16 Aug
2018
16 Aug
'18
12:57 p.m.
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall
with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP via
rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup as
DMZ (SBC) proxy.
Thank you very much.
Kind regards
Kevin
16 Aug
16 Aug
1:27 p.m.
Hi Kevin.
I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
is used only in some specific cases). All in public IPs.
I just tune FS SIP profile to let it get requests only from Kamailio
IP:PORT and add same firewall rules also.
All RPC commands work via local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
(PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup as
DMZ (SBC) proxy.
Thank you very much.
Kind regards
Kevin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Savolainen Dmitri
1:32 p.m.
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use
STUN as well as ICE, etc. from Asterisk (which is currently the case
without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
Hi Kevin.
I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
is used only in some specific cases). All in public IPs.
I just tune FS SIP profile to let it get requests only from Kamailio
IP:PORT and add same firewall rules also.
All RPC commands work via local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
(PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup as
DMZ (SBC) proxy.
Thank you very much.
Kind regards
Kevin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1:32 p.m.
Sorry, following -> flowing.
Am Do., 16. Aug. 2018 um 12:32 Uhr schrieb Kevin Olbrich <ko(a)sv01.de>de>:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use
STUN as well as ICE, etc. from Asterisk (which is currently the case
without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
Hi Kevin.
I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
is used only in some specific cases). All in public IPs.
I just tune FS SIP profile to let it get requests only from Kamailio
IP:PORT and add same firewall rules also.
All RPC commands work via local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
(PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio
is the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup
as DMZ (SBC) proxy.
Thank you very much.
Kind regards
Kevin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1:45 p.m.
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich <ko(a)sv01.de> wrote:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use
STUN as well as ICE, etc. from Asterisk (which is currently the case
without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
--
Savolainen Dmitri
Hi Kevin.
I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
is used only in some specific cases). All in public IPs.
I just tune FS SIP profile to let it get requests only from Kamailio
IP:PORT and add same firewall rules also.
All RPC commands work via local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
(PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio
is the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup
as DMZ (SBC) proxy.
Thank you very much.
Kind regards
Kevin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
3 Oct
3 Oct
10:44 p.m.
Hi!
Sorry if you received an empty email, accidently clicked the send button
when resizing the windows.
I am finally able to test a setup with both kamailio and asterisk on public
network.
Currently I struggle with RTP flow - what do I need to change to have rtp
flow directly to asterisk instead of rtpproxy?
Rtpproxy is working fine but when I disable NAT, there is no audio (did not
yet check SDP).
Kind regards
Kevin
Am Do., 16. Aug. 2018 um 12:47 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich <ko(a)sv01.de> wrote:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use
STUN as well as ICE, etc. from Asterisk (which is currently the case
without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Kevin.
I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
is used only in some specific cases). All in public IPs.
I just tune FS SIP profile to let it get requests only from Kamailio
IP:PORT and add same firewall rules also.
All RPC commands work via local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
(PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio
is the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==>
Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup
as DMZ (SBC) proxy.
Thank you very much.
Kind regards
Kevin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
11:47 p.m.
Hi Kevin,
Main objective would be to detect NAT, and if so, fix SDP instead of
involving rtpproxy. Both ways of course, requests and replies.
Something like this:
if (nat_uac_test("8"))
fix_nated_sdp("15");
Cheers!
On Wed, Oct 3, 2018 at 3:46 PM Kevin Olbrich <ko(a)sv01.de> wrote:
Hi!
Sorry if you received an empty email, accidently clicked the send button
when resizing the windows.
I am finally able to test a setup with both kamailio and asterisk on
public network.
Currently I struggle with RTP flow - what do I need to change to have rtp
flow directly to asterisk instead of rtpproxy?
Rtpproxy is working fine but when I disable NAT, there is no audio (did
not yet check SDP).
Kind regards
Kevin
Am Do., 16. Aug. 2018 um 12:47 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich <ko(a)sv01.de> wrote:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use
STUN as well as ICE, etc. from Asterisk (which is currently the case
without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Kevin.
I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
is used only in some specific cases). All in public IPs.
I just tune FS SIP profile to let it get requests only from Kamailio
IP:PORT and add same firewall rules also.
All RPC commands work via local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
(PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
> Hi!
>
> I am working successfully with Kamailio in my lab setup where Kamailio
> is the SBC for Asterisk.
> The network layout is looking like this:
>
> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==>
> Asterisk <== PUBLIC NET ==> Carrier
>
> Each public network is reachable from the internet and has a local
> firewall with IP whitelists.
> The internal SIP transactions are UDP-only but for external phones I
> would like to also listen for TCP/TLS.
>
> For this layout to work with rtpproxy (before we move on to
> RTPengine), we have to enable mhomed in Kamailio.
> We also have some routing issues with packets leaving with the wrong
> IP via rtpproxy (when call between carrier and external phone needs to be
> bridged).
>
> Most examples show that Asterisk is deployed on the same network as
> the external interface of Kamailio (-> Asterisk exposed to the public
> network).
> In our tests, this works much better but I have great security
> concerns because this Asterisk instance itself does not need to be
> reachable from external.
>
> How do other users deploy Kamailio in front of Asterisk or similar as
> SBC to secure internals?
> There is lot of docs for Kamailio's config but IMHO less for the setup
> as DMZ (SBC) proxy.
>
> Thank you very much.
>
> Kind regards
> Kevin
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users(a)lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
4 Oct
4 Oct
12:39 a.m.
Am Mi., 3. Okt. 2018 um 22:50 Uhr schrieb Sergiu Pojoga <pojogas(a)gmail.com>om>:
Hi Kevin,
Main objective would be to detect NAT, and if so, fix SDP instead of
involving rtpproxy. Both ways of course, requests and replies.
Something like this:
if (nat_uac_test("8"))
fix_nated_sdp("15");
Thank you very much! This works perfectly fine!
Cheers!
On Wed, Oct 3, 2018 at 3:46 PM Kevin Olbrich <ko(a)sv01.de> wrote:
Hi!
Sorry if you received an empty email, accidently clicked the send button
when resizing the windows.
I am finally able to test a setup with both kamailio and asterisk on
public network.
Currently I struggle with RTP flow - what do I need to change to have rtp
flow directly to asterisk instead of rtpproxy?
Rtpproxy is working fine but when I disable NAT, there is no audio (did
not yet check SDP).
Kind regards
Kevin
Am Do., 16. Aug. 2018 um 12:47 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich <ko(a)sv01.de> wrote:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use
STUN as well as ICE, etc. from Asterisk (which is currently the case
without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
savolainen(a)erinaco.ru>gt;:
> Hi Kevin.
> I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine
> is used only in some specific cases). All in public IPs.
> I just tune FS SIP profile to let it get requests only from Kamailio
> IP:PORT and add same firewall rules also.
> All RPC commands work via local interface only.
> PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
> (PUBLIC) ==> Carrier
>
>
> On 16 August 2018 at 12:57, Kevin Olbrich <ko(a)sv01.de> wrote:
>
>> Hi!
>>
>> I am working successfully with Kamailio in my lab setup where
>> Kamailio is the SBC for Asterisk.
>> The network layout is looking like this:
>>
>> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==>
>> Asterisk <== PUBLIC NET ==> Carrier
>>
>> Each public network is reachable from the internet and has a local
>> firewall with IP whitelists.
>> The internal SIP transactions are UDP-only but for external phones I
>> would like to also listen for TCP/TLS.
>>
>> For this layout to work with rtpproxy (before we move on to
>> RTPengine), we have to enable mhomed in Kamailio.
>> We also have some routing issues with packets leaving with the wrong
>> IP via rtpproxy (when call between carrier and external phone needs to be
>> bridged).
>>
>> Most examples show that Asterisk is deployed on the same network as
>> the external interface of Kamailio (-> Asterisk exposed to the public
>> network).
>> In our tests, this works much better but I have great security
>> concerns because this Asterisk instance itself does not need to be
>> reachable from external.
>>
>> How do other users deploy Kamailio in front of Asterisk or similar as
>> SBC to secure internals?
>> There is lot of docs for Kamailio's config but IMHO less for the
>> setup as DMZ (SBC) proxy.
>>
>> Thank you very much.
>>
>> Kind regards
>> Kevin
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users(a)lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
>
> --
> Savolainen Dmitri
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users(a)lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Savolainen Dmitri
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
16 Aug
16 Aug
1:33 p.m.
On Thu, Aug 16, 2018 at 11:57:03AM +0200, Kevin Olbrich wrote:
Most examples show that Asterisk is deployed on the
same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
Having a public IP doesn't mean this IP is reachable externally. If this
is your concern (rightfully): firewall access to anything that doesn't
need to be able to access.
8:12 p.m.
Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
I am working successfully with Kamailio in my lab
setup where Kamailio is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall
with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP via
rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much
greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk, the
talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as
Edge Proxy, and also on astricon there were some talks about this scenario if
I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of
information about this scenario. You find all the talks available from
Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
--
Henning Westerholt
https://skalatan.de/blog/
20 Aug
20 Aug
2:22 p.m.
Hi Henning,
I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Buil…
- interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had the
proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-A…
At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the
Edge-Proxy and firewall-ing it, seems best practice.
We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.
Kind regards,
Kevin
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt <
hw(a)kamailio.org>gt;:
Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb
Kevin Olbrich:
I am working successfully with Kamailio in my lab
setup where Kamailio is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall
with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via
rtpproxy (when call between carrier and external
phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public
network).
In our tests, this works much better but I have
great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much
greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available
here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk,
the
talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as
Edge Proxy, and also on astricon there were some talks about this
scenario if
I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of
information about this scenario. You find all the talks available from
Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
--
Henning Westerholt
https://skalatan.de/blog/
6:23 p.m.
For what it's worth, we've set up a network/system where Asterisk resides
completely on a private network with Kamailio acting as an edge proxy.
RTPEngine is necessary as well to help the media through to the private
network, but that's probably not surprising. It is completely doable,
although the suggestions below about simply restricting Asterisk on a
public network to the locations of the Kamailio proxies also works quite
well.
Matching inbound requests in Asterisk to only the pool of Kamailio proxies
can be done in a variety of fashions - IP address matching being the
simplest. You will obviously need to think carefully about how Asterisk
handles its outbound calling. If Kamailio is going to act as your
registrar, then you will need to find some way to expose the registered
contacts to Asterisk - we chose this route, and wrote a small REST sidecar
to Kamailio for that purpose. If Asterisk is going to act as your
registrar, you will need to fork the REGISTER requests to all of the
Asterisk instances. Additionally, for INVITE requests being initiated by
Asterisk, you will want to force those to flow through your edge proxies.
This can be done using Asterisk's outbound_proxy setting on the AOR object
in pjsip.conf.
On Mon, Aug 20, 2018 at 6:23 AM Kevin Olbrich <ko(a)sv01.de> wrote:
Hi Henning,
I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Buil…
- interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had
the proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-A…
At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the
Edge-Proxy and firewall-ing it, seems best practice.
We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.
Kind regards,
Kevin
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt <
hw(a)kamailio.org>gt;:
--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
Am Donnerstag, 16. August 2018, 11:57:03 CEST
schrieb Kevin Olbrich:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
I am working successfully with Kamailio in my lab
setup where Kamailio
is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall
with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP
via
rtpproxy (when call between carrier and external
phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public
network).
In our tests, this works much better but I have
great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup
as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much
greater flexibility with regards to balancing and/or SIP message
adaptions.
To get some ideas, have a look to the last years conferences available
here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk,
the
talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio
as
Edge Proxy, and also on astricon there were some talks about this
scenario if
I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of
information about this scenario. You find all the talks available from
Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
--
Henning Westerholt
https://skalatan.de/blog/
9:01 p.m.
If Kamailio is going to act as your registrar, then you will need to
find some way to expose the registered contacts to Asterisk -
Matthew, could you explain why Asterisk have to know about reg contacts in
you approch? Asterisk just may sends all to Kamailio (second call leg)
and let Kamailio route this call to appropriate contact.
On 20 August 2018 at 18:23, Matthew Jordan <mjordan(a)digium.com> wrote:
For what it's worth, we've set up a
network/system where Asterisk resides
completely on a private network with Kamailio acting as an edge proxy.
RTPEngine is necessary as well to help the media through to the private
network, but that's probably not surprising. It is completely doable,
although the suggestions below about simply restricting Asterisk on a
public network to the locations of the Kamailio proxies also works quite
well.
Matching inbound requests in Asterisk to only the pool of Kamailio proxies
can be done in a variety of fashions - IP address matching being the
simplest. You will obviously need to think carefully about how Asterisk
handles its outbound calling. If Kamailio is going to act as your
registrar, then you will need to find some way to expose the registered
contacts to Asterisk - we chose this route, and wrote a small REST sidecar
to Kamailio for that purpose. If Asterisk is going to act as your
registrar, you will need to fork the REGISTER requests to all of the
Asterisk instances. Additionally, for INVITE requests being initiated by
Asterisk, you will want to force those to flow through your edge proxies.
This can be done using Asterisk's outbound_proxy setting on the AOR object
in pjsip.conf.
On Mon, Aug 20, 2018 at 6:23 AM Kevin Olbrich <ko(a)sv01.de> wrote:
--
Savolainen Dmitri
Hi Henning,
I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
https://www.kamailio.org/events/2017-KamailioWorld/
Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf - interesting
solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had
the proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/
Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf
At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the
Edge-Proxy and firewall-ing it, seems best practice.
We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.
Kind regards,
Kevin
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt <
hw(a)kamailio.org>gt;:
--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Am Donnerstag, 16. August 2018, 11:57:03 CEST
schrieb Kevin Olbrich:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
I am working successfully with Kamailio in my lab
setup where Kamailio
is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==>
Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall
with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I
would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to
RTPengine), we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong
IP via
rtpproxy (when call between carrier and external
phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public
network).
In our tests, this works much better but I have
great security concerns
because this Asterisk instance itself does not need to be reachable
from
external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC
to secure internals?
There is lot of docs for Kamailio's config but IMHO less for the setup
as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much
greater flexibility with regards to balancing and/or SIP message
adaptions.
To get some ideas, have a look to the last years conferences available
here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk,
the
talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio
as
Edge Proxy, and also on astricon there were some talks about this
scenario if
I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of
information about this scenario. You find all the talks available from
Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
--
Henning Westerholt
https://skalatan.de/blog/
9:04 p.m.
On Mon, Aug 20, 2018 at 09:01:08PM +0300, Dmitri Savolainen wrote:
The historical problem with this "dial endpoints over a trunk peer"
approach is that such endpoints are not as privileged by Asterisk as
local AstDB bindings for various Class 5 / application purposes, e.g.
hints, voicemail, MWI, etc.
But as I understand it, PJSIP is supposed to fix this problem and make
use of an outboard registrar a lot more transparent.
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
If Kamailio is going to act as your registrar, then you will need to
find some way to expose the registered contacts to Asterisk -
Matthew, could you explain why Asterisk have to know about reg contacts in
you approch? Asterisk just may sends all to Kamailio (second call leg)
and let Kamailio route this call to appropriate contact.
9:17 p.m.
On Mon, Aug 20, 2018 at 1:04 PM Alex Balashov <abalashov(a)evaristesys.com>
wrote:
On Mon, Aug 20, 2018 at 09:01:08PM +0300, Dmitri
Savolainen wrote:
in
This is fine, and you can make your outbound calls in that fashion. You do
need to have Asterisk present enough information that Kamailio is aware of
how to route that outbound INVITE request, but if you have sufficient
information in the request URI, it can certainly make that decision.
If, however, you wanted to dial PJSIP/1000 - which no other information and
where 1000 is some registered device - Asterisk will need the registered
contact that the device has presented to the registrar. In which case, you
have to have some mechanism for Asterisk to get at that information.
If Kamailio is going to act as your registrar, then you will need to
find some way to expose the registered contacts to Asterisk -
Matthew, could you explain why Asterisk have to know about reg contacts you approch? Asterisk just may sends all to
Kamailio (second call leg)
and let Kamailio route this call to appropriate contact.
The historical problem with this "dial endpoints over a trunk peer"
approach is that such endpoints are not as privileged by Asterisk as
local AstDB bindings for various Class 5 / application purposes, e.g.
hints, voicemail, MWI, etc.
But as I understand it, PJSIP is supposed to fix this problem and make
use of an outboard registrar a lot more transparent.
Yup - it all depends on how you configure / use things.
--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
9:33 p.m.
Am Montag, 20. August 2018, 13:22:30 CEST schrieb Kevin Olbrich:
I browsed the files but was unable to find one using
Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Build
ing-A-Global-VoIP-Network.pdf - interesting solution with e/iBGP which we
would also be able to deploy).
There was just a single presentation that I was able to locate that had the
proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-An
ti-Fraud-With-HTables.pdf At least it looks like they are located behind the
SBC.
After the research my impression is, that co-locating the B2BUA with the
Edge-Proxy and firewall-ing it, seems best practice.
We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.
[..]
Hi Kevin,
here you find a (older) presentation about a setup with private asterisk and
kamailio as network edge. This is the one that we build back in the days at
1&1, slide 19 has a schematic diagram of the setup:
https://skalatan.de/archive/presentations/kamailio-world-2013-presentation.…
Best regards,
Henning
--
Henning Westerholt
https://skalatan.de/blog/
2248
days inactive
2296
days old
15 comments
7 participants
participants (7)
-
Alex Balashov -
Daniel Tryba -
Dmitri Savolainen -
Henning Westerholt -
Kevin Olbrich -
Matthew Jordan -
Sergiu Pojoga