Hi,
While experimenting with the example config nat-mediaproxy.5.0.cfg of onsip.org's GettingStarted document I discovered a problem with NAT handling. Don't blame me if I'm completely wrong, but here is what happens and how it is solved:
I've two phones behind the same NAT (address of phone A is a:5060 and that of phone B is b:5060, the NAT device has ip c) contacting a SER with a public IP.
If A makes a call, it's NATed to c:5060, SER responds with 407 to c:5060, and it's correctly forwarded to a:5060.
If B makes a call, it's NATed to c:1025, but SER responds to c:5060 too, so B never gets the reply.
The original config looks like this:
181 # ---------------------------------------------------------- 182 # INVITE Message Handler 183 # ---------------------------------------------------------- 184 185 if (!proxy_authorize("","subscriber")) { 186 proxy_challenge("","0"); 187 break; 188 } else if (!check_from()) { 189 sl_send_reply("403", "Use From=ID"); 190 break; 191 }; 192 193 consume_credentials(); 194 195 if (client_nat_test("3")) { 196 setflag(7); 197 force_rport(); 198 fix_nated_contact(); 199 };
So the autorization is done before NAT is handled, and I think this is the problem. Because if I move the lines 195-199 before 185, everything works as expected.
Could anyone please be so kind and check that?
Andy
Yes, that's an issue. The client will never reeive the error message (and the challenge).
I use if (client_nat_test("3")) { force_rport(); ...
for every incoming request in the beginning of further processing to avoid this.
regards klaus
Andreas Granig wrote:
Hi,
While experimenting with the example config nat-mediaproxy.5.0.cfg of onsip.org's GettingStarted document I discovered a problem with NAT handling. Don't blame me if I'm completely wrong, but here is what happens and how it is solved:
I've two phones behind the same NAT (address of phone A is a:5060 and that of phone B is b:5060, the NAT device has ip c) contacting a SER with a public IP.
If A makes a call, it's NATed to c:5060, SER responds with 407 to c:5060, and it's correctly forwarded to a:5060.
If B makes a call, it's NATed to c:1025, but SER responds to c:5060 too, so B never gets the reply.
The original config looks like this:
181 # ---------------------------------------------------------- 182 # INVITE Message Handler 183 # ---------------------------------------------------------- 184 185 if (!proxy_authorize("","subscriber")) { 186 proxy_challenge("","0"); 187 break; 188 } else if (!check_from()) { 189 sl_send_reply("403", "Use From=ID"); 190 break; 191 }; 192 193 consume_credentials(); 194 195 if (client_nat_test("3")) { 196 setflag(7); 197 force_rport(); 198 fix_nated_contact(); 199 };So the autorization is done before NAT is handled, and I think this is the problem. Because if I move the lines 195-199 before 185, everything works as expected.
Could anyone please be so kind and check that?
Andy
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi Andreas, Thanks for that! Could you please be so kind to register the issue at the onsip.org trac for Getting Started: https://siprouter.onsip.org/trac
It will make it easier to follow up :-) Thanks, Greger
----- Original Message ----- From: "Andreas Granig" andreas.granig@inode.info To: serusers@lists.iptel.org Sent: Thursday, October 13, 2005 08:51 PM Subject: [Serusers] NAT-Issue in onsip.org's GettingStarted?
Hi,
While experimenting with the example config nat-mediaproxy.5.0.cfg of onsip.org's GettingStarted document I discovered a problem with NAT handling. Don't blame me if I'm completely wrong, but here is what happens and how it is solved:
I've two phones behind the same NAT (address of phone A is a:5060 and that of phone B is b:5060, the NAT device has ip c) contacting a SER with a public IP.
If A makes a call, it's NATed to c:5060, SER responds with 407 to c:5060, and it's correctly forwarded to a:5060.
If B makes a call, it's NATed to c:1025, but SER responds to c:5060 too, so B never gets the reply.
The original config looks like this:
181 # ---------------------------------------------------------- 182 # INVITE Message Handler 183 # ---------------------------------------------------------- 184 185 if (!proxy_authorize("","subscriber")) { 186 proxy_challenge("","0"); 187 break; 188 } else if (!check_from()) { 189 sl_send_reply("403", "Use From=ID"); 190 break; 191 }; 192 193 consume_credentials(); 194 195 if (client_nat_test("3")) { 196 setflag(7); 197 force_rport(); 198 fix_nated_contact(); 199 };So the autorization is done before NAT is handled, and I think this is the problem. Because if I move the lines 195-199 before 185, everything works as expected.
Could anyone please be so kind and check that?
Andy
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Greger V. Teigre wrote:
Thanks for that! Could you please be so kind to register the issue at the onsip.org trac for Getting Started: https://siprouter.onsip.org/trac
It will make it easier to follow up :-)
Done.
-
Andreas Granig -
Greger V. Teigre -
Klaus Darilion