[Serusers] NAT Traversal
Thomas Britis
thomas at tcnet.com.br
Sat Nov 12 12:36:54 CET 2005
I tried. Everything goes fine until I change the default configuration
from onsip.org. All the configuration files are basical and needs a lot
of changes to make me happy, heh.
If anyone has an idea, it would be great.
Thank you.
Greger V. Teigre wrote:
> Seems like you could use the Getting Started document from ONsip.org ;-)
> g-)
> ----- Original Message ----- From: "Thomas Britis" <thomas at tcnet.com.br>
> To: <serusers at lists.iptel.org>
> Sent: Friday, November 11, 2005 5:58 PM
> Subject: [Serusers] NAT Traversal
>
>
>> Hi,
>>
>> I'm working on a popular cenario (I think) of SER's implementation but
>> I'm having some difficult on making clients behind NAT to work well.
>> I tried to use rtpproxy and mediaproxy (not together, of course) but
>> without success.
>> Here is my scenario: SER with public IP address with rtpproxy and/or
>> mediaproxy up and running. Clients are behind NAT with NO firewall
>> blocking any ports. Or even one client behind NAT and other with valid
>> IP (by the way, all clients that are not behind nat works fine). The one
>> behind nat do not receive any voice but can send it.
>>
>> I'm attaching my ser.cfg (both, the rtpproxy and mediaproxy one) and
>> appreciate any help.
>>
>> Thank's in advance.
>> --
>> Thomas Storino Britis
>> TCNet Informatica e Telecomunicacoes LTDA
>>
>
>
> --------------------------------------------------------------------------------
>
>
>
>> #
>> # $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
>> #
>> # simple quick-start config script
>> #
>>
>> # ----------- global configuration parameters ------------------------
>>
>> debug=3 # debug level (cmd line: -dddddddddd)
>> fork=yes
>> log_stderror=no # (cmd line: -E)
>>
>> # TCNet Configuration
>> # hostname matching an alias will satisfy the condition uri==myself.
>> listen="200.167.20.34"
>> alias="e-voip.com.br"
>> alias="200.167.20.34"
>> uid="ser"
>> gid="ser"
>>
>> check_via=no # (cmd. line: -v)
>> dns=no # (cmd. line: -r)
>> rev_dns=no # (cmd. line: -R)
>> port=5060
>> children=4
>> fifo="/tmp/ser_fifo"
>> fifo_db_url="mysql://ser:pass@localhost/ser"
>>
>> # Modules
>> loadmodule "/tcnet/ser/lib/ser/modules/domain.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/mysql.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/sl.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/tm.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/rr.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/maxfwd.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/usrloc.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/registrar.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/auth.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/auth_db.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/uri.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/uri_db.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/nathelper.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/mediaproxy.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/textops.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/avpops.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/acc.so"
>>
>> # Modules parameter
>> # auth_db
>> modparam("auth_db|uri_db|usrloc", "db_url",
>> "mysql://ser:pass@localhost/ser")
>> modparam("auth_db", "calculate_ha1", 1)
>> modparam("auth_db", "password_column", "password")
>>
>> # mediaproxy
>> modparam("mediaproxy", "mediaproxy_socket",
>> "/var/run/proxydispatcher.sock")
>> modparam("mediaproxy", "natping_interval", 30)
>> modparam("mediaproxy", "sip_asymmetrics",
>> "/tcnet/mediaproxy/sip-asymmetrics-clients")
>> modparam("mediaproxy", "rtp_asymmetrics",
>> "/tcnet/mediaproxy/rtp-asymmetrics-clients")
>>
>> # usrloc
>> modparam("usrloc", "db_mode", 2)
>>
>> # rr
>> modparam("rr", "enable_full_lr", 1)
>>
>> # registrar
>> modparam("registrar", "nat_flag", 6)
>>
>> # acc
>> modparam("acc", "radius_config",
>> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>> modparam("acc", "log_level", 1)
>> modparam("acc", "log_flag", 1)
>> modparam("acc", "radius_flag", 1)
>> modparam("acc", "radius_missed_flag", 2)
>> modparam("acc", "log_fmt", "miocfst")
>> modparam("acc", "failed_transactions", 1)
>>
>> # tm
>> modparam("tm", "fr_inv_timer", 27)
>> modparam("tm", "fr_inv_timer_avp", "inv_timeout")
>>
>> # main routing logic
>> route {
>>
>> if (method == "BYE" || method == "CANCEL") {
>> end_media_session();
>> setflag(1); # accounting
>> setflag(2); # missed call
>> };
>>
>> # initial sanity checks -- messages with
>> # max_forwards==0, or excessively long requests
>> if (!mf_process_maxfwd_header("10")) {
>> if (method!="ACK") {
>> sl_send_reply("483", "Too Many Hops");
>> break;
>> };
>> };
>> if (msg:len > max_len) {
>> if (method!="ACK") {
>> sl_send_reply("513", "Message too big");
>> break;
>> };
>> };
>>
>> if (method!="REGISTER") {
>> record_route ();
>> };
>>
>> if (loose_route()) {
>> if (method=="BYE" || method=="CANCEL") {
>> end_media_session();
>> setflag(1);
>> setflag(2);
>> };
>> if (method=="INVITE" || method=="ACK") {
>> use_media_proxy();
>> };
>> route(1);
>> break;
>> };
>>
>> if (uri == myself) {
>> if (method == "REGISTER") {
>> if (search("^(Contact|m):
>> .*@(200\.167\.20\.34|evoip03\.tcnet\.com\.br|sip\.e-voip\.com\.br)")) {
>> log("LOG: alert: someone trying to set aor==contact\n");
>> sl_send_reply("476", "No Server Address in Contacts Allowed");
>> break;
>> };
>>
>> route(2); # WWW authentication
>>
>> if (!save("location")) {
>> sl_reply_error();
>> };
>> break;
>> };
>>
>> if (method == "INVITE") {
>> route(3); # PROXY authentication
>> if (uri=~"^sip:0") {
>> route(4); # Asterisk
>> };
>>
>> consume_credentials();
>>
>> #lookup("location");
>> if (!lookup("location")) {
>> if (!lookup("aliases")) {
>> if (uri=~"^sip:[3789][0-9]") {
>> prefix("035");
>> route(4); # Asterisk
>> } else {
>> sl_send_reply ("404", "Not Found");
>> break;
>> };
>> };
>> };
>> setflag(1);
>> setflag(2);
>> route(1);
>> break;
>> };
>> };
>> route(1);
>> }
>>
>> # Fix NATED client on reply route.
>> onreply_route[1] {
>> if (client_nat_test("1") && status=~"(183)|(2[0-9][0-9])") {
>> fix_contact();
>> };
>> use_media_proxy ();
>> }
>>
>> # Normal relay
>> route[1] {
>>
>> if (uri =~ "[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")) {
>> sl_send_reply("479", "We don't forward to private IP addresses");
>> break;
>> };
>>
>> t_on_reply("1");
>> t_on_failure("1");
>>
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>> }
>>
>> # WWW authentication
>> route[2] {
>> if (client_nat_test("3")) {
>> setflag(6);
>> force_rport();
>> fix_contact();
>> };
>>
>> sl_send_reply("100", "Trying");
>>
>> if (!www_authorize("", "subscriber")) {
>> www_challenge("", "0");
>> break;
>> };
>>
>> if (!check_to()) {
>> sl_send_reply ("401", "Unauthorized");
>> break;
>> };
>>
>> }
>>
>> # PROXY authentication
>> route[3] {
>> if (!proxy_authorize("", "subscriber")) {
>> proxy_challenge("", "0");
>> break;
>> };
>> }
>>
>> # Asterisk - E-Voip
>> route[4] {
>> t_on_reply("1");
>> rewritehost("200.167.20.26");
>> avp_write("i:45", "inv_timeout");
>> }
>>
>> failure_route[1] {
>> end_media_session();
>> }
>>
>
>
> --------------------------------------------------------------------------------
>
>
>
>> #
>> # $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
>> #
>> # simple quick-start config script
>> #
>>
>> # ----------- global configuration parameters ------------------------
>>
>> debug=3 # debug level (cmd line: -dddddddddd)
>> fork=yes
>> log_stderror=no # (cmd line: -E)
>>
>> # TCNet Configuration
>> # hostname matching an alias will satisfy the condition uri==myself.
>> listen="200.167.20.34"
>> alias="e-voip.com.br"
>> alias="200.167.20.34"
>> uid="ser"
>> gid="ser"
>>
>> check_via=no # (cmd. line: -v)
>> dns=no # (cmd. line: -r)
>> rev_dns=no # (cmd. line: -R)
>> port=5060
>> children=4
>> fifo="/tmp/ser_fifo"
>> fifo_db_url="mysql://ser:pass@localhost/ser"
>>
>> # Modules
>> loadmodule "/tcnet/ser/lib/ser/modules/mysql.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/sl.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/tm.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/rr.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/maxfwd.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/usrloc.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/registrar.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/auth.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/auth_db.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/uri.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/uri_db.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/nathelper.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/textops.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/avpops.so"
>> loadmodule "/tcnet/ser/lib/ser/modules/acc.so"
>>
>> # Modules parameter
>> # auth_db
>> modparam("auth_db|uri_db|usrloc", "db_url",
>> "mysql://ser:pass@localhost/ser")
>> modparam("auth_db", "calculate_ha1", 1)
>> modparam("auth_db", "password_column", "password")
>>
>> # nathelper
>> modparam("nathelper", "natping_interval", 30)
>> modparam("nathelper", "ping_nated_only", 1)
>> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
>>
>> # usrloc
>> modparam("usrloc", "db_mode", 2)
>>
>> # rr
>> modparam("rr", "enable_full_lr", 1)
>>
>> # registrar
>> modparam("registrar", "nat_flag", 6)
>>
>> # acc
>> modparam("acc", "radius_config",
>> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>> modparam("acc", "log_level", 1)
>> modparam("acc", "log_flag", 1)
>> modparam("acc", "radius_flag", 1)
>> modparam("acc", "radius_missed_flag", 2)
>> modparam("acc", "log_fmt", "miocfst")
>> modparam("acc", "failed_transactions", 1)
>>
>> # tm
>> modparam("tm", "fr_inv_timer", 27)
>> modparam("tm", "fr_inv_timer_avp", "inv_timeout")
>>
>> # main routing logic
>> route {
>>
>> if (method == "BYE" || method == "CANCEL") {
>> unforce_rtp_proxy();
>> setflag(1); # accounting
>> setflag(2); # missed call
>> };
>>
>> # initial sanity checks -- messages with
>> # max_forwards==0, or excessively long requests
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483", "Too Many Hops");
>> break;
>> };
>> if (msg:len > max_len) {
>> sl_send_reply("513", "Message too big");
>> break;
>> };
>>
>> if (method!="REGISTER") {
>> record_route ();
>> };
>>
>> if (loose_route()) {
>> if (method == "BYE") {
>> setflag(1);
>> setflag(2);
>> unforce_rtp_proxy();
>> };
>> route(1);
>> break;
>> };
>>
>> if (uri == myself) {
>> if (method=="INVITE") {
>> fix_nated_sdp ("1");
>> };
>>
>> if (method == "REGISTER") {
>> if (search("^(Contact|m):
>> .*@(200\.167\.20\.34|evoip03\.tcnet\.com\.br|sip\.e-voip\.com\.br)")) {
>> log("LOG: alert: someone trying to set aor==contact\n");
>> sl_send_reply("476", "No Server Address in Contacts Allowed");
>> break;
>> };
>>
>> route(2); # WWW authentication
>>
>> if (!save("location")) {
>> sl_reply_error();
>> };
>> break;
>> };
>>
>> if (method == "INVITE") {
>> route(3); # PROXY authentication
>> if (uri=~"^sip:0") {
>> route(4); # Asterisk
>> };
>>
>> consume_credentials();
>>
>> #lookup("location");
>> if (!lookup("location")) {
>> if (!lookup("aliases")) {
>> if (uri=~"^sip:[3789][0-9]") {
>> prefix("035");
>> route(4); # Asterisk
>> } else {
>> sl_send_reply ("404", "Not Found");
>> break;
>> };
>> };
>> };
>> setflag(1);
>> setflag(2);
>> route(1);
>> break;
>> };
>> };
>> route(1);
>> }
>>
>> # Fix NATED client on reply route.
>> onreply_route[1] {
>> if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
>> if (!search("Content-Length:[ ]*0")) {
>> force_rtp_proxy();
>> };
>> };
>> }
>>
>> # Normal relay
>> route[1] {
>>
>> if (uri =~ "[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")) {
>> sl_send_reply("479", "We don't forward to private IP addresses");
>> break;
>> };
>>
>> t_on_reply("1");
>>
>> if (isflagset(6) || isflagset(5)) {
>> log (1, "oi");
>> force_rtp_proxy ();
>> };
>>
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>> }
>>
>> # WWW authentication
>> route[2] {
>> if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
>> setflag(6);
>> fix_nated_register();
>> force_rport();
>> };
>>
>> sl_send_reply("100", "Trying");
>>
>> if (!www_authorize("", "subscriber")) {
>> www_challenge("", "0");
>> break;
>> };
>>
>> if (!check_to()) {
>> sl_send_reply ("401", "Unauthorized");
>> break;
>> };
>>
>> if (isflagset(5)) {
>> setflag(6);
>> };
>> }
>>
>> # PROXY authentication
>> route[3] {
>> if (nat_uac_test("19")) {
>> setflag(6);
>> };
>>
>> if (!proxy_authorize("", "subscriber")) {
>> proxy_challenge("", "0");
>> break;
>> };
>> }
>>
>> # Asterisk - E-Voip
>> route[4] {
>> if (isflagset(6)) {
>> force_rport();
>> fix_nated_contact();
>> force_rtp_proxy();
>> };
>>
>> t_on_reply("1");
>> rewritehost("200.167.20.26");
>> avp_write("i:45", "inv_timeout");
>> }
>>
>
>
> --------------------------------------------------------------------------------
>
>
>
>> _______________________________________________
>> Serusers mailing list
>> serusers at lists.iptel.org
>> http://lists.iptel.org/mailman/listinfo/serusers
>>
>
>
>
--
Thomas Storino Britis
TCNet Informatica e Telecomunicacoes LTDA
More information about the sr-users
mailing list