[Serusers] Problem running SER behind firewall

Greger V. Teigre greger at teigre.com
Wed May 16 09:57:55 CEST 2007


You have to use your public IP by using record_route_preset also for 
non-NATed.
As you can see, the Record-Route header contains your private address.
g-)

Wei Wang wrote:
> Greger,
>
> Thanks for the help. I've added advertised_address to the ser.cfg file. 
>
> ...
> listen=192.168.4.217
> port=5060
> advertised_address=66.134.1.34
> advertised_port=5060
> ....
>
> But it did not seem to help. 
>
> Here is the TCP traffic:
>
> ================= START TCPDUMP =================
> 11:50:38.459320 IP 192.168.4.217.5060 > 66.134.1.34.5060: SIP, length:
> 862
> E..z.. at .@..'....B..".....f..ACK
> sip:1002 at 63.111.4.162:12829;rinstance=1b31f557c9fca8dd SIP/2.0^M
> Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
> Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
> Via: SIP/2.0/UDP
> 68.158.174.169:34634;branch=z9hG4bK-d87543-d50d836cf977ab39-1--d87543-;r
> port=33341^M
> Max-Forwards: 16^M
> Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=8c0a471f>^M
> Contact: <sip:1001 at 68.158.174.169:33341>^M
> To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=4a343c52^M
> From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=8c0a471f^M
> Call-ID: YmNkZDA2NGUzNWQ0MGRmZTBhMDc2OTdhYTFlZTFhMGE.^M
> CSeq: 2 ACK^M
> Proxy-Authorization: Digest
> username="1001",realm="starpound.dnsalias.org",nonce="4649d7f70f1fe18816
> 1fde13326cf91821414477",uri="sip:1002 at starpound.dnsalias.org",response="
> 4e0599dd16884d25bd61cc753ca24a6b",algorithm=MD5^M
> User-Agent: X-Lite release 1009l stamp 38210^M
> Content-Length: 0^M
>
> 11:50:38.459602 IP 192.168.4.1.5060 > 192.168.4.217.5060: SIP, length:
> 862
> E..z.. at .?..%.............f-.ACK
> sip:1002 at 63.111.4.162:12829;rinstance=1b31f557c9fca8dd SIP/2.0^M
> Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
> Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
> Via: SIP/2.0/UDP
> 68.158.174.169:34634;branch=z9hG4bK-d87543-d50d836cf977ab39-1--d87543-;r
> port=33341^M
> Max-Forwards: 16^M
> Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=8c0a471f>^M
> Contact: <sip:1001 at 68.158.174.169:33341>^M
> To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=4a343c52^M
> From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=8c0a471f^M
> Call-ID: YmNkZDA2NGUzNWQ0MGRmZTBhMDc2OTdhYTFlZTFhMGE.^M
> CSeq: 2 ACK^M
> Proxy-Authorization: Digest
> username="1001",realm="starpound.dnsalias.org",nonce="4649d7f70f1fe18816
> 1fde13326cf91821414477",uri="sip:1002 at starpound.dnsalias.org",response="
> 4e0599dd16884d25bd61cc753ca24a6b",algorithm=MD5^M
> User-Agent: X-Lite release 1009l stamp 38210^M
> Content-Length: 0^M
>
> 11:50:38.459885 IP 192.168.4.217.5060 > 66.134.1.34.5060: SIP, length:
> 982
> E..... at .@.-.....B.."......^M.ACK
> sip:1002 at 63.111.4.162:12829;rinstance=1b31f557c9fca8dd SIP/2.0^M
> Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
> Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
> Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
> Via: SIP/2.0/UDP 66.134.1.34:5060;received=192.168.4.1;branch=0^M
> Via: SIP/2.0/UDP
> 68.158.174.169:34634;branch=z9hG4bK-d87543-d50d836cf977ab39-1--d87543-;r
> port=33341^M
> Max-Forwards: 15^M
> Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=8c0a471f>^M
> Contact: <sip:1001 at 68.158.174.169:33341>^M
> To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=4a343c52^M
> From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=8c0a471f^M
> Call-ID: YmNkZDA2NGUzNWQ0MGRmZTBhMDc2OTdhYTFlZTFhMGE.^M
> CSeq: 2 ACK^M
> Proxy-Authorization: Digest
> username="1001",realm="starpound.dnsalias.org",nonce="4649d7f70f1fe18816
> 1fde13326cf91821414477",uri="sip:1002 at starpound.dnsalias.org",response="
> 4e0599dd16884d25bd61cc753ca24a6b",algorithm=MD5^M
> User-Agent: X-Lite release 1009l stamp 38210^M
> Content-Length: 0^M
>
> ================= END TCPDUMP =================
>
> Again, the last ACK was sent to the firewall's external IP
> address (66.134.1.34).
>
>
> -----Original Message-----
> From: Greger V. Teigre [mailto:greger at teigre.com] 
> Sent: Tuesday, May 15, 2007 10:53 AM
> To: Wei Wang
> Cc: serusers at iptel.org
> Subject: Re: [Serusers] Problem running SER behind firewall
>
> You need to use advertised_address and advertised_port just below the listen
> directive.
> g-)
>
> Wei Wang wrote:
>   
>> I have a problem running SER behind a firewall. 
>> Here is the network diagram:
>>
>> |UA1|--|FW1|   +--|FW|--|SER| 
>>          \    /               
>>           +--+                
>>          /    \               
>> |UA2|--|FW2|   +--|MediaProxy|
>>
>> Where, UA1 and UA2 are Xlite soft-phones behind their own firewalls. SER
>> is listening on private IP address 192.168.4.217. FW has public IP
>> address 66.134.1.34 and forwards port 5060 to SER.
>>
>> The ser.cfg file is pretty much copied from the SER Getting Started guide. 
>> When UA1 calls UA2, the call is established fine but UA1 hangs up by
>> itself after ~30 seconds. The captured IP packets on SER revealed that
>> the last ACK received from UA2 by SER was sent to the FW IP address. Since
>> port 5060 is forwarded to SER on the FW, it caused a looping situation.
>> The ser.cfg is listed at the end.
>>
>> Thanks in advance.
>>
>> Wei Wang
>> wwang at m1global.com
>>
>>
>> ======== ser.cfg ============
>> debug=3         # debug level (cmd line: -dddddddddd)
>> fork=yes
>> log_stderror=no # (cmd line: -E)
>>
>> /* Uncomment these lines to enter debugging mode
>> debug=3
>> #debug=9
>> fork=no
>> log_stderror=yes
>> */
>>
>> check_via=no    # (cmd. line: -v)
>> dns=no           # (cmd. line: -r)
>> rev_dns=no      # (cmd. line: -R)
>> listen=192.168.4.217
>> #listen=66.134.1.36
>> port=5060
>> children=4
>> fifo="/tmp/ser_fifo"
>> fifo_db_url="mysql://ser:s3rv1c3@localhost/ser"
>>
>> # ------------------ module loading ----------------------------------
>>
>> # Uncomment this if you want to use SQL database
>> loadmodule "/usr/local/lib/ser/modules/mysql.so"
>> loadmodule "/usr/local/lib/ser/modules/sl.so"
>> loadmodule "/usr/local/lib/ser/modules/tm.so"
>> loadmodule "/usr/local/lib/ser/modules/rr.so"
>> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>> loadmodule "/usr/local/lib/ser/modules/registrar.so"
>> loadmodule "/usr/local/lib/ser/modules/textops.so"
>> loadmodule "/usr/local/lib/ser/modules/permissions.so"
>>
>> # Uncomment this if you want digest authentication
>> # mysql.so must be loaded !
>> loadmodule "/usr/local/lib/ser/modules/auth.so" 
>> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
>> loadmodule "/usr/local/lib/ser/modules/uri.so"
>> loadmodule "/usr/local/lib/ser/modules/uri_db.so"
>> loadmodule "/usr/local/lib/ser/modules/domain.so"
>> loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"
>> loadmodule "/usr/local/lib/ser/modules/nathelper.so"
>> loadmodule "/usr/local/lib/ser/modules/print.so"
>> loadmodule "/usr/local/lib/ser/modules/xlog.so"
>>
>> # ----------------- setting module-specific parameters ---------------
>>
>> # -- usrloc params --
>>
>> #modparam("usrloc", "db_mode",   0)
>>
>> # Uncomment this if you want to use SQL database
>> # for persistent storage and comment the previous line
>> modparam("usrloc", "db_mode", 2)
>>
>> # -- auth params --
>> # Uncomment if you are using auth module
>> #
>> modparam("auth_db|permissions|uri_db|usrloc", "db_url", "mysql://ser:s3rv1c3@localhost/ser")
>> modparam("auth_db", "calculate_ha1", 1)
>> #
>> # If you set the "calculate_ha1" parameter to yes (which is true in this config),
>> # uncomment also the following parameter
>> #
>> modparam("auth_db", "password_column", "password")
>>
>> modparam("nathelper", "rtpproxy_disable", 1)
>> modparam("nathelper", "natping_interval", 0)
>>
>> modparam("mediaproxy", "natping_interval", 30)
>> #modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy.sock")
>> modparam("mediaproxy", "mediaproxy_socket", "/var/run/proxydispatcher.sock")
>> modparam("mediaproxy", "sip_asymmetrics", "/usr/local/etc/ser/sip-clients")
>> modparam("mediaproxy", "rtp_asymmetrics", "/usr/local/etc/ser/rtp-clients")
>>
>> modparam("registrar", "nat_flag", 6)
>>
>> # -- rr params --
>> # add value to ;lr param to make some broken UAs happy
>> modparam("rr", "enable_full_lr", 1)
>>
>> modparam("permissions", "db_mode", 1)
>> modparam("permissions", "trusted_table", "trusted")
>>
>> modparam("xlog", "buf_size", 8192)
>>
>> # -------------------------  request routing logic -------------------
>>
>> # main routing logic
>>
>> route{
>> #       xlog("L_INFO", "Main route [From]%fu,[To]%tu,[Req-Method]%rm,[Req-RURI]%ru[IP-src]%is ...\n");
>>         if(method != "SUBSCRIBE") {
>>                 xlog("L_INFO", "\r\n===========SIP MSG==================\r\n%mb\r\n_____END SIP MSG________________________\r\n");
>>         };
>>
>>         # initial sanity checks -- messages with
>>         # max_forwards==0, or excessively long requests
>>         if (!mf_process_maxfwd_header("10")) {
>>                 sl_send_reply("483","Too Many Hops");
>>                 break;
>>         };
>>         if (msg:len >=  4086 ) {
>>                 sl_send_reply("513", "Message too big");
>>                 break;
>>         };
>>
>>         # we record-route all messages -- to make sure that
>>         # subsequent messages will go through our proxy; that's
>>         # particularly good if upstream and downstream entities
>>         # use different transport protocol
>>         if (method == "INVITE" && client_nat_test("3")) {
>> #               xlog("L_INFO", "method==INVITE and nated: calling record_route_preset\n");
>>                 # IP ADDRESS Here
>>                 record_route_preset("66.134.1.34:5060;nat=yes");
>>         } else if (method!="REGISTER") {
>>                 record_route();
>>         };
>>         # -------------------------
>>         # Call Tear Down Section
>>         #-------------------------
>>         if(method=="BYE" || method=="CANCEL") {
>> #xlog("L_INFO", "RECEIVED BYE or CANCEL...");
>>                 end_media_session();
>>         };
>>
>>         # subsequent messages withing a dialog should take the
>>         # path determined by record-routing
>>         if (loose_route()) {
>>                 xlog("L_INFO", "DEBUG: loose_route...");
>>
>>                 if((method=="INVITE" || method == "REFER") && !has_totag()) {
>>                         sl_send_reply("403", "Forbidden");
>>                         break;
>>                 };
>>                 if(method == "INVITE") {
>>                         if(!allow_trusted()) {
>>                                 if(!proxy_authorize("", "subscriber")) {
>>                                         proxy_challenge("", "0");
>>                                         break;
>>                                 } else if(!check_from()) {
>>                                         sl_send_reply("403", "Use From=ID");
>>                                         break;
>>                                 };
>>                                 consume_credentials();
>>                         }
>>                         if(client_nat_test("3")
>>                                 || search("^Route:.*;nat=yes")) {
>>                                 setflag(6);
>>                                 use_media_proxy();
>>                         };
>>                 };
>>                 # mark routing logic in request
>>                 #append_hf("P-hint: rr-enforced\r\n");
>>                 route(1);
>>                 break;
>>         };
>>
>>         if (!uri==myself) {
>>                 route(4);
>>                 # mark routing logic in request
>>                 #append_hf("P-hint: outbound\r\n");
>>                 route(1);
>>                 break;
>>         };
>>
>>         # if the request is for other domain use UsrLoc
>>         # (in case, it does not work, use the following command
>>         # with proper names and addresses in it)
>>         if(method == "ACK") {
>>                 route(1);
>>                 break;
>>         } else if(method=="CANCEL") {
>>                 route(1);
>>                 break;
>>         } else if(method == "INVITE") {
>>                 route(3);
>>                 break;
>>         } else if (method=="REGISTER") {
>>                 route(2);
>>                 break;
>>         };
>>
>>         lookup("aliases");
>>         if (!uri==myself) {
>>
>>                 route(4);
>>                 #append_hf("P-hint: outbound alias\r\n");
>>                 route(1);
>>                 break;
>>         };
>>
>>         # native SIP destinations are handled using our USRLOC DB
>>         if (!lookup("location")) {
>>                 sl_send_reply("404", "Not Found");
>>                 break;
>>         };
>>         append_hf("P-hint: usrloc applied\r\n");
>>         route(1);
>> }
>>
>> route[1]
>> {
>>         t_on_reply("1");
>>
>>         # send it out now; use stateful forwarding as it works reliably
>>         # even for UDP2TCP
>>         if (!t_relay()) {
>>                 if(method=="INVITE" || method == "ACK") {
>>                         end_media_session();
>>                 };
>>                 sl_reply_error();
>>         };
>> }
>>
>> route[2]
>> {
>>         ############################
>>         # REGISTER Message Handler
>>         ###########################
>>         sl_send_reply("100", "Trying");
>>
>>         if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
>>                 setflag(6);
>>                 fix_nated_register();
>>                 force_rport();
>>         };
>>         if(!www_authorize("", "subscriber")) {
>>                 www_challenge("", "0");
>>                 break;
>>         };
>>
>>         if(!check_to()) {
>>                 sl_send_reply("401", "Unauthorized");
>>                 break;
>>         };
>>         consume_credentials();
>>
>>         if(!save("location")) {
>>                 sl_reply_error();
>>         };
>> }
>>
>> route[3]
>> {
>>         ############################
>>         # INVITE Message Handler
>>         ###########################
>>         if(client_nat_test("3")) {
>>                 setflag(7);
>>                 force_rport();
>>                 fix_nated_contact();
>>         };
>>
>>         if(!allow_trusted()) {
>>                 if(!proxy_authorize("", "subscriber")) {
>>                         proxy_challenge("", "0");
>>                         break;
>>                 } else if(!check_from()) {
>>                         sl_send_reply("403", "Use From=ID");
>>                         break;
>>                 };
>>         };
>>         consume_credentials();
>>
>>         lookup("aliases");
>>         if(uri != myself) {
>>                 route(4);
>>                 route(1);
>>                 break;
>>         };
>>
>>         if(!lookup("location")) {
>>                 sl_send_reply("404", "User Not Found");
>>                 break;
>>         };
>>
>>         route(4);
>>         route(1);
>> }
>>
>> route[4] {
>>         #----------------------------
>>         # NAT Traversal Section
>>         #----------------------------
>>
>>         if(isflagset(6) || isflagset(7)) {
>>                 if(!isflagset(8)) {
>>                         setflag(8);
>>                         use_media_proxy();
>>                 };
>>         };
>> }
>>
>> onreply_route[1] {
>>         # status regex: a 180/183 provisional or any 2xx final response
>>         if((isflagset(6) || isflagset(7))
>>                 && (status =~ "(180)|(183)|2[0-9][0-9]")) {
>>
>>                 if(!search("^Content-Length:[ ]*0")) {
>>                         use_media_proxy();
>>                 };
>>         };
>>
>>         if(client_nat_test("1")) {
>>                 fix_nated_contact();
>>         };
>> }
>> =============== END ser.cfg ================
>> _______________________________________________
>> Serusers mailing list
>> Serusers at lists.iptel.org
>> http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
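A small diagnostic that applies Greger's reading of the capture to a SIP request, added here as an example and not code from the thread or from SER: it flags Record-Route entries that carry a private (RFC 1918) address, duplicate Record-Route entries (the request passed the proxy twice, i.e. the loop), and Via headers whose received= host differs from the stamped sent-by host. The sample message is constructed from the third ACK in the tcpdump above, with branch values shortened and a few headers dropped.

```python
import ipaddress
import re

# Constructed sample, modelled on the looped ACK in the tcpdump above.
LOOPED_ACK = """\
ACK sip:1002@63.111.4.162:12829 SIP/2.0
Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>
Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>
Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0
Via: SIP/2.0/UDP 66.134.1.34:5060;received=192.168.4.1;branch=0
Via: SIP/2.0/UDP 68.158.174.169:34634;branch=z9hG4bK-d87543;rport=33341
Max-Forwards: 15
"""

URI_HOST = re.compile(r"sip:(?:[^@>;]*@)?([0-9.]+)")   # host part of <sip:...>
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([0-9.]+)")      # sent-by host of a Via

def headers(msg, name):
    """Values of every header called `name` (case-insensitive), in wire order."""
    vals = []
    for line in msg.splitlines()[1:]:        # skip the request line
        if not line.strip():
            break                            # blank line ends the headers
        hname, _, value = line.partition(":")
        if hname.strip().lower() == name:
            vals.append(value.strip())
    return vals

def record_route_hosts(msg):
    return [m.group(1) for v in headers(msg, "record-route")
            if (m := URI_HOST.search(v))]

def diagnose(msg):
    """Return human-readable findings about how the proxy record-routed."""
    findings = []
    rr = record_route_hosts(msg)
    for host in sorted(set(rr)):
        if ipaddress.ip_address(host).is_private:
            findings.append(f"Record-Route carries private address {host}; "
                            "advertise the public address instead")
    if len(rr) != len(set(rr)):
        findings.append("duplicate Record-Route: request traversed this proxy twice (loop)")
    for via in headers(msg, "via"):
        sent_by, recv = VIA_HOST.search(via), re.search(r";received=([0-9.]+)", via)
        if sent_by and recv and sent_by.group(1) != recv.group(1):
            findings.append(f"Via stamped {sent_by.group(1)} but received from "
                            f"{recv.group(1)}: the request came back via the firewall")
    return findings
```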