[OpenSIPS-Users] Sip user behind a NAT

Ignacio Gonzalez mylaneza at gmail.com
Tue Aug 7 20:53:50 CEST 2012


Hi Ali, I use this configuration script to start my opensips proxy and it
starts. I only want to know, do you see something wrong?
I put in bold the modifications I made to add the nat_traversal module and
the advertised_address parameter.

In the documentation it says that nat_traversal is straightforward when
using a single proxy (that is my case).

"In this case the usage is straight forward. The nat_keepalive() function
needs to be called before save_location() for REGISTER requests, before
handle_subscribe() for SUBSCRIBE requests and before t_relay() for the
first INVITE of a dialog. "

I do not configure any subscription, and I did not find the save_location
function; I assumed that save("location") is a newer version of this
function.

#CONFIG FILE

debug=3
log_stderror=no
log_facility=LOG_LOCAL1

fork=yes
children=4

#debug=6
#fork=no
#log_stderror=yes

#disable_dns_blacklist=no

#dns_try_ipv6=yes

auto_aliases=no

*advertised_address="mydomain.com"*

listen=udp:192.168.1.220:5060   # CUSTOMIZE ME

disable_tcp=no
listen=tcp:192.168.1.220:5060   # CUSTOMIZE ME

disable_tls=yes

mpath="/home/syrium/opensips_proxy/lib/opensips/modules/"

loadmodule "signaling.so"

loadmodule "sl.so"

loadmodule "tm.so"
modparam("tm", "fr_timer", 5)
modparam("tm", "fr_inv_timer", 30)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)

loadmodule "rr.so"
modparam("rr", "append_fromtag", 0)

loadmodule "maxfwd.so"

loadmodule "sipmsgops.so"

loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
modparam("mi_fifo", "fifo_mode", 0666)

loadmodule "uri.so"
modparam("uri", "use_uri_table", 0)
modparam("uri", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
# CUSTOMIZE ME

loadmodule "db_mysql.so"

loadmodule "usrloc.so"
modparam("usrloc", "nat_bflag", 10)
modparam("usrloc", "db_mode",   2)
modparam("usrloc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
# CUSTOMIZE ME

loadmodule "registrar.so"
modparam("registrar", "tcp_persistent_flag", 7)
modparam("registrar", "received_avp", "$avp(received_nh)")
#modparam("registrar", "max_contacts", 10)

loadmodule "acc.so"
modparam("acc", "early_media", 0)
modparam("acc", "report_cancels", 0)
modparam("acc", "detect_direction", 0)
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
# CUSTOMIZE ME

loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
# CUSTOMIZE ME
modparam("auth_db", "load_credentials", "")

loadmodule "domain.so"
modparam("domain", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
# CUSTOMIZE ME
modparam("domain", "db_mode", 1)   # Use caching
modparam("auth_db|usrloc|uri", "use_domain", 1)

loadmodule "dialog.so"
modparam("dialog", "dlg_match_mode", 1)
modparam("dialog", "default_timeout", 21600)  # 6 hours timeout
modparam("dialog", "db_mode", 2)
modparam("dialog", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
# CUSTOMIZE ME

*loadmodule "nat_traversal.so"*

loadmodule "nathelper.so"
modparam("nathelper", "natping_interval", 10)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "received_avp", "$avp(received_nh)")

loadmodule "rtpproxy.so"
modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE ME

####### Routing Logic ########

route{
    force_rport();
    if (nat_uac_test("23")) {
        if (is_method("REGISTER")) {
            fix_nated_register();
            setbflag(10);
        } else {
            fix_nated_contact();
            setflag(10);
        }
    }


    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    }

    if (has_totag()) {
        # sequential request within a dialog should
        # take the path determined by record-routing
        if (loose_route()) {

            # validate the sequential request against dialog
            if ( $DLG_status!=NULL && !validate_dialog() ) {
                xlog("In-Dialog $rm from $si (callid=$ci) is not valid according to dialog\n");
                ## exit;
            }

            if (is_method("BYE")) {
                setflag(1); # do accounting ...
                setflag(3); # ... even if the transaction fails
            } else if (is_method("INVITE")) {
                # even if in most of the cases is useless, do RR for
                # re-INVITEs also, as some buggy clients do change route set
                # during the dialog.
                record_route();
            }

            if (check_route_param("nat=yes"))
                setflag(10);

            # route it out to whatever destination was set by loose_route()
            # in $du (destination URI).
            route(1);
        } else {

            if ( is_method("ACK") ) {
                if ( t_check_trans() ) {
                    # non loose-route, but stateful ACK; must be an ACK after
                    # a 487 or e.g. 404 from upstream server
                    t_relay();
                    exit;
                } else {
                    # ACK without matching transaction ->
                    # ignore and discard
                    exit;
                }
            }
            sl_send_reply("404","Not here");
        }
        exit;
    }

    # CANCEL processing
    if (is_method("CANCEL"))
    {
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();

    if ( !(is_method("REGISTER")  ) ) {

        if (is_from_local())
        {

            # authenticate if from local subscriber
            # authenticate all initial non-REGISTER request that pretend to be
            # generated by local subscriber (domain from FROM URI is local)
            if (!proxy_authorize("", "subscriber")) {
                proxy_challenge("", "0");
                exit;
            }
            if (!db_check_from()) {
                sl_send_reply("403","Forbidden auth ID");
                exit;
            }

            consume_credentials();
            # caller authenticated

        } else {
            # if caller is not local, then called number must be local

            if (!is_uri_host_local()) {
                send_reply("403","Rely forbidden");
                exit;
            }
        }

    }

    # preloaded route checking
    if (loose_route()) {
        xlog("L_ERR", "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
        if (!is_method("ACK"))
            sl_send_reply("403","Preload Route denied");
        exit;
    }

    # record routing
    if (!is_method("REGISTER|MESSAGE"))
        record_route();

    # account only INVITEs
    if (is_method("INVITE")) {

        # create dialog with timeout
        if ( !create_dialog("B") ) {
            send_reply("500","Internal Server Error");
            exit;
        }

        setflag(1); # do accounting
    }


    if (!is_uri_host_local()) {
        append_hf("P-hint: outbound\r\n");

        route(1);
    }

    # requests for my domain

    if (is_method("PUBLISH|SUBSCRIBE"))
    {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }

    if (is_method("REGISTER"))
    {

        # authenticate the REGISTER requests
        if (!www_authorize("", "subscriber"))
        {
            www_challenge("", "0");
            exit;
        }

        if (!db_check_to())
        {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }

        if ( proto==TCP ||  0 )
            setflag(7);

        *if ( client_nat_test("3") ) {
                nat_keepalive();
         }*

        if (!save("location"))
            sl_reply_error();

        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }

    # do lookup with method filtering
    if (!lookup("location","m")) {
        if (!db_does_uri_exist()) {
            send_reply("420","Bad Extension");
            exit;
        }

        t_newtran();
        t_reply("404", "Not Found");
        exit;
    }

    if ( isbflagset(10) )
        setflag(10);

    # when routing via usrloc, log the missed calls also
    setflag(2);
    route(1);
}


route[1] {
    # for INVITEs enable some additional helper routes
    if (is_method("INVITE")) {

        if (isflagset(10)) {
            rtpproxy_offer("ro");
        }

        t_on_branch("2");
        t_on_reply("2");
        t_on_failure("1");

        *if ( client_nat_test("3") ) {
                nat_keepalive();
            }*

    }

    if (isflagset(10)) {
        add_rr_param(";nat=yes");
    }



    if (!t_relay()) {
        send_reply("500","Internal Error");
    };
    exit;
}

branch_route[2] {
    xlog("new branch at $ru\n");
}

onreply_route[2] {
    if ( nat_uac_test("1") )
        fix_nated_contact();
    if ( isflagset(10) )
        rtpproxy_answer("ro");
    xlog("incoming reply\n");
}

failure_route[1] {
    if ( t_was_cancelled() ) {
        exit;
    }
}

local_route {
    if (is_method("BYE") && $DLG_dir=="UPSTREAM") {

        acc_db_request("200 Dialog Timeout", "acc");

    }
}

Thanks for your time Ali.

2012/8/7 Ignacio Gonzalez <mylaneza at gmail.com>

> Ok Ali, I will read more. I have created the configuration script already
> with opensips-cp. I created a residential script and I selected the NAT
> option, but that option just installs the nathelper module, and this is why
> I asked you if the nathelper and nat traversal modules were mutually
> exclusive. I will add nat traversal to my configuration script.
>
> Another question, where can I read about the differences between
> residential and trunking scripts?
>
>
> 2012/8/7 Ali Pey <alipey at gmail.com>
>
>> Ignacio,
>>
>> You need to implement nat traversal in your routing script -
>> opensips.cfg. IMO, forget about the opensips-cp until you get it to work.
>> Once you know how it works, then you know how you can do with the config
>> tool. Sounds like you need lots more reading/testing :)
>>
>> Regards,
>> Ali Pey
>>
>>
>> On Mon, Aug 6, 2012 at 1:38 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:
>>
>>> Ok, I read the NAT_TRAVERSAL module. I don't know how to configure it using
>>> the configuration tool; do I have to configure it manually? Are the
>>> NAT_TRAVERSAL module and the NATHELPER module mutually exclusive?
>>>
>>>
>>> 2012/8/5 Ali Pey <alipey at gmail.com>
>>>
>>>> Hello Ignacio,
>>>>
>>>> Yes, you can handle nat and you don't need stun, turn or ICE. In fact,
>>>> it's always better to turn off any nat traversal feature on the phone when
>>>> you are using a proxy server such as OpenSIPS.
>>>>
>>>> Check out the nat traversal module and advertized_ip. How you implement
>>>> it depends on your network setup:
>>>> http://www.opensips.org/html/docs/modules/1.8.x/nat_traversal.html
>>>>
>>>> Regards,
>>>> Ali Pey
>>>>
>>>> On Sat, Aug 4, 2012 at 5:31 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:
>>>>
>>>>> Hello everybody, I have configured my opensips proxy with
>>>>> NAT_TRAVERSAL support using the new tool for configuration. I developed a
>>>>> softphone using JAIN-SIP. I think JAIN-SIP does not implement STUN, TURN
>>>>> and ICE for NAT Traversal (RFC 6314). Is there any way to do nat traversal
>>>>> without making a new softphone with another library?
>>>>>
>>>>> I have also tested this softphone with Inphonex, and this company uses
>>>>> openSER in its proxy and the softphone works fine, but I don't know how
>>>>> they do that, so I thought to ask if it is something I can do in the
>>>>> configuration file of my proxy or if they use something else to solve this
>>>>> problem.
>>>>>
>>>>> Thanks for all.
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
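
The script in this message gates nat_keepalive() on client_nat_test("3"). The following Python model is an added example, not code from the original post or from OpenSIPS; it shows what tests 1 and 2 of that call compare, using the test bits as documented for the nat_traversal module. The REGISTER message, the user "alice" and all addresses are constructed sample values.

```python
import ipaddress
import re

# Test bits as documented for nat_traversal's client_nat_test(); "3" = 1 + 2.
CONTACT_PRIVATE = 1  # Contact host is RFC 1918 / RFC 6598 address space
VIA_MISMATCH = 2     # top Via ip:port differs from the packet's real source
VIA_PRIVATE = 4      # top Via host is RFC 1918 / RFC 6598 address space

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_private(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal: not classifiable
        return False
    return any(ip in net for net in NON_ROUTABLE)

def header(msg, name):  # value of the first (topmost) header, or ""
    m = re.search(r"^%s:\s*(.+?)\r?$" % re.escape(name), msg, re.I | re.M)
    return m.group(1) if m else ""

def via_sent_by(msg):
    m = re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", header(msg, "Via"))
    return (m.group(1), int(m.group(2) or 5060)) if m else ("", 0)

def contact_host(msg):
    m = re.search(r"sips?:(?:[^@>;]*@)?([^:;>\s]+)", header(msg, "Contact"))
    return m.group(1) if m else ""

def client_nat_test(msg, src_ip, src_port, tests):
    """Return the requested test bits that fired (0 means no NAT detected)."""
    fired = 0
    via = via_sent_by(msg)
    if tests & CONTACT_PRIVATE and is_private(contact_host(msg)):
        fired |= CONTACT_PRIVATE
    if tests & VIA_MISMATCH and via != (src_ip, src_port):
        fired |= VIA_MISMATCH
    if tests & VIA_PRIVATE and is_private(via[0]):
        fired |= VIA_PRIVATE
    return fired

def register(addr):  # constructed REGISTER (not a capture) advertising addr
    return ("REGISTER sip:mydomain.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {addr};branch=z9hG4bK74bf9\r\n"
            f"Contact: <sip:alice@{addr}>\r\n"
            "Content-Length: 0\r\n\r\n")

# Phone on 192.168.0.15, seen by the proxy from its router's public address.
print(client_nat_test(register("192.168.0.15:5060"), "203.0.113.7", 40112, 3))
```

A non-zero result corresponds to the branch where the script calls nat_keepalive(); a client whose headers match its source address returns 0 and is left alone.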