[OpenSIPS-Users] 2 UAs behind same NAT Device
Deon Vermeulen
vermeulen.deon at gmail.com
Wed Nov 3 07:17:57 CET 2010
Morning Kennard
I really appreciate your feedback.
I will be serving different networks, but will have control over most
of them or at least be able to assist 3rd party vendors for those I
don't.
As for another NAT device behind the "Main" Firewall, there wouldn't
be an issue like that, but would be a "nice to have" just in case I
run into something like that.
I think it would be best that I explain what I would like to achieve
to clarify what my idea is:
I have a Multi-Tenant solution running on Multiple Asterisk Servers.
The solution currently works for customer that has an VPN/MPLS
connection to me, but I would like to expand my services over the
Internet for smaller customers who can not afford VPN/MPLS connections
to me, but would like to make use of this service.
I would also like to extend this service to have Follow me for my
current customers via their mobile devices, from home, etc...
The Multi-Tenant Asterisk Servers use one Database and handle all
Media including Hunt groups, IVR, Speed Dials, Black/White listing,
Connectivity to the PSTN via external Gateways, etc...
I am looking at OpenSIPS to only help resolve the NAT issue and do
Load-Balancing between my Asterisk Multi-Tenant servers.
Hope this clarifies what I am looking to achieving.
I would really appreciate your help with this.
Perhaps a sample config of how you would do this would be awesome.
Thanks again.
Best Regards
Deon
So, I am looking at OpenSIPS to help provide LoadBalancing/Load
Sharing between couple of Asterisk Servers, which will cut down a lot
on expenses.
On 03 Nov 2010, at 5:26 AM, Kennard White wrote:
> Hi Deon,
>
> For better or worse there are many ways to configure opensips
> depending upon exactly what you are doing. Re your route6, it should
> be invoked from some branch route. One way branch routes are
> established is using t_on_branch(). Your route(3) (or somewhere)
> must be doing a lookup() and establish a branch route.
>
> As someone else said, a key question with what you're trying to do
> is: is your network an open or closed environment? If open
> environment (where you cannot control/know the networks where your
> users are) then non-ICE short-circuiting media relay will fail for
> people behind non-hairpinning firewalls or double firewalls. ICE
> (and yes, full ICE, not just STUN) is more robust way of avoiding
> media-relay when not needed. Of course, it has its own issues :-).
>
> Kennard
>
> On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <vermeulen.deon at gmail.com
> > wrote:
> Hi Kennard
>
> Thanks for the ideas.
> I really appreciate it.
>
> I got the config as an example from the Building Telephony systems
> with OpenSER.
> I choose the OpenSER implementation as it describes the implenetation
> of MediaProxy.
> Reason for choosing MediaProxy is because I am very, very interested
> in getting the ICE feature.
>
> I thought best to first get this config working before playing around
> with the ICE configuration.
>
> Could you be so kind and perhaps show me where I should call up
> route(6)?
>
> I use fully qualified domain names (i.e domaina.com) for the domain.
> At the moment I specify the proxy with the IP of my Server as I
> haven't setup the DNS records yet.
>
> I really appreciate your feedback and assistance.
>
> Regards
> Deon
>
>
> On 02 Nov 2010, at 5:08 PM, Kennard White wrote:
>
> > Hi Deon,
> >
> > Some ideas:
> > 1. Capture the SIP traffic and see if media proxy is being invoked
> > in the request and/or response (look for your P-hint messages), and
> > the IP addresses.
> > 2. Add xlog messages when you invoke mediarelay to confirm that they
> > are getting called.
> > 3. You're comparing $dd (which is a domain) to $si (which is an IP
> > address). I don't think this will work in the general case, but
> > maybe you're using IP addresses as your domains?
> > 4. I don't see the code that invokes route(6) -- I assume that is in
> > a branch_route not the request route?
> >
> > Good luck,
> > Kennard
> >
> > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <vermeulen.deon at gmail.com
> > > wrote:
> > Hi List
> >
> > I'm trying to setup NAT to NOT use MediaProxy when it detects that 2
> > devices are behind the same NAT Device, but rather have coms go
> > directly between them.
> > At the moment I can dial between the 2 phones and answer the call.
> > The callee phone says "Call Established" upon answer, but the caller
> > phone still says "trying/connecting".
> > I am sure this has something to do with my configuration, but I have
> > "NO IDEA" where to start looking.
> > The phones are setup to use their local IPs with no other STUN, ICE,
> > or "proxy like" configurations.
> > Below is a snipped from my opensips.cfg with the NAT configs and
> would
> > really appreciate any help to get this working.
> >
> > modparam("rr", "enable_full_lr", 1)
> > modparam("registrar", "received_avp", "$avp(i:42)")
> > modparam("usrloc", "db_mode", 2)
> > modparam("usrloc", "nat_bflag", 6)
> > modparam("domain", "db_mode", 1) # Use caching
> > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)
> > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|
> > siptrace|group|avpops|presence", "db_url", "mysql://
> > opensips:opensipsrw at localhost/opensips")
> > modparam("nathelper", "natping_interval", 10)
> > modparam("nathelper", "received_avp", "$avp(i:42)")
> > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-
> > dispatcher.sock")
> > modparam("mediaproxy", "mediaproxy_timeout", 500)
> > modparam("mi_datagram", "socket_name", "/var/run/opensips/
> > opensips.sock")
> > modparam("mi_datagram", "children_count", 4)
> >
> >
> > # ------------------------- request routing logic
> > ------------------- #
> >
> > route{
> >
> > #
> > # -- 1 -- Request Validation
> > #
> > if (!mf_process_maxfwd_header("10")) {
> > sl_send_reply("483","Too Many Hops");
> > exit;
> > }
> >
> > if (msg:len >= 2048 ) {
> > sl_send_reply("513", "Message too big");
> > exit;
> > }
> >
> > #
> > # -- 2 -- Routing Preprocessing
> > #
> > ## Record-route all except Register
> > ## Mark packets with nat=yes
> > ## This mark will be used to identify the request in the loose
> > ## route section
> > if(!is_method("REGISTER")){
> > if(nat_uac_test("19")){
> > record_route(";nat=yes");
> > } else {
> > record_route();
> > }
> > }
> >
> > ##Loose_route packets
> > if (has_totag()) {
> > #sequential request withing a dialog should
> > # take the path determined by record-routing
> > if (loose_route()) {
> > #Check authentication of re-invites
> > if(method=="INVITE") {
> > if (!proxy_authorize("","subscriber")) {
> > proxy_challenge("","1");
> > exit;
> > } else if (!db_check_from()) {
> > sl_send_reply("403", "Forbidden, use From=ID");
> > exit;
> > }
> > }
> > ## BYE and CANCEL message handling
> > if(method=="BYE" || method=="CANCEL") {
> > end_media_session();
> > }
> > ##Detect requests in the dialog behind NAT and flag with 6
> > if(nat_uac_test("19") || search("^Route:.*;nat=yes")){
> > append_hf("P-hint: LR|fixcontact,setflag6,
> mediaproxy
> > \r\n");
> > fix_contact();
> > setbflag(6);
> > use_media_proxy();
> > }
> > route(1);
> > } else {
> > sl_send_reply("404","Not here");
> > }
> > exit;
> > }
> >
> > #CANCEL processing
> > if (is_method("CANCEL")) {
> > if (t_check_trans()) {
> > end_media_session();
> > t_relay();
> > }
> > exit;
> > }
> >
> > t_check_trans();
> >
> > #
> > # -- 3 -- Determine Request Target
> > #
> > if (method=="REGISTER") {
> > route(2);
> > } else {
> > route(3);
> > }
> > }
> >
> >
> > route[1] {
> > #
> > # -- 4 -- Forward request to target
> > #
> > # Forward statefully
> > t_on_reply("1");
> > t_on_failure("1");
> > if (!t_relay()) {
> > sl_reply_error();
> > }
> > exit;
> > }
> >
> > route[2] {
> > ## Register request handler
> > if (is_uri_host_local()) {
> > if (!www_authorize("", "subscriber")) {
> > www_challenge("", "1");
> > exit;
> > }
> >
> > if (!db_check_to()) {
> > sl_send_reply("403", "Forbidden");
> > exit;
> > }
> >
> > # Test to see if Caller is behind NAT
> > if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
> > setbflag(6);
> > fix_nated_register();
> > force_rport();
> > }
> > save("location");
> > exit;
> >
> > } else {
> > sl_send_reply("403", "Forbidden");
> > }
> > }
> >
> >
> > route[3] {
> > ## Requests handler
> > if (is_from_local()){
> > # From an internal domain -> check the credentials and the
> > FROM
> > #if(!allow_trusted()){
> > if (!proxy_authorize("","subscriber")) {
> > proxy_challenge("","0");
> > exit;
> > } else if(!db_check_from()) {
> > sl_send_reply("403", "Forbidden, use From=ID");
> > exit;
> > }
> >
> > if (client_nat_test("3")) {
> > append_hf("P-hint: route(3)|
> > setflag7,forcerport,fix_contact\r\n");
> > setbflag(7);
> > force_rport();
> > fix_contact();
> > }
> >
> > ..............
> >
> > route[6] {
> > #
> > # -- NAT Traversal handling --
> > #
> > # Route[6] is the routing block responsible for activating the
> > MediaProxy, whenever
> > # the caller or callee is behind NAT (flags 6 or 7
> respectively).
> > if (isbflagset(6) || isbflagset(7)) {
> > if ( $dd == $si ) {
> > xlog("L_INFO", "Both users behind same NAT, so we
> > dont use MediaProxy\n");
> > resetbflag(6); # Unset NAT flag general.
> > resetbflag(7); # Unset NAT flag general.
> > } else
> > append_hf("P-hint: Route[6]: mediaproxy \r\n");
> > use_media_proxy();
> > }
> > }
> >
> > .............
> >
> > onreply_route[1] {
> > #
> > #-- On-replay block routing --
> > #
> > if (client_nat_test("1")) {
> > append_hf("P-hint: Onreply-route - fixcontact \r\n");
> > fix_contact();
> > }
> >
> > if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|
> > 2[0-9][0-9]")) {
> > if (search("^Content-Type:[ ]*application/sdp")) {
> > append_hf("P-hint: onreply_route|usemediaproxy \r\n");
> > use_media_proxy();
> > }
> > }
> > exit;
> > }
> >
> >
> > Thanks again for helping. Really appreciate it.
> >
> > Regards
> > Deon
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
More information about the Users
mailing list