[OpenSER-Users] OpenSER as NAT traversal proxy HELP!
Neill Wilkinson
neillw at aeonvista.com
Tue Jul 22 19:35:27 CEST 2008
Another option is to replace the firewall with a Vyatta VC4 router/firewall.
If you set up NAT in that, you should be able to successfully use the
iptables SIP traversal functions.
If you want to go down this route, I can supply the configuration for the
Vyatta firewall.
Neill...;o)
Neill Wilkinson
Principal Consultant
Aeonvista Ltd - opening up new ideas
-----Original Message-----
From: Robert Dyck [mailto:rob.dyck at telus.net]
Sent: 22 July 2008 17:39
To: Joris Dobbelsteen
Cc: users at lists.openser.org; Neill Wilkinson
Subject: Re: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
You did not provide many details, but I suspect you are trying to run a SIP
phone on a typical home LAN with a Linux box having a public IP address.
Siproxd is a simple solution which of course does not have the flexibility
of openser. I have used it with multiple phones on the LAN. The main reason
I no longer use it is that it will not fork a call and I wanted more than
one phone sharing a user ID.
On Tuesday 22 July 2008, Joris Dobbelsteen wrote:
> Robert Dyck wrote:
> > I understand that the iptables SIP ALG has been much revised this year
> > although I have not tested it myself. I believe you need at least linux
> > 2.6.25.
>
> The unfortunate situation is that I currently run Debian, which has the
> 2.6.18 kernel. Furthermore the box runs Xen and the latest kernel does
> not support Xen yet. So I'm out of luck in this department in many ways.
>
> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
> another solution is more suited for the problem I have?
>
> - Joris
>
> > On Monday 21 July 2008, Joris Dobbelsteen wrote:
> >> Neill Wilkinson wrote:
> >>> If you are using IPtables and are familiar with how to add modules -
> >>> there is a sip connection tracking module that might help:
> >>>
> >>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
> >>>
> >>> Neill...;o)
> >>>
> >>> Neill Wilkinson
> >>> Principal Consultant
> >>>
> >>> Aeonvista Ltd - opening up new ideas
> >>
> >> I have that installed, but to the outside the SIP packets still carry
> >> the LAN IP address. I'm currently missing audio (at least inbound is
> >> nowhere to be seen) and it doesn't really work reliably at this moment.
> >> That is a real problem currently and must be solved reliably.
> >>
> >> The ZyXEL modem I have was intended to be the NAT router for the
> >> network, but it's configured differently in my case, so I can't make
> >> that thing play nicely with NAT.
> >>
> >> lsmod on the firewall:
> >> ip_nat_sip 8832 0
> >> ip_conntrack_sip 13392 1 ip_nat_sip
> >>
> >> Thanks so far,
> >>
> >> - Joris
> >>
> >>> -----Original Message-----
> >>> From: users-bounces at lists.openser.org
> >>> [mailto:users-bounces at lists.openser.org] On Behalf Of Joris Dobbelsteen
> >>> Sent: 21 July 2008 21:10
> >>> To: users at lists.openser.org
> >>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
> >>>
> >>> Dear,
> >>>
> >>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since
> >>> my home phone keeps breaking voice channels (the box was not intended
> >>> to sit behind NAT and I'm, of course, using a configuration that is not
> >>> so well supported).
> >>>
> >>> What is the idea:
> >>>
> >>> SIP transactions should travel this way:
> >>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
> >>>
> >>> RTP should travel this way:
> >>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
> >>>
> >>>
> >>> My current test is using X-Lite with voipbuster, but that doesn't
> >>> really work. It seems that registers are functioning, at least X-Lite
> >>> reports itself being registered.
> >>> Voice calls always end up in timeouts, so something is really going
> >>> wrong here, it might be authentication problems?
> >>>
> >>> An added problem is that I have just sufficient knowledge of SIP to
> >>> see what it is doing, without really knowing what to expect exactly.
> >>> Furthermore I have virtually no knowledge of OpenSER. I've quite a
> >>> hard time even grasping the configuration I typed in. This is not
> >>> really helpful.
> >>>
> >>> What I do know:
> >>> * SIP proxy traffic is flowing.
> >>> * SIP INVITEs don't work at all.
> >>> * SIP to RTP is communicating, but I don't know if RTP is actually
> >>> flowing.
> >>>
> >>> I stole most of the configuration from the "04 NAT Traversal" slides
> >>> of the "Italy 2007 Admin course", to which there is a link on the
> >>> documentation site. I adapted it to make it work with the Debian
> >>> supplied OpenSER 1.1.
> >>>
> >>> How do I get this all working?
> >>> What am I getting wrong?
> >>>
> >>> I really, really appreciate any help I can get to get it working!
> >>>
> >>> - Joris
> >>>
> >>>
> >>> Config is this:
> >>> # ----------- global configuration parameters ------------------------
> >>>
> >>> debug=4 # debug level (cmd line: -dddddddddd)
> >>> fork=yes # Set to no to enter debugging mode
> >>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
> >>>
> >>> check_via=no # (cmd. line: -v)
> >>> dns=no # (cmd. line: -r)
> >>> rev_dns=no # (cmd. line: -R)
> >>> advertised_address="82.168.191.xx"
> >>> advertised_port=5060
> >>> port=5060
> >>> children=4
> >>> fifo="/tmp/openser_fifo"
> >>>
> >>> #
> >>> # ------------------ module loading ----------------------------------
> >>>
> >>> # Uncomment this if you want to use SQL database
> >>> mpath="/usr/lib/openser/modules/"
> >>> loadmodule "mysql.so"
> >>> loadmodule "sl.so"
> >>> loadmodule "tm.so"
> >>> loadmodule "rr.so"
> >>> loadmodule "maxfwd.so"
> >>> loadmodule "usrloc.so"
> >>> loadmodule "registrar.so"
> >>> loadmodule "textops.so"
> >>> loadmodule "nathelper.so"
> >>>
> >>> # Uncomment this if you want digest authentication
> >>> # mysql.so must be loaded !
> >>> loadmodule "auth.so"
> >>> loadmodule "auth_db.so"
> >>>
> >>> # ----------------- setting module-specific parameters ---------------
> >>>
> >>> # -- usrloc params --
> >>>
> >>> modparam("usrloc", "db_mode", 0)
> >>>
> >>> # Uncomment this if you want to use SQL database
> >>> # for persistent storage and comment the previous line
> >>> #modparam("usrloc", "db_mode", 2)
> >>>
> >>> # -- auth params --
> >>> # Uncomment if you are using auth module
> >>> #
> >>> modparam("auth_db", "calculate_ha1", yes)
> >>> #
> >>> # If you set the "calculate_ha1" parameter to yes (which is true in this
> >>> # config), uncomment also the following parameter
> >>> #
> >>> modparam("auth_db", "password_column", "password")
> >>>
> >>> # -- rr params --
> >>> # add value to ;lr param to make some broken UAs happy
> >>> modparam("rr", "enable_full_lr", 1)
> >>>
> >>> # -- nathelper params ---
> >>> modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
> >>> modparam("nathelper", "natping_interval", 30)
> >>> modparam("nathelper", "ping_nated_only", 1)
> >>> #modparam("nathelper", "sipping_bflag", 7)
> >>> modparam("nathelper", "sipping_from", "sip:pinger at 82.168.191.xx")
> >>>
> >>> # ------------------------- request routing logic -------------------
> >>>
> >>> # main routing logic
> >>>
> >>> route{
> >>>
> >>>     # initial sanity checks -- messages with
> >>>     # max_forwards==0, or excessively long requests
> >>>     if (!mf_process_maxfwd_header("10")) {
> >>>         sl_send_reply("483","Too Many Hops");
> >>>         exit;
> >>>     };
> >>>
> >>>     if (msg:len >= 2048 ) {
> >>>         sl_send_reply("513", "Message too big");
> >>>         exit;
> >>>     };
> >>>
> >>>     # NAT detection
> >>>     route(2);
> >>>
> >>>     # we record-route all messages -- to make sure that
> >>>     # subsequent messages will go through our proxy; that's
> >>>     # particularly good if upstream and downstream entities
> >>>     # use different transport protocols
> >>>     if (!method=="REGISTER")
> >>>         record_route();
> >>>
> >>>     # subsequent messages within a dialog should take the
> >>>     # path determined by record-routing
> >>>     if (loose_route()) {
> >>>         # mark routing logic in request
> >>>         append_hf("P-hint: rr-enforced\r\n");
> >>>         route(1);
> >>>     };
> >>>
> >>>     if (!uri==myself) {
> >>>         # mark routing logic in request
> >>>         append_hf("P-hint: outbound\r\n");
> >>>         # if you have some interdomain connections via TLS
> >>>         #if(uri=~"@tls_domain1.net") {
> >>>         #    t_relay("tls:domain1.net");
> >>>         #    exit;
> >>>         #} else if(uri=~"@tls_domain2.net") {
> >>>         #    t_relay("tls:domain2.net");
> >>>         #    exit;
> >>>         #}
> >>>         route(1);
> >>>     };
> >>>
> >>>     # if the request is for other domain use UsrLoc
> >>>     # (in case, it does not work, use the following command
> >>>     # with proper names and addresses in it)
> >>>     if (uri==myself) {
> >>>
> >>>         if (method=="REGISTER") {
> >>>
> >>>             # Uncomment this if you want to use digest authentication
> >>>             if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
> >>>                 www_challenge("sip.familiedobbelsteen.nl", "0");
> >>>                 exit;
> >>>             };
> >>>
> >>>             if (isflagset(5)) {
> >>>                 # set branch flag -- when someone will call this user
> >>>                 # INVITE will have branch flag 6 set after lookup("location")
> >>>                 setflag(6);
> >>>                 # if you want OPTIONS natpings uncomment next
> >>>                 # setflag(7);
> >>>             };
> >>>
> >>>             save("location");
> >>>             exit;
> >>>         };
> >>>
> >>>         lookup("aliases");
> >>>         if (!uri==myself) {
> >>>             append_hf("P-hint: outbound alias\r\n");
> >>>             route(1);
> >>>         };
> >>>
> >>>         # native SIP destinations are handled using our USRLOC DB
> >>>         if (!lookup("location")) {
> >>>             sl_send_reply("404", "Not Found");
> >>>             exit;
> >>>         };
> >>>         append_hf("P-hint: usrloc applied\r\n");
> >>>     };
> >>>
> >>>     route(1);
> >>> }
> >>>
> >>>
> >>> route[1] {
> >>>     # send it out now; use stateful forwarding as it works reliably
> >>>     # even for UDP2TCP
> >>>     if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
> >>>         setflag(6);
> >>>     };
> >>>
> >>>     if (isflagset(5) || isflagset(6)) {
> >>>         route(3);
> >>>     };
> >>>
> >>>     if (!t_relay()) {
> >>>         sl_reply_error();
> >>>     };
> >>>     exit;
> >>> }
> >>>
> >>> route[2] {
> >>>     force_rport();
> >>>     if(nat_uac_test("19")) {
> >>>         if (method=="REGISTER") {
> >>>             fix_nated_register();
> >>>         } else {
> >>>             fix_nated_contact();
> >>>         };
> >>>         setflag(5);
> >>>     };
> >>> }
> >>>
> >>> route[3] {
> >>>     if (is_method("BYE")) {
> >>>         unforce_rtp_proxy();
> >>>     } else if (is_method("INVITE")) {
> >>>         force_rtp_proxy("", "82.168.191.xx");
> >>>         t_on_failure("2");
> >>>     };
> >>>     if (isflagset(5))
> >>>         search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >>>     t_on_reply("1");
> >>> }
> >>>
> >>> failure_route[2] {
> >>>     if (isflagset(6)||isflagset(5)) {
> >>>         unforce_rtp_proxy();
> >>>     };
> >>> }
> >>>
> >>> onreply_route[1] {
> >>>     if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") {
> >>>         force_rtp_proxy();
> >>>     };
> >>>     search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >>>
> >>>     if (isflagset(6)) {
> >>>         fix_nated_contact();
> >>>     };
> >>>     exit;
> >>> }
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.openser.org
> >>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
> >>
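The following Python is an added illustration and is not code from the thread or from OpenSER's nathelper module. It models, in simplified form, what the three nathelper calls used in route[2] and route[3] of the posted config do: nat_uac_test("19") deciding whether a sender is behind NAT, fix_nated_contact() rewriting the Contact header to the address the packet really came from, and force_rtp_proxy() pointing the SDP at an RTP relay. The bit values follow the documented nat_uac_test() tests; the private LAN host, the public addresses, the relay port and the INVITE itself are all constructed for the example.

```python
"""Model of the NAT handling that nathelper does in route[2]/route[3] above.

Added example, not code from the thread or from OpenSER/nathelper: it
re-implements, in simplified form, what nat_uac_test("19") checks and what
fix_nated_contact() and force_rtp_proxy() rewrite, so the effect on a
message can be seen offline. Addresses, ports and the INVITE are constructed.
"""
import ipaddress
import re

# Bit values of nat_uac_test() as documented for nathelper. The config above
# passes "19" = 1 + 2 + 16.
CONTACT_RFC1918 = 1   # Contact host is an RFC 1918 address
VIA_RECEIVED = 2      # top Via host differs from the packet's source IP
VIA_RFC1918 = 4       # top Via host is an RFC 1918 address
SDP_RFC1918 = 8       # SDP c= line carries an RFC 1918 address
VIA_PORT = 16         # packet source port differs from the top Via port

_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_CONTACT = re.compile(r"^Contact:\s*<?sip:(?:[^@>\s]+@)?([\d.]+)(?::(\d+))?",
                      re.M | re.I)
_VIA = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([\d.]+)(?::(\d+))?", re.M | re.I)
_SDP_C = re.compile(r"^c=IN IP4 ([\d.]+)", re.M)
_SDP_M = re.compile(r"^(m=audio )(\d+)", re.M)


def _rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


def nat_uac_test(msg, src_ip, src_port, tests):
    """True if any test selected in `tests` says the sender is behind NAT."""
    hit = 0
    c = _CONTACT.search(msg)
    if c and _rfc1918(c.group(1)):
        hit |= CONTACT_RFC1918
    v = _VIA.search(msg)
    if v:
        via_host, via_port = v.group(1), int(v.group(2) or 5060)
        if via_host != src_ip:
            hit |= VIA_RECEIVED
        if _rfc1918(via_host):
            hit |= VIA_RFC1918
        if via_port != src_port:
            hit |= VIA_PORT
    s = _SDP_C.search(msg)
    if s and _rfc1918(s.group(1)):
        hit |= SDP_RFC1918
    return bool(hit & tests)


def fix_nated_contact(msg, src_ip, src_port):
    """Replace the Contact host:port with the address the packet came from."""
    def repl(m):
        old = m.group(1) + (":" + m.group(2) if m.group(2) else "")
        return m.group(0).replace(old, "%s:%d" % (src_ip, src_port), 1)
    return _CONTACT.sub(repl, msg, count=1)


def force_rtp_proxy(msg, relay_ip, relay_port):
    """Point the SDP media at the RTP relay instead of the private endpoint."""
    msg = _SDP_C.sub("c=IN IP4 %s" % relay_ip, msg)
    return _SDP_M.sub(lambda m: m.group(1) + str(relay_port), msg)


def build_invite(host, port):
    """Constructed INVITE with SDP, as a UA at host:port would emit it."""
    return "\r\n".join([
        "INVITE sip:31201234567@sip.example.net SIP/2.0",
        "Via: SIP/2.0/UDP %s:%d;branch=z9hG4bK776asdhds" % (host, port),
        "From: <sip:joris@sip.example.org>;tag=1928301774",
        "To: <sip:31201234567@sip.example.net>",
        "Call-ID: a84b4c76e66710@%s" % host,
        "CSeq: 1 INVITE",
        "Contact: <sip:joris@%s:%d>" % (host, port),
        "Content-Type: application/sdp",
        "",
        "v=0",
        "o=- 1 1 IN IP4 %s" % host,
        "s=-",
        "c=IN IP4 %s" % host,
        "t=0 0",
        "m=audio 8000 RTP/AVP 0 8 101",
    ])


if __name__ == "__main__":
    # A phone on 192.168.10.50 whose packets reach the proxy from the NAT's
    # public side as 198.51.100.7:40000; 203.0.113.5 is the relay's address.
    invite = build_invite("192.168.10.50", 5060)
    if nat_uac_test(invite, "198.51.100.7", 40000, 19):
        invite = fix_nated_contact(invite, "198.51.100.7", 40000)
        invite = force_rtp_proxy(invite, "203.0.113.5", 35000)
    print(invite)
```

Running it prints the INVITE as it would leave the proxy: the Contact and the c= line now carry routable addresses and m= points at the relay port, which is exactly the rewrite that is missing when "the SIP packets still carry the LAN IP address" on the outside. One thing the model makes visible: test 1 fires on any RFC 1918 Contact, even when the packet came straight from a LAN host, so for a proxy that itself sits inside the NAT only the received and port tests (2 and 16) distinguish LAN traffic from traffic that has already passed through the NAT.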