Hi,
Some of our customers have been connecting behind NAT routers that mangle the sip headers but don't keep the ports open. I've added checks on the source port to catch this case. Has anyone done something similar or better? It'd be nice if this could be added as a flag to nat_uac_test() if it is a common test and there isn't already a better way.
Here is the code I've used to handle my registers. I need to do more testing once I can get some of these routers in my lab to see how this affects call processing, not just registering.
Mike
# Skip "Contact: *" (unregister all); the '*' is escaped so that it matches literally.
if (!search("^Contact:\ +\*") && nat_uac_test("7")) {
    xlog("L_INFO", "M=$rm RURI=$ru F=$fu IP=$si:$sp CS=$cs route2: matched nat_uac_test7\n");
    xlog("L_NOTICE", "M=$rm RURI=$ru F=$fu IP=$si:$sp CS=$cs route2: setbflag(6)\n");
    setbflag(6);
    xlog("L_NOTICE", "M=$rm RURI=$ru F=$fu IP=$si:$sp CS=$cs route2: fix_nated_register()\n");
    fix_nated_register();
    #xlog("L_INFO", "M=$rm RURI=$ru F=$fu IP=$si:$sp CS=$cs route2: force_rport()\n");
    #force_rport();
};
# Some NAT devices modify SIP headers but do not keep the port mappings open; also, some UAs detect and report the
# public IP address. In both cases we need NAT ping. Exceptions for default ports: these ports, if used as
# source ports, can be assumed to be at the very least port forwarded.
if (!isbflagset(6) && $sp != '5060' && $sp != '5061') {
    xlog("L_NOTICE", "M=$rm RURI=$ru F=$fu IP=$si:$sp CS=$cs route2: matched !isbflagset(6) && ($sp != '5060' && $sp != '5061')\n");
    setbflag(6);
};
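The reasoning behind the extra source-port check, as an added example in Python (not code from the original post or from OpenSER). Tests 1, 2 and 4 are simplified re-implementations of the header checks selected by nat_uac_test("7"), assumed from the nathelper documentation; the REGISTER messages, addresses and function names are constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed REGISTER as it arrives after a SIP ALG rewrote the private
# address in Via and Contact to the router's public one (203.0.113.10).
ALG_REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:alice@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@203.0.113.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed: same request through a NAT without ALG (headers untouched).
PLAIN_NAT_REGISTER = ALG_REGISTER.replace("203.0.113.10", "192.168.1.20")


def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname rather than an IP literal
        return False
    return any(addr in net for net in RFC1918)


def header_host(msg, name, pattern):
    """Host captured from the first header called `name` (the topmost Via)."""
    m = re.search(rf"^{name}:.*?{pattern}", msg, re.M | re.I)
    return m.group(1) if m else None


def header_tests(msg, src_ip):
    """Simplified tests 1 (Contact private), 2 (Via != source), 4 (Via private)."""
    via = header_host(msg, "Via", r"SIP/2\.0/\w+\s+([^;:\s]+)")
    contact = header_host(msg, "Contact", r"@([^;:>\s]+)")
    checks = {1: contact and is_rfc1918(contact),
              2: via and via != src_ip, 4: via and is_rfc1918(via)}
    return {flag for flag, hit in checks.items() if hit}


def needs_nat_ping(msg, src_ip, src_port):
    """Rule from the post: header tests first, then any non-default source port."""
    return bool(header_tests(msg, src_ip)) or src_port not in (5060, 5061)
```

A router that also keeps 5060 as the mapped source port still passes as un-NATed under this rule, which is the remaining gap in the heuristic.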
On Thursday 27 March 2008 17:13:38 Mike Fedyk wrote:
> Hi,
> Some of our customers have been connecting behind NAT routers that mangle the sip headers but don't keep the ports open. I've added checks on the source port to catch this case. Has anyone done something similar or better? It'd be nice if this could be added as a flag to nat_uac_test() if it is a common test and there isn't already a better way.
> Here is the code I've used to handle my registers. I need to do more testing once I can get some of these routers in my lab to see how this affects call processing, not just registering.
Dear Mike, I could save you tons of hours trying to solve that problem, ANY router on the market that do SIP ALG (sip mangling) do it well, ALL of them (cisco, zyxel, netgear, etc.) do it the wrong way or worse than wrong .. :-(
My advice to you, if you have customers that have those broken routers, 2 solutions:
- Disable SIP ALG support (most of them could disable that feature)
- If SIP ALG could not be disabled, tell your customer to change the router.
Another solution is what is done by Betamax and its clones ... just IGNORE all the information in the SDP about IP media sources, tell your customer's UA to send all the traffic to your RTP proxies and then wait for that RTP before knowing where you have to send yours. Also this "solution" has its own tons of problems, the biggest of them is that it totally breaks the SIP standard.
Hi Raul,
Do you have experience with the iptables SIP module? Is it broken as well? I have been curious but have not got around to testing it.
Thanks
Rob
On Thursday 27 March 2008, Raúl Alexis Betancor Santana wrote:
> On Thursday 27 March 2008 17:13:38 Mike Fedyk wrote:
> > Hi,
> > Some of our customers have been connecting behind NAT routers that mangle the sip headers but don't keep the ports open. I've added checks on the source port to catch this case. Has anyone done something similar or better? It'd be nice if this could be added as a flag to nat_uac_test() if it is a common test and there isn't already a better way.
> > Here is the code I've used to handle my registers. I need to do more testing once I can get some of these routers in my lab to see how this affects call processing, not just registering.
> Dear Mike, I could save you tons of hours trying to solve that problem, ANY router on the market that do SIP ALG (sip mangling) do it well, ALL of them (cisco, zyxel, netgear, etc.) do it the wrong way or worse than wrong .. :-(
> My advice to you, if you have customers that have those broken routers, 2 solutions:
> - Disable SIP ALG support (most of them could disable that feature)
> - If SIP ALG could not be disabled, tell your customer to change the router.
> Another solution is what is done by Betamax and its clones ... just IGNORE all the information in the SDP about IP media sources, tell your customer's UA to send all the traffic to your RTP proxies and then wait for that RTP before knowing where you have to send yours. Also this "solution" has its own tons of problems, the biggest of them is that it totally breaks the SIP standard.
Hi Mike!
Dealing with SIP ALGs is really PITA. Currently I do not use any NAT tests at all but always do NAT traversal (except I know for sure that the client is asymmetric).
Another useful approach is to open another socket on the SIP proxy with non-standard port, as most SIP ALGs trigger on port 5060.
regards
klaus
Mike Fedyk wrote:
> Hi,
> Some of our customers have been connecting behind NAT routers that mangle the sip headers but don't keep the ports open. I've added checks on the source port to catch this case. Has anyone done something similar or better? It'd be nice if this could be added as a flag to nat_uac_test() if it is a common test and there isn't already a better way.
> Here is the code I've used to handle my registers. I need to do more testing once I can get some of these routers in my lab to see how this affects call processing, not just registering.
> Mike
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users