[Serusers] SER and NAT

XeloQ Communications tjapko at xeloq.com
Thu Jun 3 22:32:09 CEST 2004


Hello Adrian, 

Thanks for your answers. They were very clarifying. I test in my lab
test  environment where i do not have any firewalls or other possible
problem initiators. 

The ser.cfg example that comes with the source with mediaproxy  does not
allow non nated EP's to register. Is it possible for you to update the
example config file so non nated ep's can also register and do not use
mediaproxy when traffic is between non nated ep's. 

NATed    -- NATed mediaproxy
Public C -- NATed mediaproxy.
Public C -- Public C no mediaproxy.

Please just hint me in the correct direction.

Here is my current ser.cfg It is not working the way i want like
mentioned above. .

#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no	# (cmd line: -E)

/* Uncomment these lines to enter debugging mode 
debug=7
fork=no
log_stderror=yes
*/

check_via=no	# (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/domain.so"
loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"


# Uncomment this if you want digest authentication
# mysql.so must be loaded !
#loadmodule "/usr/local/lib/ser/modules/auth.so"
#loadmodule "/usr/local/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

#modparam("usrloc", "db_mode",   0)

#modparam("domain", "db_url", "sql:ser:heslo at localhost/ser") //now using
default

# Uncomment this if you want to use SQL database 
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 1)

# -- auth params --
# Uncomment if you are using auth module
#
#modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), 
# uncomment also the following parameter)
#
#modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

modparam("mediaproxy", "natping_interval", 60)

route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too many hops");
        break;
    };

    if (msg:len >= max_len) {
        sl_send_reply("513", "Message too big");
        break;
    };
    
        if (client_nat_test("3")) {
        if (method == "REGISTER" || ! search("^Record-Route:")) {
	        fix_contact();
            force_rport();
	};
    
    
    if (method=="INVITE") {
        use_media_proxy();
        t_on_reply("1");
    };
 };

     if (method=="REGISTER") {

# Uncomment this if you want to use digest authentication
#	if (!www_authorize("200.84.12.12", "subscriber")) {
#	www_challenge("200.84.12.12", "0");
#	break;
#	};

	save("location");
	break;
	};

	# native SIP destinations are handled using our USRLOC DB
	if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			break;
	};

    
    
    
    if (method == "BYE" || method == "CANCEL") {
        end_media_session();
    };
   
    if (loose_route()) {
        t_relay();
        break;
    };
   
   if (method == "INVITE") {
        record_route();
    };

    
   
    if (!t_relay()) {
        sl_reply_error();
    };
}

onreply_route[1] {

    if (status=~"(183)|2[0-9][0-9]") {
        if (client_nat_test("1")) {
            fix_contact();
        };
        use_media_proxy();
    };

    if (status=~"[3-4]0[0-9]") {   
        end_media_session();
        break;
    };
}

  
 




On Fri, 2004-06-04 at 00:48, Adrian Georgescu wrote:
> Tjapko,
> 
> See answers inline.
> 
> On Jun 4, 2004, at 12:16 AM, Tjapko ITS Consult at ncy wrote:
> 
> > Thanks a lot,
> >
> > Still I am lost. Mediaproxy works fine when Nated Ep's are calling out  
> > to
> > PSTN or not NAted Ep's but I can't call to any NATed EP with te example
> > ser.cfg that comes with mediaproxy.
> >
> 
> The examples from the documentation are used in production platforms.  
> They do work.
> 
> > Mediaproxy is trying hard and doesn't give any error message but in the
> > sessions.py and the log I can see that the destination address for the  
> > NAted
> > IP (EP) is missing.
> 
> It could be that your end points are behind a blocked firewall. You may  
> start calls from inside to a public gateway but nobody from outside  
> could initiate connections to inside.
> 
> > I read the readme and tried everything possible but unfortunately  
> > without
> > the desired result.
> >
> > Nathelper seems clear on this using the modparam ("registrar",  
> > "natflag",
> > 6).
> 
> The set of such flag is not mandatory.
> 
> > Like the example in the answer from Klaus, registration from any nated  
> > ep
> > will be flagged. Calling to any nated EP will be easy because the
> > destination address is flagged and saved during registration and the
> > t_on_reply will check if the flag is set and subsequently force proxy  
> > on the
> > recorded address. At least this is how I understand it.
> >
> > Studying the readme for mediaproxy tells that nat_uac_test() has to be
> > replaced with client_nat_test() but according the readme the only  
> > difference
> > between the 2 is that the latter function will NOT check if the SDP  
> > body has
> > private IP's.
> >
> > How can I use mediaproxy so that when calling to an NATed EP  
> > mediaproxy will
> > be able to generate the correct destination address. Does anybody has a
> > snippet from a succesfull ser.cfg for me that I can study. The comment  
> > from
> > Adrian to replace fixed_nated_contact with fixed_contact I understand  
> > but
> > not in relation with the setflag mentioned in the same snippet. IMHO  
> > setflag
> > is a nathelper modparam. There must be something else that I overlook.
> >
> 
> Your location table might contain private IP addresses, did you check?  
> Make sure you save the rewritten contacts during REGISTER:
> 
>      if (client_nat_test("3")) {
>          if (method == "REGISTER" || ! search("^Record-Route:")) {
>              force_rport();
>              fix_contact();
>          };
>      };
> 
> 
> > Another issue that I like confirmed is that the readme states that the  
> > Nated
> > EP should have outbound proxy server configured for a symmetric EP not  
> > an
> > a-symmetric EP. . Is this true?
> >
> > To make a long story short...How can call TO a NATed EP with  
> > mediaproxy so
> > it knows the correct destination address and is it neccesary to  
> > configure
> > outbound proxy for a symmetric NAted EP's.
> 
> Just set the outbound proxy to be the same as the SIP Proxy.
> 
> >
> > My gateway provider tells me to drop all this and use a STUN server in
> > stead. :-(
> >
> 
> STUN will not cross your NAT for both signaling and media, it will just  
> give the UA the information of how it looks from the outside world. Try  
> it anyway as you will gain more experience, chose what's best for your  
> network setup.
> 
> 
> > Any comments will be appriciated,
> >
> 
> To wrap it up, it could be a problem with the NAT boxes depending their  
> firewall policies. Try nathelper/rtpproxy combination for a change. If  
> that works there is a problem with mediaproxy if it doesn't there is a  
> problem with your config or your network configuration.
> 
> Try narrow it to something simple that works and then grow your  
> configuration at the same pace with the experience you are building   
> using SER.
> 
> Adrian
> 
> > Tjapko.
> >
> >
> >
> > -----Original Message-----
> > From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org]On
> > Behalf Of Klaus Darilion
> > Sent: Martes, 01 de Junio de 2004 07:10 p.m.
> > To: Adrian Georgescu
> > Cc: serusers at lists.iptel.org
> > Subject: Re: [Serusers] SER and NAT
> >
> >
> > oops, sorry. I'ver never used the mediaproxy module.
> >
> > klaus
> >
> > Adrian Georgescu wrote:
> >> Function fix_contact() is available within mediaproxy.so with same
> >> meaning as its nathelper.so counterpart.
> >>
> >> Adrian
> >>
> >>>
> >>> You have to rewrite the REGISTER message before saving the
> >> locations!
> >>
> >> if (nat_uac_test("2")) {
> >> force_rport();
> >> fix_nated_contact(); # from nathelper module
> >> append_hf("P-Behind-NAT: Yes\r\n");
> >> setflag(5); #natflag
> >> .....
> >> .....
> >> save(location); # user with natflag set will be
> >> # pinged to keep NAT binding alive
> >>
> >>
> >> regards,
> >> klaus
> >> Tjapko ITS Consult at ncy wrote:
> >>> / Hello List,
> >> />/
> >> />/ In my fierce battle to overcome the NAT problem I have now running
> >> SER and
> >> />/ Mediaproxy without any problem. Whenever any Nated EP like to call
> >> to PSTN
> >> />/ or a non nated EP the call goes ok. Whenever I try to call from a
> >> non nated
> >> />/ EP to a NATed EP the call does not go through.
> >> />/
> >> />/ It seems like that the destination address is not known by
> >> mediaproxy so it
> >> />/ can't forward the call to the correct EP.
> >> />/
> >> />/ My question is whether this problem might be caused by my ser.cfg  
> >> or
> >> that
> >> />/ this is typical SIP behaviour.
> >> />/
> >> />/ In other words is it possible to call to any EP that is behind
> >> Symmetric
> >> />/ NAT.
> >>
> >> /
> >>
> >>
> >> ---------------------------------------------------------------------- 
> >> --
> >>
> >> _______________________________________________
> >> Serusers mailing list
> >> serusers at lists.iptel.org
> >> http://lists.iptel.org/mailman/listinfo/serusers
> >
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.693 / Virus Database: 454 - Release Date: 31/05/2004
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.698 / Virus Database: 455 - Release Date: 02/06/2004
> >
> 




More information about the sr-users mailing list