[OpenSIPS-Users] 2 UAs behind same NAT Device

Deon Vermeulen vermeulen.deon at gmail.com
Wed Nov 3 12:49:58 CET 2010


Hi List

Anyone else able to assist me?

Really appreciate any help I can get.

Regards
Deon

On 03 Nov 2010, at 8:17 AM, Deon Vermeulen wrote:

> Morning Kennard
>
> I really appreciate your feedback.
>
> I will be serving different networks, but will have control over  
> most of them or at least be able to assist 3rd party vendors for  
> those I don't.
>
> As for another NAT device behind the "Main" Firewall, there wouldn't  
> be an issue like that, but would be a "nice to have" just in case I  
> run into something like that.
>
> I think it would be best that I explain what I would like to achieve  
> to clarify what my idea is:
>
> I have a Multi-Tenant solution running on Multiple Asterisk Servers.
> The solution currently works for customers that have a VPN/MPLS  
> connection to me, but I would like to expand my services over the  
> Internet for smaller customers who can not afford VPN/MPLS  
> connections to me, but would like to make use of this service.
> I would also like to extend this service to have Follow me for my  
> current customers via their mobile devices, from home, etc...
> The Multi-Tenant Asterisk Servers use one Database and handle all  
> Media including Hunt groups, IVR, Speed Dials, Black/White listing,  
> Connectivity to the PSTN via external Gateways, etc...
> I am looking at OpenSIPS to only help resolve the NAT issue and do  
> Load-Balancing between my Asterisk Multi-Tenant servers.
>
> Hope this clarifies what I am looking to achieve.
>
> I would really appreciate your help with this.
> Perhaps a sample config of how you would do this would be awesome.
>
> Thanks again.
>
> Best Regards
> Deon
>
>
> So, I am looking at OpenSIPS to help provide LoadBalancing/Load  
> Sharing between couple of Asterisk Servers, which will cut down a  
> lot on expenses.
>
> On 03 Nov 2010, at 5:26 AM, Kennard White wrote:
>
>> Hi Deon,
>>
>> For better or worse there are many ways to configure opensips  
>> depending upon exactly what you are doing. Re your route6, it  
>> should be invoked from some branch route. One way branch routes are  
>> established is using t_on_branch(). Your route(3) (or somewhere)  
>> must be doing a lookup() and establish a branch route.
>>
>> As someone else said, a key question with what you're trying to do  
>> is: is your network an open or closed environment? If open  
>> environment (where you cannot control/know the networks where your  
>> users are) then non-ICE short-circuiting media relay will fail for  
>> people behind non-hairpinning firewalls or double firewalls. ICE  
>> (and yes, full ICE, not just STUN) is more robust way of avoiding  
>> media-relay when not needed. Of course, it has its own issues :-).
>>
>> Kennard
>>
>> On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
>> Hi Kennard
>>
>> Thanks for the ideas.
>> I really appreciate it.
>>
>> I got the config as an example from the Building Telephony systems
>> with OpenSER.
>> I chose the OpenSER implementation as it describes the implementation
>> of MediaProxy.
>> Reason for choosing MediaProxy is because I am very, very interested
>> in getting the ICE feature.
>>
>> I thought best to first get this config working before playing around
>> with the ICE configuration.
>>
>> Could you be so kind and perhaps show me where I should call up
>> route(6)?
>>
>> I use fully qualified domain names (i.e domaina.com) for the domain.
>> At the moment I specify the proxy with the IP of my Server as I
>> haven't setup the DNS records yet.
>>
>> I really appreciate your feedback and assistance.
>>
>> Regards
>> Deon
>>
>>
>> On 02 Nov 2010, at 5:08 PM, Kennard White wrote:
>>
>> > Hi Deon,
>> >
>> > Some ideas:
>> > 1. Capture the SIP traffic and see if media proxy is being invoked
>> > in the request and/or response (look for your P-hint messages), and
>> > the IP addresses.
>> > 2. Add xlog messages when you invoke mediarelay to confirm that they
>> > are getting called.
>> > 3. You're comparing $dd (which is a domain) to $si (which is an IP
>> > address). I don't think this will work in the general case, but
>> > maybe you're using IP addresses as your domains?
>> > 4. I don't see the code that invokes route(6) -- I assume that is in
>> > a branch_route not the request route?
>> >
>> > Good luck,
>> > Kennard
>> >
>> > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <vermeulen.deon at gmail.com> wrote:
>> > Hi List
>> >
>> > I'm trying to set up NAT to NOT use MediaProxy when it detects that 2
>> > devices are behind the same NAT Device, but rather have coms go
>> > directly between them.
>> > At the moment I can dial between the 2 phones and answer the call.
>> > The callee phone says "Call Established" upon answer, but the caller
>> > phone still says "trying/connecting".
>> > I am sure this has something to do with my configuration, but I have
>> > "NO IDEA" where to start looking.
>> > The phones are set up to use their local IPs with no other STUN, ICE,
>> > or "proxy like" configurations.
>> > Below is a snippet from my opensips.cfg with the NAT configs and would
>> > really appreciate any help to get this working.
>> >
>> > modparam("rr", "enable_full_lr", 1)
>> > modparam("registrar", "received_avp", "$avp(i:42)")
>> > modparam("usrloc", "db_mode",   2)
>> > modparam("usrloc", "nat_bflag", 6)
>> > modparam("domain", "db_mode", 1) # Use caching
>> > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)
>> > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|siptrace|group|avpops|presence", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> > modparam("nathelper", "natping_interval", 10)
>> > modparam("nathelper", "received_avp", "$avp(i:42)")
>> > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-dispatcher.sock")
>> > modparam("mediaproxy", "mediaproxy_timeout", 500)
>> > modparam("mi_datagram", "socket_name", "/var/run/opensips/opensips.sock")
>> > modparam("mi_datagram", "children_count", 4)
>> >
>> >
>> > # -------------------------  request routing logic ------------------- #
>> >
>> > route{
>> >
>> >     #
>> >     # -- 1 -- Request Validation
>> >     #
>> >     if (!mf_process_maxfwd_header("10")) {
>> >         sl_send_reply("483","Too Many Hops");
>> >         exit;
>> >     }
>> >
>> >     if (msg:len >=  2048 ) {
>> >         sl_send_reply("513", "Message too big");
>> >         exit;
>> >     }
>> >
>> >     #
>> >     # -- 2 -- Routing Preprocessing
>> >     #
>> >     ## Record-route all except Register
>> >     ## Mark packets with nat=yes
>> >     ## This mark will be used to identify the request in the loose
>> >     ## route section
>> >     if(!is_method("REGISTER")){
>> >         if(nat_uac_test("19")){
>> >             record_route(";nat=yes");
>> >         } else {
>> >             record_route();
>> >         }
>> >     }
>> >
>> >     ##Loose_route packets
>> >     if (has_totag()) {
>> >         #sequential request within a dialog should
>> >         # take the path determined by record-routing
>> >         if (loose_route()) {
>> >             #Check authentication of re-invites
>> >             if(method=="INVITE") {
>> >                 if (!proxy_authorize("","subscriber")) {
>> >                     proxy_challenge("","1");
>> >                     exit;
>> >                 } else if (!db_check_from()) {
>> >                     sl_send_reply("403", "Forbidden, use From=ID");
>> >                     exit;
>> >                 }
>> >             }
>> >             ## BYE and CANCEL message handling
>> >             if(method=="BYE" || method=="CANCEL") {
>> >                 end_media_session();
>> >             }
>> >             ##Detect requests in the dialog behind NAT and flag with 6
>> >             if(nat_uac_test("19") || search("^Route:.*;nat=yes")){
>> >                 append_hf("P-hint: LR|fixcontact,setflag6, mediaproxy \r\n");
>> >                 fix_contact();
>> >                 setbflag(6);
>> >                 use_media_proxy();
>> >             }
>> >             route(1);
>> >         } else {
>> >             sl_send_reply("404","Not here");
>> >         }
>> >         exit;
>> >     }
>> >
>> >     #CANCEL processing
>> >     if (is_method("CANCEL")) {
>> >         if (t_check_trans()) {
>> >             end_media_session();
>> >             t_relay();
>> >         }
>> >         exit;
>> >     }
>> >
>> >     t_check_trans();
>> >
>> >     #
>> >     # -- 3 -- Determine Request Target
>> >     #
>> >     if (method=="REGISTER") {
>> >         route(2);
>> >     } else {
>> >         route(3);
>> >     }
>> > }
>> >
>> >
>> > route[1] {
>> >     #
>> >     # -- 4 -- Forward request to target
>> >     #
>> >     # Forward statefully
>> >     t_on_reply("1");
>> >     t_on_failure("1");
>> >     if (!t_relay()) {
>> >         sl_reply_error();
>> >     }
>> >     exit;
>> > }
>> >
>> > route[2] {
>> >     ## Register request handler
>> >     if (is_uri_host_local()) {
>> >         if (!www_authorize("", "subscriber")) {
>> >             www_challenge("", "1");
>> >             exit;
>> >         }
>> >
>> >         if (!db_check_to()) {
>> >             sl_send_reply("403", "Forbidden");
>> >             exit;
>> >         }
>> >
>> >         # Test to see if Caller is behind NAT
>> >         if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
>> >             setbflag(6);
>> >             fix_nated_register();
>> >             force_rport();
>> >         }
>> >         save("location");
>> >         exit;
>> >
>> >     } else {
>> >         sl_send_reply("403", "Forbidden");
>> >     }
>> > }
>> >
>> >
>> > route[3] {
>> >     ## Requests handler
>> >     if (is_from_local()){
>> >         # From an internal domain -> check the credentials and the FROM
>> >         #if(!allow_trusted()){
>> >         if (!proxy_authorize("","subscriber")) {
>> >             proxy_challenge("","0");
>> >             exit;
>> >         } else if(!db_check_from()) {
>> >             sl_send_reply("403", "Forbidden, use From=ID");
>> >             exit;
>> >         }
>> >
>> >         if (client_nat_test("3")) {
>> >             append_hf("P-hint: route(3)|setflag7,forcerport,fix_contact\r\n");
>> >             setbflag(7);
>> >             force_rport();
>> >             fix_contact();
>> >         }
>> >
>> > ..............
>> >
>> > route[6] {
>> >     #
>> >     # -- NAT Traversal handling --
>> >     #
>> >     # Route[6] is the routing block responsible for activating the MediaProxy, whenever
>> >     # the caller or callee is behind NAT (flags 6 or 7 respectively).
>> >     if (isbflagset(6) || isbflagset(7)) {
>> >            if ( $dd == $si ) {
>> >                    xlog("L_INFO", "Both users behind same NAT, so we dont use MediaProxy\n");
>> >                    resetbflag(6);  # Unset NAT flag general.
>> >                    resetbflag(7);  # Unset NAT flag general.
>> >         } else
>> >         append_hf("P-hint: Route[6]: mediaproxy \r\n");
>> >         use_media_proxy();
>> >     }
>> > }
>> >
>> > .............
>> >
>> > onreply_route[1] {
>> > #
>> > #-- On-reply block routing --
>> > #
>> >     if (client_nat_test("1")) {
>> >         append_hf("P-hint: Onreply-route - fixcontact \r\n");
>> >         fix_contact();
>> >     }
>> >
>> >     if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|2[0-9][0-9]")) {
>> >         if (search("^Content-Type:[ ]*application/sdp")) {
>> >             append_hf("P-hint: onreply_route|usemediaproxy \r\n");
>> >             use_media_proxy();
>> >         }
>> >     }
>> >     exit;
>> > }
>> >
>> >
>> > Thanks again for helping. Really appreciate it.
>> >
>> > Regards
>> > Deon
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
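
Added example (not from the thread or from the OpenSIPS project): one way to wire up what Kennard describes, arming a branch route with t_on_branch() after lookup() so that route(6) runs for each outgoing branch. The placement of lookup("location") in the elided part of route[3], the 404 reply and branch route number 1 are assumptions; the else branch is braced so that use_media_proxy() is skipped on the same-NAT path.

```cfg
# Added illustration, not the poster's configuration.

route[3] {
    # ... authentication and caller NAT test (bflag 7) as in the
    #     posted route[3]; the elided part is assumed to continue here ...

    # Assumption: the callee is resolved from usrloc at this point.
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        exit;
    }

    # Arm a branch route so NAT handling runs once per outgoing
    # branch, after the destination is known. "1" is an arbitrary
    # number chosen for this example.
    t_on_branch("1");

    # route[1] from the posted config: t_on_reply / t_on_failure / t_relay
    route(1);
}

branch_route[1] {
    # This is the call to route(6) that was missing from the posted snippet.
    route(6);
}

route[6] {
    # NAT traversal handling, same test as the posted route[6].
    if (isbflagset(6) || isbflagset(7)) {
        # Kennard's point 3 applies: $dd is the host part of the
        # destination URI and $si is the source IP of the request,
        # so this only matches when $dd actually holds an IP address.
        if ($dd == $si) {
            xlog("L_INFO", "Both users behind same NAT, MediaProxy not used\n");
            resetbflag(6);
            resetbflag(7);
        } else {
            # Braces keep both statements inside the else branch, so
            # the relay is engaged only when the addresses differ.
            append_hf("P-hint: Route[6]: mediaproxy \r\n");
            use_media_proxy();
        }
    }
}
```

With the flags reset on the same-NAT path, the posted onreply_route[1] also skips use_media_proxy() for the reply, since it tests the same branch flags.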



