[OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Joris Dobbelsteen
joris at familiedobbelsteen.nl
Tue Jul 22 12:14:24 CEST 2008
Neill Wilkinson wrote:
> Joris,
>
> I also note that you fix the Contact and the Register in Router(2).
>
> You'll also need to fix_nated_sdp too. The media values in the SDP will need
> to be modified from the private IP Address.
Neill,
Where should I put these, around force_rtp_proxy? Because I thought it
already did this?
Like I said, I'm new to OpenSER and have quite a few problems
understanding where all the magic really happens.
Thanks,
- Joris
> Neill....;o)
> Neill Wilkinson
> Principal Consultant
>
> Aeonvista Ltd - opening up new ideas
>
>
>
>
> -----Original Message-----
> From: Joris Dobbelsteen [mailto:joris at familiedobbelsteen.nl]
> Sent: 22 July 2008 09:05
> To: Robert Dyck
> Cc: users at lists.openser.org; Neill Wilkinson
> Subject: Re: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>
> Robert Dyck wrote:
>> I understand that the iptables SIP ALG has been much revised this year
>> although I have not tested it myself. I believe you need at least linux
>> 2.6.25.
>
> The unfortunate situation is that I currently run Debian, which has the
> 2.6.18 kernel. Furthermore, the box runs Xen and the latest kernel does
> not support Xen yet. So I'm out of luck in this department in many ways.
>
> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
> another solution is more suited for the problem I have?
>
> - Joris
>
>> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>>> Neill Wilkinson wrote:
>>>> If you are using IPtables and are familiar with how to add modules -
>>>> there is a sip connection tracking module that might help:
>>>>
>>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>>
>>>> Neill...;o)
>>>>
>>>> Neill Wilkinson
>>>> Principal Consultant
>>>>
>>>> Aeonvista Ltd - opening up new ideas
>>> I have that installed, but to the outside the SIP packets still carry
>>> the LAN IP address. I'm currently missing audio (at least inbound is
>>> nowhere to be seen) and it doesn't really work reliably at this moment.
>>> That is a real problem currently and must be solved reliably.
>>>
>>> The ZyXEL modem I have was intended to be the NAT router for the
>>> network, but it's configured differently in my case, so I can't make that
>>> thing play nicely with NAT.
>>>
>>> lsmod on the firewall:
>>> ip_nat_sip 8832 0
>>> ip_conntrack_sip 13392 1 ip_nat_sip
>>>
>>> Thanks so far,
>>>
>>> - Joris
>>>
>>>> -----Original Message-----
>>>> From: users-bounces at lists.openser.org
>>>> [mailto:users-bounces at lists.openser.org] On Behalf Of Joris Dobbelsteen
>>>> Sent: 21 July 2008 21:10
>>>> To: users at lists.openser.org
>>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>>
>>>> Dear,
>>>>
>>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
>>>> home phone keeps breaking voice channels (the box was not intended to be
>>>> behind NAT and I'm, of course, using a configuration that is not so well
>>>> supported).
>>>>
>>>> What is the idea:
>>>>
>>>> SIP transactions should travel this way:
>>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
>>>>
>>>> RTP should travel this way:
>>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>>
>>>>
>>>> My current test is using X-Lite with voipbuster, but that doesn't really
>>>> work. It seems that registers are functioning, at least X-Lite reports
>>>> itself being registered.
>>>> Voice calls always end up in timeouts, so something is really going
>>>> wrong here, it might be authentication problems?
>>>>
>>>> An added problem is that I have just sufficient knowledge of SIP to see
>>>> what it is doing, without really knowing what to expect exactly.
>>>> Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
>>>> time even grasping the configuration I typed in. This is not really
>>>> helpful
>>>>
>>>> What I do know:
>>>> * SIP Proxy traffic is flowing.
>>>> * SIP INVITES don't work at all.
>>>> * SIP to RTP is communication, but I don't know if RTP is actually
>>>> flowing.
>>>>
>>>> I stole most of the configuration from the "04 NAT Traversal" slides of
>>>> the "Italy 2007 Admin course", to which there is a link on the
>>>> documentation site. I adapted it to make it work with the Debian
>>>> supplied OpenSER 1.1.
>>>>
>>>> How do I get this all working?
>>>> What am I getting wrong?
>>>>
>>>> I really, really appreciate any help I can get to get it working!
>>>>
>>>> - Joris
>>>>
>>>>
>>>> Config is this:
>>>> # ----------- global configuration parameters ------------------------
>>>>
>>>> debug=4 # debug level (cmd line: -dddddddddd)
>>>> fork=yes # Set to no to enter debugging mode
>>>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
>>>>
>>>> check_via=no # (cmd. line: -v)
>>>> dns=no # (cmd. line: -r)
>>>> rev_dns=no # (cmd. line: -R)
>>>> advertised_address="82.168.191.xx"
>>>> advertised_port=5060
>>>> port=5060
>>>> children=4
>>>> fifo="/tmp/openser_fifo"
>>>>
>>>> #
>>>> # ------------------ module loading ----------------------------------
>>>>
>>>> # Uncomment this if you want to use SQL database
>>>> mpath="/usr/lib/openser/modules/"
>>>> loadmodule "mysql.so"
>>>> loadmodule "sl.so"
>>>> loadmodule "tm.so"
>>>> loadmodule "rr.so"
>>>> loadmodule "maxfwd.so"
>>>> loadmodule "usrloc.so"
>>>> loadmodule "registrar.so"
>>>> loadmodule "textops.so"
>>>> loadmodule "nathelper.so"
>>>>
>>>> # Uncomment this if you want digest authentication
>>>> # mysql.so must be loaded !
>>>> loadmodule "auth.so"
>>>> loadmodule "auth_db.so"
>>>>
>>>> # ----------------- setting module-specific parameters ---------------
>>>>
>>>> # -- usrloc params --
>>>>
>>>> modparam("usrloc", "db_mode", 0)
>>>>
>>>> # Uncomment this if you want to use SQL database
>>>> # for persistent storage and comment the previous line
>>>> #modparam("usrloc", "db_mode", 2)
>>>>
>>>> # -- auth params --
>>>> # Uncomment if you are using auth module
>>>> #
>>>> modparam("auth_db", "calculate_ha1", yes)
>>>> #
>>>> # If you set "calculate_ha1" parameter to yes (which true in this config),
>>>> # uncomment also the following parameter)
>>>> #
>>>> modparam("auth_db", "password_column", "password")
>>>>
>>>> # -- rr params --
>>>> # add value to ;lr param to make some broken UAs happy
>>>> modparam("rr", "enable_full_lr", 1)
>>>>
>>>> # -- nathelper params ---
>>>> modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
>>>> modparam("nathelper", "natping_interval", 30)
>>>> modparam("nathelper", "ping_nated_only", 1)
>>>> #modparam("nathelper", "sipping_bflag", 7)
>>>> modparam("nathelper", "sipping_from", "sip:pinger@82.168.191.xx")
>>>>
>>>> # ------------------------- request routing logic -------------------
>>>>
>>>> # main routing logic
>>>>
>>>> route{
>>>>
>>>>     # initial sanity checks -- messages with
>>>>     # max_forwards==0, or excessively long requests
>>>>     if (!mf_process_maxfwd_header("10")) {
>>>>         sl_send_reply("483","Too Many Hops");
>>>>         exit;
>>>>     };
>>>>
>>>>     if (msg:len >= 2048 ) {
>>>>         sl_send_reply("513", "Message too big");
>>>>         exit;
>>>>     };
>>>>
>>>>     # NAT detection
>>>>     route(2);
>>>>
>>>>     # we record-route all messages -- to make sure that
>>>>     # subsequent messages will go through our proxy; that's
>>>>     # particularly good if upstream and downstream entities
>>>>     # use different transport protocol
>>>>     if (!method=="REGISTER")
>>>>         record_route();
>>>>
>>>>     # subsequent messages within a dialog should take the
>>>>     # path determined by record-routing
>>>>     if (loose_route()) {
>>>>         # mark routing logic in request
>>>>         append_hf("P-hint: rr-enforced\r\n");
>>>>         route(1);
>>>>     };
>>>>
>>>>     if (!uri==myself) {
>>>>         # mark routing logic in request
>>>>         append_hf("P-hint: outbound\r\n");
>>>>         # if you have some interdomain connections via TLS
>>>>         #if(uri=~"@tls_domain1.net") {
>>>>         #    t_relay("tls:domain1.net");
>>>>         #    exit;
>>>>         #} else if(uri=~"@tls_domain2.net") {
>>>>         #    t_relay("tls:domain2.net");
>>>>         #    exit;
>>>>         #}
>>>>         route(1);
>>>>     };
>>>>
>>>>     # if the request is for other domain use UsrLoc
>>>>     # (in case, it does not work, use the following command
>>>>     # with proper names and addresses in it)
>>>>     if (uri==myself) {
>>>>
>>>>         if (method=="REGISTER") {
>>>>
>>>>             # Uncomment this if you want to use digest authentication
>>>>             if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
>>>>                 www_challenge("sip.familiedobbelsteen.nl", "0");
>>>>                 exit;
>>>>             };
>>>>
>>>>             if (isflagset(5)) {
>>>>                 # set branch flag -- when someone will call this user
>>>>                 # INVITE will have branch flag 6 set after lookup("location")
>>>>                 setflag(6);
>>>>                 # if you want OPTIONS natpings uncomment next
>>>>                 # setflag(7);
>>>>             };
>>>>
>>>>             save("location");
>>>>             exit;
>>>>         };
>>>>
>>>>         lookup("aliases");
>>>>         if (!uri==myself) {
>>>>             append_hf("P-hint: outbound alias\r\n");
>>>>             route(1);
>>>>         };
>>>>
>>>>         # native SIP destinations are handled using our USRLOC DB
>>>>         if (!lookup("location")) {
>>>>             sl_send_reply("404", "Not Found");
>>>>             exit;
>>>>         };
>>>>         append_hf("P-hint: usrloc applied\r\n");
>>>>     };
>>>>
>>>>     route(1);
>>>> }
>>>>
>>>>
>>>> route[1] {
>>>>     # send it out now; use stateful forwarding as it works reliably
>>>>     # even for UDP2TCP
>>>>     if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>>>         setflag(6);
>>>>     };
>>>>
>>>>     if (isflagset(5) || isflagset(6)) {
>>>>         route(3);
>>>>     };
>>>>
>>>>     if (!t_relay()) {
>>>>         sl_reply_error();
>>>>     };
>>>>     exit;
>>>> }
>>>>
>>>> route[2] {
>>>>     force_rport();
>>>>     if(nat_uac_test("19")) {
>>>>         if (method=="REGISTER") {
>>>>             fix_nated_register();
>>>>         } else {
>>>>             fix_nated_contact();
>>>>         };
>>>>         setflag(5);
>>>>     };
>>>> }
>>>>
>>>> route[3] {
>>>>     if (is_method("BYE")) {
>>>>         unforce_rtp_proxy();
>>>>     } else if (is_method("INVITE")) {
>>>>         force_rtp_proxy("", "82.168.191.xx");
>>>>         t_on_failure("2");
>>>>     };
>>>>     if (isflagset(5))
>>>>         search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>>>>     t_on_reply("1");
>>>> }
>>>>
>>>> failure_route[2] {
>>>>     if (isflagset(6)||isflagset(5)) {
>>>>         unforce_rtp_proxy();
>>>>     };
>>>> }
>>>>
>>>> onreply_route[1] {
>>>>     if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") {
>>>>         force_rtp_proxy();
>>>>     };
>>>>     search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>>>>
>>>>     if (isflagset(6)) {
>>>>         fix_nated_contact();
>>>>     };
>>>>     exit;
>>>> }
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.openser.org
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>
>
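
The thread turns on which parts of a SIP request still carry the private address: the quoted config calls nat_uac_test("19"), which selects tests 1, 2 and 16 and leaves out test 8 (the SDP check). The following is an added example, not part of the original messages and not nathelper's code: a simplified Python re-implementation of those checks, with the message, the addresses (203.0.113.7 as the public source) and the helper names all constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed INVITE from a UA behind NAT (sample data, not from the thread).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK-constructed",
    "Contact: <sip:alice@192.168.10.20:5060>",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.168.10.20",
    "c=IN IP4 192.168.10.20",
    "m=audio 49170 RTP/AVP 0",
    "",
])

def has_rfc1918(text):
    """True if text contains an IPv4 address in an RFC 1918 range."""
    for cand in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if any(addr in net for net in RFC1918):
            return True
    return False

def nat_tests(msg, src_ip, src_port):
    """Bitmask of the tests that fire, numbered as in nat_uac_test."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = head.split("\r\n")[1:]
    via = next(h for h in headers if h.lower().startswith("via:"))
    contact = "".join(h for h in headers if h.lower().startswith("contact:"))
    m = re.search(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", via)
    via_host, via_port = m.group(1), int(m.group(2) or 5060)
    sdp = " ".join(l for l in body.split("\r\n") if l[:2] in ("c=", "o="))
    fired = 0
    fired |= 1 if has_rfc1918(contact) else 0    # private address in Contact
    fired |= 2 if via_host != src_ip else 0      # Via host != packet source
    fired |= 4 if has_rfc1918(via_host) else 0   # private address in top Via
    fired |= 8 if has_rfc1918(sdp) else 0        # private address in SDP
    fired |= 16 if via_port != src_port else 0   # Via port != source port
    return fired

def nat_uac_test(msg, src_ip, src_port, mask):
    return nat_tests(msg, src_ip, src_port) & mask  # only selected tests count
```

With the sample message arriving from 203.0.113.7:40112 every test fires; a request whose Via and Contact are already public but whose SDP is not passes mask 19 untouched and is caught only when test 8 is included.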