[OpenSIPS-Users] NAT problem, no-audio when calling outside network... Please help

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Aug 31 09:59:30 CEST 2009


Hi Khan,

You can start with 2 simple checks:

1) be sure your force_rtp_proxy() functions are triggered for both the 
request and the reply - put some xlog calls in the script to see whether you get there

2) check whether the messages carrying SDP (on the outgoing side) have the 
rtpproxy indication in the SDP

Regards,
Bogdan


Khan wrote:
> Hey everyone,
>
> I have been trying to work this for a long time, this mailing list is
> my last resort. I have applied NAT traversal using RTP proxy. My
> scenario is as follows:
> UAC1 (behind NAT) ---> UAC2 (behind NAT)
>
> The UACs get authenticated fine and the call is established, but there is
> no voice: I cannot hear them and they cannot hear me. I can't pinpoint
> exactly where I went wrong. My script is as follows:
>
> # Main request route of the posted script (the poster stripped unrelated
> # parts). Visible order: NAT detection and fix-up, in-dialog (to-tag)
> # requests, CANCEL, digest authentication, preloaded-Route rejection,
> # record-routing, outbound relaying, REGISTER handling, and finally the
> # usrloc lookup followed by relaying through route(1).
> route{
> ## unrelated script has been stripped!!!
> 	# nat_uac_test("3") combines nathelper tests 1 and 2 (private address in
> 	# Contact; source IP differs from the Via address) - per the nathelper
> 	# docs, confirm for the version in use.
> 	if (nat_uac_test("3")) {
> 		if (is_method("REGISTER") || !is_present_hf("Record-Route")) {
> 			log("LOG:Someone trying to register from private IP, rewriting\n");
> 			# Rewrite contact with source IP of signalling
> 			fix_nated_contact();
> 			if ( is_method("INVITE") ) {
> 				# NOTE(review): flag "1" presumably only adds the attribute and
> 				# leaves the c= address untouched - confirm in the nathelper docs.
> 				fix_nated_sdp("1"); # Add direction=active to SDP
> 			};
>
> 			force_rport(); # Add rport parameter to topmost Via
> 			# bflag 6 is the only thing that later makes route[1] and
> 			# onreply_route[1] call force_rtp_proxy().
> 			setbflag(6);    # Mark as NATed
>
> 			# if you want sip nat pinging
> 			setbflag(8);
>
> 		xlog("L_INFO", "fixNATed and setbflag 6, 8 - M=$rm RURI=$ru F=$fu
> T=$tu IP=$si ID=$ci\n");
> 		};
> 	};
>
> 	# sequential requests...
> 	if (has_totag()) {
> 		# sequential request within a dialog should
> 		# take the path determined by record-routing
> 		if (loose_route()) {
> 			xlog("L_INFO", "Initial loose-routing - M=$rm RURI=$ru F=$fu T=$tu
> IP=$si \n");
>
> 		# mark routing logic in request
> 		append_hf("P-hint: rr-enforced\r\n");
> 			if (is_method("BYE")) {
> 				setflag(1); # do accounting ...
> 				setflag(3); # ... even if the transaction fails
> 			xlog("L_INFO", "BYE ... unforce RTP - M=$rm RURI=$ru F=$fu T=$tu
> IP=$si ID=$ci\n");
> 			# call is ending: tear down the rtpproxy session
> 			unforce_rtp_proxy();
> 			} else if (is_method("INVITE")) {
> 				# even if in most of the cases is useless, do RR for
> 				# re-INVITEs also, as some buggy clients do change route set
> 				# during the dialog.
> 				record_route();
> 			}
> 			# route it out to whatever destination was set by loose_route()
> 			# in $du (destination URI).
> 			route(1);
> 		} else {
> 			if ( is_method("ACK") ) {
> 				if ( t_check_trans() ) {
> 					# non loose-route, but stateful ACK; must be an ACK after
> 					# a 487 or e.g. 404 from upstream server
> 					t_relay();
> 					exit;
> 				} else {
> 					# ACK without matching transaction ->
> 					# ignore and discard
> 					exit;
> 				}
> 			}
> 			# in-dialog request that is neither loose-routed nor an ACK
> 			sl_send_reply("404","Not here");
> 		}
> 		exit;
> 	}
>
> 	#initial requests
> 	# CANCEL processing
> 	if (is_method("CANCEL"))
> 	{
> 		# relay the CANCEL only when it matches an existing transaction
> 		if (t_check_trans())
> 			t_relay();
> 		xlog("L_INFO", "CANCEL ... unforce RTP - M=$rm RURI=$ru F=$fu T=$tu
> IP=$si ID=$ci\n");
> 		unforce_rtp_proxy();
> 		exit;
> 	}
>
> 	#--> Preventing the UAC problem which sends Option
>         ##if(is_method("OPTIONS"))        {
>         ##        sl_send_reply("200", "OK");
>         ##        exit;
>         ##}
>
>         #--> uncommented followings
>         # Digest-authenticate these requests when From is in a local domain:
>         # challenge and stop if the credentials are missing or wrong.
>         if ((method=="OPTIONS|SUBSCRIBE") && from_uri==myself) /*no
> multidomain version*/
>         ##if (!(method=="OPTIONS") && is_from_local())  /*multidomain version*/
>         {
>                 if (!proxy_authorize("", "subscriber")) {
>                         proxy_challenge("", "0");
>                         exit;
>                 }
>                 # presumably rejects a From identity that does not match the
>                 # authenticated credentials - see the 403 text below
>                 if (!check_from()) {
>                         sl_send_reply("403","Forbidden auth ID");
>                         exit;
>                 }
>
>                 # strip the credentials so they are not relayed downstream
>                 consume_credentials();
>                 # caller authenticated
>         }
>
> 	t_check_trans();
> 	# Same authentication sequence, applied to every non-REGISTER request
> 	# whose From is in a local domain.
> 	if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> 	##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
> 	{
> 		if (!proxy_authorize("", "subscriber")) {
> 			proxy_challenge("", "0");
> 			exit;
> 		}
> 		if (!check_from()) {
> 			sl_send_reply("403","Forbidden auth ID");
> 			exit;
> 		}
> 	
> 		consume_credentials();
> 		# caller authenticated
> 	}
>
> 	# preloaded route checking
> 	# An initial request (no to-tag) that already carries Route headers is
> 	# logged and refused, so the sender cannot pick the proxy's next hop.
> 	if (loose_route()) {
> 		xlog("L_ERR",
> 		"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
> 		if (!is_method("ACK"))
> 			sl_send_reply("403","Preload Route denied");
> 		exit;
> 	}
>
> 	# record routing
> 	if (!is_method("REGISTER|MESSAGE"))
> 		record_route();
>
> 	# account only INVITEs
> 	if (is_method("INVITE")) {
> 		setflag(1); # do accounting
> 	}
> 	# request URI is not for a local domain: relay it out; route(1) ends
> 	# with exit, so nothing below runs for these requests
> 	if (!uri==myself)
> 	## replace with following line if multi-domain support is used
> 	##if (!is_uri_host_local())
> 	{
> 		append_hf("P-hint: outbound\r\n");
> 		# if you have some interdomain connections via TLS
> 		##if($rd=="tls_domain1.net") {
> 		##	t_relay("tls:domain1.net");
> 		##	exit;
> 		##} else if($rd=="tls_domain2.net") {
> 		##	t_relay("tls:domain2.net");
> 		##	exit;
> 		##}
> 		route(1);
> 	}
>
> 	# requests for my domain
> 	if (is_method("PUBLISH")) {
> 		sl_send_reply("503", "Service Unavailable");
> 		exit;
> 	}
>
> 	if (is_method("REGISTER"))	{
> 		# authenticate the REGISTER requests (uncomment to enable auth)
> 		if (!www_authorize("", "subscriber"))	{
> 		xlog("L_INFO", "1st Pass - Register authentication - M=$rm RURI=$ru
> F=$fu T=$tu IP=$si ID=$ci\n");
> 			www_challenge("", "0");
> 			exit;
> 		}
> 		
> 		# reject a To identity that does not match the authenticated user
> 		# (the script itself logs this case as a spoofed To-URI)
> 		if (!check_to()) {
> 		xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu
> IP=$si ID=$ci\n");
> 			sl_send_reply("403","Forbidden auth ID");
> 			exit;
> 		}
>
> 		if (!save("location"))
> 			sl_reply_error();
>
> 		# NOTE(review): this line is also reached when save() failed above,
> 		# so the log can report a successful registration that was not stored.
> 		xlog("L_INFO", "2nd Pass - Registration successful - M=$rm RURI=$ru
> F=$fu T=$tu IP=$si ID=$ci\n");
> 		exit;
> 	}
>
> 	if ($rU==NULL) {
> 		# request with no Username in RURI
> 		sl_send_reply("484","Address Incomplete");
> 		exit;
> 	}
>
>
> 	# Resolve the callee from the "location" table. Return codes presumably
> 	# follow the registrar docs (-1 no contact, -3 internal error, -2 method
> 	# not supported) - confirm for the version in use.
> 	if (!lookup("location")) {
> 		switch ($retcode) {
> 			case -1:
> 			case -3:
> 				t_newtran();
> 				t_reply("404", "Not Found");
> 				exit;
> 			case -2:
> 				sl_send_reply("405", "Method Not Allowed");
> 				exit;
> 		}
> 	}
>
> 	# when routing via usrloc, log the missed calls also
> 	setflag(2);
>
> 	route(1);
> }
>
>
>
> #------>
> # Common relay route: refuses private-address destinations, engages rtpproxy
> # for requests flagged as NATed, arms the reply/branch/failure handlers and
> # relays the request statefully.
> route[1] {
> 	# Refuse to relay when the request URI host is in an RFC1918 range and the
> 	# message has no Route header, so the proxy is not used to reach internal
> 	# hosts.
> 	# NOTE(review): the pattern covers 192.168/16, 10/8 and 172.16-31 only;
> 	# loopback and link-local addresses are not matched.
> 	if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
> !search("^Route:")){
> 		sl_send_reply("479", "We don't forward to private IP addresses");
> 		exit;
> 	};
>
> 	# request side of the media relay: runs only when bflag 6 (NATed) is set
> 	if (isbflagset(6)) {
> 		force_rtp_proxy();
> 	};
>
> 	# arm onreply_route[1], the handler that does the NAT fix-up on replies
> 	t_on_reply("1");
>
> #! ***	<<
>
> 	# for INVITEs enable some additional helper routes
> 	if (is_method("INVITE")) {
> 		# branch_route[2] is not part of the posted excerpt
> 		t_on_branch("2");
> 		# NOTE(review): this second t_on_reply() appears to replace the
> 		# onreply_route[1] armed above, so INVITE replies would reach only
> 		# onreply_route[2] (which just logs) and never the fix_nated_contact()
> 		# / force_rtp_proxy() calls in onreply_route[1]. Confirm with an xlog
> 		# in both reply routes.
> 		t_on_reply("2");
> 		t_on_failure("1");
> 	}
>
> 	# send it out now; use stateful forwarding as it works reliably
> 	# even for UDP2TCP
> 	if (!t_relay()) {
> 		sl_reply_error();
> 	};
> 	exit;
> }
>
>
>
> # !! Nathelper
> # Reply handler with the NAT fix-up: rewrites the Contact and engages rtpproxy
> # on the reply side. It runs only for transactions where t_on_reply("1") is
> # still the armed reply route when the reply arrives.
> onreply_route[1] {
> 	# NATed transaction ?
> 	# bflag 6 set and the reply is a 183 or a 2xx
> 	if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
> 		fix_nated_contact();
> 		# reply side of the media relay; pairs with the force_rtp_proxy()
> 		# call made on the request in route[1]
> 		force_rtp_proxy();
> 	# otherwise, is it a transaction behind a NAT and we did not
> 	# know at time of request processing ? (RFC1918 contacts)
> 	} else if (nat_uac_test("1")) {
> 		# only the Contact is rewritten here; rtpproxy is not engaged
> 		fix_nated_contact();
> 	};
> }
>
> # Reply handler armed for INVITEs by t_on_reply("2") in route[1]. It only
> # writes a log line: no Contact rewrite and no force_rtp_proxy() happen here.
> onreply_route[2] {
> 	xlog("incoming reply\n");
> }
>
>
>
> # Failure handler armed for INVITEs by t_on_failure("1") in route[1].
> failure_route[1] {
> 	# stop processing when the transaction was cancelled
> 	if (t_was_cancelled()) {
> 		exit;
> 	}
>
> 	# no other failure handling is defined in the posted script
> }
>
> *************************************************************************
>
> The output capture from WireShark is at the following link.
> http://pastebin.com/m1c17484d
>
> Please help me figure out this problem, I appreciate your time.
> Thank you,
>
>
> Khan
> VoIP Rookie
> Every beginning has an end regardless we believe it or not...
>
>
>   



