[OpenSIPS-Users] Need some help with NAT/rtpproxy
James Lamanna
jlamanna at gmail.com
Tue Dec 14 19:55:44 CET 2010
Does anyone have a working example with fix_nated_register() that they
could post (or email me directly).
I'd really like to see how this is done properly.
Thanks.
-- James
On Mon, Dec 13, 2010 at 5:54 PM, James Lamanna <jlamanna at gmail.com> wrote:
> Some other weird stuff that happens if I remove the fix_nated_register call:
> Sometimes everything will work fine, audio is fine, etc..
> However, sometimes I'll call a phone, and the phone will immediately
> place a call back out to the number I'm dialing from!
> (very strange).
>
> -- James
>
> On Mon, Dec 13, 2010 at 5:28 PM, James Lamanna <jlamanna at gmail.com> wrote:
>> Hi,
>> I'm having some issues getting a correct NAT configuration going.
>> The problem I'm having is
>> I get a "479 We don't forward to private IP addresses" back when
>> receiving a call to a phone from Asterisk, presumably because the
>> location table has private IPs in it for some reason.
>>
>> This seems to be related to my failed attempt to use fix_nated_register().
>> Removing the call to fix_nated_register and just using
>> fix_nated_contact allows calls to go through, but then I get no audio
>> on either side...
>>
>> Config follows.
>>
>> Thanks.
>>
>> -- James
>>
>>
>> debug=3 # debug level (cmd line: -dddddddddd)
>> fork=yes
>> log_stderror=no # (cmd line: -E)
>> log_facility=LOG_LOCAL0
>> tos=0x60
>>
>> # Uncomment these lines to enter debugging mode
>> #fork=no
>> #log_stderror=yes
>> #debug=6
>>
>> check_via=no # (cmd. line: -v)
>> dns=no # (cmd. line: -r)
>> rev_dns=no # (cmd. line: -R)
>> port=5060
>> children=4
>>
>> listen=udp:208.xxx.xxx.6:5060
>> listen=udp:208.xxx.xxx.6:5061
>> # ------------------ module loading ----------------------------------
>>
>> #set module path
>> #mpath="/usr/local/lib/opensips/modules/"
>> mpath="/usr/local/lib64/opensips/modules/"
>>
>> # Uncomment this if you want to use SQL database
>> loadmodule "db_mysql.so"
>>
>> loadmodule "sl.so"
>> loadmodule "maxfwd.so"
>> loadmodule "textops.so"
>> loadmodule "avpops.so"
>> loadmodule "tm.so"
>> loadmodule "rr.so"
>> loadmodule "dialog.so"
>> loadmodule "signaling.so"
>> loadmodule "options.so"
>> loadmodule "localcache.so"
>>
>> loadmodule "usrloc.so"
>>
>> loadmodule "presence.so"
>> loadmodule "presence_xml.so"
>> loadmodule "presence_dialoginfo.so"
>> loadmodule "pua.so"
>> loadmodule "pua_dialoginfo.so"
>> #loadmodule "pua_bla.so"
>> loadmodule "pua_usrloc.so"
>>
>> loadmodule "registrar.so"
>> loadmodule "mi_fifo.so"
>> #loadmodule "xlog.so"
>>
>> # Uncomment this if you want digest authentication
>> # db_mysql.so must be loaded !
>> loadmodule "auth.so"
>> loadmodule "auth_db.so"
>>
>> # !! Nathelper
>> loadmodule "nathelper.so"
>>
>>
>> # ----------------- setting module-specific parameters ---------------
>>
>> # -- mi_fifo params --
>> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>>
>> modparam("usrloc", "db_mode", 2)
>> modparam("usrloc|dialog|dispatcher|presence|presence_xml|pua|avpops",
>> "db_url", "mysql://opensips:xxxxxxxxxxxxx@localhost/opensips")
>>
>>
>> modparam("avpops","avp_table","usr_preferences")
>>
>> #modparam("dispatcher", "force_dst", 1)
>> # Only use username
>> #modparam("dispatcher", "flags", 1)
>>
>> # Store passwords for 1 hour in cache
>>
>> modparam("auth","username_spec","$avp(i:54)")
>> modparam("auth","password_spec","$avp(i:55)")
>> modparam("auth","calculate_ha1",1)
>>
>> modparam("auth_db", "db_url",
>> "mysql://opensipsro:xxxxxxxx@localhost/opensips")
>> modparam("auth_db", "calculate_ha1", yes)
>> modparam("auth_db", "password_column", "password")
>> modparam("auth_db", "load_credentials", "$avp(i:55)=password")
>>
>> modparam("rr", "enable_full_lr", 1)
>>
>> modparam("dialog", "dlg_flag", 4)
>> modparam("dialog", "profiles_with_value", "caller")
>>
>> modparam("usrloc","nat_bflag",6)
>> modparam("nathelper","sipping_bflag",8)
>> #modparam("nathelper", "natping_interval", 30)
>> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
>> #modparam("nathelper", "natping_interval", 30)
>> modparam("nathelper", "sipping_from", "sip:pinger at 208.xxx.xxx.6")
>> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy/rtpproxy.sock")
>> modparam("nathelper", "received_avp", "$avp(i:42)")
>> modparam("registrar", "received_avp", "$avp(i:42)")
>>
>> modparam("presence", "server_address", "sip:sa at 208.xxx.xxx.6:5060")
>> modparam("presence", "expires_offset", 10)
>> modparam("presence", "mix_dialog_presence", 1)
>> #modparam("presence", "fallback2db", 1)
>> modparam("presence_xml", "force_active", 1)
>>
>> modparam("presence_dialoginfo", "force_single_dialog", 1)
>> modparam("pua_dialoginfo", "presence_server", "sip:sa at 208.xxx.xxx.6:5060")
>> modparam("pua_dialoginfo", "include_callid", 1)
>> modparam("pua_dialoginfo", "include_tags", 1)
>> modparam("pua_dialoginfo", "caller_confirmed", 1)
>>
>> modparam("pua_usrloc", "default_domain", "208.xxx.xxx.6")
>> modparam("pua_usrloc", "presence_server", "sip:sa at 208.xxx.xxx.6:5060")
>>
>> #modparam("stun","primary_ip","208.xxx.xxx.6")
>> #modparam("stun","alternate_ip","208.90.184.10")
>> #modparam("stun","primary_port","5060")
>> #modparam("stun","alternate_port","3479")
>>
>> # ------------------------- request routing logic -------------------
>>
>> # main routing logic
>>
>> route{
>>
>> if (!is_method("NOTIFY"))
>> xlog("L_INFO", "New request - Request/failure/branch routes: M=$rm
>> RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>
>> # max_forwards==0, or excessively long requests
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483","Too Many Hops");
>> exit;
>> };
>> if (msg:len >= 2048 ) {
>> sl_send_reply("513", "Message too big");
>> exit;
>> };
>>
>> # !! Nathelper
>> # Special handling for NATed clients; first, NAT test is
>> # executed: it looks for via!=received and RFC1918 addresses
>> # in Contact (may fail if line-folding is used); also,
>> # the received test should, if completed, should check all
>> # vias for rpesence of received
>> if (nat_uac_test("19")) {
>> # Allow RR-ed requests, as these may indicate that
>> # a NAT-enabled proxy takes care of it; unless it is
>> # a REGISTER
>>
>> if (is_method("REGISTER") || !is_present_hf("Record-Route")) {
>> #xlog("L_INFO", "LOG:Someone trying to register from private IP,
>> rewriting\n");
>> #xlog("L_INFO", "$rb\n");
>> # This will work only for user agents that support symmetric
>> # communication. We tested quite many of them and majority is
>> # smart enough to be symmetric. In some phones it takes a
>> # configuration option. With Cisco 7960, it is called
>> # NAT_Enable=Yes, with kphone it is called "symmetric media" and
>> # "symmetric signalling".
>>
>> # Rewrite contact with source IP of signalling
>> if (is_method("REGISTER")) {
>> fix_nated_register();
>> } else {
>> fix_nated_contact();
>> };
>>
>> if ( is_method("INVITE") ) {
>> #xlog("L_INFO", "NAT: FIXING SDP");
>> fix_nated_sdp("1"); # Add direction=active to SDP
>> };
>> force_rport(); # Add rport parameter to topmost Via
>> setbflag(6); # Mark as NATed
>>
>> # if you want sip nat pinging
>> # setbflag(8);
>> };
>> };
>>
>> # subsequent messages withing a dialog should take the
>> # path determined by record-routing
>> if (loose_route()) {
>> # mark routing logic in request
>> append_hf("P-hint: rr-enforced\r\n");
>> route(1);
>> exit;
>> };
>>
>> # we record-route all messages -- to make sure that
>> # subsequent messages will go through our proxy; that's
>> # particularly good if upstream and downstream entities
>> # use different transport protocol
>> if (!is_method("REGISTER"))
>> record_route();
>>
>> if (method == "INVITE") {
>> setflag(4);
>> }
>>
>> if (!uri==myself) {
>> # mark routing logic in request
>> append_hf("P-hint: outbound\r\n");
>> route(1);
>> exit;
>> };
>>
>> # if the request is for other domain use UsrLoc
>> # (in case, it does not work, use the following command
>> # with proper names and addresses in it)
>> if (uri==myself) {
>> if (is_method("OPTIONS") && (! uri=~"sip:.*[@]+.*")) {
>> options_reply();
>> exit;
>> }
>>
>> # if (is_method("INVITE|ACK")) {
>> # unforce_rtp_proxy();
>> # }
>>
>>
>>
>> if (is_method("REGISTER")) {
>> #xlog("L_INFO", "trying to register $au $ad\n");
>>
>> if(cache_fetch("local","passwd_$tu",$avp(i:55))) {
>> $avp(i:54) = $tU;
>> xlog("SCRIPT: stored password is $avp(i:55)\n");
>> # perform auth from variables
>> # $avp(i:54) contains the username
>> # $avp(i:55) contains the password
>> if (!pv_www_authorize("asterisk")) {
>> # authentication failed -> do challenge
>> www_challenge("asterisk", "0");
>> exit;
>> };
>> } else {
>> # perform DB authentication ->
>> # password will be loaded from DB automatically
>> if (!www_authorize("asterisk", "subscriber")) {
>> # authentication failed -> do challenge
>> www_challenge("asterisk", "0");
>> exit;
>> };
>> # after DB authentication, the password is available
>> # in $avp(i:55) because of the "load_credentials"
>> # module parameter.
>> xlog("SCRIPT: storing password <$avp(i:55)>\n");
>> # use a 20 minutes lifetime for the password;
>> # after that, it will erased from cache and we do
>> # db authentication again (refresh the passwd from DB)
>> cache_store("local","passwd_$tu","$avp(i:55)",3600);
>> }
>>
>> # Uncomment this if you want to use digest authentication
>> #if (!www_authorize("asterisk", "subscriber")) {
>> # www_challenge("asterisk", "0");
>> # return;
>> #};
>>
>> #bla_set_flag();
>>
>> save("location");
>> pua_set_publish();
>> exit;
>> };
>>
>> lookup("aliases");
>> if (!uri==myself) {
>> append_hf("P-hint: outbound alias\r\n");
>> route(1);
>> exit;
>> };
>>
>> #xlog("L_INFO", "TESTING FOR $hdr(Event)\n");
>> if (is_method("NOTIFY") && $hdr(Event) == "message-summary") {
>> #xlog("L_INFO", "MWI Notification $rb\n");
>> if (!lookup("location")) {
>> sl_send_reply("404", "Not Found");
>> exit;
>> }
>> } else if (is_method("SUBSCRIBE") && (uri =~ "sip:[7-9][0-9]@208.xxx.xxx.6" ||
>> $hdr(Event) == 'message-summary')) {
>> xlog("L_INFO", "SUBSCRIBE FOR PAGE/VM \n");
>> if(!cache_fetch("local","ast_$fU",$avp(i:200)))
>> avp_db_load("$fu/username","$avp(i:200)");
>> if ($avp(i:200) == NULL || $avp(i:200) == '') {
>> xlog("INVALID DIALPLAN SERVER URL\n");
>> sl_send_reply("404", "Not Found");
>> exit;
>> } else {
>> cache_store("local","ast_$fU","$avp(i:200)",3600);
>> }
>> #rewritehostport("$avp(i:200)");
>> $rd = $(avp(i:200){s.select,0,:});
>> $rp = $(avp(i:200){s.select,1,:});
>> } else if (is_method("PUBLISH|SUBSCRIBE|NOTIFY")) {
>> route(2);
>>
>> # Asterisk signaling comes in on 5061
>> } else if (dst_port==5061) {
>> if (!lookup("location")) {
>> sl_send_reply("404", "Not Found");
>> exit;
>> }
>>
>> if (is_method("INVITE")) {
>> dialoginfo_set();
>> }
>>
>>
>> xlog("L_INFO", "request from asterisk $ru $tu\n");
>> if (to_uri =~ ".*intercom=true") {
>> xlog("INTERCOM REQUEST\n");
>> $var(checkuser) = $tU;
>>
>> get_profile_size("caller","$var(checkuser)","$var(rcalls)");
>> if ($var(rcalls) > 0) {
>> xlog("DENY INTERCOM\n");
>> sl_send_reply("486", "Busy Here");
>> exit;
>> }
>> }
>>
>> if (!isflagset(31)) {
>> #get_profile_size("caller","$avp(s:caller_uuid)","$var(calls)");
>> create_dialog();
>> #set_dlg_profile("caller","$avp(s:caller_uuid)");
>> set_dlg_profile("caller","$tU");
>> setflag(31);
>> get_profile_size("caller","$tU","$var(calls)");
>> xlog("NUM CALLS $tU $ru $mf $var(calls) \n");
>> }
>> } else if (is_method("INVITE")) {
>> #if (!proxy_authorize("asterisk", "subscriber")) {
>> # proxy_challenge("asterisk", "1"); # Realm will be autogenerated
>> # exit;
>> #};
>>
>> if(!cache_fetch("local","ast_$fU",$avp(i:200)))
>> avp_db_load("$fu/username","$avp(i:200)");
>> if ($avp(i:200) == NULL || $avp(i:200) == '') {
>> xlog("INVALID DIALPLAN SERVER URL\n");
>> sl_send_reply("404", "Not Found");
>> exit;
>> } else {
>> cache_store("local","ast_$fU","$avp(i:200)",3600);
>> }
>> #rewritehostport("$avp(i:200)");
>> $rd = $(avp(i:200){s.select,0,:});
>> $rp = $(avp(i:200){s.select,1,:});
>>
>> if (!isflagset(31)) {
>> #get_profile_size("caller","$avp(s:caller_uuid)","$var(calls)");
>> create_dialog();
>> #set_dlg_profile("caller","$avp(s:caller_uuid)");
>> set_dlg_profile("caller","$fU");
>> setflag(31);
>> get_profile_size("caller","$fU","$var(calls)");
>> xlog("NUM CALLS $fU $ru $mf $var(calls) \n");
>> }
>> dialoginfo_set();
>> }
>> };
>> append_hf("P-hint: usrloc applied\r\n");
>>
>> route(1);
>> }
>>
>> route[1]
>> {
>> # !! Nathelper
>> if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>> !search("^Route:")){
>> sl_send_reply("479", "We don't forward to private IP addresses");
>> exit;
>> };
>>
>> # if client or server know to be behind a NAT, enable relay
>> if (isbflagset(6)) {
>> force_rtp_proxy();
>> };
>>
>> # NAT processing of replies; apply to all transactions (for example,
>> # re-INVITEs from public to private UA are hard to identify as
>> # NATed at the moment of request processing); look at replies
>> t_on_reply("1");
>>
>> # send it out now; use stateful forwarding as it works reliably
>> # even for UDP2TCP
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>> }
>>
>> # !! Nathelper
>> onreply_route[1] {
>> # NATed transaction ?
>> if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>> fix_nated_contact();
>> force_rtp_proxy();
>> # otherwise, is it a transaction behind a NAT and we did not
>> # know at time of request processing ? (RFC1918 contacts)
>> } else if (nat_uac_test("1")) {
>> fix_nated_contact();
>> } else if (status =~ "407") {
>> xlog("AUTH unset profile $tu $fu\n");
>> unset_dlg_profile("caller","$fU");
>> }
>> }
>>
>> route[2] {
>> xlog("L_INFO", "NOTIFY SUBSCRIBE PUBLISH route\n");
>> if (!t_newtran()) {
>> sl_reply_error();
>> exit;
>> };
>>
>> if(is_method("PUBLISH")) {
>> if ($hdr(Sender) != NULL)
>> handle_publish("$hdr(Sender)");
>> else
>> handle_publish();
>> }
>> else if( is_method("SUBSCRIBE")) {
>> xlog("L_INFO", "Handle Subscribe\n");
>> handle_subscribe();
>> }
>> else if (is_method("NOTIFY")) {
>> if ($hdr(Event) != "keep-alive") {
>> # bla_handle_notify();
>> pua_update_contact();
>> }
>> t_reply("200", "OK");
>> }
>>
>> exit;
>> }
>>
>
More information about the Users
mailing list