[OpenSIPS-Users] Sip user behind a NAT

Ignacio Gonzalez mylaneza at gmail.com
Tue Aug 7 23:53:41 CEST 2012


1. Yes, my proxy is behind a NAT, and my public address is mydomain.com.
I created a rule in my router that maps port 5060 to my NAT IP address.
2. Yes, I'm using RTP proxy. I do not understand the rest of the question.
RTP proxy runs on the same machine as OpenSIPS, and I created a rule that
maps a set of ports between the public IP and the NAT IP.

2012/8/7 Ali Pey <alipey at gmail.com>

> Ignacio,
>
> Your configuration script heavily depends on your network setup:
>
> 1- Is your proxy server behind a nat? If so, do you know your public IP
> address?
> 2- Are you using rtp proxy? What's the path for your rtp - through what
> devices with what IPs?
>
>
> On Tue, Aug 7, 2012 at 2:53 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>
>> Hi Ali, I use this configuration script to start my OpenSIPS proxy, and it
>> starts. I only want to know: do you see anything wrong?
>> I put in bold the modifications I made to add the nat_traversal module
>> and the advertised_address parameter.
>>
>> In the documentation it says that nat_traversal is straight forward when
>> using a single proxy, ( that is my case ).
>>
>> "In this case the usage is straight forward. The nat_keepalive() function
>> needs to be called before save_location() for REGISTER requests, before
>> handle_subscribe() for SUBSCRIBE requests and before t_relay() for the
>> first INVITE of a dialog. "
>>
>> I have not configured any subscriptions, and I did not find the save_location
>> function; I assumed that save("location") is the newer form of this
>> function.
>>
>> #CONFIG FILE
>>
>> # Global parameters: logging, process model, listeners and module path.
>> debug=3
>> log_stderror=no
>> log_facility=LOG_LOCAL1
>>
>> fork=yes
>> children=4
>>
>> #debug=6
>> #fork=no
>> #log_stderror=yes
>>
>> #disable_dns_blacklist=no
>>
>> #dns_try_ipv6=yes
>>
>> auto_aliases=no
>>
>> # Public name advertised by the proxy; the listeners below are bound to a
>> # private (192.168.x.x) address. The surrounding asterisks are the mail
>> # client's bold markers and are not part of the configuration.
>> *advertised_address="mydomain.com"*
>>
>> listen=udp:192.168.1.220:5060   # CUSTOMIZE ME
>>
>> disable_tcp=no
>> listen=tcp:192.168.1.220:5060   # CUSTOMIZE ME
>>
>> # NOTE(review): TLS is disabled, so signaling (including the digest
>> # authentication exchange) is carried unencrypted over UDP/TCP.
>> disable_tls=yes
>>
>> mpath="/home/syrium/opensips_proxy/lib/opensips/modules/"
>>
>> # Module loading and per-module parameters.
>> loadmodule "signaling.so"
>>
>> loadmodule "sl.so"
>>
>> loadmodule "tm.so"
>> modparam("tm", "fr_timer", 5)
>> modparam("tm", "fr_inv_timer", 30)
>> modparam("tm", "restart_fr_on_each_reply", 0)
>> modparam("tm", "onreply_avp_mode", 1)
>>
>> loadmodule "rr.so"
>> modparam("rr", "append_fromtag", 0)
>>
>> loadmodule "maxfwd.so"
>>
>> loadmodule "sipmsgops.so"
>>
>> # Management Interface over a FIFO.
>> # NOTE(review): mode 0666 on a FIFO under /tmp lets any local account write
>> # MI commands to the proxy; a tighter mode (owner/group only) and a
>> # directory that is not world-writable would limit that.
>> loadmodule "mi_fifo.so"
>> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>> modparam("mi_fifo", "fifo_mode", 0666)
>>
>> # NOTE(review): every db_url in this file carries the same user and password
>> # inline and still has its "CUSTOMIZE ME" marker - presumably sample values;
>> # confirm they differ on the real system and that the file is not
>> # world-readable.
>> loadmodule "uri.so"
>> modparam("uri", "use_uri_table", 0)
>> modparam("uri", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> loadmodule "db_mysql.so"
>>
>> # Branch flag 10 marks NATed contacts; the main route sets it with
>> # setbflag(10) for REGISTER requests that match nat_uac_test().
>> loadmodule "usrloc.so"
>> modparam("usrloc", "nat_bflag", 10)
>> modparam("usrloc", "db_mode",   2)
>> modparam("usrloc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> # Flag 7 is set in the main route for REGISTERs received over TCP.
>> # received_avp names the same AVP as the nathelper received_avp below.
>> loadmodule "registrar.so"
>> modparam("registrar", "tcp_persistent_flag", 7)
>> modparam("registrar", "received_avp", "$avp(received_nh)")
>> #modparam("registrar", "max_contacts", 10)
>>
>> # Accounting flags: 1 = account to DB, 2 = missed calls, 3 = failed
>> # transactions (all three are set with setflag() in the routes).
>> loadmodule "acc.so"
>> modparam("acc", "early_media", 0)
>> modparam("acc", "report_cancels", 0)
>> modparam("acc", "detect_direction", 0)
>> modparam("acc", "failed_transaction_flag", 3)
>> modparam("acc", "db_flag", 1)
>> modparam("acc", "db_missed_flag", 2)
>> modparam("acc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> # NOTE(review): calculate_ha1 together with password_column "password"
>> # means HA1 is computed from the stored value, i.e. the subscriber table
>> # holds plaintext passwords. Storing precomputed HA1 values instead avoids
>> # keeping plaintext passwords in the database.
>> loadmodule "auth.so"
>> loadmodule "auth_db.so"
>> modparam("auth_db", "calculate_ha1", yes)
>> modparam("auth_db", "password_column", "password")
>> modparam("auth_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>> modparam("auth_db", "load_credentials", "")
>>
>> loadmodule "domain.so"
>> modparam("domain", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>> modparam("domain", "db_mode", 1)   # Use caching
>> modparam("auth_db|usrloc|uri", "use_domain", 1)
>>
>> loadmodule "dialog.so"
>> modparam("dialog", "dlg_match_mode", 1)
>> modparam("dialog", "default_timeout", 21600)  # 6 hours timeout
>> modparam("dialog", "db_mode", 2)
>> modparam("dialog", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> # Added by the poster (bold markers from the mail client, not config syntax).
>> # NOTE(review): nat_traversal is loaded next to nathelper, which already
>> # pings NATed contacts every 10 seconds - presumably both modules will send
>> # keepalives to the same endpoints; confirm that is intended.
>> *loadmodule "nat_traversal.so"*
>>
>> loadmodule "nathelper.so"
>> modparam("nathelper", "natping_interval", 10)
>> modparam("nathelper", "ping_nated_only", 1)
>> modparam("nathelper", "received_avp", "$avp(received_nh)")
>>
>> # RTPProxy control socket on the local host.
>> # NOTE(review): the mail client wrapped the trailing comment, leaving "ME"
>> # on a line of its own; it has to be rejoined before the script is reused.
>> loadmodule "rtpproxy.so"
>> modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE
>> ME
>>
>> ####### Routing Logic ########
>>
>> # Main request route: NAT detection, in-dialog handling, authentication,
>> # registration and location lookup. Relaying is delegated to route(1).
>> route{
>>     # NAT handling runs first, for every request: REGISTERs get branch
>>     # flag 10 (stored with the contact via usrloc nat_bflag), everything
>>     # else gets message flag 10 and a rewritten Contact.
>>     force_rport();
>>     if (nat_uac_test("23")) {
>>         if (is_method("REGISTER")) {
>>             fix_nated_register();
>>             setbflag(10);
>>         } else {
>>             fix_nated_contact();
>>             setflag(10);
>>         }
>>     }
>>
>>
>>     # loop protection
>>     if (!mf_process_maxfwd_header("10")) {
>>         sl_send_reply("483","Too Many Hops");
>>         exit;
>>     }
>>
>>     if (has_totag()) {
>>         # sequential request withing a dialog should
>>         # take the path determined by record-routing
>>         if (loose_route()) {
>>
>>             # validate the sequential request against dialog
>>             # NOTE(review): the exit below is commented out, so a request
>>             # that fails validate_dialog() is only logged and is still
>>             # relayed by route(1) further down.
>>             if ( $DLG_status!=NULL && !validate_dialog() ) {
>>                 xlog("In-Dialog $rm from $si (callid=$ci) is not valid
>> according to dialog\n");
>>                 ## exit;
>>             }
>>
>>             if (is_method("BYE")) {
>>                 setflag(1); # do accounting ...
>>                 setflag(3); # ... even if the transaction fails
>>             } else if (is_method("INVITE")) {
>>                 # even if in most of the cases is useless, do RR for
>>                 # re-INVITEs alos, as some buggy clients do change route
>> set
>>                 # during the dialog.
>>                 record_route();
>>             }
>>
>>             # ";nat=yes" is the Record-Route parameter added in route[1]
>>             # when flag 10 was set on the initial request.
>>             if (check_route_param("nat=yes"))
>>                 setflag(10);
>>
>>             # route it out to whatever destination was set by
>> loose_route()
>>             # in $du (destination URI).
>>             route(1);
>>         } else {
>>
>>             if ( is_method("ACK") ) {
>>                 if ( t_check_trans() ) {
>>                     # non loose-route, but stateful ACK; must be an ACK
>> after
>>                     # a 487 or e.g. 404 from upstream server
>>                     t_relay();
>>                     exit;
>>                 } else {
>>                     # ACK without matching transaction ->
>>                     # ignore and discard
>>                     exit;
>>                 }
>>             }
>>             sl_send_reply("404","Not here");
>>         }
>>         exit;
>>     }
>>
>>     # CANCEL processing
>>     if (is_method("CANCEL"))
>>     {
>>         if (t_check_trans())
>>             t_relay();
>>         exit;
>>     }
>>
>>     t_check_trans();
>>
>>     # Authentication of initial requests. REGISTER is excluded here and is
>>     # authenticated separately in its own block further down.
>>     if ( !(is_method("REGISTER")  ) ) {
>>
>>         if (is_from_local())
>>         {
>>
>>             # authenticate if from local subscriber
>>             # authenticate all initial non-REGISTER request that pretend
>> to be
>>             # generated by local subscriber (domain from FROM URI is
>> local)
>>             if (!proxy_authorize("", "subscriber")) {
>>                 proxy_challenge("", "0");
>>                 exit;
>>             }
>>             if (!db_check_from()) {
>>                 sl_send_reply("403","Forbidden auth ID");
>>                 exit;
>>             }
>>
>>             consume_credentials();
>>             # caller authenticated
>>
>>         } else {
>>             # if caller is not local, then called number must be local
>>
>>             if (!is_uri_host_local()) {
>>                 send_reply("403","Rely forbidden");
>>                 exit;
>>             }
>>         }
>>
>>     }
>>
>>     # preloaded route checking
>>     if (loose_route()) {
>>         xlog("L_ERR", "Attempt to route with preloaded Route's
>> [$fu/$tu/$ru/$ci]");
>>         if (!is_method("ACK"))
>>             sl_send_reply("403","Preload Route denied");
>>         exit;
>>     }
>>
>>     # record routing
>>     if (!is_method("REGISTER|MESSAGE"))
>>         record_route();
>>
>>     # account only INVITEs
>>     if (is_method("INVITE")) {
>>
>>         # create dialog with timeout
>>         if ( !create_dialog("B") ) {
>>             send_reply("500","Internal Server Error");
>>             exit;
>>         }
>>
>>         setflag(1); # do accounting
>>     }
>>
>>
>>     # Requests for a non-local host are relayed out; route(1) ends in exit.
>>     # NOTE(review): REGISTER skips the authentication block above, so a
>>     # REGISTER addressed to a non-local host appears to be relayed here
>>     # without any credential check - confirm this is intended.
>>     if (!is_uri_host_local()) {
>>         append_hf("P-hint: outbound\r\n");
>>
>>         route(1);
>>     }
>>
>>     # requests for my domain
>>
>>     if (is_method("PUBLISH|SUBSCRIBE"))
>>     {
>>         sl_send_reply("503", "Service Unavailable");
>>         exit;
>>     }
>>
>>     if (is_method("REGISTER"))
>>     {
>>
>>         # authenticate the REGISTER requests
>>         if (!www_authorize("", "subscriber"))
>>         {
>>             www_challenge("", "0");
>>             exit;
>>         }
>>
>>         if (!db_check_to())
>>         {
>>             sl_send_reply("403","Forbidden auth ID");
>>             exit;
>>         }
>>
>>         # flag 7 is the registrar tcp_persistent_flag; the "|| 0" term
>>         # never changes the result of the test
>>         if ( proto==TCP ||  0 )
>>             setflag(7);
>>
>>         # Added by the poster (asterisks are mail bold markers): start
>>         # nat_traversal keepalives before the contact is saved, as the
>>         # module documentation quoted in the message requires.
>>         *if ( client_nat_test("3") ) {
>>                 nat_keepalive();
>>          }*
>>
>>         if (!save("location"))
>>             sl_reply_error();
>>
>>         exit;
>>     }
>>
>>     if ($rU==NULL) {
>>         # request with no Username in RURI
>>         sl_send_reply("484","Address Incomplete");
>>         exit;
>>     }
>>
>>     # do lookup with method filtering
>>     if (!lookup("location","m")) {
>>         if (!db_does_uri_exist()) {
>>             send_reply("420","Bad Extension");
>>             exit;
>>         }
>>
>>         t_newtran();
>>         t_reply("404", "Not Found");
>>         exit;
>>     }
>>
>>     # callee contact was registered with the NAT branch flag: carry that
>>     # over to message flag 10 so route[1] engages RTPProxy
>>     if ( isbflagset(10) )
>>         setflag(10);
>>
>>     # when routing via usrloc, log the missed calls also
>>     setflag(2);
>>     route(1);
>> }
>>
>>
>> # Relay route: arms the branch/reply/failure handlers and RTPProxy for
>> # INVITEs, tags the Record-Route for NATed parties, then relays statefully.
>> # It is called for initial requests and for in-dialog requests alike.
>> route[1] {
>>     # for INVITEs enable some additional helper routes
>>     if (is_method("INVITE")) {
>>
>>         # flag 10 = one side was detected as NATed
>>         if (isflagset(10)) {
>>             rtpproxy_offer("ro");
>>         }
>>
>>         t_on_branch("2");
>>         t_on_reply("2");
>>         t_on_failure("1");
>>
>>         # Added by the poster (asterisks are mail bold markers).
>>         # NOTE(review): this route also handles in-dialog requests, so
>>         # nat_keepalive() runs for re-INVITEs as well, while the quoted
>>         # documentation asks for it on the first INVITE of a dialog -
>>         # confirm whether the call should be limited to initial INVITEs.
>>         *if ( client_nat_test("3") ) {
>>                 nat_keepalive();
>>             }*
>>
>>     }
>>
>>     # the main route reads this parameter back with check_route_param()
>>     # on in-dialog requests
>>     if (isflagset(10)) {
>>         add_rr_param(";nat=yes");
>>     }
>>
>>
>>
>>     if (!t_relay()) {
>>         send_reply("500","Internal Error");
>>     };
>>     exit;
>> }
>>
>> # Branch handler armed by t_on_branch("2"): logs the request URI of each
>> # new branch and takes no other action.
>> branch_route[2] {
>>     xlog("new branch at $ru\n");
>> }
>>
>> # Reply handler armed by t_on_reply("2"): fixes the Contact of replies that
>> # match NAT test 1 and completes the RTPProxy session when flag 10 is set.
>> onreply_route[2] {
>>     if ( nat_uac_test("1") )
>>         fix_nated_contact();
>>     if ( isflagset(10) )
>>         rtpproxy_answer("ro");
>>     xlog("incoming reply\n");
>> }
>>
>> # Failure handler armed by t_on_failure("1"): stops processing when the
>> # transaction was cancelled; any other failure falls through with no
>> # further action.
>> failure_route[1] {
>>     if ( t_was_cancelled() ) {
>>         exit;
>>     }
>> }
>>
>> # Route for requests generated by the proxy itself: a BYE whose dialog
>> # direction is "UPSTREAM" is written to the "acc" table with the reason
>> # "200 Dialog Timeout".
>> local_route {
>>     if (is_method("BYE") && $DLG_dir=="UPSTREAM") {
>>
>>         acc_db_request("200 Dialog Timeout", "acc");
>>
>>     }
>> }
>>
>> Thanks for your time Ali.
>>
>>
>> 2012/8/7 Ignacio Gonzalez <mylaneza at gmail.com>
>>
>>> Ok Ali, I will read more. I have already created the configuration script
>>> with opensips-cp: I created a residential script and selected the
>>> NAT option, but that option just installs the nathelper module, and this is why I
>>> asked you whether the nathelper and nat_traversal modules were mutually exclusive. I
>>> will add nat_traversal to my configuration script.
>>>
>>> Another question, where can I read about the differences between
>>> residential and trunking scripts?
>>>
>>>
>>> 2012/8/7 Ali Pey <alipey at gmail.com>
>>>
>>>> Ignacio,
>>>>
>>>> You need to implement nat traversal in your routing script -
>>>> opensips.cfg. IMO, forget about the opensips-cp until you get it to work.
>>>> Once you know how it works, then you know how you can do with the config
>>>> tool. Sounds like you need lots more reading/testing :)
>>>>
>>>> Regards,
>>>> Ali Pey
>>>>
>>>>
>>>> On Mon, Aug 6, 2012 at 1:38 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>>>>
>>>>> Ok, I read about the NAT_TRAVERSAL module. I don't know how to configure it
>>>>> using the configuration tool; do I have to configure it manually? Are the
>>>>> NAT_TRAVERSAL module and the NATHELPER module mutually exclusive?
>>>>>
>>>>>
>>>>> 2012/8/5 Ali Pey <alipey at gmail.com>
>>>>>
>>>>>> Hello Ignacio,
>>>>>>
>>>>>> Yes, you can handle nat and you don't need stun, turn or ICE. In
>>>>>> fact, it's always better to turn off any nat traversal feature on the phone
>>>>>> when you are using a proxy server such as OpenSIPS.
>>>>>>
>>>>>> Check out the nat traveral module and advertized_ip. How you
>>>>>> implement it depends on your network setup:
>>>>>> http://www.opensips.org/html/docs/modules/1.8.x/nat_traversal.html
>>>>>>
>>>>>> Regards,
>>>>>> Ali Pey
>>>>>>
>>>>>> On Sat, Aug 4, 2012 at 5:31 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>>>>>>
>>>>>>> Hello everybody, I have configured my OpenSIPS proxy with
>>>>>>> NAT_TRAVERSAL support using the new configuration tool. I developed a
>>>>>>> softphone using JAIN-SIP, and I think JAIN-SIP does not implement STUN, TURN
>>>>>>> and ICE for NAT traversal (RFC 6314). Is there any way to do NAT traversal
>>>>>>> without writing a new softphone with another library?
>>>>>>>
>>>>>>> I also have tested this softphone with Inphonex, and this company
>>>>>>> use openSER in its proxy and the softphone works fine, but i don't know how
>>>>>>> they do that, so I thought to ask if is something I can do in the
>>>>>>> configuration file of my proxy or they use something else to solve this
>>>>>>> problem.
>>>>>>>
>>>>>>> Thanks for all.
>>>>>>>