[OpenSIPS-Users] Sip user behind a NAT

Ali Pey alipey at gmail.com
Wed Aug 8 00:24:49 CEST 2012


Good.

Have you been able to capture the call using tcpdump or ngrep?

If so, do you see the Ack to 200 OK reaching the caller from callee?

Meanwhile, try to use record_route_preset instead of record_route. That
probably will fix it.

Regards,
Ali Pey
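
The capture check suggested above can be automated. This is an added example, not part of the original thread and not OpenSIPS code: it scans a captured 200 OK for private addresses in Record-Route and Contact, the headers that determine where the caller sends the ACK. It assumes raw SIP text with CRLF line endings; the sample message is constructed, and only 192.168.1.220 and mydomain.com come from the posted config.

```python
import ipaddress
import re

# Constructed 200 OK as the caller might see it in a tcpdump/ngrep capture.
# 192.168.1.220 is the listen address from the posted config; users, tags
# and the 203.0.113.x addresses are made up for this example.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776;rport=5060",
    "Record-Route: <sip:192.168.1.220;lr;nat=yes>",
    "From: <sip:alice@mydomain.com>;tag=a1",
    "To: <sip:bob@mydomain.com>;tag=b2",
    "Call-ID: constructed-call-1",
    "CSeq: 1 INVITE",
    "Contact: <sip:bob@203.0.113.50:40112>",
    "Content-Length: 0",
    "", "",
])

URI_HOST = re.compile(r"sips?:(?:[^@>;\s]+@)?(\[[^\]]+\]|[^:;>\s,]+)", re.I)
ROUTING_HEADERS = {"record-route", "contact", "m"}  # "m" is compact Contact
# RFC 1918 and carrier-grade NAT ranges: not reachable from outside the NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def unroutable_targets(message):
    """Return (header, host) pairs whose URI host is a private IP address.

    The ACK for a 2xx is a separate in-dialog request: the caller sends it
    along the route set built from Record-Route, ending at the Contact, so a
    private address in either header can keep the ACK from arriving.
    """
    findings = []
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)  # unfold continuation lines
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() not in ROUTING_HEADERS:
            continue
        for host in URI_HOST.findall(value):
            try:
                addr = ipaddress.ip_address(host.strip("[]"))
            except ValueError:
                continue  # hostname: check its DNS resolution separately
            if any(addr in net for net in PRIVATE_NETS):
                findings.append((name.strip(), host))
    return findings
```
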

On Tue, Aug 7, 2012 at 5:53 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:

> 1. Yes, my proxy is behind a NAT, and my public IP address is mydomain.com;
> I created a rule in my router to bind the 5060 ports of my NAT IP address.
> 2. Yes, I'm using RTP proxy. I do not understand the rest of the question.
> RTP proxy is on the same machine as OpenSIPS. And I created the rule for a
> set of ports to bind the public IP and the NAT IP.
>
>
> 2012/8/7 Ali Pey <alipey at gmail.com>
>
>> Ignacio,
>>
>> Your configuration script heavily depends on your network setup:
>>
>> 1- Is your proxy server behind a nat? If so, do you know your public IP
>> address?
>> 2- Are you using rtp proxy? What's the path for your rtp - through what
>> devices with what IPs?
>>
>>
>> On Tue, Aug 7, 2012 at 2:53 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:
>>
>>> Hi Ali, I use this configuration script to start my OpenSIPS proxy and
>>> it starts. I only want to know: do you see something wrong?
>>> I put in bold the modifications I made to add the nat_traversal module
>>> and the advertised_address parameter.
>>>
>>> In the documentation it says that nat_traversal is straightforward when
>>> using a single proxy (that is my case).
>>>
>>> "In this case the usage is straight forward. The nat_keepalive()
>>> function needs to be called before save_location() for REGISTER requests,
>>> before handle_subscribe() for SUBSCRIBE requests and before t_relay() for
>>> the first INVITE of a dialog. "
>>>
>>> I do not configure any subscription, and I did not find the
>>> save_location function; I assumed that save("location") is a newer version
>>> of this function.
>>>
>>> #CONFIG FILE
>>>
>>> debug=3
>>> log_stderror=no
>>> log_facility=LOG_LOCAL1
>>>
>>> fork=yes
>>> children=4
>>>
>>> #debug=6
>>> #fork=no
>>> #log_stderror=yes
>>>
>>> #disable_dns_blacklist=no
>>>
>>> #dns_try_ipv6=yes
>>>
>>> auto_aliases=no
>>>
>>> *advertised_address="mydomain.com"*
>>>
>>> listen=udp:192.168.1.220:5060   # CUSTOMIZE ME
>>>
>>> disable_tcp=no
>>> listen=tcp:192.168.1.220:5060   # CUSTOMIZE ME
>>>
>>> disable_tls=yes
>>>
>>> mpath="/home/syrium/opensips_proxy/lib/opensips/modules/"
>>>
>>> loadmodule "signaling.so"
>>>
>>> loadmodule "sl.so"
>>>
>>> loadmodule "tm.so"
>>> modparam("tm", "fr_timer", 5)
>>> modparam("tm", "fr_inv_timer", 30)
>>> modparam("tm", "restart_fr_on_each_reply", 0)
>>> modparam("tm", "onreply_avp_mode", 1)
>>>
>>> loadmodule "rr.so"
>>> modparam("rr", "append_fromtag", 0)
>>>
>>> loadmodule "maxfwd.so"
>>>
>>> loadmodule "sipmsgops.so"
>>>
>>> loadmodule "mi_fifo.so"
>>> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>>> modparam("mi_fifo", "fifo_mode", 0666)
>>>
>>> loadmodule "uri.so"
>>> modparam("uri", "use_uri_table", 0)
>>> modparam("uri", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>>> # CUSTOMIZE ME
>>>
>>> loadmodule "db_mysql.so"
>>>
>>> loadmodule "usrloc.so"
>>> modparam("usrloc", "nat_bflag", 10)
>>> modparam("usrloc", "db_mode",   2)
>>> modparam("usrloc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>>> # CUSTOMIZE ME
>>>
>>> loadmodule "registrar.so"
>>> modparam("registrar", "tcp_persistent_flag", 7)
>>> modparam("registrar", "received_avp", "$avp(received_nh)")
>>> #modparam("registrar", "max_contacts", 10)
>>>
>>> loadmodule "acc.so"
>>> modparam("acc", "early_media", 0)
>>> modparam("acc", "report_cancels", 0)
>>> modparam("acc", "detect_direction", 0)
>>> modparam("acc", "failed_transaction_flag", 3)
>>> modparam("acc", "db_flag", 1)
>>> modparam("acc", "db_missed_flag", 2)
>>> modparam("acc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>>> # CUSTOMIZE ME
>>>
>>> loadmodule "auth.so"
>>> loadmodule "auth_db.so"
>>> modparam("auth_db", "calculate_ha1", yes)
>>> modparam("auth_db", "password_column", "password")
>>> modparam("auth_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>>> # CUSTOMIZE ME
>>> modparam("auth_db", "load_credentials", "")
>>>
>>> loadmodule "domain.so"
>>> modparam("domain", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>>> # CUSTOMIZE ME
>>> modparam("domain", "db_mode", 1)   # Use caching
>>> modparam("auth_db|usrloc|uri", "use_domain", 1)
>>>
>>> loadmodule "dialog.so"
>>> modparam("dialog", "dlg_match_mode", 1)
>>> modparam("dialog", "default_timeout", 21600)  # 6 hours timeout
>>> modparam("dialog", "db_mode", 2)
>>> modparam("dialog", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>>> # CUSTOMIZE ME
>>>
>>> *loadmodule "nat_traversal.so"*
>>>
>>> loadmodule "nathelper.so"
>>> modparam("nathelper", "natping_interval", 10)
>>> modparam("nathelper", "ping_nated_only", 1)
>>> modparam("nathelper", "received_avp", "$avp(received_nh)")
>>>
>>> loadmodule "rtpproxy.so"
>>> modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE ME
>>>
>>> ####### Routing Logic ########
>>>
>>> route{
>>>     force_rport();
>>>     if (nat_uac_test("23")) {
>>>         if (is_method("REGISTER")) {
>>>             fix_nated_register();
>>>             setbflag(10);
>>>         } else {
>>>             fix_nated_contact();
>>>             setflag(10);
>>>         }
>>>     }
>>>
>>>
>>>     if (!mf_process_maxfwd_header("10")) {
>>>         sl_send_reply("483","Too Many Hops");
>>>         exit;
>>>     }
>>>
>>>     if (has_totag()) {
>>>         # sequential request within a dialog should
>>>         # take the path determined by record-routing
>>>         if (loose_route()) {
>>>
>>>             # validate the sequential request against dialog
>>>             if ( $DLG_status!=NULL && !validate_dialog() ) {
>>>                 xlog("In-Dialog $rm from $si (callid=$ci) is not valid according to dialog\n");
>>>                 ## exit;
>>>             }
>>>
>>>             if (is_method("BYE")) {
>>>                 setflag(1); # do accounting ...
>>>                 setflag(3); # ... even if the transaction fails
>>>             } else if (is_method("INVITE")) {
>>>                 # even if in most of the cases it is useless, do RR for
>>>                 # re-INVITEs also, as some buggy clients do change route set
>>>                 # during the dialog.
>>>                 record_route();
>>>             }
>>>
>>>             if (check_route_param("nat=yes"))
>>>                 setflag(10);
>>>
>>>             # route it out to whatever destination was set by loose_route()
>>>             # in $du (destination URI).
>>>             route(1);
>>>         } else {
>>>
>>>             if ( is_method("ACK") ) {
>>>                 if ( t_check_trans() ) {
>>>                     # non loose-route, but stateful ACK; must be an ACK after
>>>                     # a 487 or e.g. 404 from upstream server
>>>                     t_relay();
>>>                     exit;
>>>                 } else {
>>>                     # ACK without matching transaction ->
>>>                     # ignore and discard
>>>                     exit;
>>>                 }
>>>             }
>>>             sl_send_reply("404","Not here");
>>>         }
>>>         exit;
>>>     }
>>>
>>>     # CANCEL processing
>>>     if (is_method("CANCEL"))
>>>     {
>>>         if (t_check_trans())
>>>             t_relay();
>>>         exit;
>>>     }
>>>
>>>     t_check_trans();
>>>
>>>     if ( !(is_method("REGISTER")  ) ) {
>>>
>>>         if (is_from_local())
>>>         {
>>>
>>>             # authenticate if from local subscriber
>>>             # authenticate all initial non-REGISTER request that pretend to be
>>>             # generated by local subscriber (domain from FROM URI is local)
>>>             if (!proxy_authorize("", "subscriber")) {
>>>                 proxy_challenge("", "0");
>>>                 exit;
>>>             }
>>>             if (!db_check_from()) {
>>>                 sl_send_reply("403","Forbidden auth ID");
>>>                 exit;
>>>             }
>>>
>>>             consume_credentials();
>>>             # caller authenticated
>>>
>>>         } else {
>>>             # if caller is not local, then called number must be local
>>>
>>>             if (!is_uri_host_local()) {
>>>                 send_reply("403","Rely forbidden");
>>>                 exit;
>>>             }
>>>         }
>>>
>>>     }
>>>
>>>     # preloaded route checking
>>>     if (loose_route()) {
>>>         xlog("L_ERR", "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
>>>         if (!is_method("ACK"))
>>>             sl_send_reply("403","Preload Route denied");
>>>         exit;
>>>     }
>>>
>>>     # record routing
>>>     if (!is_method("REGISTER|MESSAGE"))
>>>         record_route();
>>>
>>>     # account only INVITEs
>>>     if (is_method("INVITE")) {
>>>
>>>         # create dialog with timeout
>>>         if ( !create_dialog("B") ) {
>>>             send_reply("500","Internal Server Error");
>>>             exit;
>>>         }
>>>
>>>         setflag(1); # do accounting
>>>     }
>>>
>>>
>>>     if (!is_uri_host_local()) {
>>>         append_hf("P-hint: outbound\r\n");
>>>
>>>         route(1);
>>>     }
>>>
>>>     # requests for my domain
>>>
>>>     if (is_method("PUBLISH|SUBSCRIBE"))
>>>     {
>>>         sl_send_reply("503", "Service Unavailable");
>>>         exit;
>>>     }
>>>
>>>     if (is_method("REGISTER"))
>>>     {
>>>
>>>         # authenticate the REGISTER requests
>>>         if (!www_authorize("", "subscriber"))
>>>         {
>>>             www_challenge("", "0");
>>>             exit;
>>>         }
>>>
>>>         if (!db_check_to())
>>>         {
>>>             sl_send_reply("403","Forbidden auth ID");
>>>             exit;
>>>         }
>>>
>>>         if ( proto==TCP ||  0 )
>>>             setflag(7);
>>>
>>>         *if ( client_nat_test("3") ) {
>>>                 nat_keepalive();
>>>          }*
>>>
>>>         if (!save("location"))
>>>             sl_reply_error();
>>>
>>>         exit;
>>>     }
>>>
>>>     if ($rU==NULL) {
>>>         # request with no Username in RURI
>>>         sl_send_reply("484","Address Incomplete");
>>>         exit;
>>>     }
>>>
>>>     # do lookup with method filtering
>>>     if (!lookup("location","m")) {
>>>         if (!db_does_uri_exist()) {
>>>             send_reply("420","Bad Extension");
>>>             exit;
>>>         }
>>>
>>>         t_newtran();
>>>         t_reply("404", "Not Found");
>>>         exit;
>>>     }
>>>
>>>     if ( isbflagset(10) )
>>>         setflag(10);
>>>
>>>     # when routing via usrloc, log the missed calls also
>>>     setflag(2);
>>>     route(1);
>>> }
>>>
>>>
>>> route[1] {
>>>     # for INVITEs enable some additional helper routes
>>>     if (is_method("INVITE")) {
>>>
>>>         if (isflagset(10)) {
>>>             rtpproxy_offer("ro");
>>>         }
>>>
>>>         t_on_branch("2");
>>>         t_on_reply("2");
>>>         t_on_failure("1");
>>>
>>>         *if ( client_nat_test("3") ) {
>>>                 nat_keepalive();
>>>             }*
>>>
>>>     }
>>>
>>>     if (isflagset(10)) {
>>>         add_rr_param(";nat=yes");
>>>     }
>>>
>>>
>>>
>>>     if (!t_relay()) {
>>>         send_reply("500","Internal Error");
>>>     };
>>>     exit;
>>> }
>>>
>>> branch_route[2] {
>>>     xlog("new branch at $ru\n");
>>> }
>>>
>>> onreply_route[2] {
>>>     if ( nat_uac_test("1") )
>>>         fix_nated_contact();
>>>     if ( isflagset(10) )
>>>         rtpproxy_answer("ro");
>>>     xlog("incoming reply\n");
>>> }
>>>
>>> failure_route[1] {
>>>     if ( t_was_cancelled() ) {
>>>         exit;
>>>     }
>>> }
>>>
>>> local_route {
>>>     if (is_method("BYE") && $DLG_dir=="UPSTREAM") {
>>>
>>>         acc_db_request("200 Dialog Timeout", "acc");
>>>
>>>     }
>>> }
>>>
>>> Thanks for your time Ali.
>>>
>>>
>>> 2012/8/7 Ignacio Gonzalez <mylaneza at gmail.com>
>>>
>>>> Ok Ali, I will read more. I have created the configuration script
>>>> already with opensips-cp; I created a residential script and I selected the
>>>> NAT option, but that option just installs the nathelper module, and this is why I
>>>> asked you if the nathelper and nat traversal modules were mutually exclusive. I
>>>> will add nat traversal to my configuration script.
>>>>
>>>> Another question, where can I read about the differences between
>>>> residential and trunking scripts?
>>>>
>>>>
>>>> 2012/8/7 Ali Pey <alipey at gmail.com>
>>>>
>>>>> Ignacio,
>>>>>
>>>>> You need to implement nat traversal in your routing script -
>>>>> opensips.cfg. IMO, forget about the opensips-cp until you get it to work.
>>>>> Once you know how it works, then you know how you can do it with the config
>>>>> tool. Sounds like you need lots more reading/testing :)
>>>>>
>>>>> Regards,
>>>>> Ali Pey
>>>>>
>>>>>
>>>>> On Mon, Aug 6, 2012 at 1:38 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:
>>>>>
>>>>>> Ok, I read the NAT_TRAVERSAL module; I don't know how to configure it
>>>>>> using the configuration tool. Do I have to configure it manually? Are the
>>>>>> NAT_TRAVERSAL module and the NATHELPER module mutually exclusive?
>>>>>>
>>>>>>
>>>>>> 2012/8/5 Ali Pey <alipey at gmail.com>
>>>>>>
>>>>>>> Hello Ignacio,
>>>>>>>
>>>>>>> Yes, you can handle NAT and you don't need STUN, TURN or ICE. In
>>>>>>> fact, it's always better to turn off any NAT traversal feature on the phone
>>>>>>> when you are using a proxy server such as OpenSIPS.
>>>>>>>
>>>>>>> Check out the nat traversal module and advertized_ip. How you
>>>>>>> implement it depends on your network setup:
>>>>>>> http://www.opensips.org/html/docs/modules/1.8.x/nat_traversal.html
>>>>>>>
>>>>>>> Regards,
>>>>>>> Ali Pey
>>>>>>>
>>>>>>> On Sat, Aug 4, 2012 at 5:31 PM, Ignacio Gonzalez <mylaneza at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hello everybody, I have configured my OpenSIPS proxy with
>>>>>>>> NAT_TRAVERSAL support using the new tool for configuration. I developed a
>>>>>>>> softphone using JAIN-SIP. I think JAIN-SIP does not implement STUN, TURN
>>>>>>>> and ICE for NAT traversal (RFC 6314); is there any way to do NAT traversal
>>>>>>>> without making a new softphone with another library?
>>>>>>>>
>>>>>>>> I have also tested this softphone with Inphonex, and this company
>>>>>>>> uses openSER in its proxy and the softphone works fine, but I don't know how
>>>>>>>> they do that, so I thought to ask if it is something I can do in the
>>>>>>>> configuration file of my proxy or if they use something else to solve this
>>>>>>>> problem.
>>>>>>>>
>>>>>>>> Thanks for all.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at lists.opensips.org
>>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users