21 Jul
2008
21 Jul
'08
11:10 p.m.
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
22 Jul
22 Jul
1:41 a.m.
If you are using IPtables and are familiar with how to add modules - there
is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
3:25 a.m.
Neill Wilkinson wrote:
If you are using IPtables and are familiar with how to
add modules - there
is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the SIP packets still carry
the LAN IP address. I'm currently missing audio (at least inbound is
nowhere to be seen) and it doesn't really work reliable at this moment.
That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the
network, but its configured differently in my case, so I can't make that
thing to play nicely with NAT.
lsmod on the firewall:
ip_nat_sip 8832 0
ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
3:38 a.m.
I understand that the iptables SIP ALG has been much revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
On Monday 21 July 2008, Joris Dobbelsteen wrote:
Neill Wilkinson wrote:
If you are using IPtables and are familiar with
how to add modules -
there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the SIP packets still carry
the LAN IP address. I'm currently missing audio (at least inbound is
nowhere to be seen) and it doesn't really work reliable at this moment.
That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the
network, but its configured differently in my case, so I can't make that
thing to play nicely with NAT.
lsmod on the firewall:
ip_nat_sip 8832 0
ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really
helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually
flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), # uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC
DB if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes'); t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users 
9:16 a.m.
Robert Dyck wrote:
I understand that the iptables SIP ALG has been much
revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
Really...? That would be a source of immeasurable fascination to me.
Do you have a source for this in the changelogs somewhere?
Last time I used the SIP ALG module was a few months ago, during which
time I noted that it performs no application protocol-level NAT fixups;
all it does is make sure the appropriate ports are mapped to
statefully track NAT'd SIP messages. It neither provides for the
opening of RTP media ports on session establishment, nor rewrite any SIP
headers.
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
11:04 a.m.
Robert Dyck wrote:
I understand that the iptables SIP ALG has been much
revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
The unfortunate situtions is that I currently run Debian, which has the
2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
- Joris
On Monday 21 July 2008, Joris Dobbelsteen wrote:
Neill Wilkinson wrote:
If you are using IPtables and are familiar with
how to add modules -
there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the
SIP packets still carry
the LAN IP address. I'm currently missing audio (at least inbound is
nowhere to be seen) and it doesn't really work reliable at this moment.
That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the
network, but its configured differently in my case, so I can't make that
thing to play nicely with NAT.
lsmod on the firewall:
ip_nat_sip 8832 0
ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really
helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually
flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), # uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC
DB if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes'); t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users 
12:26 p.m.
Hi Joris!
This is a normal home user scenario and usually there is no need for an
outbound proxy. Either the SIP UA does NAT traversal (e.g. using STUN)
or the VoIP Service Provider does the NAT traversal on the proxy. As oyu
are using iptables NAT it should work this way (except you have certain
unusual iptables rules).
I suggest to install "winstun"
(http://sourceforge.net/project/showfiles.php?group_id=47735&package_id=…)
and test your NAT device.
If winstun reports that VoIP should work, then using Xlite should be no
problem.
regards
klaus
Joris Dobbelsteen schrieb:
Robert Dyck wrote:
I understand that the iptables SIP ALG has been
much revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
The unfortunate situtions is that I currently run Debian, which has the
2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
- Joris
On Monday 21 July 2008, Joris Dobbelsteen wrote:
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users Neill Wilkinson wrote:
If you are using IPtables and are familiar with
how to add modules -
there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the
SIP packets still carry
the LAN IP address. I'm currently missing audio (at least inbound is
nowhere to be seen) and it doesn't really work reliable at this moment.
That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the
network, but its configured differently in my case, so I can't make that
thing to play nicely with NAT.
lsmod on the firewall:
ip_nat_sip 8832 0
ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really
helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually
flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), # uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC
DB if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes'); t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
1:08 p.m.
Klaus Darilion wrote:
Hi Joris!
This is a normal home user scenario and usually there is no need for an
outbound proxy. Either the SIP UA does NAT traversal (e.g. using STUN)
The SIP UA does NOT. Its a ZyXEL ADSL+VoIP modem that ASSUMES it has an
Internet IP number.
In my installation, it does not, as I have quite high demands on the
number of NATted connections and some special desires for doing tricky
things with the firewall for experimental purposes. These rule out the
ZyXEL solution for large part. Its also inherited from my pre-VoIP era
installation.
or the VoIP Service Provider does the NAT traversal on
the proxy. As oyu
are using iptables NAT it should work this way (except you have certain
unusual iptables rules).
Yeah, it should, but I don't see incoming VoIP traffic flowing. Also the
connection worked a bit before, but its not reliable for voice traffic.
This is a major problem for me.
It has worked somewhat reliable before, but there are occasional
problems with the installation, just mostly missing audio.
The problem is that I think (quite certain) that the UA does NOT do NAT,
and I cannot control what my ISP is actually doing. Futhermore I don't
expect any support from them for my installation. They will assume that
the VoIP box has the public IP address and plays nicely on the Internet.
That the 'provided' and supported solution they give.
So repeating again, I think the only way to properly guarentee reliable
VoIP connection is handling SIP and RTP traffic in such a way that my
ISP does not have to make any NAT assumptions/handling.
I suggest to install "winstun"
(http://sourceforge.net/project/showfiles.php?group_id=47735&package_id=…)
and test your NAT device.
If winstun reports that VoIP should work, then using Xlite should be no
problem.
X-Lite is only a test case, as I don't want to mess with the ZyXEL modem
yet. Its also a hell of a lot easier to control with X-Lite is actually
doing, but its not the solution to be implemented. The ZyXEL modem with
attached analog phones is.
I'm passing XLite though the openser and that doesn't work. It has
worked plainly over NAT before without problems before. This is however
NOT the test case!
regards
klaus
- Joris
Joris Dobbelsteen schrieb:
> Robert Dyck wrote:
>> I understand that the iptables SIP ALG has been much revised this
>> year although I have not tested it myself. I believe you need at
>> least linux 2.6.25.
>
> The unfortunate situtions is that I currently run Debian, which has
> the 2.6.18 kernel. Futhermore the box runs Xen and the latest kernel
> does not support Xen yet. So I'm out of luck in this department in
> many ways.
>
> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
> another solutions is more suited for the problem I have?
>
> - Joris
>
>> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>>> Neill Wilkinson wrote:
>>>> If you are using IPtables and are familiar with how to add modules -
>>>> there is a sip connection tracking module that might help:
>>>>
>>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>>
>>>> Neill...;o)
>>>>
>>>> Neill Wilkinson
>>>> Principal Consultant
>>>>
>>>> Aeonvista Ltd - opening up new ideas
>>> I have that installed, but to the outside the SIP packets still carry
>>> the LAN IP address. I'm currently missing audio (at least inbound is
>>> nowhere to be seen) and it doesn't really work reliable at this moment.
>>> That is a real problem currently and must be solved reliably.
>>>
>>> The ZyXEL modem I have was intended to be the NAT router for the
>>> network, but its configured differently in my case, so I can't make
>>> that
>>> thing to play nicely with NAT.
>>>
>>> lsmod on the firewall:
>>> ip_nat_sip 8832 0
>>> ip_conntrack_sip 13392 1 ip_nat_sip
>>>
>>> Thanks so far,
>>>
>>> - Joris
>>>
>>>> -----Original Message-----
>>>> From: users-bounces(a)lists.openser.org
>>>> [mailto:users-bounces@lists.openser.org] On Behalf Of Joris
>>>> Dobbelsteen
>>>> Sent: 21 July 2008 21:10
>>>> To: users(a)lists.openser.org
>>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>>
>>>> Dear,
>>>>
>>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy,
>>>> since my
>>>> home phone keeps breaking voice channels (the box was not intended
>>>> behind NAT and I'm, of course, using a configuration that no so well
>>>> supported).
>>>>
>>>> What is the idea:
>>>>
>>>> SIP transactions should travel this way:
>>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <->
{Internet}
>>>>
>>>> RTP should travel this way:
>>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>>
>>>>
>>>> My current test is using X-Lite with voipbuster, but that doesn't
>>>> really
>>>> work. It seems that registers are functioning, at least X-Lite reports
>>>> itself being registered.
>>>> Voice calls always end up in timeouts, so something is really going
>>>> wrong here, it might be authentication problems?
>>>>
>>>> An added problem is that I have just sufficient knowledge of SIP to
>>>> see
>>>> what it is doing, without really knowing what to expect exactly.
>>>> Furthermore I have virtually no knowledge of OpenSER. I've quite a
>>>> hard
>>>> time even grasping the configuration I typed in. This is not really
>>>> helpful
>>>>
>>>> What I do know:
>>>> * SIP Proxy traffic is flowing.
>>>> * SIP INVITES don't work at all.
>>>> * SIP to RTP is communication, but I don't know if RTP is actually
>>>> flowing.
>>>>
>>>> I stole most of the configuration from the "04 NAT Traversal"
>>>> slides of
>>>> the "Italy 2007 Admin course", to which there is link on the
>>>> documentation site. I adapted it to make it work with the debian
>>>> supplied OpenSER 1.1.
>>>>
>>>> How do I get this all working?
>>>> What am I getting wrong?
>>>>
>>>> I really really appeciate any help I can get to get it working!
>>>>
>>>> - Joris
>>>>
>>>>
>>>> Config is this:
>>>> # ----------- global configuration parameters ------------------------
>>>>
>>>> debug=4 # debug level (cmd line: -dddddddddd)
>>>> fork=yes # Set to no to enter debugging mode
>>>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
>>>>
>>>> check_via=no # (cmd. line: -v)
>>>> dns=no # (cmd. line: -r)
>>>> rev_dns=no # (cmd. line: -R)
>>>> advertised_address="82.168.191.xx"
>>>> advertised_port=5060
>>>> port=5060
>>>> children=4
>>>> fifo="/tmp/openser_fifo"
>>>>
>>>> #
>>>> # ------------------ module loading ----------------------------------
>>>>
>>>> # Uncomment this if you want to use SQL database
>>>> mpath="/usr/lib/openser/modules/"
>>>> loadmodule "mysql.so"
>>>> loadmodule "sl.so"
>>>> loadmodule "tm.so"
>>>> loadmodule "rr.so"
>>>> loadmodule "maxfwd.so"
>>>> loadmodule "usrloc.so"
>>>> loadmodule "registrar.so"
>>>> loadmodule "textops.so"
>>>> loadmodule "nathelper.so"
>>>>
>>>> # Uncomment this if you want digest authentication
>>>> # mysql.so must be loaded !
>>>> loadmodule "auth.so"
>>>> loadmodule "auth_db.so"
>>>>
>>>> # ----------------- setting module-specific parameters ---------------
>>>>
>>>> # -- usrloc params --
>>>>
>>>> modparam("usrloc", "db_mode", 0)
>>>>
>>>> # Uncomment this if you want to use SQL database
>>>> # for persistent storage and comment the previous line
>>>> #modparam("usrloc", "db_mode", 2)
>>>>
>>>> # -- auth params --
>>>> # Uncomment if you are using auth module
>>>> #
>>>> modparam("auth_db", "calculate_ha1", yes)
>>>> #
>>>> # If you set "calculate_ha1" parameter to yes (which true in
this
>>>> config), # uncomment also the following parameter)
>>>> #
>>>> modparam("auth_db", "password_column",
"password")
>>>>
>>>> # -- rr params --
>>>> # add value to ;lr param to make some broken UAs happy
>>>> modparam("rr", "enable_full_lr", 1)
>>>>
>>>> # -- nathelper params ---
>>>> modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
>>>> modparam("nathelper", "natping_interval", 30)
>>>> modparam("nathelper", "ping_nated_only", 1)
>>>> #modparam("nathelper", "sipping_bflag", 7)
>>>> modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
>>>>
>>>> # ------------------------- request routing logic -------------------
>>>>
>>>> # main routing logic
>>>>
>>>> route{
>>>>
>>>> # initial sanity checks -- messages with
>>>> # max_forwards==0, or excessively long requests
>>>> if (!mf_process_maxfwd_header("10")) {
>>>> sl_send_reply("483","Too Many
Hops");
>>>> exit;
>>>> };
>>>>
>>>> if (msg:len >= 2048 ) {
>>>> sl_send_reply("513", "Message too
big");
>>>> exit;
>>>> };
>>>>
>>>> # NAT detection
>>>> route(2);
>>>>
>>>> # we record-route all messages -- to make sure that
>>>> # subsequent messages will go through our proxy; that's
>>>> # particularly good if upstream and downstream entities
>>>> # use different transport protocol
>>>> if (!method=="REGISTER")
>>>> record_route();
>>>>
>>>> # subsequent messages withing a dialog should take the
>>>> # path determined by record-routing
>>>> if (loose_route()) {
>>>> # mark routing logic in request
>>>> append_hf("P-hint: rr-enforced\r\n");
>>>> route(1);
>>>> };
>>>>
>>>> if (!uri==myself) {
>>>> # mark routing logic in request
>>>> append_hf("P-hint: outbound\r\n");
>>>> # if you have some interdomain connections via TLS
>>>> #if(uri=~"(a)tls_domain1.net") {
>>>> # t_relay("tls:domain1.net");
>>>> # exit;
>>>> #} else if(uri=~"(a)tls_domain2.net") {
>>>> # t_relay("tls:domain2.net");
>>>> # exit;
>>>> #}
>>>> route(1);
>>>> };
>>>>
>>>> # if the request is for other domain use UsrLoc
>>>> # (in case, it does not work, use the following command
>>>> # with proper names and addresses in it)
>>>> if (uri==myself) {
>>>>
>>>> if (method=="REGISTER") {
>>>>
>>>> # Uncomment this if you want to use digest
>>>> authentication
>>>> if
>>>> (!www_authorize("sip.familiedobbelsteen.nl",
>>>> "subscriber")) {
>>>>
>>>> www_challenge("sip.familiedobbelsteen.nl", "0");
>>>> exit;
>>>> };
>>>>
>>>> if (isflagset(5)) {
>>>> # set branch flag -- when someone
>>>> will
>>>> call this user
>>>> # INVITE will have branch flag 6 set
>>>> after loopup("location")
>>>> setflag(6);
>>>> # if you want OPTIONS natpings
>>>> uncomment next
>>>> # setflag(7);
>>>> };
>>>>
>>>> save("location");
>>>> exit;
>>>> };
>>>>
>>>> lookup("aliases");
>>>> if (!uri==myself) {
>>>> append_hf("P-hint: outbound
alias\r\n");
>>>> route(1);
>>>> };
>>>>
>>>> # native SIP destinations are handled using our
>>>> USRLOC
>>>> DB if (!lookup("location")) {
>>>> sl_send_reply("404", "Not
Found");
>>>> exit;
>>>> };
>>>> append_hf("P-hint: usrloc applied\r\n");
>>>> };
>>>>
>>>> route(1);
>>>> }
>>>>
>>>>
>>>> route[1] {
>>>> # send it out now; use stateful forwarding as it works
>>>> reliably
>>>> # even for UDP2TCP
>>>> if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>>> setflag(6);
>>>> };
>>>>
>>>> if (isflagset(5) || isflagset(6)) {
>>>> route(3);
>>>> };
>>>>
>>>> if (!t_relay()) {
>>>> sl_reply_error();
>>>> };
>>>> exit;
>>>> }
>>>>
>>>> route[2] {
>>>> force_rport();
>>>> if(nat_uac_test("19")) {
>>>> if (method=="REGISTER") {
>>>> fix_nated_register();
>>>> } else {
>>>> fix_nated_contact();
>>>> };
>>>> setflag(5);
>>>> };
>>>> }
>>>>
>>>> route[3] {
>>>> if (is_method("BYE")) {
>>>> unforce_rtp_proxy();
>>>> } else if (is_method("INVITE")) {
>>>> force_rtp_proxy("",
"82.168.191.xx");
>>>> t_on_failure("2");
>>>> };
>>>> if (isflagset(5))
>>>>
search_append('Contact:.*sip:[^>[:cntrl:]]*',
>>>> ';nat=yes'); t_on_reply("1");
>>>> }
>>>>
>>>> failure_route[2] {
>>>> if (isflagset(6)||isflagset(5)) {
>>>> unforce_rtp_proxy();
>>>> };
>>>> }
>>>>
>>>> onreply_route[1] {
>>>> if ((isflagset(5) || isflagset(6)) && status =~
>>>> "(183)|(2[0-9][0-9])") {
>>>> force_rtp_proxy();
>>>> };
>>>> search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
>>>>
>>>> if (isflagset(6)) {
>>>> fix_nated_contact();
>>>> };
>>>> exit;
>>>> }
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)lists.openser.org
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)lists.openser.org
>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>
>
> _______________________________________________
> Users mailing list
> Users(a)lists.openser.org
> http://lists.openser.org/cgi-bin/mailman/listinfo/users
24 Jul
24 Jul
1:41 p.m.
Hi Joris!
Testing with XLite I meant to find out if the problem is a problem of
the ANT or of the client (zyxel) as Xlite does NAT traversal very well.
If Zyxel does not support NAT traversal and also voipbuster fails to
traverse your special NAT, then you yre right and need your own NAT
traversal solution e.g. as you tried with openser (multihomed) and
rtpproxy in (bridge mode). You could also try
http://sourceforge.net/projects/siproxd/
regards
klasu
Joris Dobbelsteen schrieb:
Klaus Darilion wrote:
Hi Joris!
This is a normal home user scenario and usually there is no need for
an outbound proxy. Either the SIP UA does NAT traversal (e.g. using STUN)
The SIP UA does NOT. Its a ZyXEL ADSL+VoIP modem that ASSUMES it has an
Internet IP number.
In my installation, it does not, as I have quite high demands on the
number of NATted connections and some special desires for doing tricky
things with the firewall for experimental purposes. These rule out the
ZyXEL solution for large part. Its also inherited from my pre-VoIP era
installation.
or the VoIP Service Provider does the NAT
traversal on the proxy. As
oyu are using iptables NAT it should work this way (except you have
certain unusual iptables rules).
Yeah, it should, but I don't see incoming VoIP traffic flowing. Also the
connection worked a bit before, but its not reliable for voice traffic.
This is a major problem for me.
It has worked somewhat reliable before, but there are occasional
problems with the installation, just mostly missing audio.
The problem is that I think (quite certain) that the UA does NOT do NAT,
and I cannot control what my ISP is actually doing. Futhermore I don't
expect any support from them for my installation. They will assume that
the VoIP box has the public IP address and plays nicely on the Internet.
That the 'provided' and supported solution they give.
So repeating again, I think the only way to properly guarentee reliable
VoIP connection is handling SIP and RTP traffic in such a way that my
ISP does not have to make any NAT assumptions/handling.
I suggest to install "winstun"
(http://sourceforge.net/project/showfiles.php?group_id=47735&package_id=…)
and test your NAT device.
If winstun reports that VoIP should work, then using Xlite should be
no problem.
X-Lite is only a test case, as I don't want to mess with the ZyXEL modem
yet. Its also a hell of a lot easier to control with X-Lite is actually
doing, but its not the solution to be implemented. The ZyXEL modem with
attached analog phones is.
I'm passing XLite though the openser and that doesn't work. It has
worked plainly over NAT before without problems before. This is however
NOT the test case!
regards
klaus
- Joris
> Joris Dobbelsteen schrieb:
>> Robert Dyck wrote:
>>> I understand that the iptables SIP ALG has been much revised this
>>> year although I have not tested it myself. I believe you need at
>>> least linux 2.6.25.
>>
>> The unfortunate situtions is that I currently run Debian, which has
>> the 2.6.18 kernel. Futhermore the box runs Xen and the latest kernel
>> does not support Xen yet. So I'm out of luck in this department in
>> many ways.
>>
>> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
>> another solutions is more suited for the problem I have?
>>
>> - Joris
>>
>>> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>>>> Neill Wilkinson wrote:
>>>>> If you are using IPtables and are familiar with how to add modules -
>>>>> there is a sip connection tracking module that might help:
>>>>>
>>>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>>>
>>>>> Neill...;o)
>>>>>
>>>>> Neill Wilkinson
>>>>> Principal Consultant
>>>>>
>>>>> Aeonvista Ltd - opening up new ideas
>>>> I have that installed, but to the outside the SIP packets still carry
>>>> the LAN IP address. I'm currently missing audio (at least inbound is
>>>> nowhere to be seen) and it doesn't really work reliable at this
>>>> moment.
>>>> That is a real problem currently and must be solved reliably.
>>>>
>>>> The ZyXEL modem I have was intended to be the NAT router for the
>>>> network, but its configured differently in my case, so I can't make
>>>> that
>>>> thing to play nicely with NAT.
>>>>
>>>> lsmod on the firewall:
>>>> ip_nat_sip 8832 0
>>>> ip_conntrack_sip 13392 1 ip_nat_sip
>>>>
>>>> Thanks so far,
>>>>
>>>> - Joris
>>>>
>>>>> -----Original Message-----
>>>>> From: users-bounces(a)lists.openser.org
>>>>> [mailto:users-bounces@lists.openser.org] On Behalf Of Joris
>>>>> Dobbelsteen
>>>>> Sent: 21 July 2008 21:10
>>>>> To: users(a)lists.openser.org
>>>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>>>
>>>>> Dear,
>>>>>
>>>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy,
>>>>> since my
>>>>> home phone keeps breaking voice channels (the box was not intended
>>>>> behind NAT and I'm, of course, using a configuration that no so
well
>>>>> supported).
>>>>>
>>>>> What is the idea:
>>>>>
>>>>> SIP transactions should travel this way:
>>>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables)
<-> {Internet}
>>>>>
>>>>> RTP should travel this way:
>>>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>>>
>>>>>
>>>>> My current test is using X-Lite with voipbuster, but that doesn't
>>>>> really
>>>>> work. It seems that registers are functioning, at least X-Lite
>>>>> reports
>>>>> itself being registered.
>>>>> Voice calls always end up in timeouts, so something is really going
>>>>> wrong here, it might be authentication problems?
>>>>>
>>>>> An added problem is that I have just sufficient knowledge of SIP
>>>>> to see
>>>>> what it is doing, without really knowing what to expect exactly.
>>>>> Furthermore I have virtually no knowledge of OpenSER. I've quite
a
>>>>> hard
>>>>> time even grasping the configuration I typed in. This is not really
>>>>> helpful
>>>>>
>>>>> What I do know:
>>>>> * SIP Proxy traffic is flowing.
>>>>> * SIP INVITES don't work at all.
>>>>> * SIP to RTP is communication, but I don't know if RTP is
actually
>>>>> flowing.
>>>>>
>>>>> I stole most of the configuration from the "04 NAT
Traversal"
>>>>> slides of
>>>>> the "Italy 2007 Admin course", to which there is link on
the
>>>>> documentation site. I adapted it to make it work with the debian
>>>>> supplied OpenSER 1.1.
>>>>>
>>>>> How do I get this all working?
>>>>> What am I getting wrong?
>>>>>
>>>>> I really really appeciate any help I can get to get it working!
>>>>>
>>>>> - Joris
>>>>>
>>>>>
>>>>> Config is this:
>>>>> # ----------- global configuration parameters
>>>>> ------------------------
>>>>>
>>>>> debug=4 # debug level (cmd line: -dddddddddd)
>>>>> fork=yes # Set to no to enter debugging mode
>>>>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging
>>>>> mode
>>>>>
>>>>> check_via=no # (cmd. line: -v)
>>>>> dns=no # (cmd. line: -r)
>>>>> rev_dns=no # (cmd. line: -R)
>>>>> advertised_address="82.168.191.xx"
>>>>> advertised_port=5060
>>>>> port=5060
>>>>> children=4
>>>>> fifo="/tmp/openser_fifo"
>>>>>
>>>>> #
>>>>> # ------------------ module loading
>>>>> ----------------------------------
>>>>>
>>>>> # Uncomment this if you want to use SQL database
>>>>> mpath="/usr/lib/openser/modules/"
>>>>> loadmodule "mysql.so"
>>>>> loadmodule "sl.so"
>>>>> loadmodule "tm.so"
>>>>> loadmodule "rr.so"
>>>>> loadmodule "maxfwd.so"
>>>>> loadmodule "usrloc.so"
>>>>> loadmodule "registrar.so"
>>>>> loadmodule "textops.so"
>>>>> loadmodule "nathelper.so"
>>>>>
>>>>> # Uncomment this if you want digest authentication
>>>>> # mysql.so must be loaded !
>>>>> loadmodule "auth.so"
>>>>> loadmodule "auth_db.so"
>>>>>
>>>>> # ----------------- setting module-specific parameters
>>>>> ---------------
>>>>>
>>>>> # -- usrloc params --
>>>>>
>>>>> modparam("usrloc", "db_mode", 0)
>>>>>
>>>>> # Uncomment this if you want to use SQL database
>>>>> # for persistent storage and comment the previous line
>>>>> #modparam("usrloc", "db_mode", 2)
>>>>>
>>>>> # -- auth params --
>>>>> # Uncomment if you are using auth module
>>>>> #
>>>>> modparam("auth_db", "calculate_ha1", yes)
>>>>> #
>>>>> # If you set "calculate_ha1" parameter to yes (which true
in this
>>>>> config), # uncomment also the following parameter)
>>>>> #
>>>>> modparam("auth_db", "password_column",
"password")
>>>>>
>>>>> # -- rr params --
>>>>> # add value to ;lr param to make some broken UAs happy
>>>>> modparam("rr", "enable_full_lr", 1)
>>>>>
>>>>> # -- nathelper params ---
>>>>> modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
>>>>> modparam("nathelper", "natping_interval", 30)
>>>>> modparam("nathelper", "ping_nated_only", 1)
>>>>> #modparam("nathelper", "sipping_bflag", 7)
>>>>> modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
>>>>>
>>>>> # ------------------------- request routing logic
>>>>> -------------------
>>>>>
>>>>> # main routing logic
>>>>>
>>>>> route{
>>>>>
>>>>> # initial sanity checks -- messages with
>>>>> # max_forwards==0, or excessively long requests
>>>>> if (!mf_process_maxfwd_header("10")) {
>>>>> sl_send_reply("483","Too Many
Hops");
>>>>> exit;
>>>>> };
>>>>>
>>>>> if (msg:len >= 2048 ) {
>>>>> sl_send_reply("513", "Message too
big");
>>>>> exit;
>>>>> };
>>>>>
>>>>> # NAT detection
>>>>> route(2);
>>>>>
>>>>> # we record-route all messages -- to make sure that
>>>>> # subsequent messages will go through our proxy; that's
>>>>> # particularly good if upstream and downstream entities
>>>>> # use different transport protocol
>>>>> if (!method=="REGISTER")
>>>>> record_route();
>>>>>
>>>>> # subsequent messages withing a dialog should take the
>>>>> # path determined by record-routing
>>>>> if (loose_route()) {
>>>>> # mark routing logic in request
>>>>> append_hf("P-hint: rr-enforced\r\n");
>>>>> route(1);
>>>>> };
>>>>>
>>>>> if (!uri==myself) {
>>>>> # mark routing logic in request
>>>>> append_hf("P-hint: outbound\r\n");
>>>>> # if you have some interdomain connections via TLS
>>>>> #if(uri=~"(a)tls_domain1.net") {
>>>>> # t_relay("tls:domain1.net");
>>>>> # exit;
>>>>> #} else if(uri=~"(a)tls_domain2.net") {
>>>>> # t_relay("tls:domain2.net");
>>>>> # exit;
>>>>> #}
>>>>> route(1);
>>>>> };
>>>>>
>>>>> # if the request is for other domain use UsrLoc
>>>>> # (in case, it does not work, use the following command
>>>>> # with proper names and addresses in it)
>>>>> if (uri==myself) {
>>>>>
>>>>> if (method=="REGISTER") {
>>>>>
>>>>> # Uncomment this if you want to use digest
>>>>> authentication
>>>>> if
>>>>> (!www_authorize("sip.familiedobbelsteen.nl",
>>>>> "subscriber")) {
>>>>>
>>>>> www_challenge("sip.familiedobbelsteen.nl", "0");
>>>>> exit;
>>>>> };
>>>>>
>>>>> if (isflagset(5)) {
>>>>> # set branch flag -- when someone
>>>>> will
>>>>> call this user
>>>>> # INVITE will have branch flag 6
set
>>>>> after loopup("location")
>>>>> setflag(6);
>>>>> # if you want OPTIONS natpings
>>>>> uncomment next
>>>>> # setflag(7);
>>>>> };
>>>>>
>>>>> save("location");
>>>>> exit;
>>>>> };
>>>>>
>>>>> lookup("aliases");
>>>>> if (!uri==myself) {
>>>>> append_hf("P-hint: outbound
alias\r\n");
>>>>> route(1);
>>>>> };
>>>>>
>>>>> # native SIP destinations are handled using our
>>>>> USRLOC
>>>>> DB if (!lookup("location")) {
>>>>> sl_send_reply("404", "Not
Found");
>>>>> exit;
>>>>> };
>>>>> append_hf("P-hint: usrloc applied\r\n");
>>>>> };
>>>>>
>>>>> route(1);
>>>>> }
>>>>>
>>>>>
>>>>> route[1] {
>>>>> # send it out now; use stateful forwarding as it works
>>>>> reliably
>>>>> # even for UDP2TCP
>>>>> if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>>>> setflag(6);
>>>>> };
>>>>>
>>>>> if (isflagset(5) || isflagset(6)) {
>>>>> route(3);
>>>>> };
>>>>>
>>>>> if (!t_relay()) {
>>>>> sl_reply_error();
>>>>> };
>>>>> exit;
>>>>> }
>>>>>
>>>>> route[2] {
>>>>> force_rport();
>>>>> if(nat_uac_test("19")) {
>>>>> if (method=="REGISTER") {
>>>>> fix_nated_register();
>>>>> } else {
>>>>> fix_nated_contact();
>>>>> };
>>>>> setflag(5);
>>>>> };
>>>>> }
>>>>>
>>>>> route[3] {
>>>>> if (is_method("BYE")) {
>>>>> unforce_rtp_proxy();
>>>>> } else if (is_method("INVITE")) {
>>>>> force_rtp_proxy("",
"82.168.191.xx");
>>>>> t_on_failure("2");
>>>>> };
>>>>> if (isflagset(5))
>>>>>
search_append('Contact:.*sip:[^>[:cntrl:]]*',
>>>>> ';nat=yes'); t_on_reply("1");
>>>>> }
>>>>>
>>>>> failure_route[2] {
>>>>> if (isflagset(6)||isflagset(5)) {
>>>>> unforce_rtp_proxy();
>>>>> };
>>>>> }
>>>>>
>>>>> onreply_route[1] {
>>>>> if ((isflagset(5) || isflagset(6)) && status =~
>>>>> "(183)|(2[0-9][0-9])") {
>>>>> force_rtp_proxy();
>>>>> };
>>>>> search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
>>>>>
>>>>> if (isflagset(6)) {
>>>>> fix_nated_contact();
>>>>> };
>>>>> exit;
>>>>> }
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users(a)lists.openser.org
>>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)lists.openser.org
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)lists.openser.org
>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
26 Jul
26 Jul
2:18 a.m.
Klaus Darilion wrote:
Hi Joris!
Testing with XLite I meant to find out if the problem is a problem of
the ANT or of the client (zyxel) as Xlite does NAT traversal very well.
If Zyxel does not support NAT traversal and also voipbuster fails to
traverse your special NAT, then you yre right and need your own NAT
traversal solution e.g. as you tried with openser (multihomed) and
rtpproxy in (bridge mode). You could also try
http://sourceforge.net/projects/siproxd/
I did, and with both I had several problems I have no knowledge of
understanding what is going wrong and how to solve it.
With siproxd I got to the point that everything should have worked, at
least in my opinion. I could see all the traffic flowing and it seemed
to be OK and with correct IPs and correct ports. Either incoming or
outgoing audio remained to be a problem, so after two and a half day I
gave up and reconfigured the ZyXEL (plus other parts on the network)
into the ISP intended configuration. This at least solved the VoIP
issues I had.
Its not what I had intended though, but its a "production" system and it
just needs to work. I had other people complaining, because VoIP was
down mostly for 2 weeks while I was away.
It used to work before with plain NAT (most of the time) but something
seems to have changed in the meanwhile (my ISP also had a few days
outage on their VoIP service, so its well possible that they made big
changes/replaced equipment to get them resolved). I only had problems
with jitter at that time and I had resolved these.
Maybe I'll try again at some later date. In any case, OpenSER + rtpproxy
don't seem to be really nice for the setup I thought about. NAT seems
mostly an afterthought and I seriously miss control over the UTP ports
to be used. I like to lock down my firewall as tight as possible, but
this just not an option with this software. Its better with siproxd,
where you actually can configure the UTP ports to use.
Nevertheless, its quite nice to see OpenSER a bit and I got an light
impression of what it is capable of. The design allows you to do
everything you could think of. The only other disadvantage is its
unpolished support for postgresql, especially for someone who values
ACID properties and MySQL lacks/violates those mostly. Still I should
complement all the people who have designed and implemented this software.
Also thanks for those who tried to help me with my issues. Its at least
encouraging for taking another attempt to get it to work at some later date.
Regards,
- Joris
[snip]
3:27 a.m.
I have a couple ideas for you if you decide to pursue openser further. It is
not necessary for rtpproxy to be in bridge mode to service your LAN. When you
configure your UA's, point them at the public address of openser for otg
proxy. Secondly the nat travesal functions in openser were not intended for
local UA's but rather on some external LAN. They expect the source address to
be public. You can use the textops module to do your own mangling with
regular expressions ( what a pain ). I have successfully used both ideas but
of course your topology is a bit unusual. Also a minor code change in
rtpproxy may be all that is needed for you to specify the port range.
Good luck
On Friday 25 July 2008, Joris Dobbelsteen wrote:
Klaus Darilion wrote:
Hi Joris!
Testing with XLite I meant to find out if the problem is a problem of
the ANT or of the client (zyxel) as Xlite does NAT traversal very well.
If Zyxel does not support NAT traversal and also voipbuster fails to
traverse your special NAT, then you yre right and need your own NAT
traversal solution e.g. as you tried with openser (multihomed) and
rtpproxy in (bridge mode). You could also try
http://sourceforge.net/projects/siproxd/
I did, and with both I had several problems I have no knowledge of
understanding what is going wrong and how to solve it.
With siproxd I got to the point that everything should have worked, at
least in my opinion. I could see all the traffic flowing and it seemed
to be OK and with correct IPs and correct ports. Either incoming or
outgoing audio remained to be a problem, so after two and a half day I
gave up and reconfigured the ZyXEL (plus other parts on the network)
into the ISP intended configuration. This at least solved the VoIP
issues I had.
Its not what I had intended though, but its a "production" system and it
just needs to work. I had other people complaining, because VoIP was
down mostly for 2 weeks while I was away.
It used to work before with plain NAT (most of the time) but something
seems to have changed in the meanwhile (my ISP also had a few days
outage on their VoIP service, so its well possible that they made big
changes/replaced equipment to get them resolved). I only had problems
with jitter at that time and I had resolved these.
Maybe I'll try again at some later date. In any case, OpenSER + rtpproxy
don't seem to be really nice for the setup I thought about. NAT seems
mostly an afterthought and I seriously miss control over the UTP ports
to be used. I like to lock down my firewall as tight as possible, but
this just not an option with this software. Its better with siproxd,
where you actually can configure the UTP ports to use.
Nevertheless, its quite nice to see OpenSER a bit and I got an light
impression of what it is capable of. The design allows you to do
everything you could think of. The only other disadvantage is its
unpolished support for postgresql, especially for someone who values
ACID properties and MySQL lacks/violates those mostly. Still I should
complement all the people who have designed and implemented this software.
Also thanks for those who tried to help me with my issues. Its at least
encouraging for taking another attempt to get it to work at some later
date.
Regards,
- Joris
[snip] 
30 Jul
30 Jul
6:35 p.m.
New subject: [Kamailio-Users] [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
On Saturday 26 July 2008, Joris Dobbelsteen wrote:
[..]
The only other disadvantage is its
unpolished support for postgresql, especially for someone who values
ACID properties and MySQL lacks/violates those mostly. Still I should
complement all the people who have designed and implemented this software.
Hi Joris,
in the past the postgres module used transactions, but this was deactivated as
it carried a noticable overhead with it. Furthermore, its usage makes not
that much sense, as OpenSER/ Kamailio at the moment is not transaction aware.
This is caused from the mysql centered view that the DB API at the moment
have, as this is what most people use. And the actual state of affairs with
regards to ACID is not that bad, if you use a engine like innodb for MySQL.
Cheers,
Henning
22 Jul
22 Jul
12:52 p.m.
Joris,
I also note that you fix the Contact and the Register in Router(2).
You'll also need to fix_nated_sdp too. The media values in the SDP will need
to be modified from the private IP Address.
Neill....;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
-----Original Message-----
From: Joris Dobbelsteen [mailto:joris@familiedobbelsteen.nl]
Sent: 22 July 2008 09:05
To: Robert Dyck
Cc: users(a)lists.openser.org; Neill Wilkinson
Subject: Re: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Robert Dyck wrote:
I understand that the iptables SIP ALG has been much
revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
The unfortunate situtions is that I currently run Debian, which has the
2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
- Joris
On Monday 21 July 2008, Joris Dobbelsteen wrote:
Neill Wilkinson wrote:
If you are using IPtables and are familiar with
how to add modules -
there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the
SIP packets still carry
the LAN IP address. I'm currently missing audio (at least inbound is
nowhere to be seen) and it doesn't really work reliable at this moment.
That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the
network, but its configured differently in my case, so I can't make that
thing to play nicely with NAT.
lsmod on the firewall:
ip_nat_sip 8832 0
ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really
helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually
flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), # uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC
DB if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes'); t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
1:14 p.m.
Neill Wilkinson wrote:
Joris,
I also note that you fix the Contact and the Register in Router(2).
You'll also need to fix_nated_sdp too. The media values in the SDP will need
to be modified from the private IP Address.
Neil,
Where should I put these, around force_rtp_proxy? Because I thought it
already did this?
Like I said, I'm new to OpenSER and have quite a bit problems
understanding really where all the magic happens.
Thanks,
- Joris
Neill....;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
-----Original Message-----
From: Joris Dobbelsteen [mailto:joris@familiedobbelsteen.nl]
Sent: 22 July 2008 09:05
To: Robert Dyck
Cc: users(a)lists.openser.org; Neill Wilkinson
Subject: Re: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Robert Dyck wrote:
I understand that the iptables SIP ALG has been
much revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
The unfortunate situtions is that I currently run Debian, which has the
2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
- Joris
On Monday 21 July 2008, Joris Dobbelsteen wrote:
Neill Wilkinson wrote:
If you are using IPtables and are familiar with
how to add modules -
there is a sip connection tracking module that might help:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
I have that installed, but to the outside the
SIP packets still carry
the LAN IP address. I'm currently missing audio (at least inbound is
nowhere to be seen) and it doesn't really work reliable at this moment.
That is a real problem currently and must be solved reliably.
The ZyXEL modem I have was intended to be the NAT router for the
network, but its configured differently in my case, so I can't make that
thing to play nicely with NAT.
lsmod on the firewall:
ip_nat_sip 8832 0
ip_conntrack_sip 13392 1 ip_nat_sip
Thanks so far,
- Joris
-----Original Message-----
From: users-bounces(a)lists.openser.org
[mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
Sent: 21 July 2008 21:10
To: users(a)lists.openser.org
Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really
helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually
flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), # uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC
DB if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes'); t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
7:39 p.m.
You did not provide many details but I suspect you trying to run a SIP phone
on a typical home LAN with Linux box having a public IP address. Siproxd is a
simple solution which of course does not have the flexibility of openser. I
have used it with multiple phones on the LAN. The main reason I no longer use
it is that it will not fork a call and I wanted more than one phone sharing a
user ID.
On Tuesday 22 July 2008, Joris Dobbelsteen wrote:
Robert Dyck wrote:
I understand that the iptables SIP ALG has been
much revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
The unfortunate situtions is that I currently run Debian, which has the
2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
- Joris
> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>> Neill Wilkinson wrote:
>>> If you are using IPtables and are familiar with how to add modules -
>>> there is a sip connection tracking module that might help:
>>>
>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>
>>> Neill...;o)
>>>
>>> Neill Wilkinson
>>> Principal Consultant
>>>
>>> Aeonvista Ltd - opening up new ideas
>>
>> I have that installed, but to the outside the SIP packets still carry
>> the LAN IP address. I'm currently missing audio (at least inbound is
>> nowhere to be seen) and it doesn't really work reliable at this moment.
>> That is a real problem currently and must be solved reliably.
>>
>> The ZyXEL modem I have was intended to be the NAT router for the
>> network, but its configured differently in my case, so I can't make that
>> thing to play nicely with NAT.
>>
>> lsmod on the firewall:
>> ip_nat_sip 8832 0
>> ip_conntrack_sip 13392 1 ip_nat_sip
>>
>> Thanks so far,
>>
>> - Joris
>>
>>> -----Original Message-----
>>> From: users-bounces(a)lists.openser.org
>>> [mailto:users-bounces@lists.openser.org] On Behalf Of Joris Dobbelsteen
>>> Sent: 21 July 2008 21:10
>>> To: users(a)lists.openser.org
>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>
>>> Dear,
>>>
>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
>>> home phone keeps breaking voice channels (the box was not intended
>>> behind NAT and I'm, of course, using a configuration that no so well
>>> supported).
>>>
>>> What is the idea:
>>>
>>> SIP transactions should travel this way:
>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <->
{Internet}
>>>
>>> RTP should travel this way:
>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>
>>>
>>> My current test is using X-Lite with voipbuster, but that doesn't
>>> really work. It seems that registers are functioning, at least X-Lite
>>> reports itself being registered.
>>> Voice calls always end up in timeouts, so something is really going
>>> wrong here, it might be authentication problems?
>>>
>>> An added problem is that I have just sufficient knowledge of SIP to see
>>> what it is doing, without really knowing what to expect exactly.
>>> Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
>>> time even grasping the configuration I typed in. This is not really
>>> helpful
>>>
>>> What I do know:
>>> * SIP Proxy traffic is flowing.
>>> * SIP INVITES don't work at all.
>>> * SIP to RTP is communication, but I don't know if RTP is actually
>>> flowing.
>>>
>>> I stole most of the configuration from the "04 NAT Traversal"
slides of
>>> the "Italy 2007 Admin course", to which there is link on the
>>> documentation site. I adapted it to make it work with the debian
>>> supplied OpenSER 1.1.
>>>
>>> How do I get this all working?
>>> What am I getting wrong?
>>>
>>> I really really appeciate any help I can get to get it working!
>>>
>>> - Joris
>>>
>>>
>>> Config is this:
>>> # ----------- global configuration parameters ------------------------
>>>
>>> debug=4 # debug level (cmd line: -dddddddddd)
>>> fork=yes # Set to no to enter debugging mode
>>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
>>>
>>> check_via=no # (cmd. line: -v)
>>> dns=no # (cmd. line: -r)
>>> rev_dns=no # (cmd. line: -R)
>>> advertised_address="82.168.191.xx"
>>> advertised_port=5060
>>> port=5060
>>> children=4
>>> fifo="/tmp/openser_fifo"
>>>
>>> #
>>> # ------------------ module loading ----------------------------------
>>>
>>> # Uncomment this if you want to use SQL database
>>> mpath="/usr/lib/openser/modules/"
>>> loadmodule "mysql.so"
>>> loadmodule "sl.so"
>>> loadmodule "tm.so"
>>> loadmodule "rr.so"
>>> loadmodule "maxfwd.so"
>>> loadmodule "usrloc.so"
>>> loadmodule "registrar.so"
>>> loadmodule "textops.so"
>>> loadmodule "nathelper.so"
>>>
>>> # Uncomment this if you want digest authentication
>>> # mysql.so must be loaded !
>>> loadmodule "auth.so"
>>> loadmodule "auth_db.so"
>>>
>>> # ----------------- setting module-specific parameters ---------------
>>>
>>> # -- usrloc params --
>>>
>>> modparam("usrloc", "db_mode", 0)
>>>
>>> # Uncomment this if you want to use SQL database
>>> # for persistent storage and comment the previous line
>>> #modparam("usrloc", "db_mode", 2)
>>>
>>> # -- auth params --
>>> # Uncomment if you are using auth module
>>> #
>>> modparam("auth_db", "calculate_ha1", yes)
>>> #
>>> # If you set "calculate_ha1" parameter to yes (which true in this
>>> config), # uncomment also the following parameter)
>>> #
>>> modparam("auth_db", "password_column",
"password")
>>>
>>> # -- rr params --
>>> # add value to ;lr param to make some broken UAs happy
>>> modparam("rr", "enable_full_lr", 1)
>>>
>>> # -- nathelper params ---
>>> modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
>>> modparam("nathelper", "natping_interval", 30)
>>> modparam("nathelper", "ping_nated_only", 1)
>>> #modparam("nathelper", "sipping_bflag", 7)
>>> modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
>>>
>>> # ------------------------- request routing logic -------------------
>>>
>>> # main routing logic
>>>
>>> route{
>>>
>>> # initial sanity checks -- messages with
>>> # max_forwards==0, or excessively long requests
>>> if (!mf_process_maxfwd_header("10")) {
>>> sl_send_reply("483","Too Many Hops");
>>> exit;
>>> };
>>>
>>> if (msg:len >= 2048 ) {
>>> sl_send_reply("513", "Message too
big");
>>> exit;
>>> };
>>>
>>> # NAT detection
>>> route(2);
>>>
>>> # we record-route all messages -- to make sure that
>>> # subsequent messages will go through our proxy; that's
>>> # particularly good if upstream and downstream entities
>>> # use different transport protocol
>>> if (!method=="REGISTER")
>>> record_route();
>>>
>>> # subsequent messages withing a dialog should take the
>>> # path determined by record-routing
>>> if (loose_route()) {
>>> # mark routing logic in request
>>> append_hf("P-hint: rr-enforced\r\n");
>>> route(1);
>>> };
>>>
>>> if (!uri==myself) {
>>> # mark routing logic in request
>>> append_hf("P-hint: outbound\r\n");
>>> # if you have some interdomain connections via TLS
>>> #if(uri=~"(a)tls_domain1.net") {
>>> # t_relay("tls:domain1.net");
>>> # exit;
>>> #} else if(uri=~"(a)tls_domain2.net") {
>>> # t_relay("tls:domain2.net");
>>> # exit;
>>> #}
>>> route(1);
>>> };
>>>
>>> # if the request is for other domain use UsrLoc
>>> # (in case, it does not work, use the following command
>>> # with proper names and addresses in it)
>>> if (uri==myself) {
>>>
>>> if (method=="REGISTER") {
>>>
>>> # Uncomment this if you want to use digest
>>> authentication
>>> if
>>> (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
>>>
>>> www_challenge("sip.familiedobbelsteen.nl", "0");
>>> exit;
>>> };
>>>
>>> if (isflagset(5)) {
>>> # set branch flag -- when someone will
>>> call this user
>>> # INVITE will have branch flag 6 set
>>> after loopup("location")
>>> setflag(6);
>>> # if you want OPTIONS natpings
>>> uncomment next
>>> # setflag(7);
>>> };
>>>
>>> save("location");
>>> exit;
>>> };
>>>
>>> lookup("aliases");
>>> if (!uri==myself) {
>>> append_hf("P-hint: outbound alias\r\n");
>>> route(1);
>>> };
>>>
>>> # native SIP destinations are handled using our USRLOC
>>> DB if (!lookup("location")) {
>>> sl_send_reply("404", "Not
Found");
>>> exit;
>>> };
>>> append_hf("P-hint: usrloc applied\r\n");
>>> };
>>>
>>> route(1);
>>> }
>>>
>>>
>>> route[1] {
>>> # send it out now; use stateful forwarding as it works
>>> reliably # even for UDP2TCP
>>> if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>> setflag(6);
>>> };
>>>
>>> if (isflagset(5) || isflagset(6)) {
>>> route(3);
>>> };
>>>
>>> if (!t_relay()) {
>>> sl_reply_error();
>>> };
>>> exit;
>>> }
>>>
>>> route[2] {
>>> force_rport();
>>> if(nat_uac_test("19")) {
>>> if (method=="REGISTER") {
>>> fix_nated_register();
>>> } else {
>>> fix_nated_contact();
>>> };
>>> setflag(5);
>>> };
>>> }
>>>
>>> route[3] {
>>> if (is_method("BYE")) {
>>> unforce_rtp_proxy();
>>> } else if (is_method("INVITE")) {
>>> force_rtp_proxy("", "82.168.191.xx");
>>> t_on_failure("2");
>>> };
>>> if (isflagset(5))
>>> search_append('Contact:.*sip:[^>[:cntrl:]]*',
>>> ';nat=yes'); t_on_reply("1");
>>> }
>>>
>>> failure_route[2] {
>>> if (isflagset(6)||isflagset(5)) {
>>> unforce_rtp_proxy();
>>> };
>>> }
>>>
>>> onreply_route[1] {
>>> if ((isflagset(5) || isflagset(6)) && status =~
>>> "(183)|(2[0-9][0-9])") {
>>> force_rtp_proxy();
>>> };
>>> search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
>>>
>>> if (isflagset(6)) {
>>> fix_nated_contact();
>>> };
>>> exit;
>>> }
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)lists.openser.org
>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)lists.openser.org
>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
8:35 p.m.
Other Option is if you can replace the Firewall with a Vyatta VC4
router/firewall. And set up NAT in that you should be able to successfully
use the IPTables SIP traversal functions.
If you want to go down this route, I can supply the configuration for the
Vyatta firewall.
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
-----Original Message-----
From: Robert Dyck [mailto:rob.dyck@telus.net]
Sent: 22 July 2008 17:39
To: Joris Dobbelsteen
Cc: users(a)lists.openser.org; Neill Wilkinson
Subject: Re: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
You did not provide many details but I suspect you trying to run a SIP phone
on a typical home LAN with Linux box having a public IP address. Siproxd is
a
simple solution which of course does not have the flexibility of openser. I
have used it with multiple phones on the LAN. The main reason I no longer
use
it is that it will not fork a call and I wanted more than one phone sharing
a
user ID.
On Tuesday 22 July 2008, Joris Dobbelsteen wrote:
Robert Dyck wrote:
that
I understand that the iptables SIP ALG has been
much revised this year
although I have not tested it myself. I believe you need at least linux
2.6.25.
The unfortunate situtions is that I currently run Debian, which has the
2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
not support Xen yet. So I'm out of luck in this department in many ways.
Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
- Joris
> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>> Neill Wilkinson wrote:
>>> If you are using IPtables and are familiar with how to add modules -
>>> there is a sip connection tracking module that might help:
>>>
>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>
>>> Neill...;o)
>>>
>>> Neill Wilkinson
>>> Principal Consultant
>>>
>>> Aeonvista Ltd - opening up new ideas
>>
>> I have that installed, but to the outside the SIP packets still carry
>> the LAN IP address. I'm currently missing audio (at least inbound is
>> nowhere to be seen) and it doesn't really work reliable at this moment.
>> That is a real problem currently and must be solved reliably.
>>
>> The ZyXEL modem I have was intended to be the NAT router for the
>> network, but its configured differently in my case, so I can't make
>> thing to play nicely with NAT.
>>
>> lsmod on the firewall:
>> ip_nat_sip 8832 0
>> ip_conntrack_sip 13392 1 ip_nat_sip
>>
>> Thanks so far,
>>
>> - Joris
>>
>>> -----Original Message-----
>>> From: users-bounces(a)lists.openser.org
>>> [mailto:users-bounces@lists.openser.org] On Behalf Of Joris
Dobbelsteen
>>> Sent: 21 July 2008 21:10
>>> To: users(a)lists.openser.org
>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>
>>> Dear,
>>>
>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since
my
>>> home phone keeps breaking voice channels
(the box was not intended
>>> behind NAT and I'm, of course, using a configuration that no so well
>>> supported).
>>>
>>> What is the idea:
>>>
>>> SIP transactions should travel this way:
>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <->
{Internet}
>>>
>>> RTP should travel this way:
>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>
>>>
>>> My current test is using X-Lite with voipbuster, but that doesn't
>>> really work. It seems that registers are functioning, at least X-Lite
>>> reports itself being registered.
>>> Voice calls always end up in timeouts, so something is really going
>>> wrong here, it might be authentication problems?
>>>
>>> An added problem is that I have just sufficient knowledge of SIP to
see
>>> what it is doing, without really knowing
what to expect exactly.
>>> Furthermore I have virtually no knowledge of OpenSER. I've quite a
hard
>>> time even grasping the configuration I
typed in. This is not really
>>> helpful
>>>
>>> What I do know:
>>> * SIP Proxy traffic is flowing.
>>> * SIP INVITES don't work at all.
>>> * SIP to RTP is communication, but I don't know if RTP is actually
>>> flowing.
>>>
>>> I stole most of the configuration from the "04 NAT Traversal"
slides
of
>>> the "Italy 2007 Admin course",
to which there is link on the
>>> documentation site. I adapted it to make it work with the debian
>>> supplied OpenSER 1.1.
>>>
>>> How do I get this all working?
>>> What am I getting wrong?
>>>
>>> I really really appeciate any help I can get to get it working!
>>>
>>> - Joris
>>>
>>>
>>> Config is this:
>>> # ----------- global configuration parameters ------------------------
>>>
>>> debug=4 # debug level (cmd line: -dddddddddd)
>>> fork=yes # Set to no to enter debugging mode
>>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
>>>
>>> check_via=no # (cmd. line: -v)
>>> dns=no # (cmd. line: -r)
>>> rev_dns=no # (cmd. line: -R)
>>> advertised_address="82.168.191.xx"
>>> advertised_port=5060
>>> port=5060
>>> children=4
>>> fifo="/tmp/openser_fifo"
>>>
>>> #
>>> # ------------------ module loading ----------------------------------
>>>
>>> # Uncomment this if you want to use SQL database
>>> mpath="/usr/lib/openser/modules/"
>>> loadmodule "mysql.so"
>>> loadmodule "sl.so"
>>> loadmodule "tm.so"
>>> loadmodule "rr.so"
>>> loadmodule "maxfwd.so"
>>> loadmodule "usrloc.so"
>>> loadmodule "registrar.so"
>>> loadmodule "textops.so"
>>> loadmodule "nathelper.so"
>>>
>>> # Uncomment this if you want digest authentication
>>> # mysql.so must be loaded !
>>> loadmodule "auth.so"
>>> loadmodule "auth_db.so"
>>>
>>> # ----------------- setting module-specific parameters ---------------
>>>
>>> # -- usrloc params --
>>>
>>> modparam("usrloc", "db_mode", 0)
>>>
>>> # Uncomment this if you want to use SQL database
>>> # for persistent storage and comment the previous line
>>> #modparam("usrloc", "db_mode", 2)
>>>
>>> # -- auth params --
>>> # Uncomment if you are using auth module
>>> #
>>> modparam("auth_db", "calculate_ha1", yes)
>>> #
>>> # If you set "calculate_ha1" parameter to yes (which true in this
>>> config), # uncomment also the following parameter)
>>> #
>>> modparam("auth_db", "password_column",
"password")
>>>
>>> # -- rr params --
>>> # add value to ;lr param to make some broken UAs happy
>>> modparam("rr", "enable_full_lr", 1)
>>>
>>> # -- nathelper params ---
>>> modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
>>> modparam("nathelper", "natping_interval", 30)
>>> modparam("nathelper", "ping_nated_only", 1)
>>> #modparam("nathelper", "sipping_bflag", 7)
>>> modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
>>>
>>> # ------------------------- request routing logic -------------------
>>>
>>> # main routing logic
>>>
>>> route{
>>>
>>> # initial sanity checks -- messages with
>>> # max_forwards==0, or excessively long requests
>>> if (!mf_process_maxfwd_header("10")) {
>>> sl_send_reply("483","Too Many Hops");
>>> exit;
>>> };
>>>
>>> if (msg:len >= 2048 ) {
>>> sl_send_reply("513", "Message too
big");
>>> exit;
>>> };
>>>
>>> # NAT detection
>>> route(2);
>>>
>>> # we record-route all messages -- to make sure that
>>> # subsequent messages will go through our proxy; that's
>>> # particularly good if upstream and downstream entities
>>> # use different transport protocol
>>> if (!method=="REGISTER")
>>> record_route();
>>>
>>> # subsequent messages withing a dialog should take the
>>> # path determined by record-routing
>>> if (loose_route()) {
>>> # mark routing logic in request
>>> append_hf("P-hint: rr-enforced\r\n");
>>> route(1);
>>> };
>>>
>>> if (!uri==myself) {
>>> # mark routing logic in request
>>> append_hf("P-hint: outbound\r\n");
>>> # if you have some interdomain connections via TLS
>>> #if(uri=~"(a)tls_domain1.net") {
>>> # t_relay("tls:domain1.net");
>>> # exit;
>>> #} else if(uri=~"(a)tls_domain2.net") {
>>> # t_relay("tls:domain2.net");
>>> # exit;
>>> #}
>>> route(1);
>>> };
>>>
>>> # if the request is for other domain use UsrLoc
>>> # (in case, it does not work, use the following command
>>> # with proper names and addresses in it)
>>> if (uri==myself) {
>>>
>>> if (method=="REGISTER") {
>>>
>>> # Uncomment this if you want to use digest
>>> authentication
>>> if
>>> (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
>>>
>>> www_challenge("sip.familiedobbelsteen.nl", "0");
>>> exit;
>>> };
>>>
>>> if (isflagset(5)) {
>>> # set branch flag -- when someone
will
>>> call this user
>>> # INVITE will have branch flag 6 set
>>> after loopup("location")
>>> setflag(6);
>>> # if you want OPTIONS natpings
>>> uncomment next
>>> # setflag(7);
>>> };
>>>
>>> save("location");
>>> exit;
>>> };
>>>
>>> lookup("aliases");
>>> if (!uri==myself) {
>>> append_hf("P-hint: outbound alias\r\n");
>>> route(1);
>>> };
>>>
>>> # native SIP destinations are handled using our
USRLOC
>>> DB if (!lookup("location")) {
>>> sl_send_reply("404", "Not
Found");
>>> exit;
>>> };
>>> append_hf("P-hint: usrloc applied\r\n");
>>> };
>>>
>>> route(1);
>>> }
>>>
>>>
>>> route[1] {
>>> # send it out now; use stateful forwarding as it works
>>> reliably # even for UDP2TCP
>>> if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>> setflag(6);
>>> };
>>>
>>> if (isflagset(5) || isflagset(6)) {
>>> route(3);
>>> };
>>>
>>> if (!t_relay()) {
>>> sl_reply_error();
>>> };
>>> exit;
>>> }
>>>
>>> route[2] {
>>> force_rport();
>>> if(nat_uac_test("19")) {
>>> if (method=="REGISTER") {
>>> fix_nated_register();
>>> } else {
>>> fix_nated_contact();
>>> };
>>> setflag(5);
>>> };
>>> }
>>>
>>> route[3] {
>>> if (is_method("BYE")) {
>>> unforce_rtp_proxy();
>>> } else if (is_method("INVITE")) {
>>> force_rtp_proxy("", "82.168.191.xx");
>>> t_on_failure("2");
>>> };
>>> if (isflagset(5))
>>> search_append('Contact:.*sip:[^>[:cntrl:]]*',
>>> ';nat=yes'); t_on_reply("1");
>>> }
>>>
>>> failure_route[2] {
>>> if (isflagset(6)||isflagset(5)) {
>>> unforce_rtp_proxy();
>>> };
>>> }
>>>
>>> onreply_route[1] {
>>> if ((isflagset(5) || isflagset(6)) && status =~
>>> "(183)|(2[0-9][0-9])") {
>>> force_rtp_proxy();
>>> };
>>> search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
>>>
>>> if (isflagset(6)) {
>>> fix_nated_contact();
>>> };
>>> exit;
>>> }
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)lists.openser.org
>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)lists.openser.org
>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
26 Jul
26 Jul
2:35 p.m.
Joris Dobbelsteen <joris(a)familiedobbelsteen.nl> writes:
Can't I get OpenSER to work, or any (maybe
simpler) SIP proxy? Maybe
another solutions is more suited for the problem I have?
I ended up using a B2BUA (asterisk) for this.
See also the thread "kagoor voiceflow replacement" on the OpenSER-Users
mailing list.
Message-ID: <424bdbb90804111305l4a86774dhf16f890acdffbcdc(a)mail.gmail.com>
Greetings,
Jens
22 Jul
22 Jul
3:25 p.m.
All right, I have been trying without too much success so far :(
The SIP signalling path seems to be working OK, but not for voice. Some
magic is going in, for which I cannot really grasp the how and why. I
got outgoing signalling from my ZyXEL UA to the RTPProxy, which is
relaying it to the upstream SIP proxy, but NOT the host that SHOULD
receive the signal.
******************
I have been monitoring the channel between the Internet Firewall and
ADSL modem (bridge), which also happens to have the VoIP modem
connected. (Long live SpeedTouch with their switch with port
mirror/monitor function.)
[UA -> SER-proxy] INVITE
SDP: c=192.168.8.193 : 60026 (RTP)
[SER-proxy -> Inet-server] INVITE
SDP: c=82.168.191.xx : 35120 (RTP)
[Inet-server -> SER-proxy] 183 Session progress
SDP: c=62.41.aa.bb : 9112 (RTP)
[SER-proxy -> UA] 183 Session progress
SDP: c=82.168.191.xx : 35122 (RTP)
=== Looks OK for the untrained eye...
RTP traffic spotted
192.168.8.193:60026 -> 82.168.191.xx:35122
:: Looks OK
82.168.191.xx:35122 -> 194..221.62.dd:9112
:: Takes SIP Inet server IP address, but SHOULD take 62.41.aa.bb!
=== Don't see traffic flowing in the other direction, NOT good! Maybe
its still trying to send to 192.168.8.193, but I can't monitor that in
any way...
******************
It seems quite hard to get this all working as desired/how it should
work. And that seems a good reason to try some of the alternatives, like
siproxd. Maybe thats better suited for my immediate needs...
Still, I like the flexibility you get with OpenSER, but I need a
"production" installation really really fast! I'll probably be digging
into this at some later date, when I'm grasping more how everything is
actually implemented and how it should be working.
Thanks for the help so far!
Of course I'm still open to suggestions and advice.
- Joris
Joris Dobbelsteen wrote:
Dear,
I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
home phone keeps breaking voice channels (the box was not intended
behind NAT and I'm, of course, using a configuration that no so well
supported).
What is the idea:
SIP transactions should travel this way:
ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
RTP should travel this way:
ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
My current test is using X-Lite with voipbuster, but that doesn't really
work. It seems that registers are functioning, at least X-Lite reports
itself being registered.
Voice calls always end up in timeouts, so something is really going
wrong here, it might be authentication problems?
An added problem is that I have just sufficient knowledge of SIP to see
what it is doing, without really knowing what to expect exactly.
Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
time even grasping the configuration I typed in. This is not really helpful
What I do know:
* SIP Proxy traffic is flowing.
* SIP INVITES don't work at all.
* SIP to RTP is communication, but I don't know if RTP is actually flowing.
I stole most of the configuration from the "04 NAT Traversal" slides of
the "Italy 2007 Admin course", to which there is link on the
documentation site. I adapted it to make it work with the debian
supplied OpenSER 1.1.
How do I get this all working?
What am I getting wrong?
I really really appeciate any help I can get to get it working!
- Joris
Config is this:
# ----------- global configuration parameters ------------------------
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes # Set to no to enter debugging mode
log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
advertised_address="82.168.191.xx"
advertised_port=5060
port=5060
children=4
fifo="/tmp/openser_fifo"
#
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
mpath="/usr/lib/openser/modules/"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- nathelper params ---
modparam("nathelper", "rtpproxy_sock",
"udp:192.168.10.6:22222")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
#modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@82.168.191.xx")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
#if(uri=~"(a)tls_domain1.net") {
# t_relay("tls:domain1.net");
# exit;
#} else if(uri=~"(a)tls_domain2.net") {
# t_relay("tls:domain2.net");
# exit;
#}
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("sip.familiedobbelsteen.nl",
"subscriber")) {
www_challenge("sip.familiedobbelsteen.nl", "0");
exit;
};
if (isflagset(5)) {
# set branch flag -- when someone will
call this user
# INVITE will have branch flag 6 set
after loopup("location")
setflag(6);
# if you want OPTIONS natpings
uncomment next
# setflag(7);
};
save("location");
exit;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
setflag(6);
};
if (isflagset(5) || isflagset(6)) {
route(3);
};
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2] {
force_rport();
if(nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
route[3] {
if (is_method("BYE")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")) {
force_rtp_proxy("", "82.168.191.xx");
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*',
';nat=yes');
t_on_reply("1");
}
failure_route[2] {
if (isflagset(6)||isflagset(5)) {
unforce_rtp_proxy();
};
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status =~
"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
};
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
};
exit;
}
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
5965
days inactive
5974
days old
17 comments
7 participants
participants (7)
-
Alex Balashov -
Henning Westerholt -
Jens Thiele -
Joris Dobbelsteen -
Klaus Darilion -
Neill Wilkinson -
Robert Dyck