[Serusers] nat problem

Pezhman Lali pezhman_lali at yahoo.com
Wed Dec 19 09:19:06 CET 2007 

Dear
I have a lot of problems with nat and registering, 
for example, grandstream does not work with a lot of
internet providers, also linksys and ...
sometimes the sip phone was registered, but the call
is one way or no way.
please help me, if my config has problem.
Best
Mani



listen=1.1.1.1
debug=0   # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
log_facility=LOG_LOCAL5
check_via=no	# (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
port=5060
children=4
fifo="/tmp/ser_fifo"
fifo_db_url="postgres://postgres:mypass@localhost:5432/test"
alias="xxx.com"
alias="xxx.com"
alias="xxx.com"
alias="xxx.com"
alias="xxx.com"
sip_warning=yes

# ------------------ module loading
----------------------------------

loadmodule "/usr/local/lib/ser/modules/postgres.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/xlog.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"

# ----------------- setting module-specific parameters
---------------

# -- usrloc params --
#modparam("acc", "log_level", 1)
#modparam("acc", "log_flag", 1)
modparam("acc", "db_url",
"postgres://postgres:mypass@localhost:5432/test")
modparam("acc", "db_missed_flag", 2)
modparam("acc", "db_flag", 1)
#modparam("acc", "radius_config",
"/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("usrloc", "db_mode", 1)
modparam("usrloc", "user_column", "user_id")
modparam("usrloc", "db_url",
"postgres://postgres:mypass@localhost:5432/test")

# Uncomment this if you want to use SQL database 
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)

modparam("auth_db", "use_domain", 0)
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "user_column", "user_id")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
"postgres://postgres:mypass@localhost:5432/test")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
modparam("rr", "enable_double_rr", 0)

modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 0)
modparam("usrloc", "use_domain", 0)
modparam("nathelper", "natping_interval", 30) # Ping
interval 30 s
modparam("nathelper", "ping_nated_only", 1)   # Ping
only clients behind NAT
modparam("nathelper",
"rtpproxy_sock","unix:/var/run/rtpproxy.sock")

# -------------------------  request routing logic
-------------------

# main routing logic

route{

	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		break;
	};
	if (msg:len >=  2048 ) {
		sl_send_reply("513", "Message too big");
		break;
	};
	if (method=="INVITE" || method=="BYE" ||
method=="ACK") {
		setflag(1);
	};
	
        # !! Nathelper
	# Special handling for NATed clients; first, NAT test
is
	# executed: it looks for via!=received and RFC1918
addresses
	# in Contact (may fail if line-folding is used);
also,
	# the received test should, if completed, should
check all
	# vias for rpesence of received
	if (nat_uac_test("3")) {
		# Allow RR-ed requests, as these may indicate that
		# a NAT-enabled proxy takes care of it; unless it is
		# a REGISTER

		if (method == "REGISTER" || !
search("^Record-Route:")) {
		    log("LOG: Someone trying to register from
private IP, rewriting\n");

		    # This will work only for user agents that
support symmetric
		    # communication. We tested quite many of them
and majority is
		    # smart enough to be symmetric. In some phones
it takes a configuration
		    # option. With Cisco 7960, it is called
NAT_Enable=Yes, with kphone it is
		    # called "symmetric media" and "symmetric
signalling".

		    fix_nated_contact(); # Rewrite contact with
source IP of signalling
		    if (method == "INVITE") {
		        fix_nated_sdp("1"); # Add direction=active
to SDP
		    };
		    force_rport(); # Add rport parameter to topmost
Via
		    setflag(6);    # Mark as NATed
		};
	};

	# we record-route all messages -- to make sure that
	# subsequent messages will go through our proxy;
that's
	# particularly good if upstream and downstream
entities
	# use different transport protocol
	if (!method=="REGISTER") record_route();	

	# subsequent messages withing a dialog should take
the
	# path determined by record-routing
	if (loose_route()) {
		# mark routing logic in request
		append_hf("P-hint: rr-enforced\r\n"); 
		route(1);
		break;
	};
	if (!uri==myself) {
		append_hf("P-hint: outbound\r\n"); 
		route(1);
		break;
	};
	if (method == "INVITE")
	{ 
#		if (!lookup("location")) {
#			xlog("L_ERR","%Tf: Rejecting %ru From %fu To %tu
\n");
#			sl_send_reply("404", "Not Registered");
#			break;
#		};
		if (!uri =~ "sip:43[0-9]{6}@*")
		{ 
        		log(1, "Forwarding to Asterisk\n"); 
        		forward(2.2.2.2,5060); 
        		break; 
    		} 
 	}
	# if the request is for other domain use UsrLoc
	# (in case, it does not work, use the following
command
	# with proper names and addresses in it)
	if (uri==myself) {
		if (method=="REGISTER") {
			if (!www_authorize("xxx.com", "subscriber")) {
				www_challenge("xxx.com", "0");
				break;
			};
			save("location");
			break;
		};
		lookup("aliases");
		if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			#acc_db_request("404 missed call", "missed_calls");
			break;
		};

		setflag(2);
	};
	append_hf("P-hint: usrloc applied\r\n"); 
	route(1);
}

route[1] 
{
	if
(uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"
&& !search("^Route:")){
	    sl_send_reply("479", "We don't forward to private
IP addresses");
	    break;
        };
	
	# if client or server know to be behind a NAT, enable
relay
	if (isflagset(6)) {
	    force_rtp_proxy();
	};

	# NAT processing of replies; apply to all
transactions (for example,
	# re-INVITEs from public to private UA are hard to
identify as
	# NATed at the moment of request processing); look at
replies
	t_on_reply("1");

	# send it out now; use stateful forwarding as it
works reliably
	# even for UDP2TCP
	if (!t_relay()) {
		sl_reply_error();
	};
}
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
{
        fix_nated_contact();
	force_rtp_proxy();
    # otherwise, is it a transaction behind a NAT and
we did not
    # know at time of request processing ? (RFC1918
contacts)
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}



      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

More information about the sr-users mailing list