[OpenSER-Users] OpenSER as NAT traversal proxy HELP!

Joris Dobbelsteen joris at familiedobbelsteen.nl
Tue Jul 22 14:25:14 CEST 2008


All right, I have been trying without too much success so far :(

The SIP signalling path seems to be working OK, but not for voice. Some 
magic is going on, for which I cannot really grasp the how and why. I 
got outgoing signalling from my ZyXEL UA to the RTPProxy, which is 
relaying it to the upstream SIP proxy, but NOT the host that SHOULD 
receive the signal.

******************

I have been monitoring the channel between the Internet Firewall and 
ADSL modem (bridge), which also happens to have the VoIP modem 
connected. (Long live SpeedTouch with their switch with port 
mirror/monitor function.)

[UA -> SER-proxy] INVITE
SDP: c=192.168.8.193 : 60026 (RTP)

[SER-proxy -> Inet-server] INVITE
SDP: c=82.168.191.xx : 35120 (RTP)

[Inet-server -> SER-proxy] 183 Session progress
SDP: c=62.41.aa.bb : 9112 (RTP)

[SER-proxy -> UA] 183 Session progress
SDP: c=82.168.191.xx : 35122 (RTP)

=== Looks OK for the untrained eye...

RTP traffic spotted
192.168.8.193:60026 -> 82.168.191.xx:35122
   :: Looks OK
82.168.191.xx:35122 -> 194..221.62.dd:9112
   :: Takes SIP Inet server IP address, but SHOULD take 62.41.aa.bb!

=== Don't see traffic flowing in the other direction, NOT good! Maybe 
it's still trying to send to 192.168.8.193, but I can't monitor that in 
any way...

******************

It seems quite hard to get this all working as desired/how it should 
work. And that seems a good reason to try some of the alternatives, like 
siproxd. Maybe that's better suited for my immediate needs...

Still, I like the flexibility you get with OpenSER, but I need a 
"production" installation really really fast! I'll probably be digging 
into this at some later date, when I'm grasping more how everything is 
actually implemented and how it should be working.

Thanks for the help so far!
Of course I'm still open to suggestions and advice.

- Joris

Joris Dobbelsteen wrote:
> Dear,
> 
> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my 
> home phone keeps breaking voice channels (the box was not intended 
> behind NAT and I'm, of course, using a configuration that is not so well 
> supported).
> 
> What is the idea:
> 
> SIP transactions should travel this way:
> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
> 
> RTP should travel this way:
> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
> 
> 
> My current test is using X-Lite with voipbuster, but that doesn't really 
> work. It seems that registers are functioning, at least X-Lite reports 
> itself being registered.
> Voice calls always end up in timeouts, so something is really going 
> wrong here, it might be authentication problems?
> 
> An added problem is that I have just sufficient knowledge of SIP to see 
> what it is doing, without really knowing what to expect exactly. 
> Furthermore I have virtually no knowledge of OpenSER. I've quite a hard 
> time even grasping the configuration I typed in. This is not really helpful.
> 
> What I do know:
> * SIP Proxy traffic is flowing.
> * SIP INVITES don't work at all.
> * SIP to RTP is communication, but I don't know if RTP is actually flowing.
> 
> I stole most of the configuration from the "04 NAT Traversal" slides of 
> the "Italy 2007 Admin course", to which there is a link on the 
> documentation site. I adapted it to make it work with the debian 
> supplied OpenSER 1.1.
> 
> How do I get this all working?
> What am I getting wrong?
> 
> I really really appreciate any help I can get to get it working!
> 
> - Joris
> 
> 
> Config is this:
> # ----------- global configuration parameters ------------------------
> 
> debug=4            # debug level (cmd line: -dddddddddd)
> fork=yes           # Set to no to enter debugging mode
> log_stderror=no    # (cmd line: -E) Set to yes to enter debugging mode
> 
> check_via=no    # (cmd. line: -v)
> dns=no          # (cmd. line: -r)
> rev_dns=no      # (cmd. line: -R)
> advertised_address="82.168.191.xx"
> advertised_port=5060
> port=5060
> children=4
> fifo="/tmp/openser_fifo"
> 
> #
> # ------------------ module loading ----------------------------------
> 
> # Uncomment this if you want to use SQL database
> mpath="/usr/lib/openser/modules/"
> loadmodule "mysql.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "nathelper.so"
> 
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "auth.so"
> loadmodule "auth_db.so"
> 
> # ----------------- setting module-specific parameters ---------------
> 
> # -- usrloc params --
> 
> modparam("usrloc", "db_mode",   0)
> 
> # Uncomment this if you want to use SQL database
> # for persistent storage and comment the previous line
> #modparam("usrloc", "db_mode", 2)
> 
> # -- auth params --
> # Uncomment if you are using auth module
> #
> modparam("auth_db", "calculate_ha1", yes)
> #
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> #
> modparam("auth_db", "password_column", "password")
> 
> # -- rr params --
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
> 
> # -- nathelper params ---
> modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
> modparam("nathelper", "natping_interval", 30)
> modparam("nathelper", "ping_nated_only", 1)
> #modparam("nathelper", "sipping_bflag", 7)
> modparam("nathelper", "sipping_from", "sip:pinger@82.168.191.xx")
> 
> # -------------------------  request routing logic -------------------
> 
> # main routing logic
> 
> route{
> 
>          # initial sanity checks -- messages with
>          # max_forwards==0, or excessively long requests
>          if (!mf_process_maxfwd_header("10")) {
>                  sl_send_reply("483","Too Many Hops");
>                  exit;
>          };
> 
>          if (msg:len >=  2048 ) {
>                  sl_send_reply("513", "Message too big");
>                  exit;
>          };
> 
>          # NAT detection
>          route(2);
> 
>          # we record-route all messages -- to make sure that
>          # subsequent messages will go through our proxy; that's
>          # particularly good if upstream and downstream entities
>          # use different transport protocol
>          if (!method=="REGISTER")
>                  record_route();
> 
>          # subsequent messages within a dialog should take the
>          # path determined by record-routing
>          if (loose_route()) {
>                  # mark routing logic in request
>                  append_hf("P-hint: rr-enforced\r\n");
>                  route(1);
>          };
> 
>          if (!uri==myself) {
>                  # mark routing logic in request
>                  append_hf("P-hint: outbound\r\n");
>                  # if you have some interdomain connections via TLS
>                  #if(uri=~"@tls_domain1.net") {
>                  #       t_relay("tls:domain1.net");
>                  #       exit;
>                  #} else if(uri=~"@tls_domain2.net") {
>                  #       t_relay("tls:domain2.net");
>                  #       exit;
>                  #}
>                  route(1);
>          };
> 
>          # if the request is for other domain use UsrLoc
>          # (in case, it does not work, use the following command
>          # with proper names and addresses in it)
>          if (uri==myself) {
> 
>                  if (method=="REGISTER") {
> 
>                          # Uncomment this if you want to use digest authentication
>                          if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
>                                  www_challenge("sip.familiedobbelsteen.nl", "0");
>                                  exit;
>                          };
> 
>                          if (isflagset(5)) {
>                                  # set branch flag -- when someone will call this user
>                                  # INVITE will have branch flag 6 set after lookup("location")
>                                  setflag(6);
>                                  # if you want OPTIONS natpings uncomment next
>                                  # setflag(7);
>                          };
> 
>                          save("location");
>                          exit;
>                  };
> 
>                  lookup("aliases");
>                  if (!uri==myself) {
>                          append_hf("P-hint: outbound alias\r\n");
>                          route(1);
>                  };
> 
>                  # native SIP destinations are handled using our USRLOC DB
>                  if (!lookup("location")) {
>                          sl_send_reply("404", "Not Found");
>                          exit;
>                  };
>                  append_hf("P-hint: usrloc applied\r\n");
>          };
> 
>          route(1);
> }
> 
> 
> route[1] {
>          # send it out now; use stateful forwarding as it works reliably
>          # even for UDP2TCP
>          if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>                  setflag(6);
>          };
> 
>          if (isflagset(5) || isflagset(6)) {
>                  route(3);
>          };
> 
>          if (!t_relay()) {
>                  sl_reply_error();
>          };
>          exit;
> }
> 
> route[2] {
>          force_rport();
>          if(nat_uac_test("19")) {
>                  if (method=="REGISTER") {
>                          fix_nated_register();
>                  } else {
>                          fix_nated_contact();
>                  };
>                  setflag(5);
>          };
> }
> 
> route[3] {
>          if (is_method("BYE")) {
>                  unforce_rtp_proxy();
>          } else if (is_method("INVITE")) {
>                  force_rtp_proxy("", "82.168.191.xx");
>                  t_on_failure("2");
>          };
>          if (isflagset(5))
>                  search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>          t_on_reply("1");
> }
> 
> failure_route[2] {
>          if (isflagset(6)||isflagset(5)) {
>                  unforce_rtp_proxy();
>          };
> }
> 
> onreply_route[1] {
>          if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") {
>                  force_rtp_proxy();
>          };
>          search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> 
>          if (isflagset(6)) {
>                  fix_nated_contact();
>          };
>          exit;
> }
> 
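The trace comparison described in the post (SDP answer versus where the relay actually sends RTP) can be automated. The following is an added example, not part of the original post or of OpenSER/RTPProxy: the function names are hypothetical, and the SIP message and public addresses are constructed from documentation ranges in place of the redacted ones.

```python
# Added example: audit RTP flows seen on the upstream side against the SDP answer.
# The message and public addresses below are constructed (documentation ranges).
ANSWER_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 198.51.100.20\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.20\r\n"
    "t=0 0\r\n"
    "m=audio 9112 RTP/AVP 8 0\r\n"
)
RELAY_IP = "192.0.2.10"        # stands in for the proxy's public address
SIGNALLING_IP = "203.0.113.5"  # stands in for the upstream SIP server
FLOWS = [  # (source, destination) pairs as seen on the wire
    (("192.168.8.193", 60026), (RELAY_IP, 35122)),
    ((RELAY_IP, 35122), (SIGNALLING_IP, 9112)),
]

def sdp_audio_endpoint(sip_message):
    """Return (ip, port) where the SDP body asks the peer to send audio."""
    body = sip_message.replace("\r\n", "\n").partition("\n\n")[2]
    addr, port, section = {}, None, "session"
    for line in body.splitlines():
        if line.startswith("m="):
            kind, p = line[2:].split()[:2]
            section = "audio" if kind == "audio" and port is None else "other"
            if section == "audio":
                port = int(p.split("/")[0])
        elif line.startswith("c=IN IP4 ") and section != "other":
            addr[section] = line.split()[2].split("/")[0]  # drop any /ttl
    if port is None:
        raise ValueError("no audio stream in SDP")
    # A media-level c= line overrides the session-level one.
    return (addr.get("audio") or addr.get("session"), port)

def audit_relay(expected, flows, relay_ip):
    """Flag relay traffic that ignores the SDP answer, and missing return RTP."""
    findings = []
    for src, dst in flows:
        if src[0] == relay_ip and dst[0] != relay_ip and dst != expected:
            findings.append(("wrong-destination", dst))
    if not any(src == expected and dst[0] == relay_ip for src, dst in flows):
        findings.append(("no-return-traffic", expected))
    return findings

if __name__ == "__main__":
    for finding in audit_relay(sdp_audio_endpoint(ANSWER_183), FLOWS, RELAY_IP):
        print(finding)
```

The return-traffic check matches the advertised source address and port exactly; a peer that sends RTP from a different port than it advertises will also be reported and needs a manual look.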