Hi Rafael,
You would use the "example code snippet" when you want to decide whether or not to use rtpproxy or mediaproxy based on the fact that both the caller and the callee are behind the same NAT device. Please review the mailing lists as this topic has been discussed many times.
I added some additional comments in regard to the setting of flags 2 and 3 in the posted example at: http://openser.org/dokuwiki/doku.php?id=avp_examples
Generally, I have found that if OpenSER fails to start with an error indicating that the function can't be found, it's time to find the correct module to add.
In response to your last question "etc." I suggest that you review the three web sites: openser.org, iptel.org and onsip.org. The last one has some really great material that explains alot.
Regards, Norm
Rafael R. GV wrote:
Hi I am using nathelper/rtpproxy in ser , please see my ser.cfg attached and tell me where do I have to use this code snippet? where did you set flags 2 and 3?, what other modules I need?, etc.
thank you Rafael Lima-Peru
On 12/7/05, *Norman Brandinger* <norm@goes.com mailto:norm@goes.com> wrote:
Thanks go out to Klaus and Tavis. I took the results of this thread and placed it in the docuwiki for the rest of the user community to use (at least, the rest of the user community that reads the docuwiki :) http://openser.org/dokuwiki/doku.php?id=avp_examples If I made any typos, please feel free to correct them. Regards, Norm _______________________________________________ Users mailing list Users@openser.org <mailto:Users@openser.org> http://openser.org/cgi-bin/mailman/listinfo/users <http://openser.org/cgi-bin/mailman/listinfo/users>
# # If you don't want to enforce RTP proxy for some destinations # then simply use t_relay() instead of route(1) # # Modificado para MYSQL_ACC support # Handling of Unavailable user and Voicemail redirection (404|408|486) # # Log Missed Calls (403|404|408|415|484|486|487). # # Group checking and PSTN credentials. # # 18/07/2005 Prepaid & B2bua support added # 11/11/2005 LDI a 192.168.2.132 with a2billing # # Pendientes !! - Administrar Multi-Dominio para otros Códigos de Area. # - Completar Logica para tratamiento de llamadas entre # un mismo NAT usando avpops. # # ----------- global configuration parameters ------------------------
#/* Uncomment these lines to enter debugging mode debug=2 fork=yes log_stderror=yes #*/
listen=192.168.2.130 listen=127.0.0.1 port=5060
# hostname matching an alias will satisfy the condition uri==myself". alias=mydomain.com.pe alias=127.0.0.1
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) children=4 fifo="/tmp/ser_fifo" fifo_mode=0666 # Fifo permissions can be changes from here.
# sip_warning - Should replies include extensive warnings? # By default yes, it is good for trouble-shooting. sip_warning=yes
# ------------------ module loading ---------------------------------- loadmodule "/usr/local/lib/ser/modules/domain.so" loadmodule "/usr/local/lib/ser/modules/avpops.so" loadmodule "/usr/local/lib/ser/modules/mysql.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/group.so" loadmodule "/usr/local/lib/ser/modules/uri.so" loadmodule "/usr/local/lib/ser/modules/uri_db.so" loadmodule "/usr/local/lib/ser/modules/acc.so" loadmodule "/usr/local/lib/ser/modules/textops.so"
# digest authentication loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# !! Nathelper loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
modparam("usrloc", "db_mode", 2)
# minimize write back window - default is 60 seconds modparam("usrloc", "timer_interval", 10)
# database location modparam("usrloc", "db_url", "mysql://ser:heslo@localhost/ser")
modparam("usrloc", "use_domain", 1) modparam("auth_db", "use_domain", 1)
modparam("domain", "db_mode", 1) modparam("domain", "domain_table", "domain") modparam("domain", "domain_col", "domain")
# ------------- Mysql Accounting parameters modparam("acc", "log_flag", 1) modparam("acc", "log_level", 2) modparam("acc", "db_flag", 1) modparam("acc", "db_missed_flag", 3) modparam("acc", "log_missed_flag", 3) modparam("acc", "db_url", "mysql://seradmin:heslo@localhost/ser") modparam("acc", "report_ack", 0) # 1 reporta dos starts en acc (para INVITE y ACK) modparam("acc", "failed_transactions", 1) # *all* non-200 transactions marked for acc will be logged too.
modparam("acc", "log_fmt", "miocfsputdr")
modparam("tm", "fr_timer", 20 ) modparam("tm", "fr_inv_timer", 40 ) # Timer which hits if no final reply for an INVITE modparam("tm", "wt_timer", 20 )
# add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
modparam("group", "db_url", "mysql://seradmin:heslo@localhost/ser") modparam("uri_db", "db_url", "mysql://seradmin:heslo@localhost/ser")
# ------------- registration parameters modparam("registrar", "nat_flag", 6) modparam("registrar", "min_expires", 60) modparam("registrar", "max_expires", 86400) modparam("registrar", "default_expires", 3600) modparam("registrar", "desc_time_order", 1) modparam("registrar", "append_branches", 1)
modparam("registrar", "use_domain", 1)
# !! Nathelper # modparam("registrar", "nat_flag", 6) modparam("nathelper", "natping_interval", 30) # Ping interval 30 s modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
# -------------------------- request routing logic --------------------------
route {
log(1, "-------------------------------------------\n"); log(1, "entering main loop\n"); # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if ( msg:len >= max_len ) { sl_send_reply("513", "Message too big"); break; }; # !! Nathelper # Special handling for NATed clients; first, NAT test is # executed: it looks for via!=received and RFC1918 addresses # in Contact (may fail if line-folding is used); also, # the received test should, if completed, should check all # vias for rpesence of received if (nat_uac_test("19")) { # Allow RR-ed requests, as these may indicate that # a NAT-enabled proxy takes care of it; unless it is # a REGISTER if (method == "REGISTER" || ! search("^Record-Route:")) { log("LOG: Someone trying to register from private IP, rewriting\n"); # This will work only for user agents that support symmetric # communication. We tested quite many of them and majority is # smart enough to be symmetric. In some phones it takes a configuration # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is # called "symmetric media" and "symmetric signalling". fix_nated_contact(); # Rewrite contact with source IP of signalling if (method == "INVITE") { fix_nated_sdp("1"); # Add direction=active to SDP }; force_rport(); # Add rport parameter to topmost Via setflag(6); # Mark as NATed }; }; # set flag for Radius Accounting: if (!method=="OPTIONS") setflag(3); # SET MISSED_CALLS FLAG FOR ACC if (method=="INVITE") { log(1, "INVITE MESSAGE RECEIVED - START ACC\n"); setflag(1); /* set for accounting (the same value as in log_flag!) */ }; if (method=="BYE") { log (1, "BYE - STOP ACCOUNTING\n"); setflag(1); }; if (method=="CANCEL") { log (1, "CANCEL - STOP ACCOUNTING\n"); setflag(1); }; # record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route(); # subsequent messages withing a dialog should take the # path determined by record-routing # Excluding packets from b2bua (port 5070) if (loose_route() ) { log(1," Mark routing logic in request --> rr-enforced \n"); append_hf("P-hint: rr-enforced\r\n"); # t_relay(); route(1); # Nathelper!! break; }; if (!uri==myself ) { log(1," Mark routing logic in request --> outbound\r \n"); append_hf("P-hint: outbound\r\n"); # t_relay(); route(1); # Nathelper!! break; }; if (uri==myself) { if (method == "REGISTER") { log(1, "ANALYZING REGISTER REQUEST\n"); # to use digest authentication if (is_user_in("Request-URI", "desactivado")) { sl_send_reply("402", "Su cuenta fue desactivada"); break; }; if (!www_authorize("mydomain.com.pe", "subscriber")) { log(1," ----- Fails to Register \n"); www_challenge("mydomain.com.pe", "0"); break; }; # only signed users are allowed if (!check_to()) { log(1, "LOG: Hijack!!!--> unsigned user registration attempt\n"); sl_send_reply("403", "hijack attempt!!!! Only signed users are allowed"); break; }; log(1," Registered!!! \n"); if (!save("location")) { sl_reply_error(); }; break; }; #For *B2bua: First check the source of the call #********************************************** # If the call comes from the gateways, no authentication is required. if (src_ip==192.168.2.145 || src_ip==192.168.2.132 || src_ip==192.168.2.131) { log(1,"Call from pstn|*, no authentication is required. \n"); # If the call comes from B2BUA, no authentication is required, # The first leg of the call has already been authenticated. } else if (src_ip==192.168.2.130 && src_port==5070) { log(1,"Call from B2BUA, no authentication is required. \n"); } else { # We check user credentials if ((method == "INVITE" || method== "CANCEL" || method== "BYE" || method== "ACK") && (!src_ip==192.168.2.130 && !src_port==5070)){ log(1, "ANALYZING INVITE||CANCEL REQUESTs\n"); if (!proxy_authorize("mydomain.com.pe", "subscriber")) { # log(1," ----- Fails to ...proxy_authorize \n"); proxy_challenge("mydomain.com.pe", "0"); break; } else { if (method == "INVITE" && !check_from()) { sl_send_reply("403", "Only registered users are allowed"); log(1," ----> Only registered users are allowed \n"); break; }; }; # Not all the users are PREPAID, so we check the database # to see if the call will be routed through B2BUA. # If every call is to be routed through B2BUA the "is_user_in" # conditional is not required. # Do not use b2bua for local calls if (is_user_in("From", "prepaidb") && uri=~"^sip:00") { log(1," ----> Usuario PREPAGO!!! enviando a b2bua... \n"); rewritehostport("192.168.2.130:5070"); t_relay_to_udp("192.168.2.130", "5070"); break; }; };# End of if (method == "INVITE" |... }; /* *********** Dial out to Local and PSTN logic ********* */ # Forward +9n digit requests to gateway Cisco-AS5350 (Celulares): if(uri=~"^sip:9" ){ log(1," digit expression match - Celulares \n"); if (!is_user_in("from", "movlim")) { sl_send_reply("403", "No permission for mobile calls"); acc_db_request("403 Forbidden", "missed_calls"); break; }; rewritehostport("192.168.2.145:5060"); route(1); break; }; /* ******************************************************************** */ lookup("aliases"); # does the user wish redirection on no availability? (i.e., is he # in the voicemail group?) -- determine it now and store it in # flag 4, before we rewrite the flag using UsrLoc if (is_user_in("Request-URI", "voicemail")) { log(1, "requested user is in voicemail group \n"); setflag(4); }; # native SIP destinations are handled using our USRLOC DB: # LOOKUP (location)!!!! if (!lookup("location")) { log(1,"unable to locate user X ... sending to route(4)! \n"); # handle user which was not found route(4); break; }; ### Test if UAS are in the same NAT: # get the host part of the final uri (IP part) and store it in AVP ID 13 avp_write("$ruri/domain", "i:13"); if (avp_check("i:13","eq/$src_ip/i")) { log(1, "source IP is the same as destination IP\n"); route(3); break; }; avp_delete("i:13/g"); }; # End of "if(uri==myself)" append_hf("P-hint: usrloc applied\r\n"); route(1); # if user is on-line and is in Voicemail group, enable redirection if (method == "INVITE" && isflagset(4)) { log(1, "invite for voicemail user->initiate failureroute[1]\n"); t_on_failure("1"); };}
### ##### ####### ########## - ROUTES - ############### ################# ##################
route[1] {
# if client or server know to be behind a NAT, enable relay if (isflagset(6)) { log(1, "Route1: force rtp proxy!!!\n"); force_rtp_proxy(); }; # NAT processing of replies; apply to all transactions (for example, # re-INVITEs from public to private UA are hard to identify as # NATed at the moment of request processing); look at replies t_on_reply("1"); # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; log(1, "Route[1]: Send it out now!!!\n"); break;}
# !! Nathelper onreply_route[1] { # NATed transaction ? # Not all 2xx messages have a content body so here we # make sure our Content-Length > 0 to avoid a parse error
if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") { fix_nated_contact(); if (!search("^Content-Length:\ 0")) { force_rtp_proxy(); }; # otherwise, is it a transaction behind a NAT and we did not # know at time of request processing ? (RFC1918 contacts) } else if (nat_uac_test("1")) { fix_nated_contact(); };}
# -------------- SIP-to-PSTN call routed ---------------------
route[2]{ log(1,"route[2]:SIP-to-GW call routed \n"); if(!t_relay()){ sl_reply_error(); }; log(1, "Route[2]: Send it out now!!!\n"); }
# -------------- Same NAT Call Routing (no force rtpproxy) ----
route[3]{ log(1," route[3]: UAs are in the same nat, NO force_rtp_proxy ");
# What do I have to do here? if(!t_relay()){ sl_reply_error(); }; log(1, "Route[3]: Send it out now!!!\n");}
# --------------- Handling of Unavailable user ---------------- route[4] {
# non-Voip -- just send "off-line" if (!(method=="INVITE" || method=="ACK" || method=="CANCEL" || method=="BYE" || method=="OPTIONS")) { sl_send_reply("404", "Not Found"); acc_db_request("404 Not Found", "missed_calls"); log(1, "acc 404 Not Found 1 \n"); break; }; if (!isflagset(4) && !method=="OPTIONS" && !method=="ACK" && !method=="BYE") { sl_send_reply("404", "Not Found and no voicemail turned on !! "); acc_db_request("404 Not Found", "missed_calls"); log(1, " acc 404 Not Found and no voicemail \n"); break; }; # forward to voicemail adding prefix to simplify asterisk "extension.conf" prefix("vm"); acc_db_request("404 Not Found -> Vm", "missed_calls"); rewritehostport("192.168.2.131:5070"); t_relay_to_udp("192.168.2.131", "5070");}
# if forwarding downstream did not succeed, try voicemail running at Asterisk
failure_route[1]{ if (t_check_status("408")){ # revert_uri (); back to the original URI, makes me loose all lookup/rewrite stuff prefix("vm"); rewritehostport ("192.168.2.131:5070"); acc_db_request("408 Timeout -> Vm", "missed_calls"); append_branch(); t_relay(); break; } else if (t_check_status("486")){ # revert_uri (); back to the original URI, makes me loose all lookup/rewrite stuff prefix("vm"); rewritehostport ("192.168.2.131:5070"); acc_db_request("486 Busy -> Vm", "missed_calls"); append_branch(); t_relay(); break; } }
### The End ###
Hi thank you!, now i am using Openser, it was easy to move from ser, just some minor changes like 'break' to 'return' etc, my nathelper implementation is based on a ser example and it works very well, just made some minor changes to set flag 6 and flag 7 to 'Register' and 'Invites' when 'nat_uac_test("19")' in order to try Tavis code snippet, in my tests there is no audio when reset flag 6 and 7 after detected the two clients behind the same NAT and can't hungup or cancel calls properly, please someone see my cfg attached and send some advice, what I am missing?
thanks rafael
On 12/7/05, Norman Brandinger norm@goes.com wrote:
Hi Rafael,
You would use the "example code snippet" when you want to decide whether or not to use rtpproxy or mediaproxy based on the fact that both the caller and the callee are behind the same NAT device. Please review the mailing lists as this topic has been discussed many times.
I added some additional comments in regard to the setting of flags 2 and 3 in the posted example at: http://openser.org/dokuwiki/doku.php?id=avp_examples
Generally, I have found that if OpenSER fails to start with an error indicating that the function can't be found, it's time to find the correct module to add.
In response to your last question "etc." I suggest that you review the three web sites: openser.org, iptel.org and onsip.org. The last one has some really great material that explains alot.
Regards, Norm
Rafael R. GV wrote:
Hi I am using nathelper/rtpproxy in ser , please see my ser.cfg attached and tell me where do I have to use this code snippet? where did you set flags 2 and 3?, what other modules I need?, etc.
thank you Rafael Lima-Peru
Hello Rafael,
I took a very quick look at your conifguration and noticed that you have commented out the "nat_flag" line. This setting is documented here: http://www.openser.org/docs/modules/1.1.x/registrar.html#AEN103 I believe that you should, at a minimum, uncomment this line.
# modparam("registrar", "nat_flag", 6)
Your configuration looks as though it is based on information from the iptel.org site. I would suggest that you also review the NAT example configuration from the onsip.org site. The onsip.org configurations are a little more current. The nice part of the onsip.org configurations is that they are provided with line-by-line explanations.
Regards, Norm
Rafael R. GV wrote:
Hi thank you!, now i am using Openser, it was easy to move from ser, just some minor changes like 'break' to 'return' etc, my nathelper implementation is based on a ser example and it works very well, just made some minor changes to set flag 6 and flag 7 to 'Register' and 'Invites' when 'nat_uac_test("19")' in order to try Tavis code snippet, in my tests there is no audio when reset flag 6 and 7 after detected the two clients behind the same NAT and can't hungup or cancel calls properly, please someone see my cfg attached and send some advice, what I am missing?
thanks rafael
On 12/7/05, *Norman Brandinger* <norm@goes.com mailto:norm@goes.com> wrote:
Hi Rafael, You would use the "example code snippet" when you want to decide whether or not to use rtpproxy or mediaproxy based on the fact that both the caller and the callee are behind the same NAT device. Please review the mailing lists as this topic has been discussed many times. I added some additional comments in regard to the setting of flags 2 and 3 in the posted example at: http://openser.org/dokuwiki/doku.php?id=avp_examples Generally, I have found that if OpenSER fails to start with an error indicating that the function can't be found, it's time to find the correct module to add. In response to your last question "etc." I suggest that you review the three web sites: openser.org <http://openser.org>, iptel.org <http://iptel.org> and onsip.org <http://onsip.org>. The last one has some really great material that explains alot. Regards, Norm Rafael R. GV wrote: > Hi > I am using nathelper/rtpproxy in ser , please see my ser.cfg attached > and tell me where do I have to use this code snippet? where did you > set flags 2 and 3?, what other modules I need?, etc. > > thank you > Rafael > Lima-Peru >
No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date: 12/13/2005
yes, actually 'nat_flag' parameter its uncommented lines above, as I told in my last post this configuration works very well, in fact I'am using it in a production sip proxy that serve lots of UA´s like Linksys-PAP, Sipura, Addpac, X-pro, Snom phones and asterisk, With those UA´s that support STUN there is no problem because my Stun can find its public ip/port and then openser will not detect a NATed client and do not enforce rtpproxy/nathelper, the problem appears only for UA´s behind same nat and this nat doesn't support hairpinning (send back data in the source direction to reach the target), so this new solution using avp in combination with nathelper and STUN will cover a 100% of Nated UA cases and I´d like to complete and share my configuration that support other useful features the can be useful for this community, I will appreciate your help in this issue.
thank you Rafael
On 12/13/05, Norman Brandinger norm@goes.com wrote:
Hello Rafael,
I took a very quick look at your conifguration and noticed that you have commented out the "nat_flag" line. This setting is documented here: http://www.openser.org/docs/modules/1.1.x/registrar.html#AEN103 I believe that you should, at a minimum, uncomment this line.
# modparam("registrar", "nat_flag", 6)
Your configuration looks as though it is based on information from the iptel.org site. I would suggest that you also review the NAT example configuration from the onsip.org site. The onsip.org configurations are a little more current. The nice part of the onsip.org configurations is that they are provided with line-by-line explanations.
Regards, Norm
Rafael R. GV wrote:
Hi thank you!, now i am using Openser, it was easy to move from ser, just some minor changes like 'break' to 'return' etc, my nathelper implementation is based on a ser example and it works very well, just made some minor changes to set flag 6 and flag 7 to 'Register' and 'Invites' when 'nat_uac_test("19")' in order to try Tavis code snippet, in my tests there is no audio when reset flag 6 and 7 after detected the two clients behind the same NAT and can't hungup or cancel calls properly, please someone see my cfg attached and send some advice, what I am missing?
thanks rafael
On 12/7/05, *Norman Brandinger* <norm@goes.com mailto:norm@goes.com> wrote:
Hi Rafael, You would use the "example code snippet" when you want to decide whether or not to use rtpproxy or mediaproxy based on the fact that both the caller and the callee are behind the same NAT device. Please review the mailing lists as this topic has been discussed many times. I added some additional comments in regard to the setting of flags 2 and 3 in the posted example at: http://openser.org/dokuwiki/doku.php?id=avp_examples Generally, I have found that if OpenSER fails to start with an error indicating that the function can't be found, it's time to find the correct module to add. In response to your last question "etc." I suggest that you reviewthe
three web sites: openser.org <http://openser.org>, iptel.org <http://iptel.org> and onsip.org <http://onsip.org>. The last onehas
some really great material that explains alot. Regards, Norm Rafael R. GV wrote: > Hi > I am using nathelper/rtpproxy in ser , please see my ser.cfg attached > and tell me where do I have to use this code snippet? where didyou
> set flags 2 and 3?, what other modules I need?, etc. > > thank you > Rafael > Lima-Peru >
No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date:
12/13/2005
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
-
Norman Brandinger -
Rafael R. GV