[Serusers] NATHELPER/rtpproxy does not work

Walter Willis walterwn at gmail.com
Thu Feb 24 01:49:38 CET 2005


wath  version the SER do you use?


On Wed, 23 Feb 2005 15:15:27 -0500, Freddy - VoiceFinder SA
<freddy2006 at gmail.com> wrote:
> Hello
> My SER implementation includes Asterisk voicemail for unavailable
> users, Radius Accounting, Digest Authentication and PSTN gateway
> forwarding, everything works very well but now I am trying
> NatHelper/rtpproxy for nated endpoints, nated clients are registering
> with public IP but I cannot hear incoming audio in nated X-lite
> clients even if I use Port Forwarding or enable DMZ in NAT device
> (LinkSys), I am very confused because I can hear audio from
> Asterisk... maybe I have some problem in ser, please take a look to my
> configuration file and send me some advice, thanks
> 
> rafael
> 
> PS: myser.cfg based on
> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/etc/nathelper.cfg?rev=1.1.2.1&content-type=text/vnd.viewcvs-markup
> 
> /usr/local/etc/ser/Ser_VM_RadAcc_NatHelp-Test1.cfg
> 
> # Version: We are using: Sip EXpress router (0.8.99-dev1 (i386/linux))
>  (Agosto 2004)
> # This default script includes nathelper support. To make it work
> # you will also have to install Maxim's RTP proxy. The proxy is enforced
> # if one of the parties is behind a NAT.
> #
> # If you have an endpoing in the public internet which is known to
> # support symmetric RTP (Cisco PSTN gateway or voicemail, for example),
> # then you don't have to force RTP proxy. If you don't want to enforce
> # RTP proxy for some destinations than simply use t_relay() instead of
> # route(1)
> #
> # Sections marked with !! Nathelper contain modifications for nathelper
> 
> # ----------- global configuration parameters ------------------------
> 
> #/* Uncomment these lines to enter debugging mode
> debug=9
> fork=yes
> log_stderror=yes
> #*/
> 
> listen=100.110.*.*
> listen=127.0.0.1
> port=5060
> 
> # hostname matching an alias will satisfy the condition uri==myself".
> alias=my.domain.com.pe
> alias=100.110.*.*
> 
> check_via=no    # (cmd. line: -v)
> dns=no          # (cmd. line: -r)
> rev_dns=no      # (cmd. line: -R)
> children=4
> fifo="/tmp/ser_fifo"
> 
> # sip_warning - Should replies include extensive warnings?
> # By default yes, it is good for trouble-shooting.
> sip_warning=yes
> 
> # ------------------ module loading ----------------------------------
> loadmodule "/usr/local/lib/ser/modules/mysql.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/tm.so"
> loadmodule "/usr/local/lib/ser/modules/rr.so"
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
> loadmodule "/usr/local/lib/ser/modules/group.so"
> loadmodule "/usr/local/lib/ser/modules/uri.so"
> loadmodule "/usr/local/lib/ser/modules/uri_db.so"
> loadmodule "/usr/local/lib/ser/modules/acc.so"
> loadmodule "/usr/local/lib/ser/modules/textops.so"
> 
> # digest authentication
> loadmodule "/usr/local/lib/ser/modules/auth.so"
> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
> 
> # !! Nathelper
> loadmodule "/usr/local/lib/ser/modules/nathelper.so"
> 
> # ----------------- setting module-specific parameters ---------------
> 
> modparam("usrloc", "db_mode",   2)
> 
> # storing passwords in our database in plain text:
> # modparam("auth_db", "calculate_ha1", yes)
> # modparam("auth_db", "password_column", "password")
> 
> # For Rad Accounting
> modparam("acc", "radius_config","/usr/local/etc/radiusclient/radiusclient.conf")
> modparam("acc", "service_type", 15)
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 3)
> modparam("acc", "report_ack", 0) # 1 reporta dos starts en acc
> 
> modparam("tm", "fr_timer", 20 )
> modparam("tm", "fr_inv_timer", 30 )
> modparam("tm", "wt_timer", 20 )
> 
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
> 
> modparam("group", "db_url", "mysql://ser:heslo@localhost/ser")  #
> "mysql" in cvs head version
> # modparam("uri", "db_url", "sql://ser:heslo@localhost/ser") # "sql" in ser0814
> modparam("uri_db", "db_url", "mysql://ser:heslo@localhost/ser") #
> "mysql" in cvs head version
> 
> # ------------- registration parameters
> modparam("registrar", "nat_flag", 6)
> modparam("registrar", "min_expires", 60)
> modparam("registrar", "max_expires", 86400)
> modparam("registrar", "default_expires", 3600)
> modparam("registrar", "desc_time_order", 1)
> modparam("registrar", "append_branches", 1)
> 
> # !! Nathelper
> # modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT
> 
> # -------------------------- request routing logic --------------------------
> 
> route {
> 
>         log(1, "-------------------------------------------\n");
>         log(1, "entering main loop\n");
> 
>         # initial sanity checks -- messages with
>         # max_forwards==0, or excessively long requests
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483","Too Many Hops");
>                 break;
>         };
>         if ( msg:len >= max_len ) {
>                 sl_send_reply("513", "Message too big");
>                 break;
>         };
> 
>         # !! Nathelper
>         # Special handling for NATed clients; first, NAT test is
>         # executed: it looks for via!=received and RFC1918 addresses
>         # in Contact (may fail if line-folding is used); also,
>         # the received test should, if completed, should check all
>         # vias for rpesence of received
>         if (nat_uac_test("3")) {
>                 # Allow RR-ed requests, as these may indicate that
>                 # a NAT-enabled proxy takes care of it; unless it is
>                 # a REGISTER
> 
>                 if (method == "REGISTER" || ! search("^Record-Route:")) {
>                     log("LOG: Someone trying to register from private
> IP, rewriting\n");
> 
>                     # This will work only for user agents that support symmetric
>                     # communication. We tested quite many of them and
> majority is
>                     # smart enough to be symmetric. In some phones it
> takes a configuration
>                     # option. With Cisco 7960, it is called
> NAT_Enable=Yes, with kphone it is
>                     # called "symmetric media" and "symmetric signalling".
> 
>                     fix_nated_contact(); # Rewrite contact with source
> IP of signalling
>                     if (method == "INVITE") {
>                         fix_nated_sdp("1"); # Add direction=active to SDP
>                     };
>                     force_rport(); # Add rport parameter to topmost Via
>                     setflag(6);    # Mark as NATed
>                 };
>         };
> 
>         # record-route all messages -- to make sure that
>         # subsequent messages will go through our proxy; that's
>         # particularly good if upstream and downstream entities
>         # use different transport protocol
> 
>         if (!method=="REGISTER") record_route();
> 
>         # subsequent messages withing a dialog should take the
>         # path determined by record-routing
> 
>         if (loose_route()) {
>                 # mark routing logic in request
>                 append_hf("P-hint: rr-enforced\r\n");
>                 # t_relay(); ### use If don't want to enforce RTP proxy
>                 route(1);    ### Nathelper!!
>                 break;
>         };
> 
>         # set Flag for Radius Accounting:
> 
>                 if (method=="INVITE") {
>                 log(1, "INVITE MESSAGE RECEIVED - START ACC\n");
>                 setflag(1); /* set for accounting (the same value as
> in log_flag!) */
>                 };
> 
>                 if (method=="BYE") {
>                 log (1, "BYE  - STOP ACCOUNTING\n");
>                 setflag(1);
>                 };
> 
>                 if (method=="CANCEL") {
>                 log (1, "CANCEL - STOP ACCOUNTING\n");
>                 setflag(1);
>                 };
> 
>         setflag(3); # Set Radius Missed Flag (radius_missed_flag
> param...)
> 
>         if (!uri==myself) {
>                 # mark routing logic in request
>                 append_hf("P-hint: outbound\r\n");
>                 # t_relay();
>                 route(1);
>                 break;
>         };
> 
>         if (uri==myself) {
> 
>                 if (method == "REGISTER") {
>                         log(1, "ANALYZING REGISTER REQUEST\n");
>                         # to use digest authentication
>                         if (!www_authorize("my.domain.com.pe", "subscriber")) {
>                                 www_challenge("my.domain.com.pe", "0");
>                                 break;
>                         };
>                         if (!save("location")) {
>                                 sl_reply_error();
>                         };
>                         break;
>                 };
> 
>                 /* ***************** very insecure Dial out to PSTN
> logic ****************** */
>                 ### Pendiente agregar seguridad a esta etapa, usar
> Digest-Auth o "credentials"
>                 ### ver http://www.voip-info.org/wiki-SER+example+pstn
> 
>                 # forward n digit requests to gateway AS5350
>                 if(uri=~"^sip:9"){
>                         log(1,"n digit expression match - Celulares Lima");
>                         rewritehostport("100.110.*.*:5060");
>                         route(2);
>                         break;
>                 };
> 
>                 # forward international calls to Asterisk (using Oh323
> module to connect with H323 GWs)
>                 if(uri=~"^sip:00"){
>                         rewritehostport("100.110.*.*:5060");
>                         log(1,"n digit expression match - LDI");
>                         route(2);
>                         break;
>                 };
> 
>                 /*
> ********************************************************************
> */
> 
>                 lookup("aliases");
>                 if (!uri==myself) {
>                         append_hf("P-hint: outbound alias\r\n");
>                         # t_relay();
>                         route(1);
>                         break;
>                 };
> 
>                 # does the user wish redirection on no availability?
> (i.e., is he
>                 # in the voicemail group?) -- determine it now and store it in
>                 # flag 4, before we rewrite the flag using UsrLoc
> 
>                 if (is_user_in("Request-URI", "voicemail")) {
>                         log(1, "requested user is in voicemail group");
>                         setflag(4);
>                 };
> 
>                 # native SIP destinations are handled using our USRLOC DB
>                 if (!lookup("location")) {
>                         log(1,"unable to locate user");
>                         # handle user which was not found
>                         route(4);
>                         break;
>                 };
> 
>         }; # End of "if(uri==myself)"
> 
>         append_hf("P-hint: usrloc applied\r\n");
>         route(1);
> 
>         # if user is on-line and is in Voicemail group, enable redirection
>         if (method == "INVITE" && isflagset(4)) {
>                 log(1, "invite for voicemail user->initiate failureroute[1]\n");
>                 t_on_failure("1");
>         };
> 
>         # t_relay();
> }
> 
> route[1]
> {
>         # !! Nathelper
>         if (uri=~"[@:](192\.168\.)" && !search("^Route:")){
>             sl_send_reply("479", "We don't forward to private IP addresses");
>             break;
>         };
> 
>         # if client or server know to be behind a NAT, enable relay
>         if (isflagset(6)) {
>             force_rtp_proxy();
>         };
> 
>         # NAT processing of replies; apply to all transactions (for example,
>         # re-INVITEs from public to private UA are hard to identify as
>         # NATed at the moment of request processing); look at replies
>         t_on_reply("1");
> 
>         # send it out now; use stateful forwarding as it works reliably
>         # even for UDP2TCP
>         if (!t_relay()) {
>                 sl_reply_error();
>         };
> }
> 
> # !! Nathelper
> onreply_route[1] {
>     # NATed transaction ?
>     if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>         fix_nated_contact();
>         force_rtp_proxy();
>     # otherwise, is it a transaction behind a NAT and we did not
>     # know at time of request processing ? (RFC1918 contacts)
>     } else if (nat_uac_test("1")) {
>         fix_nated_contact();
>     };
> }
> 
> # ----------------- SIP-to-PSTN call routed -------------------
> 
> route[2]{
>         log(1,"route[2]:SIP-to-GW call routed");
>         if(!t_relay()){
>                 sl_reply_error();
>         };
> }
> 
> # --------------- Handling of Unavailable user ----------------
> route[4] {
> 
>         # non-Voip -- just send "off-line"
>         if (!(method=="INVITE" || method=="ACK" || method=="CANCEL" ||
> method=="BYE")) {
>                 sl_send_reply("404", "Not Found");
>                 acc_rad_request("404 Not Found");
>                 break;
>         };
> 
>         # not voicemail subscriber
>         if (!isflagset(4)) {
>                 sl_send_reply("404", "Not Found and no voicemail turned on");
>                 acc_rad_request("404 Not Found");
>                 break;
>         };
> 
>       ### Forward to * voicemail adding prefix "vm" to simplify *
> "extension.conf" to this:
>         ### exten => _vmXXXXXXX,1,Voicemail(u${EXTEN:2})
>         ### exten => _vmXXXXXXX,2,Hangup
> 
>         prefix("vm");
>         rewritehostport("100.110.**.**:5060");
>         t_relay_to_udp("100.110.**.**","5060");
> }
> 
> # if forwarding downstream did not succeed, try voicemail running at Asterisk
> 
> failure_route[1]{
>         if (t_check_status("485")){
>                 revert_uri ();
>                 prefix("vm");
>                 rewritehostport ("100.110.**.**:5060");
>                 append_branch();
>                 t_relay();
>                 break;
>         }
> }
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>




More information about the sr-users mailing list