[OpenSIPS-Users] 2 UAs behind same NAT Device
Deon Vermeulen
vermeulen.deon at gmail.com
Wed Nov 3 12:49:58 CET 2010
Hi List
Anyone else able to assist me?
Really appreciate any help I can get.
Regards
Deon
On 03 Nov 2010, at 8:17 AM, Deon Vermeulen wrote:
> Morning Kennard
>
> I really appreciate your feedback.
>
> I will be serving different networks, but will have control over
> most of them or at least be able to assist 3rd party vendors for
> those I don't.
>
> As for another NAT device behind the "Main" Firewall, there wouldn't
> be an issue like that, but would be a "nice to have" just in case I
> run into something like that.
>
> I think it would be best that I explain what I would like to achieve
> to clarify what my idea is:
>
> I have a Multi-Tenant solution running on Multiple Asterisk Servers.
> The solution currently works for customers that have a VPN/MPLS
> connection to me, but I would like to expand my services over the
> Internet for smaller customers who can not afford VPN/MPLS
> connections to me, but would like to make use of this service.
> I would also like to extend this service to have Follow me for my
> current customers via their mobile devices, from home, etc...
> The Multi-Tenant Asterisk Servers use one Database and handle all
> Media including Hunt groups, IVR, Speed Dials, Black/White listing,
> Connectivity to the PSTN via external Gateways, etc...
> I am looking at OpenSIPS to only help resolve the NAT issue and do
> Load-Balancing between my Asterisk Multi-Tenant servers.
>
> Hope this clarifies what I am looking to achieve.
>
> I would really appreciate your help with this.
> Perhaps a sample config of how you would do this would be awesome.
>
> Thanks again.
>
> Best Regards
> Deon
>
>
> So, I am looking at OpenSIPS to help provide LoadBalancing/Load
> Sharing between couple of Asterisk Servers, which will cut down a
> lot on expenses.
>
> On 03 Nov 2010, at 5:26 AM, Kennard White wrote:
>
>> Hi Deon,
>>
>> For better or worse there are many ways to configure opensips
>> depending upon exactly what you are doing. Re your route6, it
>> should be invoked from some branch route. One way branch routes are
>> established is using t_on_branch(). Your route(3) (or somewhere)
>> must be doing a lookup() and establish a branch route.
>>
>> As someone else said, a key question with what you're trying to do
>> is: is your network an open or closed environment? If open
>> environment (where you cannot control/know the networks where your
>> users are) then non-ICE short-circuiting media relay will fail for
>> people behind non-hairpinning firewalls or double firewalls. ICE
>> (and yes, full ICE, not just STUN) is more robust way of avoiding
>> media-relay when not needed. Of course, it has its own issues :-).
>>
>> Kennard
>>
>> On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
>> Hi Kennard
>>
>> Thanks for the ideas.
>> I really appreciate it.
>>
>> I got the config as an example from the Building Telephony systems
>> with OpenSER.
>> I chose the OpenSER implementation as it describes the implementation
>> of MediaProxy.
>> Reason for choosing MediaProxy is because I am very, very interested
>> in getting the ICE feature.
>>
>> I thought best to first get this config working before playing around
>> with the ICE configuration.
>>
>> Could you be so kind and perhaps show me where I should call up
>> route(6)?
>>
>> I use fully qualified domain names (i.e. domaina.com) for the domain.
>> At the moment I specify the proxy with the IP of my Server as I
>> haven't set up the DNS records yet.
>>
>> I really appreciate your feedback and assistance.
>>
>> Regards
>> Deon
>>
>>
>> On 02 Nov 2010, at 5:08 PM, Kennard White wrote:
>>
>> > Hi Deon,
>> >
>> > Some ideas:
>> > 1. Capture the SIP traffic and see if media proxy is being invoked
>> > in the request and/or response (look for your P-hint messages), and
>> > the IP addresses.
>> > 2. Add xlog messages when you invoke mediarelay to confirm that they
>> > are getting called.
>> > 3. You're comparing $dd (which is a domain) to $si (which is an IP
>> > address). I don't think this will work in the general case, but
>> > maybe you're using IP addresses as your domains?
>> > 4. I don't see the code that invokes route(6) -- I assume that is in
>> > a branch_route not the request route?
>> >
>> > Good luck,
>> > Kennard
>> >
>> > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
>> > Hi List
>> >
>> > I'm trying to set up NAT to NOT use MediaProxy when it detects that 2
>> > devices are behind the same NAT Device, but rather have coms go
>> > directly between them.
>> > At the moment I can dial between the 2 phones and answer the call.
>> > The callee phone says "Call Established" upon answer, but the caller
>> > phone still says "trying/connecting".
>> > I am sure this has something to do with my configuration, but I have
>> > "NO IDEA" where to start looking.
>> > The phones are set up to use their local IPs with no other STUN, ICE,
>> > or "proxy like" configurations.
>> > Below is a snippet from my opensips.cfg with the NAT configs and would
>> > really appreciate any help to get this working.
>> >
>> > modparam("rr", "enable_full_lr", 1)
>> > modparam("registrar", "received_avp", "$avp(i:42)")
>> > modparam("usrloc", "db_mode", 2)
>> > modparam("usrloc", "nat_bflag", 6)
>> > modparam("domain", "db_mode", 1) # Use caching
>> > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)
>> > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|siptrace|group|avpops|presence", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> > modparam("nathelper", "natping_interval", 10)
>> > modparam("nathelper", "received_avp", "$avp(i:42)")
>> > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-dispatcher.sock")
>> > modparam("mediaproxy", "mediaproxy_timeout", 500)
>> > modparam("mi_datagram", "socket_name", "/var/run/opensips/opensips.sock")
>> > modparam("mi_datagram", "children_count", 4)
>> >
>> >
>> > # ------------------------- request routing logic ------------------- #
>> >
>> > route{
>> >
>> >     #
>> >     # -- 1 -- Request Validation
>> >     #
>> >     if (!mf_process_maxfwd_header("10")) {
>> >         sl_send_reply("483","Too Many Hops");
>> >         exit;
>> >     }
>> >
>> >     if (msg:len >= 2048 ) {
>> >         sl_send_reply("513", "Message too big");
>> >         exit;
>> >     }
>> >
>> >     #
>> >     # -- 2 -- Routing Preprocessing
>> >     #
>> >     ## Record-route all except Register
>> >     ## Mark packets with nat=yes
>> >     ## This mark will be used to identify the request in the loose
>> >     ## route section
>> >     if(!is_method("REGISTER")){
>> >         if(nat_uac_test("19")){
>> >             record_route(";nat=yes");
>> >         } else {
>> >             record_route();
>> >         }
>> >     }
>> >
>> >     ##Loose_route packets
>> >     if (has_totag()) {
>> >         #sequential request within a dialog should
>> >         # take the path determined by record-routing
>> >         if (loose_route()) {
>> >             #Check authentication of re-invites
>> >             if(method=="INVITE") {
>> >                 if (!proxy_authorize("","subscriber")) {
>> >                     proxy_challenge("","1");
>> >                     exit;
>> >                 } else if (!db_check_from()) {
>> >                     sl_send_reply("403", "Forbidden, use From=ID");
>> >                     exit;
>> >                 }
>> >             }
>> >             ## BYE and CANCEL message handling
>> >             if(method=="BYE" || method=="CANCEL") {
>> >                 end_media_session();
>> >             }
>> >             ##Detect requests in the dialog behind NAT and flag with 6
>> >             if(nat_uac_test("19") || search("^Route:.*;nat=yes")){
>> >                 append_hf("P-hint: LR|fixcontact,setflag6,mediaproxy\r\n");
>> >                 fix_contact();
>> >                 setbflag(6);
>> >                 use_media_proxy();
>> >             }
>> >             route(1);
>> >         } else {
>> >             sl_send_reply("404","Not here");
>> >         }
>> >         exit;
>> >     }
>> >
>> >     #CANCEL processing
>> >     if (is_method("CANCEL")) {
>> >         if (t_check_trans()) {
>> >             end_media_session();
>> >             t_relay();
>> >         }
>> >         exit;
>> >     }
>> >
>> >     t_check_trans();
>> >
>> >     #
>> >     # -- 3 -- Determine Request Target
>> >     #
>> >     if (method=="REGISTER") {
>> >         route(2);
>> >     } else {
>> >         route(3);
>> >     }
>> > }
>> >
>> >
>> > route[1] {
>> >     #
>> >     # -- 4 -- Forward request to target
>> >     #
>> >     # Forward statefully
>> >     t_on_reply("1");
>> >     t_on_failure("1");
>> >     if (!t_relay()) {
>> >         sl_reply_error();
>> >     }
>> >     exit;
>> > }
>> >
>> > route[2] {
>> >     ## Register request handler
>> >     if (is_uri_host_local()) {
>> >         if (!www_authorize("", "subscriber")) {
>> >             www_challenge("", "1");
>> >             exit;
>> >         }
>> >
>> >         if (!db_check_to()) {
>> >             sl_send_reply("403", "Forbidden");
>> >             exit;
>> >         }
>> >
>> >         # Test to see if Caller is behind NAT
>> >         if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
>> >             setbflag(6);
>> >             fix_nated_register();
>> >             force_rport();
>> >         }
>> >         save("location");
>> >         exit;
>> >
>> >     } else {
>> >         sl_send_reply("403", "Forbidden");
>> >     }
>> > }
>> >
>> >
>> > route[3] {
>> >     ## Requests handler
>> >     if (is_from_local()){
>> >         # From an internal domain -> check the credentials and the FROM
>> >         #if(!allow_trusted()){
>> >         if (!proxy_authorize("","subscriber")) {
>> >             proxy_challenge("","0");
>> >             exit;
>> >         } else if(!db_check_from()) {
>> >             sl_send_reply("403", "Forbidden, use From=ID");
>> >             exit;
>> >         }
>> >
>> >         if (client_nat_test("3")) {
>> >             append_hf("P-hint: route(3)|setflag7,forcerport,fix_contact\r\n");
>> >             setbflag(7);
>> >             force_rport();
>> >             fix_contact();
>> >         }
>> >
>> > ..............
>> >
>> > route[6] {
>> >     #
>> >     # -- NAT Traversal handling --
>> >     #
>> >     # Route[6] is the routing block responsible for activating the MediaProxy, whenever
>> >     # the caller or callee is behind NAT (flags 6 or 7 respectively).
>> >     if (isbflagset(6) || isbflagset(7)) {
>> >         if ( $dd == $si ) {
>> >             xlog("L_INFO", "Both users behind same NAT, so we dont use MediaProxy\n");
>> >             resetbflag(6); # Unset NAT flag general.
>> >             resetbflag(7); # Unset NAT flag general.
>> >         } else {
>> >             append_hf("P-hint: Route[6]: mediaproxy \r\n");
>> >             use_media_proxy();
>> >         }
>> >     }
>> > }
>> >
>> > .............
>> >
>> > onreply_route[1] {
>> >     #
>> >     #-- On-reply block routing --
>> >     #
>> >     if (client_nat_test("1")) {
>> >         append_hf("P-hint: Onreply-route - fixcontact \r\n");
>> >         fix_contact();
>> >     }
>> >
>> >     if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|2[0-9][0-9]")) {
>> >         if (search("^Content-Type:[ ]*application/sdp")) {
>> >             append_hf("P-hint: onreply_route|usemediaproxy \r\n");
>> >             use_media_proxy();
>> >         }
>> >     }
>> >     exit;
>> > }
>> >
>> >
>> > Thanks again for helping. Really appreciate it.
>> >
>> > Regards
>> > Deon
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
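Kennard's first suggestion in the thread above (capture the SIP traffic, look for the P-hint headers and check the IP addresses) can be scripted. This is an added example, not part of the original thread: both sample messages are constructed, and `RELAY_IP` is an assumed MediaProxy relay address.

```python
import ipaddress

RELAY_IP = "203.0.113.10"  # assumed MediaProxy relay address, not from the thread
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed 200 OK as it could look after onreply_route[1] engaged the relay.
RELAYED_200 = "\r\n".join([
    "SIP/2.0 200 OK",
    "Contact: <sip:1001@198.51.100.7:1024>",
    "P-hint: Onreply-route - fixcontact",
    "P-hint: onreply_route|usemediaproxy",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=- 1 1 IN IP4 192.168.1.20", "s=-",
    "c=IN IP4 203.0.113.10", "t=0 0", "m=audio 50000 RTP/AVP 0 8", ""])
# Constructed 200 OK where the phone's private address was left untouched.
DIRECT_200 = "\r\n".join([
    "SIP/2.0 200 OK",
    "Contact: <sip:1001@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=- 1 1 IN IP4 192.168.1.20", "s=-",
    "c=IN IP4 192.168.1.20", "t=0 0", "m=audio 16384 RTP/AVP 0 8", ""])

def classify(addr, relay_ip=RELAY_IP):
    if addr is None:
        return "missing"              # SDP carried no c= line for this stream
    if addr == relay_ip:
        return "relayed"
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in n for n in RFC1918) else "public"

def inspect_sip(raw, relay_ip=RELAY_IP):
    """Summarise one captured SIP message: P-hint values and where RTP is sent."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hints = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("p-hint:")]
    session_addr, media = None, []
    for l in body.split("\r\n"):
        if l.startswith("c=") and media:
            media[-1][0] = l.split()[-1]      # media-level c= overrides session-level
        elif l.startswith("c="):
            session_addr = l.split()[-1]
        elif l.startswith("m="):
            media.append([session_addr, int(l.split()[1])])
    return {"start": lines[0], "hints": hints,
            "media": [(a, p, classify(a, relay_ip)) for a, p in media]}
```

A `private` verdict on a message that has crossed the proxy means the SDP was not rewritten, which only yields working audio when both phones sit behind the same NAT.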