[Serusers] IP phones - NAT - Internet - NAT - SER/MediaProxy - IP phones

Bastian Schern ml01 at in-bln.de
Sun Oct 17 01:18:36 CEST 2004


Hello list members,

I have been working with SER for a while, and as long as all IP phones are
on the same network everything works fine. But now I am trying to get the
following configuration working:

+--------------+   +--------------+
| IP-Tel   #96 |   | IP-Tel   #97 |
| 192.168.0.96 |   | 192.168.0.97 |
+-------#------+   +------#-------+
         |                 |
         +-----+     +-----+
               |     |
         +--#--#--#--#--#--+
         |   192.168.0.1   |
         +-----------------+
         |    Hardware:    |
         |   NAT/Firewall  |
         +-----------------+
         |   213.191.x.x   |
         +--------#--------+
                  |
               Internet
                  |
         +--------#--------+
         |   212.202.x.x   |
         +-----------------+
         |      Linux:     |
         |   NAT/Firewall  |
         |  SER/MediaProxy |
         +-----------------+
         |   192.168.1.1   |
         +--------#--------+
                  |
         +--------#--------+
         |     Switch      |
         +--#--#--#--#--#--+
               |     |
         +-----+     +-----+
         |                 |
+-------#------+   +------#-------+
| IP-Tel   #16 |   | IP-Tel   #17 |
| 192.168.1.16 |   | 192.168.1.17 |
+--------------+   +--------------+


I have chosen the SER MediaProxy to solve the NAT problem with this config:

--- snip ---
# Core settings for a troubleshooting run: high log verbosity, output on
# stderr. At this level the log may contain complete SIP messages (including
# Authorization headers), so keep it off shared systems and lower the level
# once the setup works.
debug=8
fork=yes
log_stderror=yes
# Via host checking on replies is off, and neither DNS nor reverse DNS is
# used when deciding whether a "received" parameter is needed on a Via.
check_via=no
dns=no
rev_dns=no
port=5060
children=4
# Management FIFO. NOTE(review): it lives in world-writable /tmp; any local
# account that can write to it can presumably issue management commands, so
# check the file's owner and mode or move it to a restricted directory.
fifo="/tmp/ser_fifo"

# Extra host name this server answers to; it feeds the uri==myself test in
# the REGISTER branch and is also used as the digest realm below.
alias="universe"

loadmodule "/lib/ser/modules/mysql.so"
loadmodule "/lib/ser/modules/sl.so"
loadmodule "/lib/ser/modules/tm.so"
loadmodule "/lib/ser/modules/rr.so"
loadmodule "/lib/ser/modules/maxfwd.so"
loadmodule "/lib/ser/modules/usrloc.so"
loadmodule "/lib/ser/modules/domain.so"
loadmodule "/lib/ser/modules/uri.so"
loadmodule "/lib/ser/modules/registrar.so"
loadmodule "/lib/ser/modules/textops.so"
loadmodule "/lib/ser/modules/mediaproxy.so"
loadmodule "/lib/ser/modules/auth.so"
loadmodule "/lib/ser/modules/auth_db.so"

# Module parameters.
# NOTE(review): db_mode is set twice with different values (0, then 2).
# Presumably the later line wins -- confirm, and keep only the intended one.
modparam("usrloc", "db_mode",   0)
modparam("usrloc", "db_mode", 2)
# calculate_ha1=yes has auth_db derive HA1 from the value in password_column,
# which means the subscriber table holds clear-text passwords. Restrict
# access to that table and to database backups accordingly.
# NOTE(review): no db_url is set for any module in this file, so each module
# presumably falls back to its built-in default URL and credentials -- verify.
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("rr", "enable_full_lr", 1)
# Keepalive interval (seconds) towards clients behind NAT.
modparam("mediaproxy", "natping_interval", 60)
# Flag number the registrar treats as "contact is behind NAT"; it is the same
# flag that setflag(2) raises in the REGISTER branch of the main route.
modparam("registrar", "nat_flag", 2)

# Main request route: sanity checks, REGISTER handling with digest
# authentication, an anti-relay check for INVITE, NAT fix-ups, media proxy
# engagement and stateful relaying.
route {

     # initial sanity checks -- messages with
     # max_forwards==0, or excessively long requests
     if (!mf_process_maxfwd_header("10")) {
         sl_send_reply("483","Too Many Hops");
         break;
     };
     if (msg:len >=  max_len ) {
         sl_send_reply("513", "Message too big");
         break;
     };

     # REGISTER is the only method that is authenticated in this route.
     if (method=="REGISTER") {
         if (uri==myself) {
             # Mark as NAT'ed
             # NOTE(review): "3" is presumably tests 1 and 2 combined (private
             # address in Contact, source address differs from Via) -- confirm
             # against the mediaproxy module documentation.
             if (client_nat_test("3")) {
                 setflag(2);
                 force_rport();
                 fix_contact();
             };

             # Digest challenge against the "subscriber" table, realm
             # "universe". check_to() then rejects a registration whose To
             # user differs from the authenticated user, so one account
             # cannot register a binding for another.
             if (!www_authorize("universe", "subscriber")) {
                 www_challenge("universe", "0");
                 break;
             } else if (!check_to()) {
                 sl_send_reply("403", "Username!=To not allowed");
                 break;
             };

             if (!save("location")) {
                 sl_reply_error();
             };
         } else {
             sl_send_reply("403", "This domain is not served here");
         };

         break;
     };

     if (method=="INVITE") {
         # Anti-relay guard: refuse calls where neither the From host nor the
         # Request-URI host is a domain this proxy serves. This is the only
         # place that sends "Relaying is forbidden".
         # NOTE(review): is_from_local()/is_uri_host_local() come from the
         # domain module and presumably consult its domain table in the
         # database, not the alias= list. If the host parts the phones use
         # (e.g. "universe" or the server's IP) are not in that table, both
         # tests fail and every INVITE gets this 403 -- verify the table
         # contents rather than removing the check, which would leave an
         # open relay.
         # NOTE(review): From is caller-supplied and INVITEs are not
         # authenticated here, so this guard alone does not prove the caller
         # is a subscriber. The check also runs before loose_route(), so
         # in-dialog re-INVITEs pass through it too.
         if (!(is_from_local() || is_uri_host_local())) {
             sl_send_reply("403", "Relaying is forbidden");
             break;
         };
         # Arm failure_route[1] so the media session is torn down if the
         # INVITE transaction fails.
         t_on_failure("1");
     } else if (method == "BYE" || method == "CANCEL") {
         end_media_session();
     };

     # In-dialog requests carrying a Route set are relayed here and never
     # reach the lookup logic below.
     if (loose_route()) {
         if (method=="INVITE" || method=="ACK") {
             use_media_proxy();
         };
         # end media session for BYE and CANCEL is done above
         # before entering the loose route. no need to call it here
         t_relay();
         break;
     };

     # Force subsequent messages to pass through this proxy
     if (method == "INVITE") {
         record_route();
     };

     # NAT fix-up for requests that carry no Record-Route header yet.
     if (client_nat_test("3") && !search("^Record-Route:")) {
         # Mark as NAT'ed
         force_rport();
         fix_contact();
     };

     # Arm onreply_route[1] so replies to this INVITE get the NAT and
     # media proxy treatment.
     if (method=="INVITE") {
         t_on_reply("1");
     };

     # Requests addressed to a served domain are resolved against the
     # registered contacts; unknown users get 404.
     if (is_uri_host_local()) {
         if (!lookup("location")) {
             sl_send_reply("404", "User not found");
             break;
         };
     };

     if (method=="INVITE" || method=="ACK") {
         use_media_proxy();
     };

     # Relay statefully; if that fails, release the media session that was
     # just requested and report the error to the sender.
     if (!t_relay()) {
         if (method=="INVITE" || method=="ACK") {
             end_media_session();
         };
         sl_reply_error();
     };
}

# Runs when an INVITE transaction armed with t_on_failure("1") in the main
# route fails: release the media proxy session so it is not left allocated.
failure_route[1] {
     end_media_session();
}

# Runs on replies to INVITEs armed with t_on_reply("1") in the main route.
# Only 183 and 2xx replies are touched here.
onreply_route[1] {
     if (status=~"(183)|(2[0-9][0-9])") {
         # NOTE(review): test "1" presumably means "private address in
         # Contact"; if so, the Contact is rewritten before the reply goes
         # back -- confirm against the mediaproxy module documentation.
         if (client_nat_test("1")) {
             fix_contact();
         };
         use_media_proxy();
     };
}
--- snap ---

But if I try to make a call, e.g. from #97 to #16 or to any other
destination, I get this message on the phones:
"Relaying is forbidden"
The same happens if I call from #17 to #16 or in the other direction.

What is wrong?
Is there a big mistake in my config?

Thanks for your support
	Bastian



