[Users] Disabling rtpproxy or mediaproxy when both SIP UA are behind same NAT
Rafael Risco GV
rafael.risco at gmail.com
Thu Dec 29 15:45:38 CET 2005
Hi
I think I am very close to solve this issue, based on suggestions of Tavis
and Klaus for openser in:
http://openser.org/dokuwiki/doku.php?id=how_to_set_up_nathelper_rtpproxy_when_both_sip_ua_s_are_behind_same_nat
I´ve been able to disable rtpproxy in this cases but I have a problem with
accounting, if the callee hungup first appears an error and no cdr for BYE
is generated until caller hungup the call, bellow the errors and config.
thanks for any help
rafael
4(22193) BYE - STOP ACCOUNTING
4(22193) DEBUG: add_param: tag=3658302912
4(22193) grep_sock_info - checking if host==us: 13==13 && [192.168.1.205]
== [10.0.2.130]
4(22193) grep_sock_info - checking if port 5060 matches port 5060
4(22193) grep_sock_info - checking if host==us: 13==9 && [192.168.1.205]
== [127.0.0.1]
4(22193) grep_sock_info - checking if port 5060 matches port 5060
4(22193) check_self: host != me
4(22193) grep_sock_info - checking if host==us: 13==13 && [10.0.2.130] ==
[10.0.2.130]
4(22193) grep_sock_info - checking if port 5060 matches port 5060
4(22193) check_via_address(10.0.1.25, 192.168.1.100, 0)
4(22193) ERROR: udp_send: sendto(sock,0x4051e800,588,0,0x4051f2ac,16):
Operation not permitted(1)
4(22193) msg_send: ERROR: udp_send failed
4(22193) ERROR:tm:t_forward_nonack: sending request failed
4(22193) DEBUG: add_to_tail_of_timer[4]: 0x4051f2cc
4(22193) DEBUG: add_to_tail_of_timer[0]: 0x4051f2dc
4(22193) ERROR:tm:t_relay_to: t_forward_nonack returned error
4(22193) parse_headers: flags=ffffffffffffffff
4(22193) check_via_address(10.0.1.25, 192.168.1.100, 0)
4(22193) WARNING:vqm_resize: resize(0) called
.
.
.
# ----------- global configuration parameters ------------------------
#/* Uncomment these lines to enter debugging mode
debug=6
fork=yes
log_stderror=yes
#*/
listen=10.0.2.130
listen=127.0.0.1
port=5060
# hostname matching an alias will satisfy the condition uri==myself".
alias=mydomain.com.pe
alias=10.0.2.130
alias=127.0.0.1
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
children=4
fifo="/tmp/openser_fifo"
fifo_mode=0666 # Fifo permissions can be changes from here.
# sip_warning - Should replies include extensive warnings?
# By default yes, it is good for trouble-shooting.
sip_warning=yes
# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/openser/modules/domain.so"
loadmodule "/usr/local/lib/openser/modules/avpops.so"
loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/group.so"
loadmodule "/usr/local/lib/openser/modules/uri.so"
loadmodule "/usr/local/lib/openser/modules/uri_db.so"
loadmodule "/usr/local/lib/openser/modules/acc.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
loadmodule "/usr/local/lib/openser/modules/xlog.so"
# digest authentication
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
# !! Nathelper
loadmodule "/usr/local/lib/openser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
modparam("usrloc", "db_mode", 2)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 10)
# database location
modparam("usrloc", "db_url", "mysql://admin:heslo@localhost/openser")
modparam("usrloc", "use_domain", 1)
modparam("auth_db", "use_domain", 1)
modparam("domain", "db_mode", 1)
modparam("domain", "domain_table", "domain")
modparam("domain", "domain_col", "domain")
# ------------- Mysql Accounting parameters
modparam("acc", "log_flag", 1)
modparam("acc", "log_level", 2)
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 3)
modparam("acc", "log_missed_flag", 3)
modparam("acc", "db_url", "mysql://admin:heslo@localhost/openser")
modparam("acc", "report_ack", 0)
modparam("acc", "log_fmt", "miocfsputdr")
modparam("tm", "fr_timer", 20 )
modparam("tm", "fr_inv_timer", 40 ) # Timer which hits if no final reply for
an INVITE
modparam("tm", "wt_timer", 20 )
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
modparam("group", "db_url", "mysql://seradmin:heslo@localhost/openser")
modparam("uri_db", "db_url", "mysql://seradmin:heslo@localhost/openser")
# ------------- registration parameters
modparam("registrar", "nat_flag", 6)
modparam("registrar", "min_expires", 60)
modparam("registrar", "max_expires", 86400)
modparam("registrar", "default_expires", 3600)
modparam("registrar", "desc_time_order", 1)
modparam("registrar", "append_branches", 1)
modparam("registrar", "use_domain", 1)
# !! Nathelper
# modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
# -------------------------- request routing logic
--------------------------
route {
log(1, "-------------------------------------------\n");
log(1, "entering main loop\n");
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
return;
};
if ( msg:len >= max_len ) {
sl_send_reply("513", "Message too big");
return;
};
# set flag for Radius Accounting:
if (!method=="OPTIONS") setflag(3);
if (method=="INVITE") {
log(1, "INVITE MESSAGE RECEIVED - START ACC\n");
setflag(1); /* set for accounting (the same value as in
log_flag!) */
};
if (method=="BYE") {
log (1, "BYE - STOP ACCOUNTING\n");
setflag(1);
};
if (method=="CANCEL") {
log (1, "CANCEL - STOP ACCOUNTING\n");
setflag(1);
};
# -----------------------------------------------------------------
# Record Route Section
# -----------------------------------------------------------------
# record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER") record_route();
if (method=="BYE" || method=="CANCEL") {
unforce_rtp_proxy();
};
# -----------------------------------------------------------------
# Loose Route Section
# -----------------------------------------------------------------
if (loose_route() && (!src_ip==10.0.2.130 && !src_port==5070)) {
if (has_totag() && (method=="INVITE" || method=="ACK")) {
if (nat_uac_test("19")) {
setflag(7);
force_rport();
fix_nated_contact();
};
force_rtp_proxy("l");
};
route(2);
return;
};
# -----------------------------------------------------------------
# Call Type Processing Section
# -----------------------------------------------------------------
if (!uri==myself && (!src_ip==10.0.2.130 && !src_port==5070)) {
route(1);
return;
};
if (method=="CANCEL") {
route(2);
return;
};
if (method == "REGISTER") {
if (!search("^Contact:[ ]*\*") &&
nat_uac_test("19")) {
setflag(6);
fix_nated_register();
force_rport();
};
sl_send_reply("100", "Trying");
log(1, "ANALYZING REGISTER REQUEST\n");
# ... to use digest authentication
if (is_user_in("Request-URI", "desactivado")) {
sl_send_reply("402", "Su cuenta fue
desactivada por falta de pago");
return;
};
if (!www_authorize("", "subscriber")) {
log(1," ----- Fails to Register \n");
www_challenge("", "0");
return;
};
# only signed users are allowed
if (!check_to()) {
log(1, "LOG: Hijack!!!--> unsigned user
registration attempt\n");
sl_send_reply("403", "hijack attempt!!!!
Only signed users are allowed");
return;
};
consume_credentials();
log(1," Registered!!! \n");
if (!save("location")) {
sl_reply_error();
};
return;
};
# INVITE ? First check the source of the call
#********************************************
# If the call comes from the gateways, no authentication is
required.
if (method == "INVITE" && (src_ip==10.0.2.145 ||
src_ip==10.0.2.132|| src_ip==
10.0.2.131)) {
log(1,"Call from pstn|*, no authentication is required.
\n");
# If the call comes from B2BUA, no authentication is required.
# The first leg of the call has already been authenticated.
} else if (src_ip==10.0.2.130 && src_port==5070) {
log(1,"Call from B2BUA, no authentication is required.
\n");
} else {
log(1, "ANALYZING INVITE REQUESTs\n");
if (method == "INVITE" && !src_ip==10.0.2.130 &&
!src_port==5070){
if (!proxy_authorize("", "subscriber")) {
proxy_challenge("", "0");
return;
} else {
if (!check_from()) {
sl_send_reply("403", "Only
registered users are allowed");
log(1," ----> Only registered users
are allowed \n");
return;
};
consume_credentials();
if (nat_uac_test("19")) {
setflag(7);
};
};
# Not all the users are PREPAID, so we check the database
# to see if the call will be routed through B2BUA.
# If every call is to be routed through B2BUA the
"is_user_in"
# conditional is not required.
# Do not use b2bua for local calls (660++++)
if (is_user_in("From", "prepaidb") &&
uri=~"^sip:00") {
log(1," ----> Usuario PREPAGO!!! enviando a
b2bua... \n");
rewritehostport("10.0.2.130:5070");
t_relay_to_udp("10.0.2.130", "5070");
return;
};
};
}; # End of if (method == "INVITE" |...
/* *********** Dial out to Local and PSTN logic *********
*/
if(uri=~"^sip:00"){
log(1,"00N match - Larga Distancia Internacional \n");
if (!is_user_in("from", "ldix")) {
log(1,"No permission for international calls \n");
sl_send_reply("403", "No permission for
international calls");
acc_db_request("403 Forbidden", "missed_calls");
return;
};
rewritehostport("10.0.2.131:5070");
strip(2);
route(1);
return;
};
/*
******************************************************************** */
lookup("aliases");
if (uri!=myself) {
route(1);
return;
};
# does the user wish redirection on no availability? (i.e.,
is he
# in the voicemail group?) -- determine it now and store it
in
# flag 4, before we rewrite the flag using UsrLoc
if (is_user_in("Request-URI", "voicemail")) {
log(1, "requested user is in voicemail group \n");
setflag(4);
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
log(1,"unable to locate user X ... sending to
route(4)! \n");
# handle user which was not found
route(4);
return;
};
### Check if UAS are behind the same NAT system: ###
if (isflagset(6) && isflagset(7)){
log(2, "Both Clients are behind NAT");
# Store the destination domain into an AVP
avp_printf("i:450", "$dd");
if (avp_check("i:450", "eq/$src_ip/g")){
log(3, "Detected Two Clients Behind the Same NAT -
Disabling Mediaproxy");
# Do not use media-proxy as the clients seem to be
behind the same NAT
resetflag(6);
resetflag(7);
route(2);
return;
};
};
route(1);
# if user is on-line and is in Voicemail group, enable redirection
if (method == "INVITE" && isflagset(4)) {
log(1, "invite for voicemail user->initiate
failureroute[1]\n");
t_on_failure("1");
};
}
### ##### ####### ########## ########### ############### #################
#####################
route[1]
{
# if client or server know to be behind a NAT, enable relay
if (isflagset(6) || isflagset(7)) {
force_rport();
fix_nated_contact();
force_rtp_proxy();
};
# NAT processing of replies; apply to all transactions (for example,
# re-INVITEs from public to private UA are hard to identify as
# NATed at the moment of request processing); look at replies
t_on_reply("1");
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (!t_relay()) {
if (method=="INVITE" && (isflagset(6) || isflagset(7))) {
unforce_rtp_proxy();
};
sl_reply_error();
};
log(1, "Route[1]: Send it out now!!!\n");
}
# !! Nathelper
onreply_route[1] {
# NATed transaction ?
# Not all 2xx messages have a content body so here we
# make sure our Content-Length > 0 to avoid a parse error
if ((isflagset(6) || isflagset(7)) && status =~ "(183)|2[0-9][0-9]") {
fix_nated_contact();
if (!search("^Content-Length:\ 0")) {
force_rtp_proxy();
log(1, "onreply_route1: force rtp proxy!!!\n");
};
# otherwise, is it a transaction behind a NAT and we did not
# know at time of request processing ? (RFC1918 contacts)
} else if (nat_uac_test("1")) {
fix_nated_contact();
};
}
# -------------- Default Message Handler ---------------------
route[2]{
# ----------------------------------------------------
# Default Message Handler
# ----------------------------------------------------
t_on_reply("1");
if (!t_relay()) {
if (method=="INVITE" && isflagset(7)) {
unforce_rtp_proxy();
};
sl_reply_error();
};
}
# --------------- Handling of Unavailable user ----------------
route[4] {
# non-Voip -- just send "off-line"
if (!(method=="INVITE" || method=="ACK" || method=="CANCEL" ||
method=="BYE" || method=="OPTIONS")) {
sl_send_reply("404", "Not Found");
acc_db_request("404 Not Found", "missed_calls");
log(1, "acc 404 Not Found 1 \n");
return;
};
# not voicemail subscriber
if (!isflagset(4) && !method=="OPTIONS" && !method=="ACK" &&
!method=="BYE") {
sl_send_reply("404", "Not Found and no voicemail turned on
!! ");
acc_db_request("404 Not Found", "missed_calls");
log(1, " acc 404 Not Found and no voicemail \n");
return;
};
# forward to voicemail adding prefix to simplify asterisk "
extension.conf" ::
# exten => _vmXXXXXXX,1,SetLanguage(es)
# exten => _vmXXXXXXX,2,Voicemail(u${EXTEN:2})
# exten => _vmXXXXXXX,3,Hangup
prefix("vm");
acc_db_request("404 Not Found -> Vm", "missed_calls");
rewritehostport("10.0.2.131:5070");
t_relay_to_udp("10.0.2.131", "5070");
}
# If forwarding downstream did not succeed, try voicemail running at
Asterisk
failure_route[1]{
if (t_check_status("408")){
# revert_uri (); back to the original URI, makes me loose
all lookup/rewrite stuff
prefix("vm");
rewritehostport ("10.0.2.131:5070");
acc_db_request("408 Timeout -> Vm", "missed_calls");
append_branch();
t_relay();
return;
} else if (t_check_status("486")){
# revert_uri (); back to the original URI, makes me loose
all lookup/rewrite stuff
prefix("vm");
rewritehostport ("10.0.2.131:5070");
acc_db_request("486 Busy -> Vm", "missed_calls");
append_branch();
t_relay();
return;
}
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20051229/6b6d4805/attachment.htm>
More information about the sr-users
mailing list