[OpenSIPS-Users] 2 UAs behind same NAT Device

Deon Vermeulen vermeulen.deon at gmail.com
Wed Nov 3 19:54:39 CET 2010


Hi Kennard

Thanks for coming back to me.
Do you perhaps have a working MediaProxy config example that should  
solve most of the NAT issues?

If I can just get a working example then I should be able to work it  
from there.

Thanks again. I really appreciate it.

Best Regards
Deon


On 03 Nov 2010, at 8:43 PM, Kennard White wrote:

> Hi Deon,
>
> I don't have experience doing what you're trying to do. Only
> comment I have is that I doubt short-circuiting media-relay based  
> upon SIP message source IPs is unlikely to work well.
>
> Kennard
>
> On Tue, Nov 2, 2010 at 11:17 PM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
> Morning Kennard
>
> I really appreciate your feedback.
>
> I will be serving different networks, but will have control over most
> of them or at least be able to assist 3rd party vendors for those I
> don't.
>
> As for another NAT device behind the "Main" Firewall, there wouldn't
> be an issue like that, but would be a "nice to have" just in case I
> run into something like that.
>
> I think it would be best that I explain what I would like to achieve
> to clarify what my idea is:
>
> I have a Multi-Tenant solution running on Multiple Asterisk Servers.
> The solution currently works for customers that have a VPN/MPLS
> connection to me, but I would like to expand my services over the
> Internet for smaller customers who can not afford VPN/MPLS connections
> to me, but would like to make use of this service.
> I would also like to extend this service to have Follow me for my
> current customers via their mobile devices, from home, etc...
> The Multi-Tenant Asterisk Servers use one Database and handle all
> Media including Hunt groups, IVR, Speed Dials, Black/White listing,
> Connectivity to the PSTN via external Gateways, etc...
> I am looking at OpenSIPS to only help resolve the NAT issue and do
> Load-Balancing between my Asterisk Multi-Tenant servers.
>
> Hope this clarifies what I am looking to achieve.
>
> I would really appreciate your help with this.
> Perhaps a sample config of how you would do this would be awesome.
>
> Thanks again.
>
> Best Regards
> Deon
>
>
> So, I am looking at OpenSIPS to help provide LoadBalancing/Load
> Sharing between couple of Asterisk Servers, which will cut down a lot
> on expenses.
>
> On 03 Nov 2010, at 5:26 AM, Kennard White wrote:
>
> > Hi Deon,
> >
> > For better or worse there are many ways to configure opensips
> > depending upon exactly what you are doing. Re your route6, it should
> > be invoked from some branch route. One way branch routes are
> > established is using t_on_branch(). Your route(3) (or somewhere)
> > must be doing a lookup() and establish a branch route.
> >
> > As someone else said, a key question with what you're trying to do
> > is: is your network an open or closed environment? If open
> > environment (where you cannot control/know the networks where your
> > users are) then non-ICE short-circuiting media relay will fail for
> > people behind non-hairpinning firewalls or double firewalls. ICE
> > (and yes, full ICE, not just STUN) is more robust way of avoiding
> > media-relay when not needed. Of course, it has its own issues :-).
> >
> > Kennard
> >
> > On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
> > Hi Kennard
> >
> > Thanks for the ideas.
> > I really appreciate it.
> >
> > I got the config as an example from the Building Telephony systems
> > with OpenSER.
> > I chose the OpenSER implementation as it describes the implementation
> > of MediaProxy.
> > Reason for choosing MediaProxy is because I am very, very interested
> > in getting the ICE feature.
> >
> > I thought best to first get this config working before playing around
> > with the ICE configuration.
> >
> > Could you be so kind and perhaps show me where I should call up
> > route(6)?
> >
> > I use fully qualified domain names (i.e domaina.com) for the domain.
> > At the moment I specify the proxy with the IP of my Server as I
> > haven't setup the DNS records yet.
> >
> > I really appreciate your feedback and assistance.
> >
> > Regards
> > Deon
> >
> >
> > On 02 Nov 2010, at 5:08 PM, Kennard White wrote:
> >
> > > Hi Deon,
> > >
> > > Some ideas:
> > > 1. Capture the SIP traffic and see if media proxy is being invoked
> > > in the request and/or response (look for your P-hint messages), and
> > > the IP addresses.
> > > 2. Add xlog messages when you invoke mediarelay to confirm that they
> > > are getting called.
> > > 3. You're comparing $dd (which is a domain) to $si (which is an IP
> > > address). I don't think this will work in the general case, but
> > > maybe you're using IP addresses as your domains?
> > > 4. I don't see the code that invokes route(6) -- I assume that is in
> > > a branch_route not the request route?
> > >
> > > Good luck,
> > > Kennard
> > >
> > > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
> > > Hi List
> > >
> > > > I'm trying to setup NAT to NOT use MediaProxy when it detects that 2
> > > > devices are behind the same NAT Device, but rather have coms go
> > > > directly between them.
> > > > At the moment I can dial between the 2 phones and answer the call.
> > > > The callee phone says "Call Established" upon answer, but the caller
> > > > phone still says "trying/connecting".
> > > > I am sure this has something to do with my configuration, but I have
> > > > "NO IDEA" where to start looking.
> > > > The phones are setup to use their local IPs with no other STUN, ICE,
> > > > or "proxy like" configurations.
> > > > Below is a snippet from my opensips.cfg with the NAT configs and would
> > > > really appreciate any help to get this working.
> > >
> > > modparam("rr", "enable_full_lr", 1)
> > > modparam("registrar", "received_avp", "$avp(i:42)")
> > > modparam("usrloc", "db_mode",   2)
> > > modparam("usrloc", "nat_bflag", 6)
> > > modparam("domain", "db_mode", 1) # Use caching
> > > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)
> > > > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|siptrace|group|avpops|presence", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> > > modparam("nathelper", "natping_interval", 10)
> > > modparam("nathelper", "received_avp", "$avp(i:42)")
> > > > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-dispatcher.sock")
> > > > modparam("mediaproxy", "mediaproxy_timeout", 500)
> > > > modparam("mi_datagram", "socket_name", "/var/run/opensips/opensips.sock")
> > > modparam("mi_datagram", "children_count", 4)
> > >
> > >
> > > > # -------------------------  request routing logic ------------------- #
> > >
> > > route{
> > >
> > >     #
> > >     # -- 1 -- Request Validation
> > >     #
> > >     if (!mf_process_maxfwd_header("10")) {
> > >         sl_send_reply("483","Too Many Hops");
> > >         exit;
> > >     }
> > >
> > >     if (msg:len >=  2048 ) {
> > >         sl_send_reply("513", "Message too big");
> > >         exit;
> > >     }
> > >
> > >     #
> > >     # -- 2 -- Routing Preprocessing
> > >     #
> > >     ## Record-route all except Register
> > >     ## Mark packets with nat=yes
> > >     ## This mark will be used to identify the request in the loose
> > >     ## route section
> > >     if(!is_method("REGISTER")){
> > >         if(nat_uac_test("19")){
> > >             record_route(";nat=yes");
> > >         } else {
> > >             record_route();
> > >         }
> > >     }
> > >
> > >     ##Loose_route packets
> > > >     if (has_totag()) {
> > > >         # sequential request within a dialog should
> > > >         # take the path determined by record-routing
> > > >         if (loose_route()) {
> > > >             # Check authentication of re-invites
> > > >             if(method=="INVITE") {
> > > >                 if (!proxy_authorize("","subscriber")) {
> > > >                     proxy_challenge("","1");
> > > >                     exit;
> > > >                 } else if (!db_check_from()) {
> > > >                     sl_send_reply("403", "Forbidden, use From=ID");
> > > >                     exit;
> > > >                 }
> > > >             }
> > > >             ## BYE and CANCEL message handling
> > > >             if(method=="BYE" || method=="CANCEL") {
> > > >                 end_media_session();
> > > >             }
> > > >             ## Detect requests in the dialog behind NAT and flag with 6
> > > >             if(nat_uac_test("19") || search("^Route:.*;nat=yes")){
> > > >                 append_hf("P-hint: LR|fixcontact,setflag6,mediaproxy \r\n");
> > > >                 fix_contact();
> > > >                 setbflag(6);
> > > >                 use_media_proxy();
> > > >             }
> > > >             route(1);
> > > >         } else {
> > > >             sl_send_reply("404","Not here");
> > > >         }
> > > >         exit;
> > > >     }
> > >
> > >     #CANCEL processing
> > >     if (is_method("CANCEL")) {
> > >         if (t_check_trans()) {
> > >             end_media_session();
> > >             t_relay();
> > >         }
> > >         exit;
> > >     }
> > >
> > >     t_check_trans();
> > >
> > >     #
> > >     # -- 3 -- Determine Request Target
> > >     #
> > >     if (method=="REGISTER") {
> > >         route(2);
> > >     } else {
> > >         route(3);
> > >     }
> > > }
> > >
> > >
> > > route[1] {
> > >     #
> > >     # -- 4 -- Forward request to target
> > >     #
> > >     # Forward statefully
> > >     t_on_reply("1");
> > >     t_on_failure("1");
> > >     if (!t_relay()) {
> > >         sl_reply_error();
> > >     }
> > >     exit;
> > > }
> > >
> > > route[2] {
> > >     ## Register request handler
> > >     if (is_uri_host_local()) {
> > >         if (!www_authorize("", "subscriber")) {
> > >             www_challenge("", "1");
> > >             exit;
> > >         }
> > >
> > >         if (!db_check_to()) {
> > >             sl_send_reply("403", "Forbidden");
> > >             exit;
> > >         }
> > >
> > >            # Test to see if Caller is behind NAT
> > >         if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
> > >             setbflag(6);
> > >             fix_nated_register();
> > >             force_rport();
> > >         }
> > >         save("location");
> > >         exit;
> > >
> > >     } else {
> > >         sl_send_reply("403", "Forbidden");
> > >     }
> > > }
> > >
> > >
> > > route[3] {
> > >     ## Requests handler
> > >     if (is_from_local()){
> > > >         # From an internal domain -> check the credentials and the FROM
> > >         #if(!allow_trusted()){
> > >             if (!proxy_authorize("","subscriber")) {
> > >                 proxy_challenge("","0");
> > >                 exit;
> > >             } else if(!db_check_from()) {
> > >             sl_send_reply("403", "Forbidden, use From=ID");
> > >             exit;
> > >         }
> > >
> > >         if (client_nat_test("3")) {
> > > >             append_hf("P-hint: route(3)|setflag7,forcerport,fix_contact\r\n");
> > >             setbflag(7);
> > >             force_rport();
> > >             fix_contact();
> > >         }
> > >
> > > ..............
> > >
> > > route[6] {
> > >     #
> > >     # -- NAT Traversal handling --
> > >     #
> > > >     # Route[6] is the routing block responsible for activating the MediaProxy, whenever
> > > >     # the caller or callee is behind NAT (flags 6 or 7 respectively).
> > > >     if (isbflagset(6) || isbflagset(7)) {
> > > >            if ( $dd == $si ) {
> > > >                    xlog("L_INFO", "Both users behind same NAT, so we dont use MediaProxy\n");
> > >                    resetbflag(6);  # Unset NAT flag general.
> > >                    resetbflag(7);  # Unset NAT flag general.
> > >         } else
> > >         append_hf("P-hint: Route[6]: mediaproxy \r\n");
> > >         use_media_proxy();
> > >     }
> > > }
> > >
> > > .............
> > >
> > > onreply_route[1] {
> > > #
> > > > #-- On-reply block routing --
> > > #
> > >     if (client_nat_test("1")) {
> > >         append_hf("P-hint: Onreply-route - fixcontact \r\n");
> > >         fix_contact();
> > >     }
> > >
> > > >     if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|2[0-9][0-9]")) {
> > > >         if (search("^Content-Type:[ ]*application/sdp")) {
> > > >             append_hf("P-hint: onreply_route|usemediaproxy \r\n");
> > > >             use_media_proxy();
> > >         }
> > >     }
> > >     exit;
> > > }
> > >
> > >
> > > Thanks again for helping. Really appreciate it.
> > >
> > > Regards
> > > Deon
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.opensips.org
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.opensips.org
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
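
The capture check suggested in the thread (look for the P-hint headers and the IP addresses in the request and the response) can be scripted. This is an added example, not part of the original messages: the two SIP messages are constructed samples, 203.0.113.10 is a stand-in for the relay address, and the function names are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed capture (not from the thread): the INVITE as forwarded by the
# proxy and the 200 OK relayed back. 203.0.113.10 is a stand-in relay address.
INVITE = (
    "INVITE sip:bob@domaina.com SIP/2.0\r\n"
    "P-hint: route(3)|setflag7,forcerport,fix_contact\r\n"
    "P-hint: Route[6]: mediaproxy \r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 203.0.113.10\r\nm=audio 50000 RTP/AVP 0\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 192.168.1.23\r\nm=audio 16384 RTP/AVP 0\r\n"
)

def inspect_msg(msg):
    """Extract the P-hint values and the SDP media endpoint from one message."""
    head, _, body = msg.partition("\r\n\r\n")
    hints = [h.strip() for h in re.findall(r"(?im)^P-hint:(.*)$", head)]
    conn = re.search(r"(?m)^c=IN IP4 (\S+)", body)
    port = re.search(r"(?m)^m=audio (\d+)", body)
    addr = conn.group(1) if conn else None
    private = None
    if addr:
        ip = ipaddress.ip_address(addr)
        private = any(ip in net for net in RFC1918)
    return {"hints": hints, "addr": addr, "private": private,
            "port": int(port.group(1)) if port else None}

def relay_report(request, reply):
    """Per direction: was the SDP rewritten to a non-RFC 1918 address?"""
    out = {}
    for name, msg in (("request", request), ("reply", reply)):
        info = inspect_msg(msg)
        out[name + "_relayed"] = info["private"] is False
        out[name + "_hints"] = info["hints"]
        out[name + "_media"] = (info["addr"], info["port"])
    return out

if __name__ == "__main__":
    for key, value in relay_report(INVITE, OK_200).items():
        print(f"{key}: {value}")
```

In this sample the request SDP was rewritten but the reply still advertises a private address and carries no P-hint, which is the asymmetry the capture is meant to expose.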
