[OpenSIPS-Users] OpenSIPS Server behind a NAT firewall
Damon Miller
dmiller at cloudswitch.com
Mon Dec 20 19:45:48 CET 2010
Hi all. I'm trying to deploy an OpenSIPS server behind a NAT firewall. I've searched the various list archives for references on how this can be accomplished, but thus far the only example I found was essentially left unresolved. A quick illustration seems helpful, so here's my attempt:
---------- ------------ ------------- --------------
- Peer A - <---> - F/W - <---> - F/W - <---> - OpenSIPS -
---------- ------------ ------------- --------------
192.168.1.10 (LAN) 192.168.1.1 : 131.239.15.22 (WAN) 50.18.56.112 : 192.168.20.1 (LAN) 192.168.20.235
Picasso I'm not but hopefully that makes some sense. Basically I have a NAT firewall on the client side and a NAT firewall on the server side. Both of the firewalls have two IP addresses--one internal and one external. I've attempted to configure nathelper and RTPProxy but I've clearly done something wrong on the OpenSIPS side as it generates a 420 when the client registers. I tried to use the example provided in Flavio's excellent book, so the most likely culprit is the changes I made in an attempt to simplify. Please be gentle; I'm still learning... Thanks in advance for any guidance.
Here's my opensips.cfg file:
[root at cent55-64 ~]# cat /usr/local/etc/opensips/opensips.cfg
####### Global Parameters #########
# Logging: debug level 3, sent to syslog facility LOCAL0 instead of stderr.
debug=3
log_stderror=no
log_facility=LOG_LOCAL0
# Daemonize and start 4 children.
fork=yes
children=4
# Address and port this proxy advertises in the SIP headers it generates.
# 50.18.56.112 is the WAN address of the server-side firewall in the poster's
# diagram, so that firewall has to forward SIP (5060) to this host.
# NOTE(review): no listen= line is given; confirm which local address the
# server actually binds to (the diagram suggests 192.168.20.235).
advertised_address="50.18.56.112"
advertised_port=5060
port=5060
####### Modules Section ########
# Directory the loadmodule lines below are resolved against.
mpath="/usr/local/lib64/opensips/modules/"
# NOTE(review): db_mysql, auth_db, alias_db and domain are loaded, but no
# db_url modparam appears anywhere in this file. Confirm these modules start
# with their defaults, or drop the ones the routing script does not call.
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri.so"
loadmodule "acc.so"
# NOTE(review): the digest-authentication modules are loaded here, yet the
# routing logic in this file never calls an authentication function, so
# loading them does not by itself protect REGISTER or INVITE.
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "alias_db.so"
loadmodule "domain.so"
loadmodule "avpops.so"
loadmodule "nathelper.so"
# ----- mi_fifo params -----
# Management Interface FIFO. /tmp is a world-writable directory and the FIFO
# accepts management commands, so on a shared host place it in a directory
# owned by the OpenSIPS user or restrict it with the module's
# fifo_mode / fifo_user / fifo_group parameters.
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
# ----- rr params -----
modparam("rr", "enable_full_lr", 1)
modparam("rr", "append_fromtag", 0)
# ----- usrloc params -----
# db_mode 0: registrations are kept in memory only.
modparam("usrloc", "db_mode", 0)
# Branch flag 6 is stored with a contact to mark it as NATed; the routing
# script sets it with setbflag(6) before save().
modparam("usrloc", "nat_bflag", 6)
# ----- nathelper params -----
# Keep-alive pings every 30 seconds from one dedicated process; with
# ping_nated_only=0 the pings are not limited to contacts flagged as NATed.
modparam("nathelper", "ping_nated_only", 0)
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "natping_processes", 1)
# RTPProxy control socket. The control channel carries no authentication, so
# keeping it on the loopback address as done here is the safe choice.
modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:22222")
# Contacts saved with branch flag 7 get SIP OPTIONS pings instead of UDP
# keep-alives; sipping_from is the From URI used in those pings.
modparam("nathelper","sipping_bflag",7)
# NOTE(review): " at " is presumably the list archive's obfuscation of "@"
# (the same substitution appears in the e-mail address and shell prompt of
# this post); the real file would need sip:pinger@... here.
modparam("nathelper","sipping_from", "sip:pinger at 50.18.56.112")
# registrar and nathelper must name the same AVP so that the source address
# recorded by fix_nated_register() is stored with the contact by save().
modparam("registrar","received_avp", "$avp(i:42)")
modparam("nathelper","received_avp", "$avp(i:42)")
# ----- uri params -----
modparam("uri", "use_uri_table", 0)
# ----- acc params -----
# Accounting flags used by the routing script: flag 1 = account the call,
# flag 2 = account missed calls, flag 3 = account even if the transaction fails.
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
modparam("acc", "detect_direction", 0)
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
# NOTE(review): db_flag / db_missed_flag switch on database accounting for the
# same flags, but no acc db_url is configured in this file; confirm whether
# database accounting is intended.
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)
####### Routing Logic ########
# Main request route: hop-limit check, NAT detection, in-dialog requests, then
# initial requests (CANCEL, preloaded Route check, record-routing, REGISTER).
route{
# Reject the request when Max-Forwards is exhausted ("10" is the value used
# when the header is missing).
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
#---- NAT Detection ----#
# Send replies back to the source port the request arrived from.
force_rport();
# Test 18 = 2 (address in Via differs from the packet's source address)
# + 16 (port in Via differs from the source port).
if (nat_uac_test("18")) {
if (method=="REGISTER") {
# Records the real source address in the received AVP for save().
fix_nated_register();
}
else {
# Rewrites the Contact URI to the source address and port.
fix_nated_contact();
}
# Flag 5 = "the sender of this request is behind NAT".
setflag(5);
};
#---- Sequential requests section ----#
if (has_totag()) {
# sequential request within a dialog should
# take the path determined by record-routing
if (loose_route()) {
if (is_method("BYE")) {
setflag(1); # do accounting
setflag(3); # even if the transaction fails
}
else if (is_method("INVITE")) {
record_route();
};
route(1);
}
else {
# In-dialog request without a usable Route set: relay an ACK only if it
# matches an existing transaction, silently drop other ACKs, and answer
# anything else with 404.
if ( is_method("ACK") ) {
if ( t_check_trans() ) {
t_relay();
exit;
}
else {
exit;
};
};
sl_send_reply("404","Not here");
};
exit;
}
#---- initial requests section ----#
# A CANCEL is relayed only when it matches a transaction this proxy knows.
if (is_method("CANCEL")) {
if (t_check_trans()) {
t_relay();
exit;
};
};
t_check_trans();
#---- preloaded route checking ----#
# An initial request that already carries a Route header is refused, so a
# sender cannot use this proxy to steer traffic along a path it chose.
if (loose_route()) {
if (!is_method("ACK")) {
sl_send_reply("403","Preload Route denied");
exit;
};
};
#---- record routing ----#
if (!is_method("REGISTER|MESSAGE")) {
record_route();
};
# account only INVITEs
if (is_method("INVITE")) {
setflag(1); # do accounting
};
#---- Routing to external domains ----#
# NOTE(review): the inner is_uri_host_local() test sits inside the branch
# where the same test was just false, so route(1) looks unreachable and every
# non-local R-URI gets the 403. There is also no "exit;" after that 403, so
# processing continues after the reply has been sent; a REGISTER for a
# non-local domain would still reach save() below.
if (!is_uri_host_local()) {
append_hf("P-hint: outbound\r\n");
if(is_uri_host_local()) {
route(1);
}
else {
sl_send_reply("403","Not here");
};
};
if (is_method("PUBLISH")) {
sl_send_reply("503", "Service Unavailable");
exit;
};
# NOTE(review): the binding is stored without any digest challenge. auth.so
# and auth_db.so are loaded, but no www_authorize()/www_challenge() call
# appears in this script, so any host that can reach port 5060 could register
# a contact for any user. On a proxy exposed through the firewall,
# authenticate REGISTER before calling save().
if (is_method("REGISTER")) {
#-- Request is behind NAT(flag5) save with bflag 6 -#
#---- Use bflag 7 to start SIP pinging (Options) ---#
if (isflagset(5)) {
setbflag(6);
setbflag(7);
};
if (!save("location")) {
sl_reply_error();
exit;
};
# NOTE(review): nothing ends processing after a successful save(), so every
# REGISTER whose user part does not start with "*" reaches the unconditional
# send_reply("420") below. This is the likely source of the 420 described in
# the post; an "exit;" right after the save() block would stop here. Confirm
# against the book's original script, where the "*" test presumably applies
# to calls rather than to REGISTER.
if($rU=~"^\*") {
# Route to media servers
route(5);
route(1);
};
send_reply("420", "Invalid Extension");
exit;
};
# NOTE(review): initial requests other than REGISTER and PUBLISH reach the end
# of the route here without lookup() or t_relay(); route[3], which performs
# the usrloc lookup, is never called from this block.
}
# route[1]: common relay path. Decides whether media must go through the RTP
# proxy, arms the branch/reply/failure routes for INVITE, then relays.
route[1] {
# for INVITEs enable some additional helper routes
#---- Helper route, if nat=yes in the R-URI set flag 6 ----#
#---- This is used to Process REINVITES ----#
# The ;nat=yes parameter is stripped from the R-URI and turned into bflag 6.
# NOTE(review): the parameter comes from the request itself, so any sender can
# set it; here its only visible effect is to force the RTP proxy.
if (subst_uri('/(sip:.*);nat=yes/\1/')) {
setbflag(6);
};
#-- If caller(flag 5) or callee(flag 6) are behind NAT --#
#-- Call the route(6) to force the use of the RTP Proxy --#
if (isflagset(5)||isbflagset(6)) {
route(6);
};
# Tag the caller's Contact with ;nat=yes so later in-dialog requests carry the
# marker back in their R-URI.
if (isflagset(5)){
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
};
if (is_method("INVITE")) {
t_on_branch("2");
t_on_reply("2");
t_on_failure("1");
};
# Stateful relay; on failure send an error reply derived from the error code.
if (!t_relay()) {
sl_reply_error();
};
exit;
}
# Route for user lookups: resolve the R-URI against the "location" table and
# hand the request to route[1].
# NOTE(review): no route(3) call appears in the routes shown in this file, so
# this block looks unused as posted.
route[3]{
# "m" makes lookup() also match on the request method.
if (!lookup("location", "m")) {
switch ($retcode) {
# -1 and -3: no usable contact, answer 404 statefully.
case -1:
case -3:
t_newtran();
t_reply("404", "Not Found");
exit;
# -2: contacts exist but none accepts this method.
case -2:
sl_send_reply("405", "Method Not Allowed");
exit;
};
};
# when routing via usrloc, log the missed calls also
setflag(2);
route(1);
}
# route[5]: point the request URI at the media server and relay it.
# NOTE(review): in the poster's diagram 192.168.20.235 appears to be the
# OpenSIPS host itself; if so, this sends the request back to this proxy on
# port 5060 rather than to a separate media server. Confirm the address.
route[5] {
#---- Route to media servers ----#
rewritehostport("192.168.20.235:5060");
route(1);
}
# route[6]: RTP proxy control for requests. Called from route[1] when either
# side is flagged as NATed.
route[6] {
#---- RTP Proxy handling ---#
# BYE/CANCEL end the call, so the RTP proxy session is released.
if (is_method("BYE|CANCEL")) {
unforce_rtp_proxy();
}
else if (is_method("INVITE")){
#---- Activates the RTP Proxy for the CALLEE ---#
force_rtp_proxy();
# failure_route[1] releases the RTP proxy session if the INVITE fails.
t_on_failure("1");
};
}
# branch_route[2]: runs once per outgoing branch of an INVITE (armed in
# route[1]); it only logs the branch's request URI.
branch_route[2] {
xlog("new branch at $ru\n");
}
# onreply_route[2]: reply handling for INVITEs armed in route[1]. Engages the
# RTP proxy on 183 and 2xx replies and fixes the callee's Contact when NATed.
onreply_route[2] {
#---- Handling of the SDP for the 200 or 183 reply ----#
#---- If behind nat (flags 5 or 6) start RTP Proxy ----#
#---- Activates the RTP Proxy for the CALLER ----#
if ((isflagset(5) || isbflagset(6)) && status=~"(183)|(2[0-9][0-9])"){
force_rtp_proxy();
append_hf("P-hint: onreply_route|force_rtp_proxy \r\n");
};
#---- If the CALLEE is behind NAT, fix the CONTACT HF ----#
if (isbflagset(6)) {
#-- Insert nat=yes at the end of the Contact header --#
#-- This helps with REINVITEs, --#
#- nat=yes will be included in the R-URI for seq.requests-#
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
append_hf("P-hint: Onreply-route - fixcontact \r\n");
fix_nated_contact();
};
exit;
}
# failure_route[1]: runs when an INVITE transaction armed with
# t_on_failure("1") ends with a failure.
failure_route[1] {
#---- If a failure has occurred, deactivate the RTP Proxy ----#
if (isflagset(5) || isbflagset(6)) {
unforce_rtp_proxy();
};
# Nothing more to do when the caller cancelled the call.
if (t_was_cancelled()) {
exit;
};
}
---
Regards,
Damon