[OpenSIPS-Users] 2 UAs behind same NAT Device
Kennard White
kennard_white at logitech.com
Wed Nov 3 19:43:05 CET 2010
Hi Deon,
I don't have experience doing what you're trying to doing. Only comment I
have is that I doubt short-circuiting media-relay based upon SIP message
source IPs is unlikely to work well.
Kennard
On Tue, Nov 2, 2010 at 11:17 PM, Deon Vermeulen <vermeulen.deon at gmail.com>wrote:
> Morning Kennard
>
> I really appreciate your feedback.
>
> I will be serving different networks, but will have control over most
> of them or at least be able to assist 3rd party vendors for those I
> don't.
>
> As for another NAT device behind the "Main" Firewall, there wouldn't
> be an issue like that, but would be a "nice to have" just in case I
> run into something like that.
>
> I think it would be best that I explain what I would like to achieve
> to clarify what my idea is:
>
> I have a Multi-Tenant solution running on Multiple Asterisk Servers.
> The solution currently works for customer that has an VPN/MPLS
> connection to me, but I would like to expand my services over the
> Internet for smaller customers who can not afford VPN/MPLS connections
> to me, but would like to make use of this service.
> I would also like to extend this service to have Follow me for my
> current customers via their mobile devices, from home, etc...
> The Multi-Tenant Asterisk Servers use one Database and handle all
> Media including Hunt groups, IVR, Speed Dials, Black/White listing,
> Connectivity to the PSTN via external Gateways, etc...
> I am looking at OpenSIPS to only help resolve the NAT issue and do
> Load-Balancing between my Asterisk Multi-Tenant servers.
>
> Hope this clarifies what I am looking to achieving.
>
> I would really appreciate your help with this.
> Perhaps a sample config of how you would do this would be awesome.
>
> Thanks again.
>
> Best Regards
> Deon
>
>
> So, I am looking at OpenSIPS to help provide LoadBalancing/Load
> Sharing between couple of Asterisk Servers, which will cut down a lot
> on expenses.
>
> On 03 Nov 2010, at 5:26 AM, Kennard White wrote:
>
> > Hi Deon,
> >
> > For better or worse there are many ways to configure opensips
> > depending upon exactly what you are doing. Re your route6, it should
> > be invoked from some branch route. One way branch routes are
> > established is using t_on_branch(). Your route(3) (or somewhere)
> > must be doing a lookup() and establish a branch route.
> >
> > As someone else said, a key question with what you're trying to do
> > is: is your network an open or closed environment? If open
> > environment (where you cannot control/know the networks where your
> > users are) then non-ICE short-circuiting media relay will fail for
> > people behind non-hairpinning firewalls or double firewalls. ICE
> > (and yes, full ICE, not just STUN) is more robust way of avoiding
> > media-relay when not needed. Of course, it has its own issues :-).
> >
> > Kennard
> >
> > On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <
> vermeulen.deon at gmail.com
> > > wrote:
> > Hi Kennard
> >
> > Thanks for the ideas.
> > I really appreciate it.
> >
> > I got the config as an example from the Building Telephony systems
> > with OpenSER.
> > I choose the OpenSER implementation as it describes the implenetation
> > of MediaProxy.
> > Reason for choosing MediaProxy is because I am very, very interested
> > in getting the ICE feature.
> >
> > I thought best to first get this config working before playing around
> > with the ICE configuration.
> >
> > Could you be so kind and perhaps show me where I should call up
> > route(6)?
> >
> > I use fully qualified domain names (i.e domaina.com) for the domain.
> > At the moment I specify the proxy with the IP of my Server as I
> > haven't setup the DNS records yet.
> >
> > I really appreciate your feedback and assistance.
> >
> > Regards
> > Deon
> >
> >
> > On 02 Nov 2010, at 5:08 PM, Kennard White wrote:
> >
> > > Hi Deon,
> > >
> > > Some ideas:
> > > 1. Capture the SIP traffic and see if media proxy is being invoked
> > > in the request and/or response (look for your P-hint messages), and
> > > the IP addresses.
> > > 2. Add xlog messages when you invoke mediarelay to confirm that they
> > > are getting called.
> > > 3. You're comparing $dd (which is a domain) to $si (which is an IP
> > > address). I don't think this will work in the general case, but
> > > maybe you're using IP addresses as your domains?
> > > 4. I don't see the code that invokes route(6) -- I assume that is in
> > > a branch_route not the request route?
> > >
> > > Good luck,
> > > Kennard
> > >
> > > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <
> vermeulen.deon at gmail.com
> > > > wrote:
> > > Hi List
> > >
> > > I'm trying to setup NAT to NOT use MediaProxy when it detects that 2
> > > devices are behind the same NAT Device, but rather have coms go
> > > directly between them.
> > > At the moment I can dial between the 2 phones and answer the call.
> > > The callee phone says "Call Established" upon answer, but the caller
> > > phone still says "trying/connecting".
> > > I am sure this has something to do with my configuration, but I have
> > > "NO IDEA" where to start looking.
> > > The phones are setup to use their local IPs with no other STUN, ICE,
> > > or "proxy like" configurations.
> > > Below is a snipped from my opensips.cfg with the NAT configs and
> > would
> > > really appreciate any help to get this working.
> > >
> > > modparam("rr", "enable_full_lr", 1)
> > > modparam("registrar", "received_avp", "$avp(i:42)")
> > > modparam("usrloc", "db_mode", 2)
> > > modparam("usrloc", "nat_bflag", 6)
> > > modparam("domain", "db_mode", 1) # Use caching
> > > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)
> > > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|
> > > siptrace|group|avpops|presence", "db_url", "mysql://
> > > opensips:opensipsrw at localhost/opensips")
> > > modparam("nathelper", "natping_interval", 10)
> > > modparam("nathelper", "received_avp", "$avp(i:42)")
> > > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-
> > > dispatcher.sock")
> > > modparam("mediaproxy", "mediaproxy_timeout", 500)
> > > modparam("mi_datagram", "socket_name", "/var/run/opensips/
> > > opensips.sock")
> > > modparam("mi_datagram", "children_count", 4)
> > >
> > >
> > > # ------------------------- request routing logic
> > > ------------------- #
> > >
> > > route{
> > >
> > > #
> > > # -- 1 -- Request Validation
> > > #
> > > if (!mf_process_maxfwd_header("10")) {
> > > sl_send_reply("483","Too Many Hops");
> > > exit;
> > > }
> > >
> > > if (msg:len >= 2048 ) {
> > > sl_send_reply("513", "Message too big");
> > > exit;
> > > }
> > >
> > > #
> > > # -- 2 -- Routing Preprocessing
> > > #
> > > ## Record-route all except Register
> > > ## Mark packets with nat=yes
> > > ## This mark will be used to identify the request in the loose
> > > ## route section
> > > if(!is_method("REGISTER")){
> > > if(nat_uac_test("19")){
> > > record_route(";nat=yes");
> > > } else {
> > > record_route();
> > > }
> > > }
> > >
> > > ##Loose_route packets
> > > if (has_totag()) {
> > > #sequential request withing a dialog should
> > > # take the path determined by record-routing
> > > if (loose_route()) {
> > > #Check authentication of re-invites
> > > if(method=="INVITE") {
> > > if (!proxy_authorize("","subscriber")) {
> > > proxy_challenge("","1");
> > > exit;
> > > } else if (!db_check_from()) {
> > > sl_send_reply("403", "Forbidden, use From=ID");
> > > exit;
> > > }
> > > }
> > > ## BYE and CANCEL message handling
> > > if(method=="BYE" || method=="CANCEL") {
> > > end_media_session();
> > > }
> > > ##Detect requests in the dialog behind NAT and flag with 6
> > > if(nat_uac_test("19") || search("^Route:.*;nat=yes")){
> > > append_hf("P-hint: LR|fixcontact,setflag6,
> > mediaproxy
> > > \r\n");
> > > fix_contact();
> > > setbflag(6);
> > > use_media_proxy();
> > > }
> > > route(1);
> > > } else {
> > > sl_send_reply("404","Not here");
> > > }
> > > exit;
> > > }
> > >
> > > #CANCEL processing
> > > if (is_method("CANCEL")) {
> > > if (t_check_trans()) {
> > > end_media_session();
> > > t_relay();
> > > }
> > > exit;
> > > }
> > >
> > > t_check_trans();
> > >
> > > #
> > > # -- 3 -- Determine Request Target
> > > #
> > > if (method=="REGISTER") {
> > > route(2);
> > > } else {
> > > route(3);
> > > }
> > > }
> > >
> > >
> > > route[1] {
> > > #
> > > # -- 4 -- Forward request to target
> > > #
> > > # Forward statefully
> > > t_on_reply("1");
> > > t_on_failure("1");
> > > if (!t_relay()) {
> > > sl_reply_error();
> > > }
> > > exit;
> > > }
> > >
> > > route[2] {
> > > ## Register request handler
> > > if (is_uri_host_local()) {
> > > if (!www_authorize("", "subscriber")) {
> > > www_challenge("", "1");
> > > exit;
> > > }
> > >
> > > if (!db_check_to()) {
> > > sl_send_reply("403", "Forbidden");
> > > exit;
> > > }
> > >
> > > # Test to see if Caller is behind NAT
> > > if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
> > > setbflag(6);
> > > fix_nated_register();
> > > force_rport();
> > > }
> > > save("location");
> > > exit;
> > >
> > > } else {
> > > sl_send_reply("403", "Forbidden");
> > > }
> > > }
> > >
> > >
> > > route[3] {
> > > ## Requests handler
> > > if (is_from_local()){
> > > # From an internal domain -> check the credentials and the
> > > FROM
> > > #if(!allow_trusted()){
> > > if (!proxy_authorize("","subscriber")) {
> > > proxy_challenge("","0");
> > > exit;
> > > } else if(!db_check_from()) {
> > > sl_send_reply("403", "Forbidden, use From=ID");
> > > exit;
> > > }
> > >
> > > if (client_nat_test("3")) {
> > > append_hf("P-hint: route(3)|
> > > setflag7,forcerport,fix_contact\r\n");
> > > setbflag(7);
> > > force_rport();
> > > fix_contact();
> > > }
> > >
> > > ..............
> > >
> > > route[6] {
> > > #
> > > # -- NAT Traversal handling --
> > > #
> > > # Route[6] is the routing block responsible for activating the
> > > MediaProxy, whenever
> > > # the caller or callee is behind NAT (flags 6 or 7
> > respectively).
> > > if (isbflagset(6) || isbflagset(7)) {
> > > if ( $dd == $si ) {
> > > xlog("L_INFO", "Both users behind same NAT, so we
> > > dont use MediaProxy\n");
> > > resetbflag(6); # Unset NAT flag general.
> > > resetbflag(7); # Unset NAT flag general.
> > > } else
> > > append_hf("P-hint: Route[6]: mediaproxy \r\n");
> > > use_media_proxy();
> > > }
> > > }
> > >
> > > .............
> > >
> > > onreply_route[1] {
> > > #
> > > #-- On-replay block routing --
> > > #
> > > if (client_nat_test("1")) {
> > > append_hf("P-hint: Onreply-route - fixcontact \r\n");
> > > fix_contact();
> > > }
> > >
> > > if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|
> > > 2[0-9][0-9]")) {
> > > if (search("^Content-Type:[ ]*application/sdp")) {
> > > append_hf("P-hint: onreply_route|usemediaproxy \r\n");
> > > use_media_proxy();
> > > }
> > > }
> > > exit;
> > > }
> > >
> > >
> > > Thanks again for helping. Really appreciate it.
> > >
> > > Regards
> > > Deon
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.opensips.org
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.opensips.org
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.opensips.org/pipermail/users/attachments/20101103/64cb8546/attachment-0001.htm
More information about the Users
mailing list