); } route[RELAY] { if(!t_relay()) { sl_reply_error(); } exit; } route[FROM_PROVIDER] { # The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4); # INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); } route(RELAY); exit; } /M __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!-- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
We’re using the dispatcher with MySQL. Here’s the setid from kamcmd dispatcher.list, this dns resolves to the Asterisk local ip 10.2.5.206, are you saying I should use udp: instead of sip: for my DEST entry? Would that really make any difference?
SET: { ID: 100 TARGETS: { DEST: { URI: sip:rtp-media.opm-media-namespace:5080?transport=DNS FLAGS: AX PRIORITY: 0 } } }
/M
From: Daniel-Constantin Mierla miconda@gmail.com Date: Thursday, 4 September 2025 at 09:05 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org, miconda@gmail.com miconda@gmail.com Cc: Martin Nyström martin.nystrom@connectel.se Subject: Re: [SR-Users] Re: Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
In the dispatcher routing records, be sure you have the attribute socket=udp:localip:5080.
Cheers, Daniel
On 03.09.25 13:03, Martin Nyström via sr-users wrote: I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120 Record-Route: sip:sip-provider.com;lr=on Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.xmailto:GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: sip:076xxxxxxx@sip-provider.commailto:sip:076xxxxxxx@sip-provider.com;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com Contact: sip:0101388290@10.3.124.192:5080mailto:sip:0101388290@10.3.124.192:5080 Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080mailto:sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: sip:010xxxxx@sbc.coolcompany.commailto:sip:010xxxxx@sbc.coolcompany.com;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: sip:076xxxxxx@sip-provider.commailto:sip:076xxxxxx@sip-provider.com;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.xmailto:2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd Route: sip:x.x.x.x;lr Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4);
if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
From: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Date: Wednesday, 3 September 2025 at 10:59 To: miconda@gmail.commailto:miconda@gmail.com miconda@gmail.commailto:miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org Subject: Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla miconda@gmail.commailto:miconda@gmail.com Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
I think you need to use the specific interface created for Asterisk without LB domain advertising. You may still be going through the interface with advertising, and that was what the advice regarding socket parameter in the dispatcher refers to, nothing to do with the uri and the transport...
From: Martin Nyström via sr-users sr-users@lists.kamailio.org Sent: jueves, 4 de septiembre de 2025 9:45 To: miconda@gmail.com; Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.se Subject: [SR-Users] Re: Kamailio behind NAT
This email is from outside the organization. Please verify the sender before you click links and open attachments. If you think this is phishing, submit it using the Report button We're using the dispatcher with MySQL. Here's the setid from kamcmd dispatcher.list, this dns resolves to the Asterisk local ip 10.2.5.206, are you saying I should use udp: instead of sip: for my DEST entry? Would that really make any difference?
SET: { ID: 100 TARGETS: { DEST: { URI: sip:rtp-media.opm-media-namespace:5080?transport=DNS FLAGS: AX PRIORITY: 0 } } }
/M
From: Daniel-Constantin Mierla <miconda@gmail.commailto:miconda@gmail.com> Date: Thursday, 4 September 2025 at 09:05 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org>, miconda@gmail.commailto:miconda@gmail.com <miconda@gmail.commailto:miconda@gmail.com> Cc: Martin Nyström <martin.nystrom@connectel.semailto:martin.nystrom@connectel.se> Subject: Re: [SR-Users] Re: Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
In the dispatcher routing records, be sure you have the attribute socket=udp:localip:5080.
Cheers, Daniel
On 03.09.25 13:03, Martin Nyström via sr-users wrote: I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here's the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120 Record-Route: sip:sip-provider.com;lr=on Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.xmailto:GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: sip:076xxxxxxx@sip-provider.commailto:sip:076xxxxxxx@sip-provider.com;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com Contact: sip:0101388290@10.3.124.192:5080mailto:sip:0101388290@10.3.124.192:5080 Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080mailto:sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: sip:010xxxxx@sbc.coolcompany.commailto:sip:010xxxxx@sbc.coolcompany.com;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: sip:076xxxxxx@sip-provider.commailto:sip:076xxxxxx@sip-provider.com;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.xmailto:2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd Route: sip:x.x.x.x;lr Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0
Here's again my dumbed down CFG with changes:
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4);
if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
From: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Date: Wednesday, 3 September 2025 at 10:59 To: miconda@gmail.commailto:miconda@gmail.com miconda@gmail.commailto:miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org Subject: Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla miconda@gmail.commailto:miconda@gmail.com Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
C2 General
It is about setting the socket parameter inside the attributes (the attrs column) -- see:
- https://www.kamailio.org/docs/modules/stable/modules/dispatcher.html#dispatc...
Cheers, Daniel
On 04.09.25 09:44, Martin Nyström wrote:
We’re using the dispatcher with MySQL. Here’s the setid from kamcmd dispatcher.list, this dns resolves to the Asterisk local ip 10.2.5.206, are you saying I should use udp: instead of sip: for my DEST entry? Would that really make any difference?
SET: {
ID: 100
TARGETS: {
DEST: {
URI: sip:rtp-media.opm-media-namespace:5080?transport=DNS
FLAGS: AX
PRIORITY: 0
}
}
}
/M
*From: *Daniel-Constantin Mierla miconda@gmail.com *Date: *Thursday, 4 September 2025 at 09:05 *To: *Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org, miconda@gmail.com miconda@gmail.com *Cc: *Martin Nyström martin.nystrom@connectel.se *Subject: *Re: [SR-Users] Re: Kamailio behind NAT
*CAUTION:*This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
In the dispatcher routing records, be sure you have the attribute socket=udp:localip:5080.
Cheers, Daniel
On 03.09.25 13:03, Martin Nyström via sr-users wrote:
I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR. Here’s the INVITE sent to Asterisk from Kamailio: eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: <sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120> Record-Route: <sip:sip-provider.com;lr=on> Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: <sip:076xxxxxxx@sip-provider.com> <mailto:sip:076xxxxxxx@sip-provider.com>;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: <sip:010xxxxxxx@sbc.coolcompany.com> <mailto:sip:010xxxxxxx@sbc.coolcompany.com> Contact: <sip:0101388290@10.3.124.192:5080> <mailto:sip:0101388290@10.3.124.192:5080> Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293 Asterisk attempts to reply to the BYE on the external IP: <--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: <sip:010xxxxx@sbc.coolcompany.com> <mailto:sip:010xxxxx@sbc.coolcompany.com>;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: <sip:076xxxxxx@sip-provider.com> <mailto:sip:076xxxxxx@sip-provider.com>;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: <sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd> Route: <sip:x.x.x.x;lr> Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0 Here’s again my dumbed down CFG with changes: debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1 listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061 # INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081 local_rport=on mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/" loadmodule "rr.so" modparam("rr", "force_send_socket", 1) route { route(FROM_PROVIDER); exit; } route[RELAY] { if(!t_relay()) { sl_reply_error(); } exit; } route[FROM_PROVIDER] { # INFO: The Asterisk ds_select_dst(100, 4); if(!has_totag()) { record_route(); } route(RELAY); exit; } /M *From: *Martin Nyström <martin.nystrom@connectel.se> <mailto:martin.nystrom@connectel.se> *Date: *Wednesday, 3 September 2025 at 10:59 *To: *miconda@gmail.com <miconda@gmail.com> <mailto:miconda@gmail.com>, Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> <mailto:sr-users@lists.kamailio.org> *Subject: *Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions. /M *From: *Daniel-Constantin Mierla <miconda@gmail.com> <mailto:miconda@gmail.com> *Date: *Wednesday, 3 September 2025 at 10:54 *To: *Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> <mailto:sr-users@lists.kamailio.org> *Cc: *Martin Nyström <martin.nystrom@connectel.se> <mailto:martin.nystrom@connectel.se> *Subject: *Re: [SR-Users] Kamailio behind NAT *CAUTION:*This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hello, the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk. The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config. Cheers, Daniel On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello, I am not successful in my attempts to configure my Kamailio to work behind NAT. The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc. I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing. debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1 listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061 local_rport=on mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/" # MODULES loadmodule "..." route { route(FROM_PROVIDER); } route[RELAY] { if(!t_relay()) { sl_reply_error(); } exit; } route[FROM_PROVIDER] { # The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4); # INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); } route(RELAY); exit; } /M __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! -- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!-- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com
Can this be set on runtime in the Kamailio.cfg? Or do we have to set it in the database?
If we have more than one Kamailio sharing the same database this would fail since it would only be a local socket to one of them.
/M
From: Daniel-Constantin Mierla miconda@gmail.com Date: Friday, 5 September 2025 at 09:45 To: Martin Nyström martin.nystrom@connectel.se, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Subject: Re: [SR-Users] Re: Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
It is about setting the socket parameter inside the attributes (the attrs column) -- see:
- https://www.kamailio.org/docs/modules/stable/modules/dispatcher.html#dispatc...
Cheers, Daniel On 04.09.25 09:44, Martin Nyström wrote: We’re using the dispatcher with MySQL. Here’s the setid from kamcmd dispatcher.list, this dns resolves to the Asterisk local ip 10.2.5.206, are you saying I should use udp: instead of sip: for my DEST entry? Would that really make any difference?
SET: { ID: 100 TARGETS: { DEST: { URI: sip:rtp-media.opm-media-namespace:5080?transport=DNS FLAGS: AX PRIORITY: 0 } } }
/M
From: Daniel-Constantin Mierla miconda@gmail.commailto:miconda@gmail.com Date: Thursday, 4 September 2025 at 09:05 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org, miconda@gmail.commailto:miconda@gmail.com miconda@gmail.commailto:miconda@gmail.com Cc: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Subject: Re: [SR-Users] Re: Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
In the dispatcher routing records, be sure you have the attribute socket=udp:localip:5080.
Cheers, Daniel
On 03.09.25 13:03, Martin Nyström via sr-users wrote: I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120 Record-Route: sip:sip-provider.com;lr=on Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.xmailto:GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: sip:076xxxxxxx@sip-provider.commailto:sip:076xxxxxxx@sip-provider.com;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: sip:010xxxxxxx@sbc.coolcompany.commailto:sip:010xxxxxxx@sbc.coolcompany.com Contact: sip:0101388290@10.3.124.192:5080mailto:sip:0101388290@10.3.124.192:5080 Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080mailto:sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: sip:010xxxxx@sbc.coolcompany.commailto:sip:010xxxxx@sbc.coolcompany.com;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: sip:076xxxxxx@sip-provider.commailto:sip:076xxxxxx@sip-provider.com;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.xmailto:2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd Route: sip:x.x.x.x;lr Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4);
if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
From: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Date: Wednesday, 3 September 2025 at 10:59 To: miconda@gmail.commailto:miconda@gmail.com miconda@gmail.commailto:miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org Subject: Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla miconda@gmail.commailto:miconda@gmail.com Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.semailto:martin.nystrom@connectel.se Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
The socket attribute has to be in the database, the alternative there is to set sockname attribute and you set same "name" to the "listen" sockets (e.g., "sockname=internal" in db, and `listen=... name "internal"` in cfg).
You can also do it only in the config, by setting $fs to the socket to be used for sending out, before relaying to asterisk.
Cheers, Daniel
On 05.09.25 15:59, Martin Nyström wrote:
Can this be set on runtime in the Kamailio.cfg? Or do we have to set it in the database?
If we have more than one Kamailio sharing the same database this would fail since it would only be a local socket to one of them.
/M
*From: *Daniel-Constantin Mierla miconda@gmail.com *Date: *Friday, 5 September 2025 at 09:45 *To: *Martin Nyström martin.nystrom@connectel.se, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject: *Re: [SR-Users] Re: Kamailio behind NAT
*CAUTION:*This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
It is about setting the socket parameter inside the attributes (the attrs column) -- see:
- https://www.kamailio.org/docs/modules/stable/modules/dispatcher.html#dispatc...
Cheers, Daniel
On 04.09.25 09:44, Martin Nyström wrote:
We’re using the dispatcher with MySQL. Here’s the setid from kamcmd dispatcher.list, this dns resolves to the Asterisk local ip 10.2.5.206, are you saying I should use udp: instead of sip: for my DEST entry? Would that really make any difference? SET: { ID: 100 TARGETS: { DEST: { URI: sip:rtp-media.opm-media-namespace:5080?transport=DNS FLAGS: AX PRIORITY: 0 } } } /M *From: *Daniel-Constantin Mierla <miconda@gmail.com> <mailto:miconda@gmail.com> *Date: *Thursday, 4 September 2025 at 09:05 *To: *Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> <mailto:sr-users@lists.kamailio.org>, miconda@gmail.com <miconda@gmail.com> <mailto:miconda@gmail.com> *Cc: *Martin Nyström <martin.nystrom@connectel.se> <mailto:martin.nystrom@connectel.se> *Subject: *Re: [SR-Users] Re: Kamailio behind NAT *CAUTION:*This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. In the dispatcher routing records, be sure you have the attribute socket=udp:localip:5080. Cheers, Daniel On 03.09.25 13:03, Martin Nyström via sr-users wrote: I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR. Here’s the INVITE sent to Asterisk from Kamailio: eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: <sip:sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120> Record-Route: <sip:sip-provider.com;lr=on> Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: <sip:076xxxxxxx@sip-provider.com> <mailto:sip:076xxxxxxx@sip-provider.com>;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: <sip:010xxxxxxx@sbc.coolcompany.com> <mailto:sip:010xxxxxxx@sbc.coolcompany.com> Contact: <sip:0101388290@10.3.124.192:5080> <mailto:sip:0101388290@10.3.124.192:5080> Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293 Asterisk attempts to reply to the BYE on the external IP: <--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: <sip:010xxxxx@sbc.coolcompany.com> <mailto:sip:010xxxxx@sbc.coolcompany.com>;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: <sip:076xxxxxx@sip-provider.com> <mailto:sip:076xxxxxx@sip-provider.com>;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: <sip:sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd> Route: <sip:x.x.x.x;lr> Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0 Here’s again my dumbed down CFG with changes: debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1 listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061 # INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081 local_rport=on mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/" loadmodule "rr.so" modparam("rr", "force_send_socket", 1) route { route(FROM_PROVIDER); exit; } route[RELAY] { if(!t_relay()) { sl_reply_error(); } exit; } route[FROM_PROVIDER] { # INFO: The Asterisk ds_select_dst(100, 4); if(!has_totag()) { record_route(); } route(RELAY); exit; } /M *From: *Martin Nyström <martin.nystrom@connectel.se> <mailto:martin.nystrom@connectel.se> *Date: *Wednesday, 3 September 2025 at 10:59 *To: *miconda@gmail.com <miconda@gmail.com> <mailto:miconda@gmail.com>, Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> <mailto:sr-users@lists.kamailio.org> *Subject: *Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions. /M *From: *Daniel-Constantin Mierla <miconda@gmail.com> <mailto:miconda@gmail.com> *Date: *Wednesday, 3 September 2025 at 10:54 *To: *Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> <mailto:sr-users@lists.kamailio.org> *Cc: *Martin Nyström <martin.nystrom@connectel.se> <mailto:martin.nystrom@connectel.se> *Subject: *Re: [SR-Users] Kamailio behind NAT *CAUTION:*This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hello, the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk. The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config. Cheers, Daniel On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello, I am not successful in my attempts to configure my Kamailio to work behind NAT. The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc. I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing. debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1 listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061 local_rport=on mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/" # MODULES loadmodule "..." route { route(FROM_PROVIDER); } route[RELAY] { if(!t_relay()) { sl_reply_error(); } exit; } route[FROM_PROVIDER] { # The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4); # INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); } route(RELAY); exit; } /M __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! -- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! -- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com-- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com
Try the following routing block. It needs to be called before you t_relay() your call. What this does is use the same IP:PORT where your kamailio received the INVITE, but for outbound, so in the case you have Kamailio listening in multiple SIP:PORT sockets, if Kamailio receives the INVITE into Kamailio's 10.0.0.1:5068 it will use that address to also relay the call. If the receiving address is 10.20.0.2:5080 it will also use that same address to relay the call.
route[PIN_SOCKET] { # routing block that sets the socket IP:PORT to SIP messages # sent to the egress side if (is_method("INVITE") && !has_totag()) { dlg_manage(); $var(proto) = $pr; # "udp" / "tcp" xlog("L_DEBUG", "PIN_SOCKET - stored dlg_sock=< $pr:$Ri:$Rp > \n"); $dlg_var(send_sock) = "$pr:$Ri:$Rp"; # e.g. udp:10.20.0.4:5061 }
# choose the socket we’ll force if ($dlg_var(send_sock) != $null) { $var(sock) = $dlg_var(send_sock); } else { $var(proto) = $pr; xlog("L_DEBUG", "PIN_SOCKET - setting $pr:$Ri:$Rp \n"); $var(sock) = "$pr:$Ri:$Rp"; # requests without dialog }
xlog("L_DEBUG", "PIN_SOCKET - forcing <$var(sock)> (recv $pr:$Ri:$Rp)\n"); set_send_socket($var(sock)); # some versions need this form (unquoted) xlog("L_DEBUG", "PIN_SOCKET - $$var(sock) = $var(sock) - $$dlg_var(send_sock) = $dlg_var(send_sock) \n"); }
route[RELAY] { if (is_method("INVITE|UPDATE")) # |BYE { if (!t_is_set("branch_route")) t_on_branch("MANAGE_BRANCH"); if (!t_is_set("onreply_route")) t_on_reply("MANAGE_REPLY"); if (!t_is_set("failure_route")) t_on_failure("MANAGE_FAILURE"); }
route(PIN_SOCKET);
if (!t_relay()) { xlog("L_INFO","RELAY - Returned from event"); sl_reply_error(); } exit; }
Hope this helps!
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
On Thu, Sep 4, 2025 at 9:23 AM Martin Nyström via sr-users < sr-users@lists.kamailio.org> wrote:
I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
Record-Route: sip:sbc.coolcompany.com ;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120
Record-Route: sip:sip-provider.com;lr=on
Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x
CSeq: 25896 INVITE
From: <sip:076xxxxxxx@sip-provider.com
;tag=5914da19-6958-4b8f-b521-d74c78af6120
To: sip:010xxxxxxx@sbc.coolcompany.com
Contact: sip:0101388290@10.3.124.192:5080
Via: SIP/2.0/UDP sbc.coolcompany.com:5060 ;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport
Via: SIP/2.0/UDP sip-provider.com ;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0
Via: SIP/2.0/UDP sip-provider.com:5060 ;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b
Max-Forwards: 67
Content-Type: application/sdp
User-Agent: XXXX
Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 --->
BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0
Via: SIP/2.0/UDP 10.2.5.206:5080 ;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7
From: <sip:010xxxxx@sbc.coolcompany.com
;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6
To: <sip:076xxxxxx@sip-provider.com
;tag=3c6c6d47-8beb-4c71-a829-15138869defd
Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x
CSeq: 25915 BYE
Route: sip:sbc.coolcompany.com ;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd
Route: sip:x.x.x.x;lr
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: xxxx
Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening
listen=udp:<LOCAL_IP>:5080
listen=tcp:<LOCAL_IP>:5080
listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;}
route[RELAY] {
if(!t_relay()) { sl_reply_error(); } exit;}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4); if(!has_totag()) { record_route(); } route(RELAY); exit;}
/M
*From: *Martin Nyström martin.nystrom@connectel.se *Date: *Wednesday, 3 September 2025 at 10:59 *To: *miconda@gmail.com miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject: *Re: [SR-Users] Kamailio behind NAT
Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
*From: *Daniel-Constantin Mierla miconda@gmail.com *Date: *Wednesday, 3 September 2025 at 10:54 *To: *Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Cc: *Martin Nyström martin.nystrom@connectel.se *Subject: *Re: [SR-Users] Kamailio behind NAT
*CAUTION:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote:
Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES
loadmodule "..."
route {
route(FROM_PROVIDER);}
route[RELAY] {
if(!t_relay()) { sl_reply_error(); } exit;}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns inthe record route header
ds_select_dst(100, 4); # INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); } route(RELAY); exit;}
/M
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Hi, since, as suggested, your are using two interfaces for the traffic, you should also configure the "enable_record_route" param ( https://kamailio.org/docs/modules/6.0.x/modules/rr.html#rr.p.enable_double_r...) if you want your asterisk to see, as a first hop, kamailio internal interface.
Best regards,
Federico
On Thu, Sep 4, 2025 at 9:33 AM Martin Nyström via sr-users < sr-users@lists.kamailio.org> wrote:
I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
Record-Route: sip:sbc.coolcompany.com ;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120
Record-Route: sip:sip-provider.com;lr=on
Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x
CSeq: 25896 INVITE
From: <sip:076xxxxxxx@sip-provider.com
;tag=5914da19-6958-4b8f-b521-d74c78af6120
To: sip:010xxxxxxx@sbc.coolcompany.com
Contact: sip:0101388290@10.3.124.192:5080
Via: SIP/2.0/UDP sbc.coolcompany.com:5060 ;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport
Via: SIP/2.0/UDP sip-provider.com ;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0
Via: SIP/2.0/UDP sip-provider.com:5060 ;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b
Max-Forwards: 67
Content-Type: application/sdp
User-Agent: XXXX
Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 --->
BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0
Via: SIP/2.0/UDP 10.2.5.206:5080 ;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7
From: <sip:010xxxxx@sbc.coolcompany.com
;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6
To: <sip:076xxxxxx@sip-provider.com
;tag=3c6c6d47-8beb-4c71-a829-15138869defd
Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x
CSeq: 25915 BYE
Route: sip:sbc.coolcompany.com ;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd
Route: sip:x.x.x.x;lr
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: xxxx
Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening
listen=udp:<LOCAL_IP>:5080
listen=tcp:<LOCAL_IP>:5080
listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;}
route[RELAY] {
if(!t_relay()) { sl_reply_error(); } exit;}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4); if(!has_totag()) { record_route(); } route(RELAY); exit;}
/M
*From: *Martin Nyström martin.nystrom@connectel.se *Date: *Wednesday, 3 September 2025 at 10:59 *To: *miconda@gmail.com miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject: *Re: [SR-Users] Kamailio behind NAT
Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
*From: *Daniel-Constantin Mierla miconda@gmail.com *Date: *Wednesday, 3 September 2025 at 10:54 *To: *Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Cc: *Martin Nyström martin.nystrom@connectel.se *Subject: *Re: [SR-Users] Kamailio behind NAT
*CAUTION:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote:
Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES
loadmodule "..."
route {
route(FROM_PROVIDER);}
route[RELAY] {
if(!t_relay()) { sl_reply_error(); } exit;}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns inthe record route header
ds_select_dst(100, 4); # INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); } route(RELAY); exit;}
/M
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
According to the documentation the default value of enable_double_rr is enabled and I have not explicitly disabled it. It feels like I am doing something insanely wrong somewhere if it is this hard to stop Kamailio from adding the Record-Route containing the advertised address towards Asterisk but yet keep it in the responses send to the provider side.
I can share our entire config if someone wishes to look at it. Where can I upload it?
/M
From: Federico Cabiddu federico.cabiddu@gmail.com Date: Thursday, 4 September 2025 at 12:37 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: miconda@gmail.com miconda@gmail.com, Martin Nyström martin.nystrom@connectel.se Subject: Re: [SR-Users] Re: Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hi, since, as suggested, your are using two interfaces for the traffic, you should also configure the "enable_record_route" param (https://kamailio.org/docs/modules/6.0.x/modules/rr.html#rr.p.enable_double_r...) if you want your asterisk to see, as a first hop, kamailio internal interface.
Best regards,
Federico
On Thu, Sep 4, 2025 at 9:33 AM Martin Nyström via sr-users <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> wrote: I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: <sip:sbc.coolcompany.comhttp://sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120> Record-Route: <sip:sip-provider.comhttp://sip-provider.com;lr=on> Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: <sip:076xxxxxxx@sip-provider.commailto:sip%3A076xxxxxxx@sip-provider.com>;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: <sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com> Contact: <sip:0101388290@10.3.124.192:5080http://sip:0101388290@10.3.124.192:5080> Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.comhttp://sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060http://sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080http://sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: <sip:010xxxxx@sbc.coolcompany.commailto:sip%3A010xxxxx@sbc.coolcompany.com>;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: <sip:076xxxxxx@sip-provider.commailto:sip%3A076xxxxxx@sip-provider.com>;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: <sip:sbc.coolcompany.comhttp://sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd> Route: sip:x.x.x.x;lr Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4);
if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
From: Martin Nyström <martin.nystrom@connectel.semailto:martin.nystrom@connectel.se> Date: Wednesday, 3 September 2025 at 10:59 To: miconda@gmail.commailto:miconda@gmail.com <miconda@gmail.commailto:miconda@gmail.com>, Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> Subject: Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla <miconda@gmail.commailto:miconda@gmail.com> Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> Cc: Martin Nyström <martin.nystrom@connectel.semailto:martin.nystrom@connectel.se> Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.comhttp://asipto.com)
twitter.com/micondahttp://twitter.com/miconda -- linkedin.com/in/micondahttp://linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.comhttp://asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
You should use the load balancer’s in the advertise. Ie: if your FQDN say sip.domain.com is not pointing at the load balancer’s, it’s not going to work. You advertise the load balancer.
Enable rr as Federico suggested, and that should be it.
Just in case
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Thu, Sep 4, 2025 at 12:56 PM Federico Cabiddu via sr-users < sr-users@lists.kamailio.org> wrote:
Hi, since, as suggested, your are using two interfaces for the traffic, you should also configure the "enable_record_route" param ( https://kamailio.org/docs/modules/6.0.x/modules/rr.html#rr.p.enable_double_r...) if you want your asterisk to see, as a first hop, kamailio internal interface.
Best regards,
Federico
On Thu, Sep 4, 2025 at 9:33 AM Martin Nyström via sr-users < sr-users@lists.kamailio.org> wrote:
I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
INVITE sip:010xxxxxxx@sbc.coolcompany.com SIP/2.0
Record-Route: sip:sbc.coolcompany.com ;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120
Record-Route: sip:sip-provider.com;lr=on
Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x
CSeq: 25896 INVITE
From: <sip:076xxxxxxx@sip-provider.com
;tag=5914da19-6958-4b8f-b521-d74c78af6120
To: sip:010xxxxxxx@sbc.coolcompany.com
Contact: sip:0101388290@10.3.124.192:5080
Via: SIP/2.0/UDP sbc.coolcompany.com:5060 ;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport
Via: SIP/2.0/UDP sip-provider.com ;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0
Via: SIP/2.0/UDP sip-provider.com:5060 ;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b
Max-Forwards: 67
Content-Type: application/sdp
User-Agent: XXXX
Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060 --->
BYE sip:010xxxx@10.3.124.192:5080 SIP/2.0
Via: SIP/2.0/UDP 10.2.5.206:5080 ;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7
From: <sip:010xxxxx@sbc.coolcompany.com
;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6
To: <sip:076xxxxxx@sip-provider.com
;tag=3c6c6d47-8beb-4c71-a829-15138869defd
Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x
CSeq: 25915 BYE
Route: sip:sbc.coolcompany.com ;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd
Route: sip:x.x.x.x;lr
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: xxxx
Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening
listen=udp:<LOCAL_IP>:5080
listen=tcp:<LOCAL_IP>:5080
listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;}
route[RELAY] {
if(!t_relay()) { sl_reply_error(); } exit;}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4); if(!has_totag()) { record_route(); } route(RELAY); exit;}
/M
*From: *Martin Nyström martin.nystrom@connectel.se *Date: *Wednesday, 3 September 2025 at 10:59 *To: *miconda@gmail.com miconda@gmail.com, Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject: *Re: [SR-Users] Kamailio behind NAT
Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
*From: *Daniel-Constantin Mierla miconda@gmail.com *Date: *Wednesday, 3 September 2025 at 10:54 *To: *Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Cc: *Martin Nyström martin.nystrom@connectel.se *Subject: *Re: [SR-Users] Kamailio behind NAT
*CAUTION:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote:
Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2
log_stderror=yes
fork=yes
tcp_accept_no_cl=yes
onsend_route_reply=yes
pv_buffer_size=2048
enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060
listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES
loadmodule "..."
route {
route(FROM_PROVIDER);}
route[RELAY] {
if(!t_relay()) { sl_reply_error(); } exit;}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns inthe record route header
ds_select_dst(100, 4); # INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); } route(RELAY); exit;}
/M
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Hi David! Thanks for your reply.
I am advertising the LB DNS, this is my listen parameters where <DOMAIN> is the FQDN (sbc.coolcompany.com) to the LB while <LOCAL_IP> is the Kamailio internal ip-addr. The provider talk to me on :5060.
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Media gateway (Asterisk) listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
I am seeing double RRs om the INVITE sent to Asterisk, one from our provider, and one with the FQDN. This is the whole issue I am having that I do not wish to have these RRs there at all sent to Asterisk since it messes with the signalling on the Asterisk side, this can be shown in the SIP INVITE I sent in my previous message, again below.
I just need to understand what I am doing, and how setting enable_double_rr = 1 would help me in this case.
INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: <sip:sbc.coolcompany.comhttp://sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120> Record-Route: <sip:sip-provider.comhttp://sip-provider.com;lr=on> Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.xmailto:GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: <sip:076xxxxxxx@sip-provider.commailto:sip%3A076xxxxxxx@sip-provider.com>;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: <sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com> Contact: sip:010xxxxxx@10.3.124.192:5080 Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.comhttp://sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
/M
From: David Villasmil david.villasmil.work@gmail.com Date: Thursday, 4 September 2025 at 14:48 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.se, Federico Cabiddu federico.cabiddu@gmail.com Subject: Re: [SR-Users] Re: Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
You should use the load balancer’s in the advertise. Ie: if your FQDN say sip.domain.comhttp://sip.domain.com is not pointing at the load balancer’s, it’s not going to work. You advertise the load balancer.
Enable rr as Federico suggested, and that should be it.
Just in case
Regards,
David Villasmil email: david.villasmil.work@gmail.commailto:david.villasmil.work@gmail.com
On Thu, Sep 4, 2025 at 12:56 PM Federico Cabiddu via sr-users <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> wrote: Hi, since, as suggested, your are using two interfaces for the traffic, you should also configure the "enable_record_route" param (https://kamailio.org/docs/modules/6.0.x/modules/rr.html#rr.p.enable_double_r...) if you want your asterisk to see, as a first hop, kamailio internal interface.
Best regards,
Federico
On Thu, Sep 4, 2025 at 9:33 AM Martin Nyström via sr-users <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> wrote: I did the suggested changes, I think. But the INVITE sent from Kamailio to Asterisk still holds the external advertised DNS in the RR.
Here’s the INVITE sent to Asterisk from Kamailio:
eth1 Out IP 10.3.124.192.5060 > 10.2.5.206.5080: SIP: INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com SIP/2.0 INVITE sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com SIP/2.0 Record-Route: <sip:sbc.coolcompany.comhttp://sbc.coolcompany.com;lr;ftag=5914da19-6958-4b8f-b521-d74c78af6120> Record-Route: <sip:sip-provider.comhttp://sip-provider.com;lr=on> Call-ID: GEWPF3PEVFCQNL7FLWOMPWVH5A@x.x.x.x CSeq: 25896 INVITE From: <sip:076xxxxxxx@sip-provider.commailto:sip%3A076xxxxxxx@sip-provider.com>;tag=5914da19-6958-4b8f-b521-d74c78af6120 To: <sip:010xxxxxxx@sbc.coolcompany.commailto:sip%3A010xxxxxxx@sbc.coolcompany.com> Via: SIP/2.0/UDP sbc.coolcompany.com:5060;branch=z9hG4bKb32c.739784aeb0177ad4d3e181098a071abb.0;rport Via: SIP/2.0/UDP sip-provider.comhttp://sip-provider.com;branch=z9hG4bKb32c.79821495565acb8af61a7ebecb22b26d.0 Via: SIP/2.0/UDP sip-provider.com:5060;branch=z9hG4bK-323035-3a9c396118a108606e6234ff3013ed5b Max-Forwards: 67 Content-Type: application/sdp User-Agent: XXXX Content-Length: 293
Asterisk attempts to reply to the BYE on the external IP:
<--- Transmitting SIP request (616 bytes) to UDP:sbc.coolcompany.com:5060http://sbc.coolcompany.com:5060 ---> BYE sip:010xxxx@10.3.124.192:5080http://sip:010xxxx@10.3.124.192:5080 SIP/2.0 Via: SIP/2.0/UDP 10.2.5.206:5080;rport;branch=z9hG4bKPj917dd0c5-192b-457d-ae1a-ef693895e0c7 From: <sip:010xxxxx@sbc.coolcompany.commailto:sip%3A010xxxxx@sbc.coolcompany.com>;tag=1f88f783-83a4-419f-a7c3-3c37a40dada6 To: <sip:076xxxxxx@sip-provider.commailto:sip%3A076xxxxxx@sip-provider.com>;tag=3c6c6d47-8beb-4c71-a829-15138869defd Call-ID: 2XKUHXTUNNC7HPW7BFTI3TMT2E@x.x.x.x CSeq: 25915 BYE Route: <sip:sbc.coolcompany.comhttp://sbc.coolcompany.com;lr;ftag=3c6c6d47-8beb-4c71-a829-15138869defd> Route: sip:x.x.x.x;lr Reason: Q.850;cause=16 Max-Forwards: 70 User-Agent: xxxx Content-Length: 0
Here’s again my dumbed down CFG with changes:
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <DOMAIN>:5061
# INFO: Asterisk gateway listening listen=udp:<LOCAL_IP>:5080 listen=tcp:<LOCAL_IP>:5080 listen=tls:<LOCAL_IP>:5081
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
loadmodule "rr.so"
modparam("rr", "force_send_socket", 1)
route {
route(FROM_PROVIDER); exit;
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# INFO: The Asterisk ds_select_dst(100, 4);
if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
From: Martin Nyström <martin.nystrom@connectel.semailto:martin.nystrom@connectel.se> Date: Wednesday, 3 September 2025 at 10:59 To: miconda@gmail.commailto:miconda@gmail.com <miconda@gmail.commailto:miconda@gmail.com>, Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> Subject: Re: [SR-Users] Kamailio behind NAT Using a different port for Asterisk is not a bad idea. I might just try that. I will return with the results or any follow up questions.
/M
From: Daniel-Constantin Mierla <miconda@gmail.commailto:miconda@gmail.com> Date: Wednesday, 3 September 2025 at 10:54 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org> Cc: Martin Nyström <martin.nystrom@connectel.semailto:martin.nystrom@connectel.se> Subject: Re: [SR-Users] Kamailio behind NAT
CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello,
the simplest way is to listen on another port (e.g., 5080) and use that socket to communicate with Asterisk. For that listen parameter, do not set the advertise address. You can use $fs or force_send_socket() to specify the socket to be used for sending out to Asterisk.
The alternative is to play in the config file with the function of the rr module that allow you to set the address in the Record-/Route headers, but it may increase the complexity of the config.
Cheers, Daniel
On 03.09.25 10:42, Martin Nyström via sr-users wrote: Hello,
I am not successful in my attempts to configure my Kamailio to work behind NAT.
The flow of an incoming call is Provider (Internet) -> AWS LoadBalancer -> Kamailio -> Asterisk
Both the Kamailio and Asterisk is on the internal network. The issue I am having is that I need to add Record-Route to the traffic sent back towards the provider, but not to the Asterisk. Currently when I add the record_route() the header is sent to Asterisk which makes it reply to the Kamailio advertised external address for ACKs, BYEs etc.
I have dumbed down my Kamailio config as much as possible for this, to show what I am currently doing.
debug=2 log_stderror=yes fork=yes tcp_accept_no_cl=yes onsend_route_reply=yes pv_buffer_size=2048 enable_tls=1
listen=udp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tcp:<LOCAL_IP>:5060 advertise <EXTERNAL_DOMAIN>:5060 listen=tls:<LOCAL_IP>:5061 advertise <EXTERNAL_DOMAIN>:5061
local_rport=on
mpath="/usr/local/lib/kamailio/modules_k/:/usr/lib/x86_64-linux-gnu/kamailio/modules/"
# MODULES loadmodule "..."
route {
route(FROM_PROVIDER);
}
route[RELAY] {
if(!t_relay()) {
sl_reply_error();
}
exit;
}
route[FROM_PROVIDER] {
# The Asterisk that should not receive the external dns in the record route header ds_select_dst(100, 4);
# INFO: This adds the Record-Route in all directions if(!has_totag()) { record_route(); }
route(RELAY); exit;
}
/M
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
--
Daniel-Constantin Mierla (@ asipto.comhttp://asipto.com)
twitter.com/micondahttp://twitter.com/miconda -- linkedin.com/in/micondahttp://linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.comhttp://asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.orgmailto:sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.orgmailto:sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
-
Daniel-Constantin Mierla -
David Villasmil -
Federico Cabiddu -
Martin Nyström -
RUBEN IÑIGUEZ, Vodafone -
Sergio Charrua