[OpenSIPS-Users] udp or tcp for nat traversal?

george wu aihuawu2012 at 163.com
Wed Oct 15 14:06:04 CEST 2014


Hi, Bogdan:

I think I have found the problem.
I am using mediaproxy. If I kill that proxy,
suddenly the UAC can get the message.
So it is quite obvious that my mediaproxy setting is not correct.
I just don't know how to fix it. I modified it from my old rtpproxy setting.


George



/////////////////////


####  NAT modules
loadmodule "nathelper.so"
modparam("nathelper", "natping_interval", 10)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "received_avp", "$avp(received_nh)")

#loadmodule "rtpproxy.so"
#modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE ME

loadmodule "mediaproxy.so"
modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy/dispatcher.sock")
modparam("mediaproxy", "ice_candidate", "low-priority")





####### Routing Logic ########

# main request routing logic

route{
    force_rport();
    if (nat_uac_test("23")) {
        if (is_method("REGISTER")) {
            fix_nated_register();
            setbflag(NAT);
        } else {
            fix_nated_contact();
            setflag(NAT);
        }
    }
    

    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    }

    if (has_totag()) {
        # sequential request within a dialog should
        # take the path determined by record-routing
        if (loose_route()) {
           
            if (is_method("BYE")) {
                setflag(ACC_DO); # do accounting ...
                setflag(ACC_FAILED); # ... even if the transaction fails
            } else if (is_method("INVITE")) {
                # even if in most cases it is useless, do RR for
                # re-INVITEs also, as some buggy clients do change the route set
                # during the dialog.
                record_route();
            }

            if (check_route_param("nat=yes"))
                setflag(NAT);

            # route it out to whatever destination was set by loose_route()
            # in $du (destination URI).
            route(relay);
        } else {
           
            if ( is_method("ACK") ) {
                if ( t_check_trans() ) {
                    # non loose-route, but stateful ACK; must be an ACK after
                    # a 487 or e.g. 404 from upstream server
                    t_relay();
                    exit;
                } else {
                    # ACK without matching transaction ->
                    # ignore and discard
                    exit;
                }
            }
            sl_send_reply("404","Not here");
        }
        exit;
    }

    # CANCEL processing
    if (is_method("CANCEL"))
    {
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();

    if ( !(is_method("REGISTER")  ) ) {
       
        if (from_uri==myself)
       
        {
           
        } else {
            # if caller is not local, then called number must be local
           
            if (!uri==myself) {
                send_reply("403","Rely forbidden");
                exit;
            }
        }

    }

    # preloaded route checking
    if (loose_route()) {
        xlog("L_ERR",
        "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
        if (!is_method("ACK"))
            sl_send_reply("403","Preload Route denied");
        exit;
    }

    # record routing
    if (!is_method("REGISTER|MESSAGE"))
        record_route();

    # account only INVITEs
    if (is_method("INVITE")) {
       
        setflag(ACC_DO); # do accounting
    }

   
    if (!uri==myself) {
        append_hf("P-hint: outbound\r\n");
       
        # if you have some interdomain connections via TLS
        ## CUSTOMIZE IF NEEDED
        ##if ($rd=="tls_domain1.net"
        ## || $rd=="tls_domain2.net"
        ##) {
        ##    force_send_socket(tls:127.0.0.1:5061); # CUSTOMIZE
        ##}
       
        route(relay);
    }

    # requests for my domain
   
    if (is_method("PUBLISH|SUBSCRIBE"))
    {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }

    if (is_method("REGISTER"))
    {
       

        if ( proto==TCP || proto==TLS || 0 ) setflag(TCP_PERSISTENT);

        if (!save("location"))
            sl_reply_error();

        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }

   

   

     

    # do lookup with method filtering
    if (!lookup("location","m")) {
       
       
        t_newtran();
        t_reply("404", "Not Found");
        exit;
    }

    if (isbflagset(NAT)) setflag(NAT);

    # when routing via usrloc, log the missed calls also
    setflag(ACC_MISSED);
    route(relay);
}


route[relay] {
    # for INVITEs enable some additional helper routes
    if (is_method("INVITE")) {
        if (isflagset(NAT)) {
#            rtpproxy_offer("ro");
            use_media_proxy();
        }

        t_on_branch("per_branch_ops");
        t_on_reply("handle_nat");
        t_on_failure("missed_call");
    }

    if (is_method("BYE")) {
        if (isflagset(NAT)) {
            end_media_session();
        }
    }

    if (isflagset(NAT)) {
        add_rr_param(";nat=yes");
    }

    if (!t_relay()) {
        send_reply("500","Internal Error");
    };
    exit;
}




branch_route[per_branch_ops] {
    xlog("new branch at $ru\n");
}


onreply_route[handle_nat] {
    if (nat_uac_test("1"))
        fix_nated_contact();
#    if ( isflagset(NAT) )
#        rtpproxy_answer("ro");
    if (is_method("INVITE")) {
        if (isflagset(NAT)) {
            use_media_proxy();
        }
    }
    if (is_method("BYE")) {
        if (isflagset(NAT)) {
            end_media_session();
        }
    }

    xlog("incoming reply\n");
}


failure_route[missed_call] {
    if (t_was_cancelled()) {
        exit;
    }

    # uncomment the following lines if you want to block client
    # redirect based on 3xx replies.
    ##if (t_check_status("3[0-9][0-9]")) {
    ##t_reply("404","Not found");
    ##    exit;
    ##}

   
}






At 2014-10-15 15:13:00, "Bogdan-Andrei Iancu" <bogdan at opensips.org> wrote:

Hi George,

If your OpenSIPS fails to reach the UAC, it is because of two reasons:
    - NAT pinhole is closed - but if pinging is done, it shouldn't be
    - OpenSIPS is trying to contact the UAC via the wrong IP:port - can you confirm that when calling the UAC, OpenSIPS sends the INVITE to the same IP and port as where the pings are coming from?

TCP works as this part is "automatically" resolved because of the connection (where the other pipe is known).

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 15.10.2014 03:24, george wu wrote:



Hi, Bogdan-Andrei:

For UDP, it fails when reaching the UAC even though the UAC keeps pinging the server all the time.

For TCP, although it works, I find something interesting.
Only when the client pings the server is the INVITE message sent to the UAC.
In my understanding, the server should be able to send messages to the UAC since the
TCP connection is open. Actually the SIP server is unable to send messages to the UAC.

About the firewall type, I use opensipsctl ul show/rm to check.
I find that every time it registers, I get the same IP/port most of the time.
But occasionally it might get a different IP/port.
I believe it is NAT within a cone.

I am using ICE; the ICE only works after the first INVITE message is delivered to the peer.
My ICE with mediaproxy works perfectly.



George Wu

At 2014-10-15 00:22:46, "Bogdan-Andrei Iancu" <bogdan at opensips.org> wrote:

Hi George,

NAT traversal is not only about pinging, but also about mangling/correcting the SIP traffic (from private IPs perspective) and ensuring the RTP flow.

So you need to be sure that all 3 points are addressed.

TCP versus UDP - there is only a difference at IP transport level... like datagram versus connection, and their implications at NAT level (being able to reach the device behind the NAT). Otherwise it's the same.

For UDP, can you see what fails? The registration? Reaching the UAC?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 14.10.2014 18:37, george wu wrote:

My experience is that for two UACs (linphone) behind a firewall,
TCP/TLS will always work.
UDP will never work.

For both TCP/UDP, my UAC will send a keep-alive every 10 seconds.
I don't understand what makes that difference.
Can anyone share your experience?

George Wu
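
Added example, not part of the original thread: one way to run the check suggested above (does the proxy send the INVITE to the same IP:port the UAC's REGISTER and keep-alives come from?) over a packet-capture summary. The capture records, addresses and function name are constructed for illustration.

```python
import re

# Constructed capture summary (not from the thread): (src, dst, SIP message text).
PROXY = "198.51.100.10:5060"
CAPTURE = [
    ("203.0.113.7:40112", PROXY,
     "REGISTER sip:example.test SIP/2.0\r\nTo: <sip:bob@example.test>\r\n"
     "Contact: <sip:bob@192.168.1.20:5060>\r\n\r\n"),
    ("203.0.113.7:40112", PROXY, "\r\n\r\n"),  # CRLF keep-alive from the UAC
    # INVITE sent to the private Contact address: never reaches the UAC
    (PROXY, "192.168.1.20:5060",
     "INVITE sip:bob@192.168.1.20:5060 SIP/2.0\r\nTo: <sip:bob@example.test>\r\n\r\n"),
    # INVITE sent to the public address the NAT mapped: goes through the pinhole
    (PROXY, "203.0.113.7:40112",
     "INVITE sip:bob@192.168.1.20:5060 SIP/2.0\r\nTo: <sip:bob@example.test>\r\n\r\n"),
]

TO_RE = re.compile(r"^To:\s*<?(sip:[^>;\s]+)", re.I | re.M)


def check_invite_targets(capture, proxy):
    """For each INVITE the proxy sends, compare its destination with the
    source address of that user's REGISTER and of the keep-alives seen."""
    registered_from = {}   # AoR -> ip:port the REGISTER arrived from
    ping_sources = set()   # every ip:port that sent REGISTER or keep-alive
    results = []
    for src, dst, msg in capture:
        method = msg.split(" ", 1)[0] if msg.strip() else "KEEPALIVE"
        to = TO_RE.search(msg)
        if dst == proxy and method == "REGISTER" and to:
            registered_from[to.group(1)] = src
            ping_sources.add(src)
        elif dst == proxy and method == "KEEPALIVE":
            ping_sources.add(src)
        elif src == proxy and method == "INVITE" and to:
            expected = registered_from.get(to.group(1))
            results.append({"aor": to.group(1), "sent_to": dst,
                            "registered_from": expected,
                            "matches": dst == expected,
                            "pinged": dst in ping_sources})
    return results


if __name__ == "__main__":
    for r in check_invite_targets(CAPTURE, PROXY):
        print(r)
```

A destination that is neither the registration source nor an address pings arrive from means the request is aimed at an address the NAT has no mapping for, which is the second failure cause listed above.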







