[OpenSIPS-Users] Example config for NATed UACs, RTPproxy, and NATed OpenSIPS (version 1.6.4)

James Lamanna jlamanna at gmail.com
Wed Jan 12 17:10:17 CET 2011


Bogdan,
Wow, I didn't know about the live DVD.
Any chance someone could create this as an OpenVZ container in
addition to VMWare?

-- James

On Mon, Jan 10, 2011 at 2:25 AM, Bogdan-Andrei Iancu
<bogdan at voice-system.ro> wrote:
> Hi Damon,
>
> Well, the answer is simple - download the opensips virtual machine
> (http://www.voice-system.ro/shortcuts::opensips_livedvd)  where you have a
> ready to run opensips platform with NAT traversal support - you can see in
> the script from the VM how the NAT traversal is done (for signalling and
> media).
>
> If you have questions on that, please come back here.
>
> Regards,
> Bogdan
>
> Damon Miller wrote:
>>
>> All,
>>
>>
>> I've seen many requests for an example working config that shows a working
>> RTPproxy configuration with NATed clients, but I haven't seen many
>> responses.  I recently spent an absurd amount of time getting a working
>> configuration in place so I thought I would post it here in case it's
>> helpful to anyone.
>>
>> Three quick points:
>>
>> 1.  I have only tested this with clients behind a NAT firewall, i.e. I
>> haven't tested with clients that have a public IP.
>>
>>
>> 2.  My OpenSIPS server is behind a NAT firewall itself.  To deal with
>> this, I added the two "advertised" options, as follows:
>>
>> advertised_address="xx.xx.xx.xx"
>> alias="xx.xx.xx.xx:5060"
>>
>>
>> (Replace the "xx.xx.xx.xx" with the NAT firewall's public IP.)
>>
>> I also had to use a modified version of RTPproxy that presents the
>> firewall's public IP even though it binds to a private IP.  Here's a post
>> which summarizes that version of RTPproxy:
>>
>>
>> http://opensips-open-sip-server.1449251.n2.nabble.com/Rtpproxy-behind-the-NAT-td5008041.html
>>
>>
>> I run RTPproxy like this:
>>
>> rtpproxy -A xx.xx.xx.xx -l 192.168.20.154 -s udp:127.0.0.1:12221 -m 25000
>> -M 65000 -F -d DBUG:LOCAL1
>>
>>
>> 3.  I had to "tell" OpenSIPS that my firewall's public IP was one of its
>> local domains.  I'm using MySQL as you'll see in the config file so all I
>> had to do was insert a value into the 'domain' table.  That was pretty
>> obvious, i.e.:
>>
>> mysql> insert into domain (domain) values ("xx.xx.xx.xx");
>>
>> (Replace 'xx.xx.xx.xx' with your public IP.)
>>
>>
>>
>> Here's my 'opensips.cfg' file:
>>
>> --
>>
>> # ----------- global configuration parameters ------------------------
>> # Process-wide settings: log verbosity and syslog facility, daemon mode,
>> # number of worker children, and the SIP listening port.
>> debug=3
>> fork=yes
>> log_facility=LOG_LOCAL0
>> log_stderror=no
>> children=4
>> port=5060
>> dns=no
>> rev_dns=no
>>
>> # The server itself sits behind a NAT firewall, so it advertises the
>> # firewall's public address and accepts it as a local alias.
>> # "xx.xx.xx.xx" is a placeholder for that public IP.
>> advertised_address="xx.xx.xx.xx"
>> alias="xx.xx.xx.xx:5060"
>>
>> # ------------------ module loading ----------------------------------
>> # NOTE(review): no auth / auth_db module is loaded, so nothing in this
>> # script can challenge REGISTER or INVITE requests. Add digest
>> # authentication before exposing this listener to untrusted networks.
>> mpath="/usr/local/lib64/opensips/modules/"
>> loadmodule "db_mysql.so"
>> loadmodule "signaling.so"
>> loadmodule "sl.so"
>> loadmodule "tm.so"
>> loadmodule "rr.so"
>> loadmodule "maxfwd.so"
>> loadmodule "usrloc.so"
>> loadmodule "registrar.so"
>> loadmodule "textops.so"
>> loadmodule "mi_fifo.so"
>> loadmodule "uri.so"
>> loadmodule "nathelper.so"
>> loadmodule "domain.so"
>>
>> # ----------------- setting module-specific parameters ---------------
>> # NOTE(review): the management-interface FIFO is created under /tmp, a
>> # directory every local user can write to. Prefer a directory owned by
>> # the OpenSIPS service account and restrict the FIFO with the mi_fifo
>> # fifo_mode / fifo_user / fifo_group parameters.
>> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>> # NOTE(review): both db_url values embed the database credentials in
>> # clear text, and the password equals the user name. Use a unique
>> # password and keep this file readable only by the service account.
>> modparam("usrloc", "db_url",
>> "mysql://opensipsrw:opensipsrw@localhost/opensips")
>> # db_mode 2: usrloc caches in memory and writes back to the database.
>> modparam("usrloc", "db_mode", 2)
>> modparam("rr", "enable_full_lr", 1)
>> # RTPproxy control channel; must match the "-s" socket rtpproxy is
>> # started with. It is bound to loopback here; keep it off routable
>> # interfaces, since no authentication is configured on it.
>> modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:12221")
>> modparam("nathelper", "nortpproxy_str", "")
>> modparam("domain", "db_url",
>> "mysql://opensipsrw:opensipsrw@localhost/opensips")
>>
>> ################## NAT ######################
>> # Branch flag 6 marks a NATed contact and flag 8 requests SIP pinging;
>> # the routing script sets both with setbflag() for NATed REGISTERs.
>> modparam("usrloc", "nat_bflag", 6)
>> modparam("nathelper", "ping_nated_only", 1)
>> modparam("nathelper", "sipping_bflag", 8)
>> # presumably the AVP that carries the "received" source address for
>> # NATed contacts - confirm against the nathelper/registrar docs
>> modparam("nathelper", "received_avp", "$avp(i:801)")
>> ################## NAT ######################
>>
>>
>> # main routing logic
>> route {
>>    # Entry point for every incoming SIP request: sanity checks, NAT
>>    # detection, record-routing, registration handling, location lookup,
>>    # then hand-off to route(1) for relaying.
>>
>>    # initial sanity checks
>>    # Loop protection: reply 483 when the Max-Forwards check fails.
>>    if (!mf_process_maxfwd_header("10")) {
>>        sl_send_reply("483","Too Many Hops");
>>        exit;
>>    };
>>
>>    # Cap on request size: anything of 2048 bytes or more is rejected.
>>    if (msg:len >=  2048 ) {
>>        sl_send_reply("513", "Message too big");
>>        exit;
>>    };
>>
>>
>>    ################## NAT ######################
>>    if (nat_uac_test("3")) {
>>
>>        # NOTE(review): with "&&" only REGISTER requests (without a
>>        # Record-Route header) take this branch; other requests from a
>>        # NATed source are not flagged here - confirm this is intended.
>>        if (is_method("REGISTER") && !is_present_hf("Record-Route")) {
>>
>>            # Rewrite contact with source IP of signalling
>>            fix_nated_contact();
>>
>>            force_rport();
>>            setbflag(6); # Mark as NATed
>>
>>            # if you want SIP NAT pinging
>>            setbflag(8);
>>        };
>>    };
>>    ################## NAT ######################
>>
>>    if (!method=="REGISTER")
>>        record_route();
>>
>>    # subsequent messages within a dialog should take the
>>    # path determined by record-routing
>>    if (loose_route()) {
>>        # mark routing logic in request
>>        append_hf("P-hint: rr-enforced\r\n");
>>        route(1);
>>    };
>>
>>    # NOTE(review): requests for a foreign domain are relayed without any
>>    # authentication or source check, so any sender that can reach this
>>    # port can use the proxy as an open relay. Restrict this branch to
>>    # authenticated or otherwise trusted sources.
>>    if (!uri==myself) {
>>        # mark routing logic in request
>>        append_hf("P-hint: outbound\r\n");
>>        route(1);
>>    };
>>
>>    # NOTE(review): save() runs with no prior credential check, so any
>>    # sender can bind a contact to any address-of-record in "location".
>>    # Challenge REGISTER with digest authentication before saving.
>>    if (uri==myself) {
>>        if (method=="REGISTER") {
>>            save("location");
>>            exit;
>>        };
>>    }
>>
>>    # Release the media relay session when the call ends.
>>    if (is_method("BYE"))
>>        unforce_rtp_proxy();
>>      if (!lookup("location","m")) {
>>        # lookup() failed: answer according to its return code.
>>        switch ($retcode) {
>>            case -1:
>>            case -3:
>>                t_newtran();
>>                t_on_failure("1");
>>                t_reply("404", "Not Found");
>>                exit;
>>            case -2:
>>                sl_send_reply("405", "Method Not Allowed");
>>                exit;
>>        }
>>    };
>>
>>    route(1);
>> }
>>
>>
>>
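>> route[1] {
>>    # Relay helper: refuses private-address targets, engages RTPproxy for
>>    # NATed parties, arms the reply handler and forwards statefully.
>>
>>    ################## NAT ######################
>>    # Refuse to forward to an RFC 1918 destination (192.168/16, 10/8,
>>    # 172.16/12) unless the request carries a Route header. The "|"
>>    # alternation bars are required: without them the pattern is a single
>>    # literal sequence that no real address matches, and this check
>>    # silently never fires.
>>    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>> !search("^Route:")) {
>>        sl_send_reply("479", "We don't forward to private IP addresses");
>>        exit;
>>    };
>>
>>    # if client or server is known to be behind a NAT, enable relay
>>    if (isbflagset(6)) {
>>        # Only requests that carry SDP need their media addresses
>>        # rewritten through RTPproxy.
>>        if (has_body("application/sdp")) {
>>            rtpproxy_offer("o");
>>        };
>>    };
>>
>>    # Replies to this transaction are processed by onreply_route[1].
>>    t_on_reply("1");
>>    ################## NAT ######################
>>
>>
>>    # send it out now; use stateful forwarding as it works
>>    # reliably even for UDP2TCP
>>    if (!t_relay()) {
>>        sl_reply_error();
>>    };
>>
>>    exit;
>> }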
>>
>>
>>
>> onreply_route[1] {
>>    # Reply handler armed by t_on_reply("1"): fixes the Contact of NATed
>>    # parties and completes the RTPproxy session on SDP answers.
>>
>>    ################## NAT ######################
>>    # Branch already flagged as NATed (bflag 6) and the reply is a 183
>>    # or a 2xx.
>>    if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>>        fix_nated_contact();
>>        if (has_body("application/sdp")) {
>>            rtpproxy_answer("o");
>>        };
>>
>>        # Is this a transaction behind a NAT and we did not
>>        # know at time of request processing?
>>    } else if (nat_uac_test("1")) {
>>        # Only the Contact is rewritten here; RTPproxy is not engaged
>>        # on this path.
>>        fix_nated_contact();
>>    };
>>    ################## NAT ######################
>>
>> }
>>
>> failure_route[1] {
>>    # Armed by t_on_failure("1") in the main route: tear down any
>>    # RTPproxy session tied to the failed transaction so relay ports
>>    # are not left allocated.
>>    unforce_rtp_proxy();
>> }
>>
>> --
>>
>>
>> I hope this saves someone some time.
>>
>>
>>
>> Damon
>>
>>
>>
>>
>
>
> --
> Bogdan-Andrei Iancu
> OpenSIPS Event - expo, conf, social, bootcamp
> 2 - 4 February 2011, ITExpo, Miami,  USA
> www.voice-system.ro
>
>
>


