[SR-Users] How to configure Kamailio + Asterisk (on same server) to route between several disjoint networks?

Alex Villacís Lasso a_villacis at palosanto.com
Thu Feb 27 23:43:32 CET 2014


On 26/02/14 11:39, Alex Villacís Lasso wrote:
> On 26/02/14 05:25, Klaus Darilion wrote:
>> Puh, too many questions in one email.
>>
> I am sorry about that. I wanted to provide as much useful information as possible in my email, including what I had observed, and what I have already tried. After all the exposition, I just want to 1) have a setup that routes media between several 
> disjoint networks, 2) while being secure by default even if the firewall gets misconfigured, 3) without having to hardcode a particular IP address in the configuration file.
>> First, you should describe what you want to achieve. E.g. is there routing between the networks done by the server? E.g. can a client on 10.1.0.0/24 ping a client on 192.168.0.0/16? If yes, there is no need for Kamailio/Asterisk to listen on multiple 
>> interfaces.
>>
> No, the server is not supposed to route ordinary traffic between networks.
>> If there is no routing, you need to have a media relay too. Either use rtpproxy or just configure Asterisk with "canreinvite=no" to avoid media offloading.
>>
> The asterisk instance was supposed to be already configured with directmedia=no the whole time. This was set both in the configuration file and in each of the realtime peers. The full sip.conf file is attached. The #include'd files at the end are 
> currently empty. You can see the commented-out attempt to listen on localhost only.
>
> I fail to see why rtpproxy would be required in this setup, since asterisk already opens RTP ports on all interfaces. In the (already tested) asterisk-only scenario, media is routed between the test networks through asterisk when it does all of the SIP 
> negotiation itself.

Regarding security, I think rtpproxy can help me. I have configured asterisk to listen for SIP traffic on localhost only. Of course, this means asterisk will send the media to localhost only, but now I can be sure there is no way to bypass kamailio 
authentication from the outside.

My test setup resembles a typical NAT traversal. However, instead of a single private interface and a single outgoing interface, I need to route between localhost (which behaves here as the private network) and multiple external interfaces (similar to the 
"public" network). A partially-working patch to kamailio.cfg is attached to this email. The known problems with the patch are:
- Incoming calls (external->kamailio->asterisk) are handled and media is correctly routed with multiple rtpproxy instances. However, calls generated from Asterisk itself (asterisk->kamailio->external) do not have their media routed correctly. This is 
because I need to choose which rtpproxy set to use in order to route the media, and I do not know which field to use at the required point for an outgoing INVITE. For incoming INVITEs, I am using $Ri, and for OK replies to those INVITEs, I am using 
$(hdr(Record-Route)[1]) (I believe this is not optimal and that a better solution must exist).
- I am forced to hardcode IPs to the various defined interfaces. As explained before, IPs can and do change, and removing the need to hardcode the IPs will make configuration and maintenance easier. I must add that I want to build a generic solution that 
can be minimally modified for several deployments.

Is this setup recognizable as an already-solved problem (minus the localhost trick)? How is it done correctly?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kamailio.cfg.patch
Type: text/x-patch
Size: 6110 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20140227/16380ffd/attachment-0001.bin>
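The following kamailio.cfg fragment is an added example of one way to lay out the setup described in this message; it is not the poster's kamailio.cfg.patch (scrubbed above) and has not been run against their installation. It keeps Asterisk reachable only over loopback (sip.conf carrying udpbindaddr=127.0.0.1, bindport=5080 and directmedia=no), lists Kamailio's sockets by interface name rather than address, and keys the rtpproxy set on the client's subnet (the source address for client->Asterisk INVITEs, the Contact host after lookup() for Asterisk->client INVITEs), storing the choice in an AVP so the reply route reuses it instead of reading Record-Route. Interface names eth1/eth2, subnets 10.1.0.0/24 and 192.168.0.0/16, control ports 7721/7722 and the Asterisk port are placeholders; that clients register with a routable Contact (no NAT inside the attached networks), that ipops' is_in_subnet() is present and that set_rtp_proxy_set() accepts a pseudo-variable are assumptions to check against the module READMEs of the Kamailio version in use. Database, usrloc and registrar modparams are left as in the stock configuration.

```cfg
#!KAMAILIO
# Added example, not the poster's kamailio.cfg.patch. Assumed for
# illustration: interfaces eth1/eth2, client subnets 10.1.0.0/24 and
# 192.168.0.0/16, rtpproxy control ports 7721/7722, Asterisk on 127.0.0.1:5080.
# Fragment only: db_url, usrloc/registrar modparams etc. as in the stock cfg.

# Listen by interface name, not address: an address change on eth1 or
# eth2 needs no edit here. Asterisk is only ever reached over loopback.
listen=eth1
listen=eth2
listen=lo

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "ipops.so"
loadmodule "rtpproxy.so"

# One rtpproxy set per external network. Each instance is started by the
# init script as "rtpproxy -l <current address of ethN> -s udp:127.0.0.1:772N",
# so the only addresses written in this file are loopback control sockets.
modparam("rtpproxy", "rtpproxy_sock", "1 == udp:127.0.0.1:7721")   # eth1 clients
modparam("rtpproxy", "rtpproxy_sock", "2 == udp:127.0.0.1:7722")   # eth2 clients

request_route {
    if (has_totag()) {
        # In-dialog requests follow Record-Route; a re-INVITE re-runs the relay.
        if (!loose_route()) { sl_send_reply("403", "Not in dialog"); exit; }
        if (is_method("INVITE")) route(RTP_SET);
        route(RELAY);
    }

    # Everything that does not come from Asterisk on loopback must pass
    # digest auth here. Asterisk itself is bound to 127.0.0.1, so even a
    # wrong host firewall leaves no path around this check.
    if ($si != "127.0.0.1" && is_method("REGISTER|INVITE")) {
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
    }

    if (is_method("REGISTER")) {
        save("location");
        exit;
    }

    if (is_method("INVITE")) {
        record_route();
        if ($si == "127.0.0.1") {
            # Asterisk -> client: resolve the registered contact first, so the
            # R-URI host is the client's address when the set is chosen.
            if (!lookup("location")) { sl_send_reply("404", "Not Found"); exit; }
        } else {
            # client -> Asterisk, which listens on loopback only (assumed port)
            $du = "sip:127.0.0.1:5080";
        }
        route(RTP_SET);
        t_on_reply("RTP_REPLY");
    }
    route(RELAY);
}

route[RELAY] {
    if (!t_relay()) sl_reply_error();
    exit;
}

# Choose the rtpproxy set from the client's network and keep the choice in
# an AVP. AVPs live for the whole transaction, so the reply route reuses the
# same set without parsing Record-Route in the 200 OK.
route[RTP_SET] {
    if ($si == "127.0.0.1") $var(peer) = $rd; else $var(peer) = $si;
    if (is_in_subnet("$var(peer)", "10.1.0.0/24")) $avp(rtpset) = 1;
    else if (is_in_subnet("$var(peer)", "192.168.0.0/16")) $avp(rtpset) = 2;
    else { sl_send_reply("403", "No media relay for this network"); exit; }
    if (has_body("application/sdp")) {
        set_rtp_proxy_set("$avp(rtpset)");
        rtpproxy_manage();
    }
}

onreply_route[RTP_REPLY] {
    # Same transaction, same AVP: the answer goes through the set used for the offer.
    if (has_body("application/sdp")) {
        set_rtp_proxy_set("$avp(rtpset)");
        rtpproxy_manage();
    }
}
```

Because each rtpproxy instance listens on the address of its own interface, Asterisk on 127.0.0.1 can send media to it locally while the client on that network reaches the same address, so no bridging (i/e) flags are needed; the only per-host values are the addresses the init script passes to rtpproxy's -l option at start-up, which it can read from the interface rather than from a file.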