[OpenSER-Users] OpenSER as NAT traversal proxy HELP!

Robert Dyck rob.dyck at telus.net
Tue Jul 22 18:39:05 CEST 2008


You did not provide many details but I suspect you trying to run a SIP phone 
on a typical home LAN with Linux box having a public IP address. Siproxd is a 
simple solution which of course does not have the flexibility of openser. I 
have used it with multiple phones on the LAN. The main reason I no longer use 
it is that it will not fork a call and I wanted more than one phone sharing a 
user ID.

On Tuesday 22 July 2008, Joris Dobbelsteen wrote:
> Robert Dyck wrote:
> > I understand that the iptables SIP ALG has been much revised this year
> > although I have not tested it myself. I believe you need at least linux
> > 2.6.25.
>
> The unfortunate situtions is that I currently run Debian, which has the
> 2.6.18 kernel. Futhermore the box runs Xen and the latest kernel does
> not support Xen yet. So I'm out of luck in this department in many ways.
>
> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
> another solutions is more suited for the problem I have?
>
> - Joris
>
> > On Monday 21 July 2008, Joris Dobbelsteen wrote:
> >> Neill Wilkinson wrote:
> >>> If you are using IPtables and are familiar with how to add modules -
> >>> there is a sip connection tracking module that might help:
> >>>
> >>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
> >>>
> >>> Neill...;o)
> >>>
> >>> Neill Wilkinson
> >>> Principal Consultant
> >>>
> >>> Aeonvista Ltd - opening up new ideas
> >>
> >> I have that installed, but to the outside the SIP packets still carry
> >> the LAN IP address. I'm currently missing audio (at least inbound is
> >> nowhere to be seen) and it doesn't really work reliable at this moment.
> >> That is a real problem currently and must be solved reliably.
> >>
> >> The ZyXEL modem I have was intended to be the NAT router for the
> >> network, but its configured differently in my case, so I can't make that
> >> thing to play nicely with NAT.
> >>
> >> lsmod on the firewall:
> >> ip_nat_sip              8832  0
> >> ip_conntrack_sip       13392  1 ip_nat_sip
> >>
> >> Thanks so far,
> >>
> >> - Joris
> >>
> >>> -----Original Message-----
> >>> From: users-bounces at lists.openser.org
> >>> [mailto:users-bounces at lists.openser.org] On Behalf Of Joris Dobbelsteen
> >>> Sent: 21 July 2008 21:10
> >>> To: users at lists.openser.org
> >>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
> >>>
> >>> Dear,
> >>>
> >>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
> >>> home phone keeps breaking voice channels (the box was not intended
> >>> behind NAT and I'm, of course, using a configuration that no so well
> >>> supported).
> >>>
> >>> What is the idea:
> >>>
> >>> SIP transactions should travel this way:
> >>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
> >>>
> >>> RTP should travel this way:
> >>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
> >>>
> >>>
> >>> My current test is using X-Lite with voipbuster, but that doesn't
> >>> really work. It seems that registers are functioning, at least X-Lite
> >>> reports itself being registered.
> >>> Voice calls always end up in timeouts, so something is really going
> >>> wrong here, it might be authentication problems?
> >>>
> >>> An added problem is that I have just sufficient knowledge of SIP to see
> >>> what it is doing, without really knowing what to expect exactly.
> >>> Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
> >>> time even grasping the configuration I typed in. This is not really
> >>> helpful
> >>>
> >>> What I do know:
> >>> * SIP Proxy traffic is flowing.
> >>> * SIP INVITES don't work at all.
> >>> * SIP to RTP is communication, but I don't know if RTP is actually
> >>> flowing.
> >>>
> >>> I stole most of the configuration from the "04 NAT Traversal" slides of
> >>> the "Italy 2007 Admin course", to which there is link on the
> >>> documentation site. I adapted it to make it work with the debian
> >>> supplied OpenSER 1.1.
> >>>
> >>> How do I get this all working?
> >>> What am I getting wrong?
> >>>
> >>> I really really appeciate any help I can get to get it working!
> >>>
> >>> - Joris
> >>>
> >>>
> >>> Config is this:
> >>> # ----------- global configuration parameters ------------------------
> >>>
> >>> debug=4            # debug level (cmd line: -dddddddddd)
> >>> fork=yes           # Set to no to enter debugging mode
> >>> log_stderror=no    # (cmd line: -E) Set to yes to enter debugging mode
> >>>
> >>> check_via=no    # (cmd. line: -v)
> >>> dns=no          # (cmd. line: -r)
> >>> rev_dns=no      # (cmd. line: -R)
> >>> advertised_address="82.168.191.xx"
> >>> advertised_port=5060
> >>> port=5060
> >>> children=4
> >>> fifo="/tmp/openser_fifo"
> >>>
> >>> #
> >>> # ------------------ module loading ----------------------------------
> >>>
> >>> # Uncomment this if you want to use SQL database
> >>> mpath="/usr/lib/openser/modules/"
> >>> loadmodule "mysql.so"
> >>> loadmodule "sl.so"
> >>> loadmodule "tm.so"
> >>> loadmodule "rr.so"
> >>> loadmodule "maxfwd.so"
> >>> loadmodule "usrloc.so"
> >>> loadmodule "registrar.so"
> >>> loadmodule "textops.so"
> >>> loadmodule "nathelper.so"
> >>>
> >>> # Uncomment this if you want digest authentication
> >>> # mysql.so must be loaded !
> >>> loadmodule "auth.so"
> >>> loadmodule "auth_db.so"
> >>>
> >>> # ----------------- setting module-specific parameters ---------------
> >>>
> >>> # -- usrloc params --
> >>>
> >>> modparam("usrloc", "db_mode",   0)
> >>>
> >>> # Uncomment this if you want to use SQL database
> >>> # for persistent storage and comment the previous line
> >>> #modparam("usrloc", "db_mode", 2)
> >>>
> >>> # -- auth params --
> >>> # Uncomment if you are using auth module
> >>> #
> >>> modparam("auth_db", "calculate_ha1", yes)
> >>> #
> >>> # If you set "calculate_ha1" parameter to yes (which true in this
> >>> config), # uncomment also the following parameter)
> >>> #
> >>> modparam("auth_db", "password_column", "password")
> >>>
> >>> # -- rr params --
> >>> # add value to ;lr param to make some broken UAs happy
> >>> modparam("rr", "enable_full_lr", 1)
> >>>
> >>> # -- nathelper params ---
> >>> modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
> >>> modparam("nathelper", "natping_interval", 30)
> >>> modparam("nathelper", "ping_nated_only", 1)
> >>> #modparam("nathelper", "sipping_bflag", 7)
> >>> modparam("nathelper", "sipping_from", "sip:pinger at 82.168.191.xx")
> >>>
> >>> # -------------------------  request routing logic -------------------
> >>>
> >>> # main routing logic
> >>>
> >>> route{
> >>>
> >>>          # initial sanity checks -- messages with
> >>>          # max_forwards==0, or excessively long requests
> >>>          if (!mf_process_maxfwd_header("10")) {
> >>>                  sl_send_reply("483","Too Many Hops");
> >>>                  exit;
> >>>          };
> >>>
> >>>          if (msg:len >=  2048 ) {
> >>>                  sl_send_reply("513", "Message too big");
> >>>                  exit;
> >>>          };
> >>>
> >>>          # NAT detection
> >>>          route(2);
> >>>
> >>>          # we record-route all messages -- to make sure that
> >>>          # subsequent messages will go through our proxy; that's
> >>>          # particularly good if upstream and downstream entities
> >>>          # use different transport protocol
> >>>          if (!method=="REGISTER")
> >>>                  record_route();
> >>>
> >>>          # subsequent messages withing a dialog should take the
> >>>          # path determined by record-routing
> >>>          if (loose_route()) {
> >>>                  # mark routing logic in request
> >>>                  append_hf("P-hint: rr-enforced\r\n");
> >>>                  route(1);
> >>>          };
> >>>
> >>>          if (!uri==myself) {
> >>>                  # mark routing logic in request
> >>>                  append_hf("P-hint: outbound\r\n");
> >>>                  # if you have some interdomain connections via TLS
> >>>                  #if(uri=~"@tls_domain1.net") {
> >>>                  #       t_relay("tls:domain1.net");
> >>>                  #       exit;
> >>>                  #} else if(uri=~"@tls_domain2.net") {
> >>>                  #       t_relay("tls:domain2.net");
> >>>                  #       exit;
> >>>                  #}
> >>>                  route(1);
> >>>          };
> >>>
> >>>          # if the request is for other domain use UsrLoc
> >>>          # (in case, it does not work, use the following command
> >>>          # with proper names and addresses in it)
> >>>          if (uri==myself) {
> >>>
> >>>                  if (method=="REGISTER") {
> >>>
> >>>                          # Uncomment this if you want to use digest
> >>> authentication
> >>>                          if
> >>> (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
> >>>
> >>> www_challenge("sip.familiedobbelsteen.nl", "0");
> >>>                                  exit;
> >>>                          };
> >>>
> >>>                          if (isflagset(5)) {
> >>>                                  # set branch flag -- when someone will
> >>> call this user
> >>>                                  # INVITE will have branch flag 6 set
> >>> after loopup("location")
> >>>                                  setflag(6);
> >>>                                  # if you want OPTIONS natpings
> >>> uncomment next
> >>>                                  # setflag(7);
> >>>                          };
> >>>
> >>>                          save("location");
> >>>                          exit;
> >>>                  };
> >>>
> >>>                  lookup("aliases");
> >>>                  if (!uri==myself) {
> >>>                          append_hf("P-hint: outbound alias\r\n");
> >>>                          route(1);
> >>>                  };
> >>>
> >>>                  # native SIP destinations are handled using our USRLOC
> >>> DB if (!lookup("location")) {
> >>>                          sl_send_reply("404", "Not Found");
> >>>                          exit;
> >>>                  };
> >>>                  append_hf("P-hint: usrloc applied\r\n");
> >>>          };
> >>>
> >>>          route(1);
> >>> }
> >>>
> >>>
> >>> route[1] {
> >>>          # send it out now; use stateful forwarding as it works
> >>> reliably # even for UDP2TCP
> >>>          if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
> >>>                  setflag(6);
> >>>          };
> >>>
> >>>          if (isflagset(5) || isflagset(6)) {
> >>>                  route(3);
> >>>          };
> >>>
> >>>          if (!t_relay()) {
> >>>                  sl_reply_error();
> >>>          };
> >>>          exit;
> >>> }
> >>>
> >>> route[2] {
> >>>          force_rport();
> >>>          if(nat_uac_test("19")) {
> >>>                  if (method=="REGISTER") {
> >>>                          fix_nated_register();
> >>>                  } else {
> >>>                          fix_nated_contact();
> >>>                  };
> >>>                  setflag(5);
> >>>          };
> >>> }
> >>>
> >>> route[3] {
> >>>          if (is_method("BYE")) {
> >>>                  unforce_rtp_proxy();
> >>>          } else if (is_method("INVITE")) {
> >>>                  force_rtp_proxy("", "82.168.191.xx");
> >>>                  t_on_failure("2");
> >>>          };
> >>>          if (isflagset(5))
> >>>                  search_append('Contact:.*sip:[^>[:cntrl:]]*',
> >>> ';nat=yes'); t_on_reply("1");
> >>> }
> >>>
> >>> failure_route[2] {
> >>>          if (isflagset(6)||isflagset(5)) {
> >>>                  unforce_rtp_proxy();
> >>>          };
> >>> }
> >>>
> >>> onreply_route[1] {
> >>>          if ((isflagset(5) || isflagset(6)) && status =~
> >>> "(183)|(2[0-9][0-9])") {
> >>>                  force_rtp_proxy();
> >>>          };
> >>>          search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >>>
> >>>          if (isflagset(6)) {
> >>>                  fix_nated_contact();
> >>>          };
> >>>          exit;
> >>> }
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.openser.org
> >>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.openser.org
> >> http://lists.openser.org/cgi-bin/mailman/listinfo/users





More information about the Users mailing list