[OpenSIPS-Users] 2 UAs behind same NAT Device

Deon Vermeulen vermeulen.deon at gmail.com
Wed Nov 3 07:17:57 CET 2010


Morning Kennard

I really appreciate your feedback.

I will be serving different networks, but will have control over most  
of them or at least be able to assist 3rd party vendors for those I  
don't.

As for another NAT device behind the "Main" Firewall, there wouldn't  
be an issue like that, but would be a "nice to have" just in case I  
run into something like that.

I think it would be best that I explain what I would like to achieve  
to clarify what my idea is:

I have a Multi-Tenant solution running on Multiple Asterisk Servers.
The solution currently works for customer that has an VPN/MPLS  
connection to me, but I would like to expand my services over the  
Internet for smaller customers who can not afford VPN/MPLS connections  
to me, but would like to make use of this service.
I would also like to extend this service to have Follow me for my  
current customers via their mobile devices, from home, etc...
The Multi-Tenant Asterisk Servers use one Database and handle all  
Media including Hunt groups, IVR, Speed Dials, Black/White listing,  
Connectivity to the PSTN via external Gateways, etc...
I am looking at OpenSIPS to only help resolve the NAT issue and do  
Load-Balancing between my Asterisk Multi-Tenant servers.

Hope this clarifies what I am looking to achieving.

I would really appreciate your help with this.
Perhaps a sample config of how you would do this would be awesome.

Thanks again.

Best Regards
Deon


So, I am looking at OpenSIPS to help provide LoadBalancing/Load  
Sharing between couple of Asterisk Servers, which will cut down a lot  
on expenses.

On 03 Nov 2010, at 5:26 AM, Kennard White wrote:

> Hi Deon,
>
> For better or worse there are many ways to configure opensips  
> depending upon exactly what you are doing. Re your route6, it should  
> be invoked from some branch route. One way branch routes are  
> established is using t_on_branch(). Your route(3) (or somewhere)  
> must be doing a lookup() and establish a branch route.
>
> As someone else said, a key question with what you're trying to do  
> is: is your network an open or closed environment? If open  
> environment (where you cannot control/know the networks where your  
> users are) then non-ICE short-circuiting media relay will fail for  
> people behind non-hairpinning firewalls or double firewalls. ICE  
> (and yes, full ICE, not just STUN) is more robust way of avoiding  
> media-relay when not needed. Of course, it has its own issues :-).
>
> Kennard
>
> On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <vermeulen.deon at gmail.com 
> > wrote:
> Hi Kennard
>
> Thanks for the ideas.
> I really appreciate it.
>
> I got the config as an example from the Building Telephony systems
> with OpenSER.
> I choose the OpenSER implementation as it describes the implenetation
> of MediaProxy.
> Reason for choosing MediaProxy is because I am very, very interested
> in getting the ICE feature.
>
> I thought best to first get this config working before playing around
> with the ICE configuration.
>
> Could you be so kind and perhaps show me where I should call up
> route(6)?
>
> I use fully qualified domain names (i.e domaina.com) for the domain.
> At the moment I specify the proxy with the IP of my Server as I
> haven't setup the DNS records yet.
>
> I really appreciate your feedback and assistance.
>
> Regards
> Deon
>
>
> On 02 Nov 2010, at 5:08 PM, Kennard White wrote:
>
> > Hi Deon,
> >
> > Some ideas:
> > 1. Capture the SIP traffic and see if media proxy is being invoked
> > in the request and/or response (look for your P-hint messages), and
> > the IP addresses.
> > 2. Add xlog messages when you invoke mediarelay to confirm that they
> > are getting called.
> > 3. You're comparing $dd (which is a domain) to $si (which is an IP
> > address). I don't think this will work in the general case, but
> > maybe you're using IP addresses as your domains?
> > 4. I don't see the code that invokes route(6) -- I assume that is in
> > a branch_route not the request route?
> >
> > Good luck,
> > Kennard
> >
> > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <vermeulen.deon at gmail.com
> > > wrote:
> > Hi List
> >
> > I'm trying to setup NAT to NOT use MediaProxy when it detects that 2
> > devices are behind the same NAT Device, but rather have coms go
> > directly between them.
> > At the moment I can dial between the 2 phones and answer the call.
> > The callee phone says "Call Established" upon answer, but the caller
> > phone still says "trying/connecting".
> > I am sure this has something to do with my configuration, but I have
> > "NO IDEA" where to start looking.
> > The phones are setup to use their local IPs with no other STUN, ICE,
> > or "proxy like" configurations.
> > Below is a snipped from my opensips.cfg with the NAT configs and  
> would
> > really appreciate any help to get this working.
> >
> > modparam("rr", "enable_full_lr", 1)
> > modparam("registrar", "received_avp", "$avp(i:42)")
> > modparam("usrloc", "db_mode",   2)
> > modparam("usrloc", "nat_bflag", 6)
> > modparam("domain", "db_mode", 1) # Use caching
> > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)
> > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|
> > siptrace|group|avpops|presence", "db_url", "mysql://
> > opensips:opensipsrw at localhost/opensips")
> > modparam("nathelper", "natping_interval", 10)
> > modparam("nathelper", "received_avp", "$avp(i:42)")
> > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-
> > dispatcher.sock")
> > modparam("mediaproxy", "mediaproxy_timeout", 500)
> > modparam("mi_datagram", "socket_name", "/var/run/opensips/
> > opensips.sock")
> > modparam("mi_datagram", "children_count", 4)
> >
> >
> > # -------------------------  request routing logic
> > ------------------- #
> >
> > route{
> >
> >     #
> >     # -- 1 -- Request Validation
> >     #
> >     if (!mf_process_maxfwd_header("10")) {
> >         sl_send_reply("483","Too Many Hops");
> >         exit;
> >     }
> >
> >     if (msg:len >=  2048 ) {
> >         sl_send_reply("513", "Message too big");
> >         exit;
> >     }
> >
> >     #
> >     # -- 2 -- Routing Preprocessing
> >     #
> >     ## Record-route all except Register
> >     ## Mark packets with nat=yes
> >     ## This mark will be used to identify the request in the loose
> >     ## route section
> >     if(!is_method("REGISTER")){
> >         if(nat_uac_test("19")){
> >             record_route(";nat=yes");
> >         } else {
> >             record_route();
> >         }
> >     }
> >
> >     ##Loose_route packets
> >     if (has_totag()) {
> >         #sequential request withing a dialog should
> >         # take the path determined by record-routing
> >         if (loose_route()) {
> >             #Check authentication of re-invites
> >             if(method=="INVITE") {
> >                 if (!proxy_authorize("","subscriber")) {
> >                 proxy_challenge("","1");
> >                 exit;
> >             } else if (!db_check_from()) {
> >                 sl_send_reply("403", "Forbidden, use From=ID");
> >                 exit;
> >             }
> >         }
> >                 ## BYE and CANCEL message handling
> >         if(method=="BYE" || method=="CANCEL") {
> >             end_media_session();
> >         }
> >         ##Detect requests in the dialog behind NAT and flag with 6
> >             if(nat_uac_test("19") || search("^Route:.*;nat=yes")){
> >                 append_hf("P-hint: LR|fixcontact,setflag6,  
> mediaproxy
> > \r\n");
> >                 fix_contact();
> >                 setbflag(6);
> >                 use_media_proxy();
> >             }
> >             route(1);
> >         } else {
> >             sl_send_reply("404","Not here");
> >         }
> >         exit;
> >     }
> >
> >     #CANCEL processing
> >     if (is_method("CANCEL")) {
> >         if (t_check_trans()) {
> >             end_media_session();
> >             t_relay();
> >         }
> >         exit;
> >     }
> >
> >     t_check_trans();
> >
> >     #
> >     # -- 3 -- Determine Request Target
> >     #
> >     if (method=="REGISTER") {
> >         route(2);
> >     } else {
> >         route(3);
> >     }
> > }
> >
> >
> > route[1] {
> >     #
> >     # -- 4 -- Forward request to target
> >     #
> >     # Forward statefully
> >     t_on_reply("1");
> >     t_on_failure("1");
> >     if (!t_relay()) {
> >         sl_reply_error();
> >     }
> >     exit;
> > }
> >
> > route[2] {
> >     ## Register request handler
> >     if (is_uri_host_local()) {
> >         if (!www_authorize("", "subscriber")) {
> >             www_challenge("", "1");
> >             exit;
> >         }
> >
> >         if (!db_check_to()) {
> >             sl_send_reply("403", "Forbidden");
> >             exit;
> >         }
> >
> >            # Test to see if Caller is behind NAT
> >         if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
> >             setbflag(6);
> >             fix_nated_register();
> >             force_rport();
> >         }
> >         save("location");
> >         exit;
> >
> >     } else {
> >         sl_send_reply("403", "Forbidden");
> >     }
> > }
> >
> >
> > route[3] {
> >     ## Requests handler
> >     if (is_from_local()){
> >         # From an internal domain -> check the credentials and the
> > FROM
> >         #if(!allow_trusted()){
> >             if (!proxy_authorize("","subscriber")) {
> >                 proxy_challenge("","0");
> >                 exit;
> >             } else if(!db_check_from()) {
> >             sl_send_reply("403", "Forbidden, use From=ID");
> >             exit;
> >         }
> >
> >         if (client_nat_test("3")) {
> >             append_hf("P-hint: route(3)|
> > setflag7,forcerport,fix_contact\r\n");
> >             setbflag(7);
> >             force_rport();
> >             fix_contact();
> >         }
> >
> > ..............
> >
> > route[6] {
> >     #
> >     # -- NAT Traversal handling --
> >     #
> >     # Route[6] is the routing block responsible for activating the
> > MediaProxy, whenever
> >     # the caller or callee is behind NAT (flags 6 or 7  
> respectively).
> >     if (isbflagset(6) || isbflagset(7)) {
> >            if ( $dd == $si ) {
> >                    xlog("L_INFO", "Both users behind same NAT, so we
> > dont use MediaProxy\n");
> >                    resetbflag(6);  # Unset NAT flag general.
> >                    resetbflag(7);  # Unset NAT flag general.
> >         } else
> >         append_hf("P-hint: Route[6]: mediaproxy \r\n");
> >         use_media_proxy();
> >     }
> > }
> >
> > .............
> >
> > onreply_route[1] {
> > #
> > #-- On-replay block routing --
> > #
> >     if (client_nat_test("1")) {
> >         append_hf("P-hint: Onreply-route - fixcontact \r\n");
> >         fix_contact();
> >     }
> >
> >     if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|
> > 2[0-9][0-9]")) {
> >         if (search("^Content-Type:[ ]*application/sdp")) {
> >             append_hf("P-hint: onreply_route|usemediaproxy \r\n");
> >         use_media_proxy();
> >         }
> >     }
> >     exit;
> > }
> >
> >
> > Thanks again for helping. Really appreciate it.
> >
> > Regards
> > Deon
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users




More information about the Users mailing list