[Serusers] FW: SER and NAT

Ashling O'Driscoll ashling.odriscoll at cit.ie
Sat Jan 22 15:18:31 CET 2005


Hi all,

I would like to thank everyone for their help to date answering my
questions (particularly Giovanni). The clients now register with SER
despite the NAT issues. I have yet to test a call so I may be back
with more queries if the voice doesn't transmit!!

I used the default NAT script provided on the voip-info wiki. However
I want my clients to authenticate before they are allowed to
register. If I enable authentication in the ser.cfg script,
registration fails. I do not understand why, as the MySQL database is
set up and I have created user accounts.

I have included my ser.cfg script below with the authentication part
and the mysql load module part commented out. Users only authenticate
at the moment if these parts are commented. Any help would be greatly
appreciated.

Also on a slightly unrelated note, I am trying to test this system
with Grandstream Budgetone 100 hardphones (it's so far tested with
X-Lite). I plug these phones into a hub which is in turn plugged into a
router; however the phone won't obtain an IP address through DHCP or
take its statically assigned one. Shouldn't an IP phone act like any
other IP device on a network, i.e. a PC etc.??

Thanks as always,
Aisling.

#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no	# (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no	# (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
port=5060
#children=4
fifo="/tmp/ser_fifo"

alias=84.203.148.14

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
#loadmodule "/usr/lib/ser/modules/mysql.so"

loadmodule "/usr/lib/ser/modules/sl.so"
loadmodule "/usr/lib/ser/modules/tm.so"
loadmodule "/usr/lib/ser/modules/rr.so"
loadmodule "/usr/lib/ser/modules/maxfwd.so"
loadmodule "/usr/lib/ser/modules/usrloc.so"
loadmodule "/usr/lib/ser/modules/registrar.so"
loadmodule "/usr/lib/ser/modules/nathelper.so"
#loadmodule "/usr/lib/ser/modules/mediaproxy.so"
loadmodule "/usr/lib/ser/modules/textops.so"
#loadmodule "/usr/lib/ser/modules/maxfwd.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
#loadmodule "/usr/lib/ser/modules/auth.so"
#loadmodule "/usr/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode",   0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)

# -- auth params --
# Uncomment if you are using auth module
#
#modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which is true in this
# config), uncomment also the following parameter
#
#modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

#!!Nathelper
#modparam("registrar","nat_flag",6)
#modparam("nathelper","natping_interval",30)  # ping interval 30 seconds
#modparam("nathelper","ping_nated_only",1)    # ping only clients behind NAT

# -------------------------request routing logic-------------------

# main routing logic

route{

	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		break;
	};
	if ( msg:len > max_len ) {
		sl_send_reply("513", "Message too big");
		break;
	};

	#############Aisling Insert################
#	#!Nat Insert
#	#the below line tests if the IP of the received packet is different
#	#from the IP in the via header and also
#	#sees if the IP address in the contact header is private
#	if (nat_uac_test("3")){
#		if (method == "REGISTER" || ! search("^Record-Route:")){
#			log("Log: Someone trying to register from private IP, rewriting\n");
#	#		fix_nated_contact(); # rewrite contact with source IP
#			if (method == "INVITE"){
#				fix_nated_sdp("1"); # add direction=active to SDP
#			};
#			force_rport(); # add rport parameter to topmost Via
#			setflag(6); # mark as NATed
#		};
#	};
	###################End#####################

	# we record-route all messages -- to make sure that
	# subsequent messages will go through our proxy; that's
	# particularly good if upstream and downstream entities
	# use different transport protocol

	if (!method == "REGISTER") record_route();

	# loose-route processing
	if (loose_route()) {
		t_relay();
		break;
	};

	# if the request is for other domain use UsrLoc
	# (in case, it does not work, use the following command
	# with proper names and addresses in it)
	if (uri==myself) {

		if (method=="REGISTER") {

# Uncomment this if you want to use digest authentication
#			if (!www_authorize("84.203.148.14", "subscriber")) {
#				www_challenge("84.203.148.14", "0");
#				break;
#			};
			save("location");
			break;
		};

		# native SIP destinations are handled using our USRLOC DB
		if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			break;
		};
	};

	#inserted by klaus
	if (method == "INVITE"){
		record_route();
		force_rtp_proxy();
		/* set up reply processing*/
		t_on_reply("1");
	};

	# forward to current uri now; use stateful forwarding; that
	# works reliably even if we forward from TCP to UDP
	if (!t_relay()) {
		sl_reply_error();
	};

}

#insert by klaus

onreply_route[1]{
	if (status=~"[12][0-9][0-9]")
		force_rtp_proxy();
}

#route[1]
#{
	#if client or server know to be behind NAT, enable relay
#	if (isflagset(6)){
#		force_rtp_proxy();
#	};
#
#	#NAT processing of replies; apply to all transaction (for example,
#	#reinvites from public to private UA are hard to identify as
#	#Nated at the moment of request processing); look at replies
#	t_on_reply("1");
#
#	#send it out now; use stateful forwarding as it works reliably
#	#even for UDP2TCP
#	if(!t_relay()){
#		sl_reply_error();
#	};
#}

#!!NatHelper

#onreply_route[1]{
#	# NATed transaction??
#	if (isflagset(6) && status =~ "(183)|2[0-9][0-9]"){
#		#fix_nated_contact();
#		force_rtp_proxy();
#	}
#	else if (nat_uac_test("1")){
#		fix_nated_contact();
#	};
#}




---- Original Message ----
From: jev at emmplus.ie
To: ashling.odriscoll at cit.ie
Subject: Re: [Serusers] FW: SER and NAT
Date: Fri, 21 Jan 2005 13:47:47 -0800

>Hi Ashling,
>
>Running ser behind NAT is a big pain in the ass, and I would suggest
>you do what ever you can to avoid that situation. I have played a little
>with such a set up, and it's just a crap situation.
>
>Best thing to do is get your ser on a public IP, or at least a IP
>that is routable through out the entire CIT campus.
>
>What type of router have you in front of ser? If it's some linux host
>doing routing, maybe you could put ser right on it. If it's a cisco
>or something, then maybe not ;)
>
>Let me know how it goes....
>
>Good luck,
>-Jev
>
>Ashling O'Driscoll wrote:
>> Just to give more information on the below problem...This is what I
>> saw in the xlite diagnostic log...Does the warning at the timeout
>> message mean something to anyone??
>> 
>> Thanks again,
>> Aisling.
>> 
>> 
>> SEND TIME: 325416584
>> SEND >> 84.203.148.14:5060
>> REGISTER sip:84.203.148.14 SIP/2.0
>> Via: SIP/2.0/UDP 157.190.70.231:5061;rport;branch=z9hG4bK7BFAD25591E34485B5C67454E24B9BEB
>> From: Aisling O' Driscoll <sip:2000 at 84.203.148.14>;tag=1976120825
>> To: Aisling O' Driscoll <sip:2000 at 84.203.148.14>
>> Contact: "Aisling O' Driscoll" <sip:2000 at 157.190.70.231:5061>
>> Call-ID: 2B12EE2F1DA64C11984134EF0CE89DC1 at 84.203.148.14
>> CSeq: 5729 REGISTER
>> Expires: 1800
>> Max-Forwards: 70
>> User-Agent: X-Lite release 1103m
>> Content-Length: 0
>> 
>> 
>> RECEIVE TIME: 325434169
>> RECEIVE << 84.203.148.14:5060
>> SIP/2.0 408 Request Timeout
>> Via: SIP/2.0/UDP 157.190.70.231:5061;rport=5061;branch=z9hG4bKFDD40D52818B4721AF5F83D30A7D526F
>> From: Aisling O' Driscoll <sip:2000 at 84.203.148.14>;tag=3316651270
>> To: Aisling O' Driscoll <sip:2000 at 84.203.148.14>;tag=a6a1c5f60faecf035a1ae5b6e96e979a-a63b
>> Call-ID: E8E25C47488A4E958F4BE8293AF7E1F3 at 84.203.148.14
>> CSeq: 16015 REGISTER
>> Server: Sip EXpress router (0.8.14 (i386/linux))
>> Content-Length: 0
>> Warning: 392 172.16.3.15:5060 "Noisy feedback tells:  pid=19819 req_src_ip=157.190.70.231 req_src_port=5061 in_uri=sip:84.203.148.14 out_uri=sip:84.203.148.14 via_cnt==0"
>> 
>> ---- Original Message ----
>> From: ashling.odriscoll at cit.ie
>> To: serusers at iptel.org
>> Subject: FW: SER and NAT
>> Date: Fri, 21 Jan 2005 09:49:56 -0000
>> 
>> Hi,
>> 
>> Hope someone can help me. I have a fairly bad NAT situation.
>> 
>> Clients are behind NAT and SER is behind NAT. The idea is that the
>> clients will register to the public address which is assigned to my
>> router and I have enabled port-forwarding to send the packets on to
>> the PC running SER listening on 5060. This situation worked when
>> clients registered with Asterisk but I would rather have them register
>> with SER and just use Asterisk for voicemail etc.
>> 
>> My config is like the default except the nathelper and mysql modules
>> are loaded. I have looked at the following websites but all the
>> configs are very different and use different RTP proxies. I am also
>> confused as to how much configuration is required to accommodate NAT.
>> 
>> http://lists.cs.columbia.edu/pipermail/sip-implementors/2004-February/006179.html
>> http://voip-info.org/wiki-SER+example+NAThelper
>> 
>> Could someone give me an idea of how the script should be modified,
>> what else must be installed (RTP proxy wise) or any ideas as to why
>> my clients can't register?....I'm presuming it's NAT...
>> 
>> Thanks a million,
>> Aisling.
>> 
>> 
>> 
>> -------------------Legal Disclaimer---------------------------------------
>> 
>> The above electronic mail transmission is confidential and intended
>only for the person to whom it is addressed. Its contents may be
>protected by legal and/or professional privilege. Should it be
>received by you in error please contact the sender at the above
>quoted email address. Any unauthorised form of reproduction of this
>message is strictly prohibited. The Institute does not guarantee the
>security of any information electronically transmitted and is not
>liable if the information contained in this communication is not a
>proper and complete record of the message as transmitted by the
>sender nor for any delay in its receipt.
>> 
>> _______________________________________________
>> Serusers mailing list
>> Serusers at iptel.org
>> http://mail.iptel.org/mailman/listinfo/serusers
>> 
>


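The NAT branch in the quoted ser.cfg (`nat_uac_test("3")`, `fix_nated_contact()`, `force_rport()`) is easier to reason about once its inputs are laid out next to a real request. The block below is an added example for this thread, not SER's nathelper code: it is a small Python model of the two tests selected by flag value 3 (bit 1: private IP in Contact; bit 2: top Via host differs from the packet's source address) and of the Contact and Via rewrites that follow. The first sample REGISTER is built from the X-Lite trace quoted above with the Warning header's `req_src_ip`/`req_src_port` as the source address; the second is a constructed variant of the same request as it would arrive from a phone on a 192.168.x.x LAN behind a NAT, with a constructed public source address. The rewrite names mirror the ser.cfg functions but are this example's own helpers.

```python
import ipaddress
import re

# Sample REGISTER built from the X-Lite trace quoted in this thread.
REGISTER_PUBLIC = (
    "REGISTER sip:84.203.148.14 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 157.190.70.231:5061;rport;branch=z9hG4bK7BFAD25591E34485B5C67454E24B9BEB\r\n"
    "From: <sip:2000@84.203.148.14>;tag=1976120825\r\n"
    "To: <sip:2000@84.203.148.14>\r\n"
    "Contact: <sip:2000@157.190.70.231:5061>\r\n"
    "Call-ID: 2B12EE2F1DA64C11984134EF0CE89DC1@84.203.148.14\r\n"
    "CSeq: 5729 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed: the same phone behind a home NAT writes its private address
# into Via and Contact; the proxy sees the packet arrive from the NAT's public side.
REGISTER_NATED = REGISTER_PUBLIC.replace("157.190.70.231:5061", "192.168.1.20:5060")

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


def parse_request(raw: str):
    """Return (request line, {lower-case header name: value}); folded lines are unfolded."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False  # hostname rather than an IP literal


def via_host(via: str):
    """Host part of the topmost Via sent-by (IPv4 or hostname; IPv6 literals not handled)."""
    m = re.match(r"SIP/2\.0/\w+\s+([^;\s]+)", via)
    return m.group(1).rsplit(":", 1)[0] if m else None


def nat_uac_test(headers: dict, src_ip: str, flags: int = 3) -> bool:
    """Bit 1: Contact host is a private address. Bit 2: Via host != packet source IP."""
    nated = False
    if flags & 1:
        m = IPV4.search(headers.get("contact", ""))
        nated |= bool(m and is_private(m.group(1)))
    if flags & 2:
        host = via_host(headers.get("via", ""))
        nated |= host is not None and host != src_ip
    return nated


def fix_nated_contact(headers: dict, src_ip: str, src_port: int) -> str:
    """Contact with host:port replaced by the address the request really came from."""
    return IPV4.sub(f"{src_ip}:{src_port}", headers.get("contact", ""), count=1)


def stamp_via(headers: dict, src_ip: str, src_port: int) -> str:
    """What honouring rport (RFC 3581) means: fill ;rport and add ;received on the top Via."""
    via = re.sub(r";rport(?=;|$)", f";rport={src_port}", headers["via"], count=1)
    if ";received=" not in via:
        via += f";received={src_ip}"
    return via


def handle_register(raw: str, src_ip: str, src_port: int, flags: int = 3) -> dict:
    """Run the thread's NAT branch over one REGISTER: detect, then rewrite Contact and Via."""
    _, h = parse_request(raw)
    result = {"nated": nat_uac_test(h, src_ip, flags), "contact": h["contact"], "via": h["via"]}
    if result["nated"]:
        result["contact"] = fix_nated_contact(h, src_ip, src_port)
        result["via"] = stamp_via(h, src_ip, src_port)
    return result


if __name__ == "__main__":
    print(handle_register(REGISTER_PUBLIC, "157.190.70.231", 5061))
    print(handle_register(REGISTER_NATED, "203.0.113.5", 41000))
```

Run against the quoted trace, the tests do not fire: the Contact address is public and matches the source the proxy reported, so the Contact is saved as sent. For the constructed NATed request both tests fire, the stored binding becomes the public `203.0.113.5:41000`, and the Via carries `rport=41000;received=203.0.113.5` so the 200 OK goes back through the same NAT mapping. The registration itself is not touched by this branch; whether it is accepted is decided by the authentication step that follows it.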



