[OpenSIPS-Users] Sip user behind a NAT

Ali Pey alipey at gmail.com
Tue Aug 7 21:19:11 CEST 2012


Ignacio,

Your configuration script heavily depends on your network setup:

1- Is your proxy server behind a NAT? If so, do you know your public IP
address?
2- Are you using an RTP proxy? What path does your RTP take - through which
devices, with which IPs?


On Tue, Aug 7, 2012 at 2:53 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:

> Hi Ali, I use this configuration script to start my opensips proxy and it
> starts. I only want to know: do you see something wrong?
> I put in bold the modifications I made to add the nat_traversal module and
> the advertised_address parameter.
>
> In the documentation it says that nat_traversal is straight forward when
> using a single proxy, ( that is my case ).
>
> "In this case the usage is straight forward. The nat_keepalive() function
> needs to be called before save_location() for REGISTER requests, before
> handle_subscribe() for SUBSCRIBE requests and before t_relay() for the
> first INVITE of a dialog. "
>
> I do not configure any subscription, and I did not find the save_location
> function, I assumed that save("location") is a newer version of this
> function.
>
> #CONFIG FILE
>
> # Global parameters: logging, process model, listeners and transports.
> debug=3
> log_stderror=no
> log_facility=LOG_LOCAL1
>
> fork=yes
> children=4
>
> # Alternative settings for foreground debugging, left commented out.
> #debug=6
> #fork=no
> #log_stderror=yes
>
> #disable_dns_blacklist=no
>
> #dns_try_ipv6=yes
>
> auto_aliases=no
>
> # advertised_address was added by the poster; the surrounding '*' are the
> # e-mail's bold markers, not script syntax. Both listeners below bind to an
> # RFC 1918 address, so the proxy itself appears to sit behind NAT - TODO
> # confirm the name resolves to the public address of that NAT.
> *advertised_address="mydomain.com"*
>
> listen=udp:192.168.1.220:5060   # CUSTOMIZE ME
>
> disable_tcp=no
> listen=tcp:192.168.1.220:5060   # CUSTOMIZE ME
>
> # NOTE(review): with TLS disabled, all SIP signalling (REGISTER, digest
> # exchanges, SDP) crosses the network unencrypted on UDP/TCP port 5060.
> disable_tls=yes
>
> # Module search path, followed by each module and its parameters.
> mpath="/home/syrium/opensips_proxy/lib/opensips/modules/"
>
> loadmodule "signaling.so"
>
> loadmodule "sl.so"
>
> loadmodule "tm.so"
> modparam("tm", "fr_timer", 5)
> modparam("tm", "fr_inv_timer", 30)
> modparam("tm", "restart_fr_on_each_reply", 0)
> modparam("tm", "onreply_avp_mode", 1)
>
> loadmodule "rr.so"
> modparam("rr", "append_fromtag", 0)
>
> loadmodule "maxfwd.so"
>
> loadmodule "sipmsgops.so"
>
> # NOTE(review): the management FIFO is created in /tmp with mode 0666, so
> # every local account can write commands to it. Prefer a restrictive mode
> # and a directory that only the OpenSIPS user/group can access.
> loadmodule "mi_fifo.so"
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
> modparam("mi_fifo", "fifo_mode", 0666)
>
> # NOTE(review): the same database account and password appear in clear text
> # in every db_url in this file. This looks like a sample credential pair -
> # change it and keep the config readable only by the service account.
> loadmodule "uri.so"
> modparam("uri", "use_uri_table", 0)
> modparam("uri", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> # CUSTOMIZE ME
>
> loadmodule "db_mysql.so"
>
> # Branch flag 10 marks NATed contacts; the main route sets it with
> # setbflag(10) when a REGISTER is detected as coming from behind NAT.
> loadmodule "usrloc.so"
> modparam("usrloc", "nat_bflag", 10)
> modparam("usrloc", "db_mode",   2)
> modparam("usrloc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> # CUSTOMIZE ME
>
> # Flag 7 is set in the main route for REGISTERs received over TCP.
> # received_avp names the same AVP as nathelper's received_avp further down.
> loadmodule "registrar.so"
> modparam("registrar", "tcp_persistent_flag", 7)
> modparam("registrar", "received_avp", "$avp(received_nh)")
> #modparam("registrar", "max_contacts", 10)
>
> # Accounting: flags 1, 2 and 3 are the ones the routes set with setflag().
> loadmodule "acc.so"
> modparam("acc", "early_media", 0)
> modparam("acc", "report_cancels", 0)
> modparam("acc", "detect_direction", 0)
> modparam("acc", "failed_transaction_flag", 3)
> modparam("acc", "db_flag", 1)
> modparam("acc", "db_missed_flag", 2)
> modparam("acc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> # CUSTOMIZE ME
>
> # NOTE(review): calculate_ha1 enabled together with password_column
> # "password" implies the subscriber table stores plaintext passwords.
> # Storing pre-computed HA1 values instead limits the damage of a database
> # leak - confirm against the auth_db documentation for this version.
> loadmodule "auth.so"
> loadmodule "auth_db.so"
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "password_column", "password")
> modparam("auth_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> # CUSTOMIZE ME
> modparam("auth_db", "load_credentials", "")
>
> loadmodule "domain.so"
> modparam("domain", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> # CUSTOMIZE ME
> modparam("domain", "db_mode", 1)   # Use caching
> modparam("auth_db|usrloc|uri", "use_domain", 1)
>
> loadmodule "dialog.so"
> modparam("dialog", "dlg_match_mode", 1)
> modparam("dialog", "default_timeout", 21600)  # 6 hours timeout
> modparam("dialog", "db_mode", 2)
> modparam("dialog", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
> # CUSTOMIZE ME
>
> # nat_traversal was added by the poster ('*' = e-mail bold markers, not
> # script syntax). nathelper stays loaded as well, so the routes call NAT
> # functions from both modules.
> *loadmodule "nat_traversal.so"*
>
> # NOTE(review): nathelper's NAT pinging is configured here while the routes
> # also call nat_traversal's nat_keepalive() - presumably two keepalive
> # mechanisms for the same contacts; confirm only one is needed.
> loadmodule "nathelper.so"
> modparam("nathelper", "natping_interval", 10)
> modparam("nathelper", "ping_nated_only", 1)
> modparam("nathelper", "received_avp", "$avp(received_nh)")
>
> loadmodule "rtpproxy.so"
> modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE ME
>
> ####### Routing Logic ########
>
> # Main request route: NAT detection, in-dialog handling, authentication,
> # REGISTER processing and usrloc lookup; forwarding is done by route(1).
> route{
>     # NAT detection. REGISTERs get branch flag 10 (usrloc's nat_bflag);
>     # other requests get message flag 10, which route[1] and
>     # onreply_route[2] test before engaging rtpproxy.
>     force_rport();
>     if (nat_uac_test("23")) {
>         if (is_method("REGISTER")) {
>             fix_nated_register();
>             setbflag(10);
>         } else {
>             fix_nated_contact();
>             setflag(10);
>         }
>     }
>
>
>     # Loop protection: reject when Max-Forwards is exhausted.
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     }
>
>     if (has_totag()) {
>         # sequential request within a dialog should
>         # take the path determined by record-routing
>         if (loose_route()) {
>
>             # validate the sequential request against dialog
>             # NOTE(review): a failed validation is only logged - the exit
>             # below is commented out, so the request is still routed.
>             if ( $DLG_status!=NULL && !validate_dialog() ) {
>                 xlog("In-Dialog $rm from $si (callid=$ci) is not valid
> according to dialog\n");
>                 ## exit;
>             }
>
>             if (is_method("BYE")) {
>                 setflag(1); # do accounting ...
>                 setflag(3); # ... even if the transaction fails
>             } else if (is_method("INVITE")) {
>                 # even if in most of the cases is useless, do RR for
>                 # re-INVITEs also, as some buggy clients do change route
> set
>                 # during the dialog.
>                 record_route();
>             }
>
>             # The ";nat=yes" Route parameter is added by route[1] for
>             # NATed dialogs; restore message flag 10 when it is present.
>             if (check_route_param("nat=yes"))
>                 setflag(10);
>
>             # route it out to whatever destination was set by loose_route()
>             # in $du (destination URI).
>             route(1);
>         } else {
>
>             if ( is_method("ACK") ) {
>                 if ( t_check_trans() ) {
>                     # non loose-route, but stateful ACK; must be an ACK
> after
>                     # a 487 or e.g. 404 from upstream server
>                     t_relay();
>                     exit;
>                 } else {
>                     # ACK without matching transaction ->
>                     # ignore and discard
>                     exit;
>                 }
>             }
>             sl_send_reply("404","Not here");
>         }
>         exit;
>     }
>
>     # CANCEL processing
>     if (is_method("CANCEL"))
>     {
>         if (t_check_trans())
>             t_relay();
>         exit;
>     }
>
>     t_check_trans();
>
>     # Initial requests other than REGISTER: challenge callers claiming a
>     # local From domain; callers from elsewhere may only target local URIs.
>     if ( !(is_method("REGISTER")  ) ) {
>
>         if (is_from_local())
>         {
>
>             # authenticate if from local subscriber
>             # authenticate all initial non-REGISTER request that pretend
> to be
>             # generated by local subscriber (domain from FROM URI is local)
>             if (!proxy_authorize("", "subscriber")) {
>                 proxy_challenge("", "0");
>                 exit;
>             }
>             if (!db_check_from()) {
>                 sl_send_reply("403","Forbidden auth ID");
>                 exit;
>             }
>
>             consume_credentials();
>             # caller authenticated
>
>         } else {
>             # if caller is not local, then called number must be local
>
>             if (!is_uri_host_local()) {
>                 send_reply("403","Rely forbidden");
>                 exit;
>             }
>         }
>
>     }
>
>     # preloaded route checking
>     if (loose_route()) {
>         xlog("L_ERR", "Attempt to route with preloaded Route's
> [$fu/$tu/$ru/$ci]");
>         if (!is_method("ACK"))
>             sl_send_reply("403","Preload Route denied");
>         exit;
>     }
>
>     # record routing
>     if (!is_method("REGISTER|MESSAGE"))
>         record_route();
>
>     # account only INVITEs
>     if (is_method("INVITE")) {
>
>         # create dialog with timeout
>         if ( !create_dialog("B") ) {
>             send_reply("500","Internal Server Error");
>             exit;
>         }
>
>         setflag(1); # do accounting
>     }
>
>
>     # Requests for a non-local R-URI host are relayed outbound.
>     # NOTE(review): REGISTER skips the From-authentication block above, so
>     # a REGISTER whose R-URI host is not local is relayed here without a
>     # challenge - confirm this is intended or reject it before relaying.
>     if (!is_uri_host_local()) {
>         append_hf("P-hint: outbound\r\n");
>
>         route(1);
>     }
>
>     # requests for my domain
>
>     if (is_method("PUBLISH|SUBSCRIBE"))
>     {
>         sl_send_reply("503", "Service Unavailable");
>         exit;
>     }
>
>     if (is_method("REGISTER"))
>     {
>
>         # authenticate the REGISTER requests
>         if (!www_authorize("", "subscriber"))
>         {
>             www_challenge("", "0");
>             exit;
>         }
>
>         if (!db_check_to())
>         {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>
>         # Flag 7 is the registrar module's tcp_persistent_flag.
>         if ( proto==TCP ||  0 )
>             setflag(7);
>
>         # Added by the poster ('*' = e-mail bold markers, not script
>         # syntax): nat_keepalive() runs before save(), the order the
>         # quoted module documentation asks for. nathelper's
>         # fix_nated_register() has already run at the top of this route.
>         *if ( client_nat_test("3") ) {
>                 nat_keepalive();
>          }*
>
>         if (!save("location"))
>             sl_reply_error();
>
>         exit;
>     }
>
>     if ($rU==NULL) {
>         # request with no Username in RURI
>         sl_send_reply("484","Address Incomplete");
>         exit;
>     }
>
>     # do lookup with method filtering
>     if (!lookup("location","m")) {
>         if (!db_does_uri_exist()) {
>             send_reply("420","Bad Extension");
>             exit;
>         }
>
>         t_newtran();
>         t_reply("404", "Not Found");
>         exit;
>     }
>
>     # Copy the NAT branch flag of the looked-up contact into message
>     # flag 10 so route[1] treats the callee as NATed.
>     if ( isbflagset(10) )
>         setflag(10);
>
>     # when routing via usrloc, log the missed calls also
>     setflag(2);
>     route(1);
> }
>
>
> # Relay route: for INVITEs it engages rtpproxy when flag 10 is set and arms
> # the branch/reply/failure routes, then marks NATed dialogs in the
> # Record-Route and relays statefully.
> route[1] {
>     # for INVITEs enable some additional helper routes
>     if (is_method("INVITE")) {
>
>         if (isflagset(10)) {
>             rtpproxy_offer("ro");
>         }
>
>         t_on_branch("2");
>         t_on_reply("2");
>         t_on_failure("1");
>
>         # Added by the poster ('*' = e-mail bold markers, not script
>         # syntax); runs before t_relay() below.
>         # NOTE(review): the in-dialog branch of the main route also calls
>         # route(1) for re-INVITEs, so this is not limited to the first
>         # INVITE of a dialog as the quoted documentation describes.
>         *if ( client_nat_test("3") ) {
>                 nat_keepalive();
>             }*
>
>     }
>
>     # The main route reads this parameter back with check_route_param()
>     # on in-dialog requests.
>     if (isflagset(10)) {
>         add_rr_param(";nat=yes");
>     }
>
>
>
>     # Relay statefully; answer 500 if the relay itself fails.
>     if (!t_relay()) {
>         send_reply("500","Internal Error");
>     };
>     exit;
> }
>
> # Branch route armed by t_on_branch("2"): logs the request URI of each
> # new branch and changes nothing.
> branch_route[2] {
>     xlog("new branch at $ru\n");
> }
>
> # Reply route armed by t_on_reply("2"): fixes the Contact of replies that
> # match nat_uac_test("1") and calls rtpproxy_answer() when message flag 10
> # was set on the request.
> onreply_route[2] {
>     if ( nat_uac_test("1") )
>         fix_nated_contact();
>     if ( isflagset(10) )
>         rtpproxy_answer("ro");
>     xlog("incoming reply\n");
> }
>
> # Failure route armed by t_on_failure("1"): stops processing when the
> # transaction was cancelled; no other failure handling is defined.
> failure_route[1] {
>     if ( t_was_cancelled() ) {
>         exit;
>     }
> }
>
> # Local route: for a BYE whose $DLG_dir is "UPSTREAM", writes an accounting
> # record "200 Dialog Timeout" to the acc table - presumably the BYE the
> # dialog module generates on timeout; confirm.
> local_route {
>     if (is_method("BYE") && $DLG_dir=="UPSTREAM") {
>
>         acc_db_request("200 Dialog Timeout", "acc");
>
>     }
> }
>
> Thanks for your time Ali.
>
>
> 2012/8/7 Ignacio Gonzalez <mylaneza at gmail.com>
>
>> Ok Ali, I will read more. I have already created the configuration script
>> with opensips-cp: I created a residential script and selected the NAT
>> option, but that option just installs the nathelper module, and this is why
>> I asked you if the nathelper and nat_traversal modules were mutually
>> exclusive. I will add nat_traversal to my configuration script.
>>
>> Another question, where can I read about the differences between
>> residential and trunking scripts?
>>
>>
>> 2012/8/7 Ali Pey <alipey at gmail.com>
>>
>>> Ignacio,
>>>
>>> You need to implement nat traversal in your routing script -
>>> opensips.cfg. IMO, forget about the opensips-cp until you get it to work.
>>> Once you know how it works, then you know how you can do with the config
>>> tool. Sounds like you need lots more reading/testing :)
>>>
>>> Regards,
>>> Ali Pey
>>>
>>>
>>> On Mon, Aug 6, 2012 at 1:38 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>>>
>>>> Ok, I read about the NAT_TRAVERSAL module, but I don't know how to
>>>> configure it using the configuration tool. Do I have to configure it
>>>> manually? Are the NAT_TRAVERSAL module and the NATHELPER module mutually
>>>> exclusive?
>>>>
>>>>
>>>> 2012/8/5 Ali Pey <alipey at gmail.com>
>>>>
>>>>> Hello Ignacio,
>>>>>
>>>>> Yes, you can handle nat and you don't need stun, turn or ICE. In fact,
>>>>> it's always better to turn off any nat traversal feature on the phone when
>>>>> you are using a proxy server such as OpenSIPS.
>>>>>
>>>>> Check out the nat_traversal module and advertized_ip. How you implement
>>>>> it depends on your network setup:
>>>>> http://www.opensips.org/html/docs/modules/1.8.x/nat_traversal.html
>>>>>
>>>>> Regards,
>>>>> Ali Pey
>>>>>
>>>>> On Sat, Aug 4, 2012 at 5:31 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>>>>>
>>>>>> Hello everybody, I have configured my opensips proxy with
>>>>>> NAT_TRAVERSAL support using the new tool for configuration. I developed a
>>>>>> softphone using JAIN-SIP, and I think JAIN-SIP does not implement STUN,
>>>>>> TURN and ICE for NAT traversal (RFC 6314). Is there any way to do NAT
>>>>>> traversal without making a new softphone with another library?
>>>>>>
>>>>>> I also have tested this softphone with Inphonex, and this company use
>>>>>> openSER in its proxy and the softphone works fine, but i don't know how
>>>>>> they do that, so I thought to ask if is something I can do in the
>>>>>> configuration file of my proxy or they use something else to solve this
>>>>>> problem.
>>>>>>
>>>>>> Thanks for all.
>>>>>>