[SR-Users] What is the typical network setup for kamailio?

Kevin Olbrich ko at sv01.de
Mon Aug 20 13:22:30 CEST 2018

Hi Henning,

I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
- interesting solution with e/iBGP which we would also be able to deploy).

There was just a single presentation that I was able to locate that had the
proxy only on the edge:
At least it looks like they are located behind the SBC.

After the research, my impression is that co-locating the B2BUA with the
edge proxy and firewalling it seems to be best practice.
We will try to add some security by bridge-firewalling and BGP.

If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.

Kind regards,

On Thu, 16 Aug 2018 at 19:12, Henning Westerholt <hw at kamailio.org> wrote:

> On Thursday, 16 August 2018, 11:57:03 CEST, Kevin Olbrich wrote:
> > I am working successfully with Kamailio in my lab setup where Kamailio is
> > the SBC for Asterisk.
> > The network layout is looking like this:
> >
> > SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
> > <== PUBLIC NET ==> Carrier
> >
> > Each public network is reachable from the internet and has a local firewall
> > with IP whitelists.
> > The internal SIP transactions are UDP-only but for external phones I would
> > like to also listen for TCP/TLS.
> >
> > For this layout to work with rtpproxy (before we move on to RTPengine), we
> > have to enable mhomed in Kamailio.
> > We also have some routing issues with packets leaving with the wrong IP via
> > rtpproxy (when a call between carrier and external phone needs to be bridged).
> >
> > Most examples show that Asterisk is deployed on the same network as the
> > external interface of Kamailio (-> Asterisk exposed to the public network).
> > In our tests, this works much better but I have great security concerns
> > because this Asterisk instance itself does not need to be reachable from
> > external.
> >
> > How do other users deploy Kamailio in front of Asterisk or similar as SBC
> > to secure internals?
> > There are a lot of docs for Kamailio's config but IMHO fewer for the setup as
> > DMZ (SBC) proxy.
> Hello Kevin,
>
> this is indeed a common setup to protect Asterisk and to also have much
> greater flexibility with regard to balancing and/or SIP message adaptions.
> To get some ideas, have a look at the last years' conferences available here:
> https://www.kamailio.org/events/
> There should be some talks about using Kamailio in front of Asterisk,
> the talk name is usually in the file name.
> I think even at this year's ClueCon Fred Posner did a talk about Kamailio as
> Edge Proxy, and also at AstriCon there were some talks about this scenario if
> I remember correctly.
> You should also find in the Kamailio World or FOSDEM talks a lot of
> information about this scenario. You find all the talks available from
> Kamailio World in our YouTube channel:
> https://www.youtube.com/kamailioworld
>
> Best regards,
> Henning
> --
> Henning Westerholt
> https://skalatan.de/blog/