[OpenSIPS-Users] Example config for NATed UACs, RTPproxy, and NATed OpenSIPS (version 1.6.4)

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Jan 10 11:25:36 CET 2011


Hi Damon,

Well, the answer is simple - download the opensips virtual machine 
(http://www.voice-system.ro/shortcuts::opensips_livedvd)  were you have 
a ready to run opensips platform with NAT traversal support - you can 
see in the script form the VM how the NAT traversal is done (for 
signalling and media).

If you have questions on that, please come back here.

Regards,
Bogdan

Damon Miller wrote:
> All,
>
>
> I've seen many requests for an example working config that shows a working RTPproxy configuration with NATed clients, but I haven't seen many responses.  I recently spent an absurd amount of time getting a working configuration in place so I thought I would post it here in case it's helpful to anyone.
>
> Three quick points:
>
> 1.  I have only tested this with clients behind a NAT firewall, i.e. I haven't tested with clients that have a public IP.
>
>
> 2.  My OpenSIPS server is behind a NAT firewall itself.  To deal with this, I added the two "advertised" options, as follows:
>
> advertised_address="xx.xx.xx.xx"
> alias="xx.xx.xx.xx:5060
>
>
> (Replace the "xx.xx.xx.xx" with the NAT firewall's public IP.)
>
> I also had to use a modified version of RTPproxy that presents the firewall's public IP even though it binds to a private IP.  Here's a post which summarizes that version of RTPproxy:
>
> http://opensips-open-sip-server.1449251.n2.nabble.com/Rtpproxy-behind-the-NAT-td5008041.html
>
>
> I run RTPproxy like this:
>
> rtpproxy -A xx.xx.xx.xx -l 192.168.20.154 -s udp:127.0.0.1:12221 -m 25000 -M 65000 -F -d DBUG:LOCAL1
>
>
> 3.  I had to "tell" OpenSIPS that my firewall's public IP was one of its local domains.  I'm using MySQL as you'll see in the config file so all I had to do was insert a value into the 'domain' table.  That was pretty obvious, i.e.:
>
> mysql> insert into domain (domain) values ("xx.xx.xx.xx");
>
> (Replace 'xx.xx.xx.xx' with your public IP.)
>
>
>
> Here's my 'opensips.cfg' file:
>
> --
>
> # ----------- global configuration parameters ------------------------
> debug=3
> fork=yes
> log_facility=LOG_LOCAL0
> log_stderror=no
> children=4
> port=5060
> dns=no
> rev_dns=no
>
> advertised_address="xx.xx.xx.xx"
> alias="xx.xx.xx.xx:5060"
>
> # ------------------ module loading ----------------------------------
> mpath="/usr/local/lib64/opensips/modules/"
> loadmodule "db_mysql.so"
> loadmodule "signaling.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri.so"
> loadmodule "nathelper.so"
> loadmodule "domain.so"
>
> # ----------------- setting module-specific parameters ---------------
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
> modparam("usrloc", "db_url", "mysql://opensipsrw:opensipsrw@localhost/opensips")
> modparam("usrloc", "db_mode", 2)
> modparam("rr", "enable_full_lr", 1)
> modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:12221")
> modparam("nathelper", "nortpproxy_str", "")
> modparam("domain", "db_url", "mysql://opensipsrw:opensipsrw@localhost/opensips")
>
> ################## NAT ######################
> modparam("usrloc", "nat_bflag", 6)
> modparam("nathelper", "ping_nated_only", 1)
> modparam("nathelper", "sipping_bflag", 8)
> modparam("nathelper", "received_avp", "$avp(i:801)")
> ################## NAT ######################
>
>
> # main routing logic
> route {
>
>     # initial sanity checks
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     };
>
>     if (msg:len >=  2048 ) {
>         sl_send_reply("513", "Message too big");
>         exit;
>     };
>
>
>     ################## NAT ######################
>     if (nat_uac_test("3")) {
>
>         if (is_method("REGISTER") && !is_present_hf("Record-Route")) {
>
>             # Rewrite contact with source IP of signalling
>             fix_nated_contact();
>
>             force_rport();
>             setbflag(6); # Mark as NATed
>
>             # if you want SIP NAT pinging
>             setbflag(8);
>         };
>     };
>     ################## NAT ######################
>
>     if (!method=="REGISTER")
>         record_route();
>
>     # subsequent messages withing a dialog should take the
>     # path determined by record-routing
>     if (loose_route()) {
>         # mark routing logic in request
>         append_hf("P-hint: rr-enforced\r\n");
>         route(1);
>     };
>
>     if (!uri==myself) {
>         # mark routing logic in request
>         append_hf("P-hint: outbound\r\n");
>         route(1);
>     };
>
>     if (uri==myself) {
>         if (method=="REGISTER") {
>             save("location");
>             exit;
>         };
>     }
>
>     if (is_method("BYE"))
>         unforce_rtp_proxy();
>   
>     if (!lookup("location","m")) {
>         switch ($retcode) {
>             case -1:
>             case -3:
>                 t_newtran();
>                 t_on_failure("1");
>                 t_reply("404", "Not Found");
>                 exit;
>             case -2:
>                 sl_send_reply("405", "Method Not Allowed");
>                 exit;
>         }
>     };
>
>     route(1);
> }
>
>
>
> route[1] {
>
>     ################## NAT ######################
>     if (uri=~"[@:](192\.168\.10\.172\.(1[6-9]2[0-9]3[0-1])\.)" && !search("^Route:")) {
>         sl_send_reply("479", "We don't forward to private IP addresses");
>         exit;
>     };
>
>     # if client or server know to be behind a NAT, enable relay
>     if (isbflagset(6)) {
>         if (has_body("application/sdp")) {
>             rtpproxy_offer("o");
>         };
>     };
>
>     t_on_reply("1");
>     ################## NAT ######################
>
>
>     # send it out now; use stateful forwarding as it works
>     # reliably even for UDP2TCP
>     if (!t_relay()) {
>         sl_reply_error();
>     };
>
>     exit;
> }
>
>
>
> onreply_route[1] {
>
>     ################## NAT ######################
>     if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>         fix_nated_contact();
>         if (has_body("application/sdp")) {
>             rtpproxy_answer("o");
>         };
>
>         # Is this a transaction behind a NAT and we did not
>         # know at time of request processing?
>     } else if (nat_uac_test("1")) {
>         fix_nated_contact();
>     };
>     ################## NAT ######################
>
> }
>
> failure_route[1] {
>     unforce_rtp_proxy();
> }
>
> --
>
>
> I hope this saves someone some time.
>
>
>
> Damon
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>   


-- 
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami,  USA
www.voice-system.ro




More information about the Users mailing list