[Serusers] Ser+RTPproxy+Asterisk
Alex Bligh
alex at alex.org.uk
Tue Jun 8 13:45:21 CEST 2004
Actually Klaus is right in his later message.
Alex
--On 08 June 2004 12:29 +0100 Alex Bligh <alex at alex.org.uk> wrote:
> A brief inspection suggests the config file is designed for a situation
> where ser is outside the firewall (on "real IPs") and the UA is
> inside the firewall.
>
> It is getting confused at the start of route[1] because it sees the
> next hop as inside the firewall (using a hueristic test based on IPs).
> This is because it seems that ser itself is on RFC1918 space in you
> configuration (from the alias line in your config), and the config
> seems to be designed for a situation where asterisk and ser are
> not in RFC1918 space.
>
> If ser is the same side of the firewall as asterisk and the UA, you should
> not need rtpproxy.
>
> If ser and the UA are one side, and asterisk is the other, you are
> probably better using the NAT tranversal stuff in asterisk.
>
> If what you are trying to do is:
>
> NAT1 NAT2
> UA ----|-----SER-----|----Asterisk
>
> or
> NAT1 NAT2
> UA-----|----SER, Asterisk ----|---- Internet
>
> then the block at the top of route[1] is being triggered falsely,
> and you are probably safe deleting it.
>
> You will need to supply a network diagram for more help.
>
> Alex
>
> --On 08 June 2004 02:49 +0200 Sanjay Duggal <Sanjayd at Pressis.com> wrote:
>
>>
>> Hi All
>>
>> I`m new to this and like to learn how to set up the configure following
>> Ser+RTPproxy+Asterisk
>>
>> Just to clarify the net settings
>>
>> My ser is on a public ip net and has a local address to.
>> I will like to make a phone call from a sip phone which is
>> behind NAT to a PSTN.
>>
>> When I try to call out I get
>>
>> "479", "We don't forward to private IP addresses"
>>
>>
>> I don’t`know what i`m doing wrong
>>
>>
>>
>>
>> Sending a copy of my ser.cfg
>>
>>
>> alias=" mydomian.com "
>> Alias="192.168.10.100" #ser
>> Alias="192.168.10.120" #Asterisk
>>
>> check_via=no # (cmd. line: -v)
>> dns=no # (cmd. line: -r)
>> rev_dns=no # (cmd. line: -R)
>> port=5060
>> children=4
>> fifo="/tmp/ser_fifo"
>> fifo_mode=0777
>>
>># ------------------ module loading ----------------------------------
>>
>># Uncomment this if you want to use SQL database
>> loadmodule "/usr/local/lib/ser/modules/mysql.so"
>>
>> loadmodule "/usr/local/lib/ser/modules/sl.so"
>> loadmodule "/usr/local/lib/ser/modules/tm.so"
>> loadmodule "/usr/local/lib/ser/modules/rr.so"
>> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>> loadmodule "/usr/local/lib/ser/modules/registrar.so"
>> loadmodule "/usr/local/lib/ser/modules/textops.so"
>>
>># Uncomment this if you want digest authentication
>># mysql.so must be loaded !
>> loadmodule "/usr/local/lib/ser/modules/auth.so"
>> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
>>
>># !! Nathelper
>> loadmodule "/usr/local/lib/ser/modules/nathelper.so"
>>
>># ----------------- setting module-specific parameters ---------------
>>
>># -- usrloc params --
>>
>> modparam("usrloc", "db_mode", 0)
>>
>># Uncomment this if you want to use SQL database
>># for persistent storage and comment the previous line
>> modparam("usrloc", "db_mode", 2)
>>
>># -- auth params --
>># Uncomment if you are using auth module
>>#
>> modparam("auth_db", "calculate_ha1", yes)
>>#
>># If you set "calculate_ha1" parameter to yes (which true in this config),
>># uncomment also the following parameter)
>>#
>> modparam("auth_db", "password_column", "password")
>>
>># -- rr params --
>># add value to ;lr param to make some broken UAs happy
>> modparam("rr", "enable_full_lr", 1)
>>
>>
>># -- rr params --
>># add value to ;lr param to make some broken UAs happy
>> modparam("rr", "enable_full_lr", 1)
>>
>># !! Nathelper
>> modparam("registrar", "nat_flag", 6)
>> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
>> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind
>> NAT
>>
>># ------------------------- request routing logic -------------------
>>
>># main routing logic
>>
>> route{
>>
>> # initial sanity checks -- messages with
>> # max_forwards==0, or excessively long requests
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483","Too Many Hops");
>> break;
>> };
>> if (msg:len >= max_len ) {
>> sl_send_reply("513", "Message too big");
>> break;
>> };
>>
>> # !! Nathelper
>> # Special handling for NATed clients; first, NAT test is
>> # executed: it looks for via!=received and RFC1918 addresses
>> # in Contact (may fail if line-folding is used); also,
>> # the received test should, if completed, should check all
>> # vias for rpesence of received
>> if (nat_uac_test("3")) {
>> # Allow RR-ed requests, as these may indicate that
>> # a NAT-enabled proxy takes care of it; unless it is
>> # a REGISTER
>>
>> if (method == "REGISTER" || ! search("^Record-Route:")) {
>> log("LOG: Someone trying to register from private IP,
>> rewriting\n");
>>
>> # This will work only for user agents that support
>> symmetric
>> # communication. We tested quite many of them and
>> majority is
>> # smart enough to be symmetric. In some phones it
>> takes a configuration
>> # option. With Cisco 7960, it is called
>> NAT_Enable=Yes, with kphone it is
>> # called "symmetric media" and "symmetric
>> # signalling".
>>
>> fix_nated_contact(); # Rewrite contact with source IP
>> of signalling
>> if (method == "INVITE") {
>> fix_nated_sdp("1"); # Add direction=active to SDP
>> };
>> force_rport(); # Add rport parameter to topmost Via
>> setflag(6); # Mark as NATed
>> };
>> };
>>
>> # we record-route all messages -- to make sure that
>> # subsequent messages will go through our proxy; that's
>> # particularly good if upstream and downstream entities
>> if
>> (!method=="REGISTER") record_route();
>>
>> # subsequent messages withing a dialog should take the
>> # path determined by record-routing
>> if (loose_route()) {
>> # mark routing logic in request
>> append_hf("P-hint: rr-enforced\r\n");
>> route(1);
>> break;
>> };
>>
>> if (uri=~"sip:0[0-9]*@mydomian.com"){
>> rewritehostport("192.168.120.:5060");
>> t_relay();
>> # break;
>>
>> # forward(192.168.10.120,5060);
>> # Where local asterisk is listening
>> # break;
>> }
>>
>># if (!uri==myself) {
>> # mark routing logic in request
>># append_hf("P-hint: outbound\r\n");
>># route(1);
>># break;
>># };
>>
>> # if the request is for other domain use UsrLoc
>> # (in case, it does not work, use the following command
>> # with proper names and addresses in it)
>> if (uri==myself) {
>>
>> if (method=="REGISTER") {
>>
>># Uncomment this if you want to use digest authentication
>># if (!www_authorize("iptel.org", "subscriber")) {
>># www_challenge("iptel.org", "0");
>># break;
>># };
>> save("location");
>> break;
>> };
>> lookup("aliases");
>> if (!uri==myself) {
>> append_hf("P-hint: outbound alias\r\n");
>> route(1);
>> break;
>> # native SIP destinations are handled using our USRLOC DB
>> if (!lookup("location")) {
>> sl_send_reply("404", "Not Found");
>> break;
>> };
>> };
>> append_hf("P-hint: usrloc applied\r\n");
>> route(1);
>> }
>> route[1]
>> {
>> # !! Nathelper
>> if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>> !search("Route:")){
>> sl_send_reply("479", "We don't forward to private IP
>> addresses");
>> break;
>> };
>>
>> # if client or server know to be behind a NAT, enable relay
>> record_route();
>> if (isflagset(6)) {
>> fix_nated_sdp("1");
>> force_rtp_proxy();
>> t_on_reply("1");
>> }
>> # if (isflagset(6)) {
>> # force_rtp_proxy();
>> # };
>>
>> # NAT processing of replies; apply to all transactions (for
>> example, # re-INVITEs from public to private UA are hard to
>> identify as # NATed at the moment of request processing); look at
>> replies t_on_reply("1");
>>
>> # send it out now; use stateful forwarding as it works reliably
>> # even for UDP2TCP
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>> }
>>
>># !! Nathelper
>> onreply_route[1] {
>> # NATed transaction ?
>> if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>> fix_nated_contact();
>> fix_nated_sdp("1");
>> force_rtp_proxy();
>> # otherwise, is it a transaction behind a NAT and we did not
>> # know at time of request processing ? (RFC1918 contacts)
>>
>> } else if (nat_uac_test("1")) {
>> fix_nated_contact();
>> };
>> }
>>
>>
>>
>> regards
>>
>> Sanjay
>>
>>
>> ---
>> Outgoing mail is certified Virus Free.
>> Checked by AVG anti-virus system (http://www.grisoft.com).
>> Version: 6.0.700 / Virus Database: 457 - Release Date: 06.06.2004
>>
>>
>> _______________________________________________
>> Serusers mailing list
>> serusers at lists.iptel.org
>> http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
>
>
>
> Alex
>
>
More information about the sr-users
mailing list