Hello,
I am running Kamailio behind NAT.
Kamailio has a private IP and I am relaying NAT to internet router.
I am using:
- #!define WITH_NAT
- listen=udp:PRIVATE-IP:5060 advertise PUBLIC-IP:5060
- Patched RTP proxy including the advertise option
And everything goes fine. I can make calls and have two way audio.
The problem begins when the callee ends the call. BYE is not received in Kamailio (caller).
I included the public IP using "add_contact_alias" because "set_contact_alias" was not adding the public IP. I included this in NATDETECT (pre loaded router):

    if (is_first_hop()) {
        xlog("L_NOTICE", "Metodo: $rm \n");
        xlog("L_NOTICE", "is first hop\n");
        #set_contact_alias();
        # alias the Contact with PUBLIC-IP and $Rp over UDP
        if (!add_contact_alias("PUBLIC-IP", "$Rp", "udp")) {
            xlog("L_ERR", "Error in aliasing contact $ct\n");
            send_reply("400", "Bad request");
            exit;
        }
    }

I think the problem is related to the destination to which the BYE is sent by the vendor. From what I see, the IP and port are taken from what is advertised in the contact (PUBLIC-IP and 5060). The problem is that the internet router changes the source port.
Contact: sip:999999999@PRIVATE-IP:5060;alias=PUBLIC-IP~5060~1
Is it correct to add_contact_alias("PUBLIC-IP", "$Rp", "udp") in order to receive new transactions, or should I follow a different procedure?
Thank you
AFAIK BYE is usually sent to the address stored in record_route. Try changing record_route() to record_route_preset("PUBLICIP:5060;nat=yes")
2015-12-23 16:28 GMT+02:00 Nelson Migliaro eng.migliaro@gmail.com:
Thank you for your answer.
The problem I have is with the internet router doing PAT to the SIP port. I am already advertising the public IP but unfortunately I can't know the public port I am using.
2015-12-28 18:17 GMT+01:00 Alexandru Covalschi 568691@gmail.com:
Hello,
can you get the SIP trace with all the packets of such dialog outside of the NAT router? It will help to see the headers and based on that we may be able to provide a solution.
Cheers, Daniel
On 12/01/16 19:13, Nelson Migliaro wrote:
When you are running Kamailio behind a NAT you should use the advertise parameter of the listen address. According to the documentation: "A typical use case for advertise address is when running SIP server behind a NAT/Firewall, when the local IP address (to be used for bind) is different than the public IP address (to be used for advertising)." For example:
listen=udp:10.10.10.10:5060 advertise 11.11.11.11:5060
For more info refer to http://www.kamailio.org/wiki/cookbooks/3.3.x/core#listen
Regards
Gholamreza Sabery Tabrizy
On Wed, Jan 13, 2016 at 2:39 AM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
I finally was able to run my Kamailio behind NAT, but in order to accomplish that I included:
listen=udp:SOURCE-IP:5060 advertise PUBLIC-IP:52548
52548 is the port my internet router changes to when doing NAT (5060->52548). I found this port by sniffing traffic.
Conclusions at this point are:

1. If I use this line:
listen=udp:SOURCE-IP:5060 advertise PUBLIC-IP:5060
it does not work :(
When I dial a call, INVITE / ACK / Trying / OK go fine because they are part of the same transaction. When the remote party disconnects the call, BYE goes to PUBLIC-IP port 5060 and the router blocks the request. I assume the vendor sends BYE to 5060 because it is a new transaction.

2. If I use this line:
listen=udp:SOURCE-IP:5060 advertise PUBLIC-IP:52548
it works !!!!!!
When I dial a call, INVITE / ACK / Trying / OK go fine because they are part of the same transaction. When the remote party disconnects the call, BYE goes to PUBLIC-IP port 52548 and the router forwards the request to Kamailio, since there is an open connection.

I need to find the way to advertise the public port to which the internet router is doing NAT (PAT).
This trace is a call that worked fine because I included line:
listen=udp:SOURCE-IP:5060 advertise PUBLIC-IP:52548

This trace is an INVITE with this line: listen=udp:SOURCE-IP:5060 advertise PUBLIC-IP:52548

2016/01/13 20:10:15.793568 PRIVATE-IP-KAMAILIO:5060 -> VENDOR-IP:5060
INVITE sip:NUM-DESTINATION@VENDOR-IP SIP/2.0
Record-Route: sip:PUBLIC-IP:52548;lr=on;ftag=as3b72a453;vsf=AAAAAAEECQkCAgsNAXBeL0NPXVQfU0suMTY5LjIzMQ--;vst=AAAAAAAAAAAAAAAAAABCUEIAX1lKWF5MF0tB A-;nat=yes
Via: SIP/2.0/UDP PUBLIC-IP:52548;branch=z9hG4bKdd74.992e238037882e809653f713a5a580a9.0
Via: SIP/2.0/UDP PRIVATE-IP-SOFTPHONE:5060;received=PRIVATE-IP-SOFTPHONE;branch=z9hG4bK2f4e76ba;rport=5060
Max-Forwards: 69
From: NUM-SOURCE sip:NUM-SOURCE@PRIVATE-IP-KAMAILIO;tag=as3b72a453
To: sip:NUM-DESTINATION@sip.VENDOR-IP
Contact: sip:NUM-SOURCE@PRIVATE-IP-SOFTPHONE:5060;alias=PUBLIC-IP~5060~1
Call-ID: 329950447629810f7bdeaeed0cc034e1@PRIVATE-IP-SOFTPHONE:5060
CSeq: 102 INVITE
User-Agent: Kamailio
Date: Wed, 13 Jan 2016 19:10:15 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 255

Trying.....

2016/01/13 20:10:15.842055 VENDOR-IP:5060 -> PRIVATE-IP-KAMAILIO:5060
SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/UDP PUBLIC-IP:52548;branch=z9hG4bKdd74.992e238037882e809653f713a5a580a9.1;rport=52548
Via: SIP/2.0/UDP PRIVATE-IP-SOFTPHONE:5060;received=PRIVATE-IP-SOFTPHONE;branch=z9hG4bK2f4e76ba;rport=5060
From: NUM-SOURCE sip:NUM-SOURCE@PRIVATE-IP-KAMAILIO;tag=as3b72a453
To: sip:NUM-DESTINATION@VENDOR-IP
Call-ID: 329950447629810f7bdeaeed0cc034e1@PRIVATE-IP-SOFTPHONE:5060
CSeq: 102 INVITE
Server: kamailio
Content-Length: 0

And finally a BYE

2016/01/13 20:10:28.545526 VENDOR-IP:5060 -> PRIVATE-IP-KAMAILIO:5060
BYE sip:34982298000@PRIVATE-IP-SOFTPHONE:5060;alias=PUBLIC-IP~5060~1 SIP/2.0
Via: SIP/2.0/UDP VENDOR-IP;branch=z9hG4bK26d8.847e6e14eef37e2cfc8b5e81d33de73d.0
From: sip:675896262@PRIVATE-IP-KAMAILIO;tag=gK0293ed93
To: "NUM-SOURCE" sip:NUM-SOURCE@norvoz.es;tag=as3b72a453
Call-ID: 329950447629810f7bdeaeed0cc034e1@PRIVATE-IP-SOFTPHONE:5060
CSeq: 28731 BYE
Max-Forwards: 69
Route: sip:PUBLIC-IP:52548;lr=on;ftag=as3b72a453;vsf=AAAAAAEECQkCAgsNAXBeL0NPXVQfU0suMTY5LjIzMQ--;vst=AAAAAAAAAAAAAAAAAABCUEIAX1lKWF5MF0tBMzA-;na yes
Reason: Q.850;cause=16
Content-Length: 0

Finally, it is finally working because I hardcoded the NAT'd port. I would like to find a way to avoid setting the port in "hard".
Thank you
2016-01-13 12:59 GMT+01:00 Gholamreza Sabery gr.sabery@gmail.com:
Hello,
it looks like you have a symmetric nat router, so the allocated port is randomly selected.
If you don't control the nat router to set a static forwarding rule or it doesn't provide the option to set static forwarding, then you are pretty much left with sniffing the traffic to discover the external port and advertise it.
Cheers, Daniel
On 13/01/16 20:31, Nelson Migliaro wrote:
Thank you Daniel for your answer,
As you mention, there is a symmetric NAT and the router does not allow a static NAT.
By sniffing traffic I can see the port it is using now, but in case it changes, how can I automate the process of advertising the correct port?
Cheers!
---------- Forwarded message ----------
From: Daniel-Constantin Mierla miconda@gmail.com
Date: 2016-01-13 23:28 GMT+01:00
Subject: Re: [SR-Users] Kamailio and NAT
To: "Kamailio (SER) - Users Mailing List" sr-users@lists.sip-router.org
Hello,
it looks like you have a symmetric nat router, so the allocated port is randomly selected.
If you don't control the nat router to set a static forwarding rule or it doesn't provide the option to set static forwarding, then you are pretty much left with sniffing the traffic to discover the external port and advertise it.
Cheers, Daniel
On 13/01/16 20:31, Nelson Migliaro wrote:
Is the Kamailio behind NAT communicating with another Kamailio on a public IP?
Cheers, Daniel
On Thu, Jan 14, 2016 at 1:33 PM, Nelson Migliaro eng.migliaro@gmail.com wrote:
There is not a public Kamailio, only one Kamailio behind NAT.
Right now the configuration is:
Asterisk <-> Kamailio (Private IP + advertise public IP + RTP Proxy) <-> Internet router (public IP + symmetric NAT) <-> Internet
Regards,
2016-01-14 15:43 GMT+01:00 Daniel-Constantin Mierla miconda@gmail.com:
Do you control the Asterisk? If yes, depending on Asterisk capabilities of building replies, you may be able to do some automation to detect the external port.
Cheers, Daniel
On Thu, Jan 14, 2016 at 3:47 PM, Nelson Migliaro eng.migliaro@gmail.com wrote:
Yes, I manage all devices, even the internet router but it does not allow static pat.
2016-01-14 16:07 GMT+01:00 Daniel-Constantin Mierla miconda@gmail.com:
Not really up to date with all Asterisk features -- do you know if you can append a custom header to a SIP response that is going to be generated by Asterisk? Eventually the reply for an OPTIONS request.
Cheers, Daniel
On 14/01/16 17:19, Nelson Migliaro wrote:
Yes, it is possible, but is there an easy way to work around the issue using Kamailio?
Because I have the port because the vendor is sending that info in Trying:

2016/01/13 20:10:15.842055 VENDOR-IP:5060 -> PRIVATE-IP-KAMAILIO:5060
SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/UDP PUBLIC-IP:52548;branch=z9hG4bKdd74.992e238037882e809653f713a5a580a9.1;rport=*52548*

I need to find the way to discover the port used by firewall (maybe getting that info from Trying) and then advertise that port.
2016-01-14 18:32 GMT+01:00 Daniel-Constantin Mierla miconda@gmail.com:
Ahh, I thought Asterisk is in the public internet, but actually you connect to a provider (vendor), which seems to run Kamailio as well.
Using information from 100 trying is too late, as the INVITE was already sent... so one more question before trying to propose a solution. Do you have to register to the provider?
Cheers, Daniel
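Added example (not part of the thread and not Kamailio code): a Python check that reads the topmost Via of a reply, takes the `rport` the peer filled in (RFC 3581) and compares it with the port configured in `advertise`, so a change of the NAT mapping is noticed from any reply, such as a 100 Trying or an OPTIONS reply. The function names are hypothetical, and the second sample is constructed on the assumption that the vendor reports the same source port when 5060 is advertised.

```python
import re

# First Via of a reply: "Via: SIP/2.0/UDP host[:port];param=value;..."
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)\s+([^;,\s]+)([^,]*)", re.I)

def top_via(reply):
    """Return (transport, host, port, params) of the topmost Via, or None."""
    for line in reply.splitlines():
        m = VIA_RE.match(line.strip())
        if not m:
            continue
        transport, sent_by, rest = m.groups()
        host, port = sent_by, 5060          # default SIP port when none is given
        if ":" in sent_by and not sent_by.endswith("]"):  # "]" = bare IPv6 literal
            host, _, p = sent_by.rpartition(":")
            port = int(p)
        params = {}
        for item in filter(None, (s.strip() for s in rest.split(";"))):
            key, _, value = item.partition("=")
            params[key.lower()] = value
        return transport.upper(), host, port, params
    return None

def nat_port_check(reply, advertised_port):
    """Compare the advertised port with the rport the peer saw (RFC 3581)."""
    via = top_via(reply)
    if via is None:
        raise ValueError("reply has no Via header")
    _, host, sent_by_port, params = via
    if not params.get("rport"):             # peer did not report a source port
        return {"status": "unknown", "observed_port": None}
    observed = int(params["rport"])
    return {
        "status": "ok" if observed == advertised_port else "mismatch",
        "public_host": params.get("received") or host,
        "sent_by_port": sent_by_port,
        "observed_port": observed,
    }

# 100 Trying from the thread (placeholders kept as posted, headers shortened).
TRYING = """SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/UDP PUBLIC-IP:52548;branch=z9hG4bKdd74.992e238037882e809653f713a5a580a9.1;rport=52548
Via: SIP/2.0/UDP PRIVATE-IP-SOFTPHONE:5060;received=PRIVATE-IP-SOFTPHONE;branch=z9hG4bK2f4e76ba;rport=5060
CSeq: 102 INVITE
Content-Length: 0
"""
# Constructed (assumption): the same reply with "advertise PUBLIC-IP:5060".
TRYING_5060 = TRYING.replace("PUBLIC-IP:52548", "PUBLIC-IP:5060", 1)

if __name__ == "__main__":
    print(nat_port_check(TRYING, 52548))
    print(nat_port_check(TRYING_5060, 5060))
```

A "mismatch" result carries the observed port in `observed_port`; as noted in the thread, a value learned from a reply comes too late for the request that triggered it and only helps for later ones.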
On 14/01/16 18:51, Nelson Migliaro wrote: