[Serusers] NATHELPER/rtpproxy does not work
Walter Willis
walterwn at gmail.com
Thu Feb 24 01:49:38 CET 2005
wath version the SER do you use?
On Wed, 23 Feb 2005 15:15:27 -0500, Freddy - VoiceFinder SA
<freddy2006 at gmail.com> wrote:
> Hello
> My SER implementation includes Asterisk voicemail for unavailable
> users, Radius Accounting, Digest Authentication and PSTN gateway
> forwarding, everything works very well but now I am trying
> NatHelper/rtpproxy for nated endpoints, nated clients are registering
> with public IP but I cannot hear incoming audio in nated X-lite
> clients even if I use Port Forwarding or enable DMZ in NAT device
> (LinkSys), I am very confused because I can hear audio from
> Asterisk... maybe I have some problem in ser, please take a look to my
> configuration file and send me some advice, thanks
>
> rafael
>
> PS: myser.cfg based on
> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/etc/nathelper.cfg?rev=1.1.2.1&content-type=text/vnd.viewcvs-markup
>
> /usr/local/etc/ser/Ser_VM_RadAcc_NatHelp-Test1.cfg
>
> # Version: We are using: Sip EXpress router (0.8.99-dev1 (i386/linux))
> (Agosto 2004)
> # This default script includes nathelper support. To make it work
> # you will also have to install Maxim's RTP proxy. The proxy is enforced
> # if one of the parties is behind a NAT.
> #
> # If you have an endpoing in the public internet which is known to
> # support symmetric RTP (Cisco PSTN gateway or voicemail, for example),
> # then you don't have to force RTP proxy. If you don't want to enforce
> # RTP proxy for some destinations than simply use t_relay() instead of
> # route(1)
> #
> # Sections marked with !! Nathelper contain modifications for nathelper
>
> # ----------- global configuration parameters ------------------------
>
> #/* Uncomment these lines to enter debugging mode
> debug=9
> fork=yes
> log_stderror=yes
> #*/
>
> listen=100.110.*.*
> listen=127.0.0.1
> port=5060
>
> # hostname matching an alias will satisfy the condition uri==myself".
> alias=my.domain.com.pe
> alias=100.110.*.*
>
> check_via=no # (cmd. line: -v)
> dns=no # (cmd. line: -r)
> rev_dns=no # (cmd. line: -R)
> children=4
> fifo="/tmp/ser_fifo"
>
> # sip_warning - Should replies include extensive warnings?
> # By default yes, it is good for trouble-shooting.
> sip_warning=yes
>
> # ------------------ module loading ----------------------------------
> loadmodule "/usr/local/lib/ser/modules/mysql.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/tm.so"
> loadmodule "/usr/local/lib/ser/modules/rr.so"
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
> loadmodule "/usr/local/lib/ser/modules/group.so"
> loadmodule "/usr/local/lib/ser/modules/uri.so"
> loadmodule "/usr/local/lib/ser/modules/uri_db.so"
> loadmodule "/usr/local/lib/ser/modules/acc.so"
> loadmodule "/usr/local/lib/ser/modules/textops.so"
>
> # digest authentication
> loadmodule "/usr/local/lib/ser/modules/auth.so"
> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
>
> # !! Nathelper
> loadmodule "/usr/local/lib/ser/modules/nathelper.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> modparam("usrloc", "db_mode", 2)
>
> # storing passwords in our database in plain text:
> # modparam("auth_db", "calculate_ha1", yes)
> # modparam("auth_db", "password_column", "password")
>
> # For Rad Accounting
> modparam("acc", "radius_config","/usr/local/etc/radiusclient/radiusclient.conf")
> modparam("acc", "service_type", 15)
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 3)
> modparam("acc", "report_ack", 0) # 1 reporta dos starts en acc
>
> modparam("tm", "fr_timer", 20 )
> modparam("tm", "fr_inv_timer", 30 )
> modparam("tm", "wt_timer", 20 )
>
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> modparam("group", "db_url", "mysql://ser:heslo@localhost/ser") #
> "mysql" in cvs head version
> # modparam("uri", "db_url", "sql://ser:heslo@localhost/ser") # "sql" in ser0814
> modparam("uri_db", "db_url", "mysql://ser:heslo@localhost/ser") #
> "mysql" in cvs head version
>
> # ------------- registration parameters
> modparam("registrar", "nat_flag", 6)
> modparam("registrar", "min_expires", 60)
> modparam("registrar", "max_expires", 86400)
> modparam("registrar", "default_expires", 3600)
> modparam("registrar", "desc_time_order", 1)
> modparam("registrar", "append_branches", 1)
>
> # !! Nathelper
> # modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
>
> # -------------------------- request routing logic --------------------------
>
> route {
>
> log(1, "-------------------------------------------\n");
> log(1, "entering main loop\n");
>
> # initial sanity checks -- messages with
> # max_forwards==0, or excessively long requests
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> break;
> };
> if ( msg:len >= max_len ) {
> sl_send_reply("513", "Message too big");
> break;
> };
>
> # !! Nathelper
> # Special handling for NATed clients; first, NAT test is
> # executed: it looks for via!=received and RFC1918 addresses
> # in Contact (may fail if line-folding is used); also,
> # the received test should, if completed, should check all
> # vias for rpesence of received
> if (nat_uac_test("3")) {
> # Allow RR-ed requests, as these may indicate that
> # a NAT-enabled proxy takes care of it; unless it is
> # a REGISTER
>
> if (method == "REGISTER" || ! search("^Record-Route:")) {
> log("LOG: Someone trying to register from private
> IP, rewriting\n");
>
> # This will work only for user agents that support symmetric
> # communication. We tested quite many of them and
> majority is
> # smart enough to be symmetric. In some phones it
> takes a configuration
> # option. With Cisco 7960, it is called
> NAT_Enable=Yes, with kphone it is
> # called "symmetric media" and "symmetric signalling".
>
> fix_nated_contact(); # Rewrite contact with source
> IP of signalling
> if (method == "INVITE") {
> fix_nated_sdp("1"); # Add direction=active to SDP
> };
> force_rport(); # Add rport parameter to topmost Via
> setflag(6); # Mark as NATed
> };
> };
>
> # record-route all messages -- to make sure that
> # subsequent messages will go through our proxy; that's
> # particularly good if upstream and downstream entities
> # use different transport protocol
>
> if (!method=="REGISTER") record_route();
>
> # subsequent messages withing a dialog should take the
> # path determined by record-routing
>
> if (loose_route()) {
> # mark routing logic in request
> append_hf("P-hint: rr-enforced\r\n");
> # t_relay(); ### use If don't want to enforce RTP proxy
> route(1); ### Nathelper!!
> break;
> };
>
> # set Flag for Radius Accounting:
>
> if (method=="INVITE") {
> log(1, "INVITE MESSAGE RECEIVED - START ACC\n");
> setflag(1); /* set for accounting (the same value as
> in log_flag!) */
> };
>
> if (method=="BYE") {
> log (1, "BYE - STOP ACCOUNTING\n");
> setflag(1);
> };
>
> if (method=="CANCEL") {
> log (1, "CANCEL - STOP ACCOUNTING\n");
> setflag(1);
> };
>
> setflag(3); # Set Radius Missed Flag (radius_missed_flag
> param...)
>
> if (!uri==myself) {
> # mark routing logic in request
> append_hf("P-hint: outbound\r\n");
> # t_relay();
> route(1);
> break;
> };
>
> if (uri==myself) {
>
> if (method == "REGISTER") {
> log(1, "ANALYZING REGISTER REQUEST\n");
> # to use digest authentication
> if (!www_authorize("my.domain.com.pe", "subscriber")) {
> www_challenge("my.domain.com.pe", "0");
> break;
> };
> if (!save("location")) {
> sl_reply_error();
> };
> break;
> };
>
> /* ***************** very insecure Dial out to PSTN
> logic ****************** */
> ### Pendiente agregar seguridad a esta etapa, usar
> Digest-Auth o "credentials"
> ### ver http://www.voip-info.org/wiki-SER+example+pstn
>
> # forward n digit requests to gateway AS5350
> if(uri=~"^sip:9"){
> log(1,"n digit expression match - Celulares Lima");
> rewritehostport("100.110.*.*:5060");
> route(2);
> break;
> };
>
> # forward international calls to Asterisk (using Oh323
> module to connect with H323 GWs)
> if(uri=~"^sip:00"){
> rewritehostport("100.110.*.*:5060");
> log(1,"n digit expression match - LDI");
> route(2);
> break;
> };
>
> /*
> ********************************************************************
> */
>
> lookup("aliases");
> if (!uri==myself) {
> append_hf("P-hint: outbound alias\r\n");
> # t_relay();
> route(1);
> break;
> };
>
> # does the user wish redirection on no availability?
> (i.e., is he
> # in the voicemail group?) -- determine it now and store it in
> # flag 4, before we rewrite the flag using UsrLoc
>
> if (is_user_in("Request-URI", "voicemail")) {
> log(1, "requested user is in voicemail group");
> setflag(4);
> };
>
> # native SIP destinations are handled using our USRLOC DB
> if (!lookup("location")) {
> log(1,"unable to locate user");
> # handle user which was not found
> route(4);
> break;
> };
>
> }; # End of "if(uri==myself)"
>
> append_hf("P-hint: usrloc applied\r\n");
> route(1);
>
> # if user is on-line and is in Voicemail group, enable redirection
> if (method == "INVITE" && isflagset(4)) {
> log(1, "invite for voicemail user->initiate failureroute[1]\n");
> t_on_failure("1");
> };
>
> # t_relay();
> }
>
> route[1]
> {
> # !! Nathelper
> if (uri=~"[@:](192\.168\.)" && !search("^Route:")){
> sl_send_reply("479", "We don't forward to private IP addresses");
> break;
> };
>
> # if client or server know to be behind a NAT, enable relay
> if (isflagset(6)) {
> force_rtp_proxy();
> };
>
> # NAT processing of replies; apply to all transactions (for example,
> # re-INVITEs from public to private UA are hard to identify as
> # NATed at the moment of request processing); look at replies
> t_on_reply("1");
>
> # send it out now; use stateful forwarding as it works reliably
> # even for UDP2TCP
> if (!t_relay()) {
> sl_reply_error();
> };
> }
>
> # !! Nathelper
> onreply_route[1] {
> # NATed transaction ?
> if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
> fix_nated_contact();
> force_rtp_proxy();
> # otherwise, is it a transaction behind a NAT and we did not
> # know at time of request processing ? (RFC1918 contacts)
> } else if (nat_uac_test("1")) {
> fix_nated_contact();
> };
> }
>
> # ----------------- SIP-to-PSTN call routed -------------------
>
> route[2]{
> log(1,"route[2]:SIP-to-GW call routed");
> if(!t_relay()){
> sl_reply_error();
> };
> }
>
> # --------------- Handling of Unavailable user ----------------
> route[4] {
>
> # non-Voip -- just send "off-line"
> if (!(method=="INVITE" || method=="ACK" || method=="CANCEL" ||
> method=="BYE")) {
> sl_send_reply("404", "Not Found");
> acc_rad_request("404 Not Found");
> break;
> };
>
> # not voicemail subscriber
> if (!isflagset(4)) {
> sl_send_reply("404", "Not Found and no voicemail turned on");
> acc_rad_request("404 Not Found");
> break;
> };
>
> ### Forward to * voicemail adding prefix "vm" to simplify *
> "extension.conf" to this:
> ### exten => _vmXXXXXXX,1,Voicemail(u${EXTEN:2})
> ### exten => _vmXXXXXXX,2,Hangup
>
> prefix("vm");
> rewritehostport("100.110.**.**:5060");
> t_relay_to_udp("100.110.**.**","5060");
> }
>
> # if forwarding downstream did not succeed, try voicemail running at Asterisk
>
> failure_route[1]{
> if (t_check_status("485")){
> revert_uri ();
> prefix("vm");
> rewritehostport ("100.110.**.**:5060");
> append_branch();
> t_relay();
> break;
> }
> }
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
More information about the sr-users
mailing list