[OpenSER-Users] OpenSER as NAT traversal proxy HELP!

Robert Dyck rob.dyck at telus.net
Tue Jul 22 02:38:21 CEST 2008


I understand that the iptables SIP ALG has been much revised this year 
although I have not tested it myself. I believe you need at least linux 
2.6.25.

On Monday 21 July 2008, Joris Dobbelsteen wrote:
> Neill Wilkinson wrote:
> > If you are using IPtables and are familiar with how to add modules -
> > there is a sip connection tracking module that might help:
> >
> > http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
> >
> > Neill...;o)
> >
> > Neill Wilkinson
> > Principal Consultant
> >
> > Aeonvista Ltd - opening up new ideas
>
> I have that installed, but to the outside the SIP packets still carry
> the LAN IP address. I'm currently missing audio (at least inbound is
> nowhere to be seen) and it doesn't really work reliably at this moment.
> That is a real problem currently and must be solved reliably.
>
> The ZyXEL modem I have was intended to be the NAT router for the
> network, but it's configured differently in my case, so I can't make that
> thing play nicely with NAT.
>
> lsmod on the firewall:
> ip_nat_sip              8832  0
> ip_conntrack_sip       13392  1 ip_nat_sip
>
> Thanks so far,
>
> - Joris
>
> > -----Original Message-----
> > From: users-bounces at lists.openser.org
> > [mailto:users-bounces at lists.openser.org] On Behalf Of Joris Dobbelsteen
> > Sent: 21 July 2008 21:10
> > To: users at lists.openser.org
> > Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
> >
> > Dear,
> >
> > I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
> > home phone keeps breaking voice channels (the box was not intended
> > behind NAT and I'm, of course, using a configuration that is not so well
> > supported).
> >
> > What is the idea:
> >
> > SIP transactions should travel this way:
> > ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
> >
> > RTP should travel this way:
> > ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
> >
> >
> > My current test is using X-Lite with voipbuster, but that doesn't really
> > work. It seems that registers are functioning, at least X-Lite reports
> > itself being registered.
> > Voice calls always end up in timeouts, so something is really going
> > wrong here, it might be authentication problems?
> >
> > An added problem is that I have just sufficient knowledge of SIP to see
> > what it is doing, without really knowing what to expect exactly.
> > Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
> > time even grasping the configuration I typed in. This is not really
> > helpful
> >
> > What I do know:
> > * SIP Proxy traffic is flowing.
> > * SIP INVITES don't work at all.
> > * SIP to RTP is communication, but I don't know if RTP is actually
> > flowing.
> >
> > I stole most of the configuration from the "04 NAT Traversal" slides of
> > the "Italy 2007 Admin course", to which there is a link on the
> > documentation site. I adapted it to make it work with the debian
> > supplied OpenSER 1.1.
> >
> > How do I get this all working?
> > What am I getting wrong?
> >
> > I really really appreciate any help I can get to get it working!
> >
> > - Joris
> >
> >
> > Config is this:
> > # ----------- global configuration parameters ------------------------
> >
> > debug=4            # debug level (cmd line: -dddddddddd)
> > fork=yes           # Set to no to enter debugging mode
> > log_stderror=no    # (cmd line: -E) Set to yes to enter debugging mode
> >
> > check_via=no    # (cmd. line: -v)
> > dns=no          # (cmd. line: -r)
> > rev_dns=no      # (cmd. line: -R)
> > advertised_address="82.168.191.xx"
> > advertised_port=5060
> > port=5060
> > children=4
> > fifo="/tmp/openser_fifo"
> >
> > #
> > # ------------------ module loading ----------------------------------
> >
> > # Uncomment this if you want to use SQL database
> > mpath="/usr/lib/openser/modules/"
> > loadmodule "mysql.so"
> > loadmodule "sl.so"
> > loadmodule "tm.so"
> > loadmodule "rr.so"
> > loadmodule "maxfwd.so"
> > loadmodule "usrloc.so"
> > loadmodule "registrar.so"
> > loadmodule "textops.so"
> > loadmodule "nathelper.so"
> >
> > # Uncomment this if you want digest authentication
> > # mysql.so must be loaded !
> > loadmodule "auth.so"
> > loadmodule "auth_db.so"
> >
> > # ----------------- setting module-specific parameters ---------------
> >
> > # -- usrloc params --
> >
> > modparam("usrloc", "db_mode",   0)
> >
> > # Uncomment this if you want to use SQL database
> > # for persistent storage and comment the previous line
> > #modparam("usrloc", "db_mode", 2)
> >
> > # -- auth params --
> > # Uncomment if you are using auth module
> > #
> > modparam("auth_db", "calculate_ha1", yes)
> > #
> > # If you set "calculate_ha1" parameter to yes (which is true in this
> > # config), uncomment also the following parameter)
> > #
> > modparam("auth_db", "password_column", "password")
> >
> > # -- rr params --
> > # add value to ;lr param to make some broken UAs happy
> > modparam("rr", "enable_full_lr", 1)
> >
> > # -- nathelper params ---
> > modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
> > modparam("nathelper", "natping_interval", 30)
> > modparam("nathelper", "ping_nated_only", 1)
> > #modparam("nathelper", "sipping_bflag", 7)
> > modparam("nathelper", "sipping_from", "sip:pinger at 82.168.191.xx")
> >
> > # -------------------------  request routing logic -------------------
> >
> > # main routing logic
> >
> > route{
> >
> >          # initial sanity checks -- messages with
> >          # max_forwards==0, or excessively long requests
> >          if (!mf_process_maxfwd_header("10")) {
> >                  sl_send_reply("483","Too Many Hops");
> >                  exit;
> >          };
> >
> >          if (msg:len >=  2048 ) {
> >                  sl_send_reply("513", "Message too big");
> >                  exit;
> >          };
> >
> >          # NAT detection
> >          route(2);
> >
> >          # we record-route all messages -- to make sure that
> >          # subsequent messages will go through our proxy; that's
> >          # particularly good if upstream and downstream entities
> >          # use different transport protocol
> >          if (!method=="REGISTER")
> >                  record_route();
> >
> >          # subsequent messages within a dialog should take the
> >          # path determined by record-routing
> >          if (loose_route()) {
> >                  # mark routing logic in request
> >                  append_hf("P-hint: rr-enforced\r\n");
> >                  route(1);
> >          };
> >
> >          if (!uri==myself) {
> >                  # mark routing logic in request
> >                  append_hf("P-hint: outbound\r\n");
> >                  # if you have some interdomain connections via TLS
> >                  #if(uri=~"@tls_domain1.net") {
> >                  #       t_relay("tls:domain1.net");
> >                  #       exit;
> >                  #} else if(uri=~"@tls_domain2.net") {
> >                  #       t_relay("tls:domain2.net");
> >                  #       exit;
> >                  #}
> >                  route(1);
> >          };
> >
> >          # if the request is for other domain use UsrLoc
> >          # (in case, it does not work, use the following command
> >          # with proper names and addresses in it)
> >          if (uri==myself) {
> >
> >                  if (method=="REGISTER") {
> >
> >                          # Uncomment this if you want to use digest authentication
> >                          if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
> >                                  www_challenge("sip.familiedobbelsteen.nl", "0");
> >                                  exit;
> >                          };
> >
> >                          if (isflagset(5)) {
> >                                  # set branch flag -- when someone will call this user
> >                                  # INVITE will have branch flag 6 set after lookup("location")
> >                                  setflag(6);
> >                                  # if you want OPTIONS natpings uncomment next
> >                                  # setflag(7);
> >                          };
> >
> >                          save("location");
> >                          exit;
> >                  };
> >
> >                  lookup("aliases");
> >                  if (!uri==myself) {
> >                          append_hf("P-hint: outbound alias\r\n");
> >                          route(1);
> >                  };
> >
> >                  # native SIP destinations are handled using our USRLOC DB
> >                  if (!lookup("location")) {
> >                          sl_send_reply("404", "Not Found");
> >                          exit;
> >                  };
> >                  append_hf("P-hint: usrloc applied\r\n");
> >          };
> >
> >          route(1);
> > }
> >
> >
> > route[1] {
> >          # send it out now; use stateful forwarding as it works reliably
> >          # even for UDP2TCP
> >          if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
> >                  setflag(6);
> >          };
> >
> >          if (isflagset(5) || isflagset(6)) {
> >                  route(3);
> >          };
> >
> >          if (!t_relay()) {
> >                  sl_reply_error();
> >          };
> >          exit;
> > }
> >
> > route[2] {
> >          force_rport();
> >          if(nat_uac_test("19")) {
> >                  if (method=="REGISTER") {
> >                          fix_nated_register();
> >                  } else {
> >                          fix_nated_contact();
> >                  };
> >                  setflag(5);
> >          };
> > }
> >
> > route[3] {
> >          if (is_method("BYE")) {
> >                  unforce_rtp_proxy();
> >          } else if (is_method("INVITE")) {
> >                  force_rtp_proxy("", "82.168.191.xx");
> >                  t_on_failure("2");
> >          };
> >          if (isflagset(5))
> >                  search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >          t_on_reply("1");
> > }
> >
> > failure_route[2] {
> >          if (isflagset(6)||isflagset(5)) {
> >                  unforce_rtp_proxy();
> >          };
> > }
> >
> > onreply_route[1] {
> >          if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") {
> >                  force_rtp_proxy();
> >          };
> >          search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >
> >          if (isflagset(6)) {
> >                  fix_nated_contact();
> >          };
> >          exit;
> > }
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.openser.org
> > http://lists.openser.org/cgi-bin/mailman/listinfo/users
>
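An added example, not part of the thread and not OpenSER code: a Python model of the tests that `nat_uac_test("19")` in `route[2]` selects, useful for checking which fields of a captured request still carry a LAN address. The flag meanings (1 Contact is RFC 1918, 2 Via address differs from packet source, 4 top Via is RFC 1918, 8 SDP is RFC 1918, 16 Via port differs from source port) are my reading of the nathelper documentation and should be checked against the installed version; the SIP message, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed INVITE from a UA on the LAN; every address here is a sample value.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.org>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.10.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.10.20",
    "s=-",
    "c=IN IP4 192.168.10.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an address literal
        return False
    return any(addr in net for net in RFC1918)

def nat_test_flags(message, src_ip, src_port):  # bitmask of NAT indications
    head, _, body = message.partition("\r\n\r\n")
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", head, re.M | re.I)
    contact = re.search(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)", head, re.M | re.I)
    sdp_c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    via_host = via.group(1) if via else ""
    via_port = int(via.group(2)) if via and via.group(2) else 5060
    flags = 0
    flags |= 1 if contact and is_rfc1918(contact.group(1)) else 0  # Contact is private
    flags |= 2 if via_host != src_ip else 0                        # Via != packet source
    flags |= 4 if is_rfc1918(via_host) else 0                      # top Via is private
    flags |= 8 if sdp_c and is_rfc1918(sdp_c.group(1)) else 0      # SDP c= is private
    flags |= 16 if via_port != src_port else 0                     # Via port != source port
    return flags

def nat_uac_test(mask, flags):
    # Selected tests are OR-ed: any hit marks the request as NATed.
    return bool(flags & int(mask))
```

When the UA sits on the same LAN as the proxy (source `192.168.10.20:5060`), the result is 13, so mask 19 still matches through the Contact test alone even though the packet itself did not cross a NAT.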