[OpenSER-Users] OpenSER as NAT traversal proxy HELP!

Joris Dobbelsteen joris at familiedobbelsteen.nl
Tue Jul 22 12:08:20 CEST 2008


Klaus Darilion wrote:
> Hi Joris!
> 
> This is a normal home user scenario and usually there is no need for an 
> outbound proxy. Either the SIP UA does NAT traversal (e.g. using STUN) 

The SIP UA does NOT. Its a ZyXEL ADSL+VoIP modem that ASSUMES it has an 
Internet IP number.
In my installation, it does not, as I have quite high demands on the 
number of NATted connections and some special desires for doing tricky 
things with the firewall for experimental purposes. These rule out the 
ZyXEL solution for large part. Its also inherited from my pre-VoIP era 
installation.

> or the VoIP Service Provider does the NAT traversal on the proxy. As oyu 
> are using iptables NAT it should work this way (except you have certain 
> unusual iptables rules).

Yeah, it should, but I don't see incoming VoIP traffic flowing. Also the 
connection worked a bit before, but its not reliable for voice traffic. 
This is a major problem for me.
It has worked somewhat reliable before, but there are occasional 
problems with the installation, just mostly missing audio.

The problem is that I think (quite certain) that the UA does NOT do NAT, 
and I cannot control what my ISP is actually doing. Futhermore I don't 
expect any support from them for my installation. They will assume that 
the VoIP box has the public IP address and plays nicely on the Internet. 
That the 'provided' and supported solution they give.

So repeating again, I think the only way to properly guarentee reliable 
VoIP connection is handling SIP and RTP traffic in such a way that my 
ISP does not have to make any NAT assumptions/handling.

> I suggest to install "winstun" 
> (http://sourceforge.net/project/showfiles.php?group_id=47735&package_id=102146) 
> and test your NAT device.
 >
> If winstun reports that VoIP should work, then using Xlite should be no 
> problem.

X-Lite is only a test case, as I don't want to mess with the ZyXEL modem 
yet. Its also a hell of a lot easier to control with X-Lite is actually 
doing, but its not the solution to be implemented. The ZyXEL modem with 
attached analog phones is.

I'm passing XLite though the openser and that doesn't work. It has 
worked plainly over NAT before without problems before. This is however 
NOT the test case!

> regards
> klaus

- Joris

> Joris Dobbelsteen schrieb:
>> Robert Dyck wrote:
>>> I understand that the iptables SIP ALG has been much revised this 
>>> year although I have not tested it myself. I believe you need at 
>>> least linux 2.6.25.
>>
>> The unfortunate situtions is that I currently run Debian, which has 
>> the 2.6.18 kernel. Futhermore the box runs Xen and the latest kernel 
>> does not support Xen yet. So I'm out of luck in this department in 
>> many ways.
>>
>> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe 
>> another solutions is more suited for the problem I have?
>>
>> - Joris
>>
>>> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>>>> Neill Wilkinson wrote:
>>>>> If you are using IPtables and are familiar with how to add modules -
>>>>> there is a sip connection tracking module that might help:
>>>>>
>>>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>>>
>>>>> Neill...;o)
>>>>>
>>>>> Neill Wilkinson
>>>>> Principal Consultant
>>>>>
>>>>> Aeonvista Ltd - opening up new ideas
>>>> I have that installed, but to the outside the SIP packets still carry
>>>> the LAN IP address. I'm currently missing audio (at least inbound is
>>>> nowhere to be seen) and it doesn't really work reliable at this moment.
>>>> That is a real problem currently and must be solved reliably.
>>>>
>>>> The ZyXEL modem I have was intended to be the NAT router for the
>>>> network, but its configured differently in my case, so I can't make 
>>>> that
>>>> thing to play nicely with NAT.
>>>>
>>>> lsmod on the firewall:
>>>> ip_nat_sip              8832  0
>>>> ip_conntrack_sip       13392  1 ip_nat_sip
>>>>
>>>> Thanks so far,
>>>>
>>>> - Joris
>>>>
>>>>> -----Original Message-----
>>>>> From: users-bounces at lists.openser.org
>>>>> [mailto:users-bounces at lists.openser.org] On Behalf Of Joris 
>>>>> Dobbelsteen
>>>>> Sent: 21 July 2008 21:10
>>>>> To: users at lists.openser.org
>>>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>>>
>>>>> Dear,
>>>>>
>>>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, 
>>>>> since my
>>>>> home phone keeps breaking voice channels (the box was not intended
>>>>> behind NAT and I'm, of course, using a configuration that no so well
>>>>> supported).
>>>>>
>>>>> What is the idea:
>>>>>
>>>>> SIP transactions should travel this way:
>>>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
>>>>>
>>>>> RTP should travel this way:
>>>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>>>
>>>>>
>>>>> My current test is using X-Lite with voipbuster, but that doesn't 
>>>>> really
>>>>> work. It seems that registers are functioning, at least X-Lite reports
>>>>> itself being registered.
>>>>> Voice calls always end up in timeouts, so something is really going
>>>>> wrong here, it might be authentication problems?
>>>>>
>>>>> An added problem is that I have just sufficient knowledge of SIP to 
>>>>> see
>>>>> what it is doing, without really knowing what to expect exactly.
>>>>> Furthermore I have virtually no knowledge of OpenSER. I've quite a 
>>>>> hard
>>>>> time even grasping the configuration I typed in. This is not really
>>>>> helpful
>>>>>
>>>>> What I do know:
>>>>> * SIP Proxy traffic is flowing.
>>>>> * SIP INVITES don't work at all.
>>>>> * SIP to RTP is communication, but I don't know if RTP is actually
>>>>> flowing.
>>>>>
>>>>> I stole most of the configuration from the "04 NAT Traversal" 
>>>>> slides of
>>>>> the "Italy 2007 Admin course", to which there is link on the
>>>>> documentation site. I adapted it to make it work with the debian
>>>>> supplied OpenSER 1.1.
>>>>>
>>>>> How do I get this all working?
>>>>> What am I getting wrong?
>>>>>
>>>>> I really really appeciate any help I can get to get it working!
>>>>>
>>>>> - Joris
>>>>>
>>>>>
>>>>> Config is this:
>>>>> # ----------- global configuration parameters ------------------------
>>>>>
>>>>> debug=4            # debug level (cmd line: -dddddddddd)
>>>>> fork=yes           # Set to no to enter debugging mode
>>>>> log_stderror=no    # (cmd line: -E) Set to yes to enter debugging mode
>>>>>
>>>>> check_via=no    # (cmd. line: -v)
>>>>> dns=no          # (cmd. line: -r)
>>>>> rev_dns=no      # (cmd. line: -R)
>>>>> advertised_address="82.168.191.xx"
>>>>> advertised_port=5060
>>>>> port=5060
>>>>> children=4
>>>>> fifo="/tmp/openser_fifo"
>>>>>
>>>>> #
>>>>> # ------------------ module loading ----------------------------------
>>>>>
>>>>> # Uncomment this if you want to use SQL database
>>>>> mpath="/usr/lib/openser/modules/"
>>>>> loadmodule "mysql.so"
>>>>> loadmodule "sl.so"
>>>>> loadmodule "tm.so"
>>>>> loadmodule "rr.so"
>>>>> loadmodule "maxfwd.so"
>>>>> loadmodule "usrloc.so"
>>>>> loadmodule "registrar.so"
>>>>> loadmodule "textops.so"
>>>>> loadmodule "nathelper.so"
>>>>>
>>>>> # Uncomment this if you want digest authentication
>>>>> # mysql.so must be loaded !
>>>>> loadmodule "auth.so"
>>>>> loadmodule "auth_db.so"
>>>>>
>>>>> # ----------------- setting module-specific parameters ---------------
>>>>>
>>>>> # -- usrloc params --
>>>>>
>>>>> modparam("usrloc", "db_mode",   0)
>>>>>
>>>>> # Uncomment this if you want to use SQL database
>>>>> # for persistent storage and comment the previous line
>>>>> #modparam("usrloc", "db_mode", 2)
>>>>>
>>>>> # -- auth params --
>>>>> # Uncomment if you are using auth module
>>>>> #
>>>>> modparam("auth_db", "calculate_ha1", yes)
>>>>> #
>>>>> # If you set "calculate_ha1" parameter to yes (which true in this
>>>>> config), # uncomment also the following parameter)
>>>>> #
>>>>> modparam("auth_db", "password_column", "password")
>>>>>
>>>>> # -- rr params --
>>>>> # add value to ;lr param to make some broken UAs happy
>>>>> modparam("rr", "enable_full_lr", 1)
>>>>>
>>>>> # -- nathelper params ---
>>>>> modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
>>>>> modparam("nathelper", "natping_interval", 30)
>>>>> modparam("nathelper", "ping_nated_only", 1)
>>>>> #modparam("nathelper", "sipping_bflag", 7)
>>>>> modparam("nathelper", "sipping_from", "sip:pinger at 82.168.191.xx")
>>>>>
>>>>> # -------------------------  request routing logic -------------------
>>>>>
>>>>> # main routing logic
>>>>>
>>>>> route{
>>>>>
>>>>>          # initial sanity checks -- messages with
>>>>>          # max_forwards==0, or excessively long requests
>>>>>          if (!mf_process_maxfwd_header("10")) {
>>>>>                  sl_send_reply("483","Too Many Hops");
>>>>>                  exit;
>>>>>          };
>>>>>
>>>>>          if (msg:len >=  2048 ) {
>>>>>                  sl_send_reply("513", "Message too big");
>>>>>                  exit;
>>>>>          };
>>>>>
>>>>>          # NAT detection
>>>>>          route(2);
>>>>>
>>>>>          # we record-route all messages -- to make sure that
>>>>>          # subsequent messages will go through our proxy; that's
>>>>>          # particularly good if upstream and downstream entities
>>>>>          # use different transport protocol
>>>>>          if (!method=="REGISTER")
>>>>>                  record_route();
>>>>>
>>>>>          # subsequent messages withing a dialog should take the
>>>>>          # path determined by record-routing
>>>>>          if (loose_route()) {
>>>>>                  # mark routing logic in request
>>>>>                  append_hf("P-hint: rr-enforced\r\n");
>>>>>                  route(1);
>>>>>          };
>>>>>
>>>>>          if (!uri==myself) {
>>>>>                  # mark routing logic in request
>>>>>                  append_hf("P-hint: outbound\r\n");
>>>>>                  # if you have some interdomain connections via TLS
>>>>>                  #if(uri=~"@tls_domain1.net") {
>>>>>                  #       t_relay("tls:domain1.net");
>>>>>                  #       exit;
>>>>>                  #} else if(uri=~"@tls_domain2.net") {
>>>>>                  #       t_relay("tls:domain2.net");
>>>>>                  #       exit;
>>>>>                  #}
>>>>>                  route(1);
>>>>>          };
>>>>>
>>>>>          # if the request is for other domain use UsrLoc
>>>>>          # (in case, it does not work, use the following command
>>>>>          # with proper names and addresses in it)
>>>>>          if (uri==myself) {
>>>>>
>>>>>                  if (method=="REGISTER") {
>>>>>
>>>>>                          # Uncomment this if you want to use digest
>>>>> authentication
>>>>>                          if 
>>>>> (!www_authorize("sip.familiedobbelsteen.nl",
>>>>> "subscriber")) {
>>>>>
>>>>> www_challenge("sip.familiedobbelsteen.nl", "0");
>>>>>                                  exit;
>>>>>                          };
>>>>>
>>>>>                          if (isflagset(5)) {
>>>>>                                  # set branch flag -- when someone 
>>>>> will
>>>>> call this user
>>>>>                                  # INVITE will have branch flag 6 set
>>>>> after loopup("location")
>>>>>                                  setflag(6);
>>>>>                                  # if you want OPTIONS natpings
>>>>> uncomment next
>>>>>                                  # setflag(7);
>>>>>                          };
>>>>>
>>>>>                          save("location");
>>>>>                          exit;
>>>>>                  };
>>>>>
>>>>>                  lookup("aliases");
>>>>>                  if (!uri==myself) {
>>>>>                          append_hf("P-hint: outbound alias\r\n");
>>>>>                          route(1);
>>>>>                  };
>>>>>
>>>>>                  # native SIP destinations are handled using our 
>>>>> USRLOC
>>>>> DB if (!lookup("location")) {
>>>>>                          sl_send_reply("404", "Not Found");
>>>>>                          exit;
>>>>>                  };
>>>>>                  append_hf("P-hint: usrloc applied\r\n");
>>>>>          };
>>>>>
>>>>>          route(1);
>>>>> }
>>>>>
>>>>>
>>>>> route[1] {
>>>>>          # send it out now; use stateful forwarding as it works 
>>>>> reliably
>>>>>          # even for UDP2TCP
>>>>>          if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>>>>                  setflag(6);
>>>>>          };
>>>>>
>>>>>          if (isflagset(5) || isflagset(6)) {
>>>>>                  route(3);
>>>>>          };
>>>>>
>>>>>          if (!t_relay()) {
>>>>>                  sl_reply_error();
>>>>>          };
>>>>>          exit;
>>>>> }
>>>>>
>>>>> route[2] {
>>>>>          force_rport();
>>>>>          if(nat_uac_test("19")) {
>>>>>                  if (method=="REGISTER") {
>>>>>                          fix_nated_register();
>>>>>                  } else {
>>>>>                          fix_nated_contact();
>>>>>                  };
>>>>>                  setflag(5);
>>>>>          };
>>>>> }
>>>>>
>>>>> route[3] {
>>>>>          if (is_method("BYE")) {
>>>>>                  unforce_rtp_proxy();
>>>>>          } else if (is_method("INVITE")) {
>>>>>                  force_rtp_proxy("", "82.168.191.xx");
>>>>>                  t_on_failure("2");
>>>>>          };
>>>>>          if (isflagset(5))
>>>>>                  search_append('Contact:.*sip:[^>[:cntrl:]]*',
>>>>> ';nat=yes'); t_on_reply("1");
>>>>> }
>>>>>
>>>>> failure_route[2] {
>>>>>          if (isflagset(6)||isflagset(5)) {
>>>>>                  unforce_rtp_proxy();
>>>>>          };
>>>>> }
>>>>>
>>>>> onreply_route[1] {
>>>>>          if ((isflagset(5) || isflagset(6)) && status =~
>>>>> "(183)|(2[0-9][0-9])") {
>>>>>                  force_rtp_proxy();
>>>>>          };
>>>>>          search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>>>>>
>>>>>          if (isflagset(6)) {
>>>>>                  fix_nated_contact();
>>>>>          };
>>>>>          exit;
>>>>> }
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.openser.org
>>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.openser.org
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.openser.org
>> http://lists.openser.org/cgi-bin/mailman/listinfo/users



More information about the Users mailing list