[OpenSIPS-Users] Example config for NATed UACs, RTPproxy, and NATed OpenSIPS (version 1.6.4)
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Wed Jan 12 19:59:05 CET 2011
James, never user openVZ so far..there are a log of VM technologies out
there :)....For the moment we release the opensips live distro on VMware
as that;s the main what we used...not sure what are the other main VM
tech used by other people...
Regards,
Bogdan
James Lamanna wrote:
> Bogdan,
> Wow, I didn't know about the live DVD.
> Any chance someone could create this as an OpenVZ container in
> addition to VMWare?
>
> -- James
>
> On Mon, Jan 10, 2011 at 2:25 AM, Bogdan-Andrei Iancu
> <bogdan at voice-system.ro> wrote:
>
>> Hi Damon,
>>
>> Well, the answer is simple - download the opensips virtual machine
>> (http://www.voice-system.ro/shortcuts::opensips_livedvd) were you have a
>> ready to run opensips platform with NAT traversal support - you can see in
>> the script form the VM how the NAT traversal is done (for signalling and
>> media).
>>
>> If you have questions on that, please come back here.
>>
>> Regards,
>> Bogdan
>>
>> Damon Miller wrote:
>>
>>> All,
>>>
>>>
>>> I've seen many requests for an example working config that shows a working
>>> RTPproxy configuration with NATed clients, but I haven't seen many
>>> responses. I recently spent an absurd amount of time getting a working
>>> configuration in place so I thought I would post it here in case it's
>>> helpful to anyone.
>>>
>>> Three quick points:
>>>
>>> 1. I have only tested this with clients behind a NAT firewall, i.e. I
>>> haven't tested with clients that have a public IP.
>>>
>>>
>>> 2. My OpenSIPS server is behind a NAT firewall itself. To deal with
>>> this, I added the two "advertised" options, as follows:
>>>
>>> advertised_address="xx.xx.xx.xx"
>>> alias="xx.xx.xx.xx:5060
>>>
>>>
>>> (Replace the "xx.xx.xx.xx" with the NAT firewall's public IP.)
>>>
>>> I also had to use a modified version of RTPproxy that presents the
>>> firewall's public IP even though it binds to a private IP. Here's a post
>>> which summarizes that version of RTPproxy:
>>>
>>>
>>> http://opensips-open-sip-server.1449251.n2.nabble.com/Rtpproxy-behind-the-NAT-td5008041.html
>>>
>>>
>>> I run RTPproxy like this:
>>>
>>> rtpproxy -A xx.xx.xx.xx -l 192.168.20.154 -s udp:127.0.0.1:12221 -m 25000
>>> -M 65000 -F -d DBUG:LOCAL1
>>>
>>>
>>> 3. I had to "tell" OpenSIPS that my firewall's public IP was one of its
>>> local domains. I'm using MySQL as you'll see in the config file so all I
>>> had to do was insert a value into the 'domain' table. That was pretty
>>> obvious, i.e.:
>>>
>>> mysql> insert into domain (domain) values ("xx.xx.xx.xx");
>>>
>>> (Replace 'xx.xx.xx.xx' with your public IP.)
>>>
>>>
>>>
>>> Here's my 'opensips.cfg' file:
>>>
>>> --
>>>
>>> # ----------- global configuration parameters ------------------------
>>> debug=3
>>> fork=yes
>>> log_facility=LOG_LOCAL0
>>> log_stderror=no
>>> children=4
>>> port=5060
>>> dns=no
>>> rev_dns=no
>>>
>>> advertised_address="xx.xx.xx.xx"
>>> alias="xx.xx.xx.xx:5060"
>>>
>>> # ------------------ module loading ----------------------------------
>>> mpath="/usr/local/lib64/opensips/modules/"
>>> loadmodule "db_mysql.so"
>>> loadmodule "signaling.so"
>>> loadmodule "sl.so"
>>> loadmodule "tm.so"
>>> loadmodule "rr.so"
>>> loadmodule "maxfwd.so"
>>> loadmodule "usrloc.so"
>>> loadmodule "registrar.so"
>>> loadmodule "textops.so"
>>> loadmodule "mi_fifo.so"
>>> loadmodule "uri.so"
>>> loadmodule "nathelper.so"
>>> loadmodule "domain.so"
>>>
>>> # ----------------- setting module-specific parameters ---------------
>>> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>>> modparam("usrloc", "db_url",
>>> "mysql://opensipsrw:opensipsrw@localhost/opensips")
>>> modparam("usrloc", "db_mode", 2)
>>> modparam("rr", "enable_full_lr", 1)
>>> modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:12221")
>>> modparam("nathelper", "nortpproxy_str", "")
>>> modparam("domain", "db_url",
>>> "mysql://opensipsrw:opensipsrw@localhost/opensips")
>>>
>>> ################## NAT ######################
>>> modparam("usrloc", "nat_bflag", 6)
>>> modparam("nathelper", "ping_nated_only", 1)
>>> modparam("nathelper", "sipping_bflag", 8)
>>> modparam("nathelper", "received_avp", "$avp(i:801)")
>>> ################## NAT ######################
>>>
>>>
>>> # main routing logic
>>> route {
>>>
>>> # initial sanity checks
>>> if (!mf_process_maxfwd_header("10")) {
>>> sl_send_reply("483","Too Many Hops");
>>> exit;
>>> };
>>>
>>> if (msg:len >= 2048 ) {
>>> sl_send_reply("513", "Message too big");
>>> exit;
>>> };
>>>
>>>
>>> ################## NAT ######################
>>> if (nat_uac_test("3")) {
>>>
>>> if (is_method("REGISTER") && !is_present_hf("Record-Route")) {
>>>
>>> # Rewrite contact with source IP of signalling
>>> fix_nated_contact();
>>>
>>> force_rport();
>>> setbflag(6); # Mark as NATed
>>>
>>> # if you want SIP NAT pinging
>>> setbflag(8);
>>> };
>>> };
>>> ################## NAT ######################
>>>
>>> if (!method=="REGISTER")
>>> record_route();
>>>
>>> # subsequent messages withing a dialog should take the
>>> # path determined by record-routing
>>> if (loose_route()) {
>>> # mark routing logic in request
>>> append_hf("P-hint: rr-enforced\r\n");
>>> route(1);
>>> };
>>>
>>> if (!uri==myself) {
>>> # mark routing logic in request
>>> append_hf("P-hint: outbound\r\n");
>>> route(1);
>>> };
>>>
>>> if (uri==myself) {
>>> if (method=="REGISTER") {
>>> save("location");
>>> exit;
>>> };
>>> }
>>>
>>> if (is_method("BYE"))
>>> unforce_rtp_proxy();
>>> if (!lookup("location","m")) {
>>> switch ($retcode) {
>>> case -1:
>>> case -3:
>>> t_newtran();
>>> t_on_failure("1");
>>> t_reply("404", "Not Found");
>>> exit;
>>> case -2:
>>> sl_send_reply("405", "Method Not Allowed");
>>> exit;
>>> }
>>> };
>>>
>>> route(1);
>>> }
>>>
>>>
>>>
>>> route[1] {
>>>
>>> ################## NAT ######################
>>> if (uri=~"[@:](192\.168\.10\.172\.(1[6-9]2[0-9]3[0-1])\.)" &&
>>> !search("^Route:")) {
>>> sl_send_reply("479", "We don't forward to private IP addresses");
>>> exit;
>>> };
>>>
>>> # if client or server know to be behind a NAT, enable relay
>>> if (isbflagset(6)) {
>>> if (has_body("application/sdp")) {
>>> rtpproxy_offer("o");
>>> };
>>> };
>>>
>>> t_on_reply("1");
>>> ################## NAT ######################
>>>
>>>
>>> # send it out now; use stateful forwarding as it works
>>> # reliably even for UDP2TCP
>>> if (!t_relay()) {
>>> sl_reply_error();
>>> };
>>>
>>> exit;
>>> }
>>>
>>>
>>>
>>> onreply_route[1] {
>>>
>>> ################## NAT ######################
>>> if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>>> fix_nated_contact();
>>> if (has_body("application/sdp")) {
>>> rtpproxy_answer("o");
>>> };
>>>
>>> # Is this a transaction behind a NAT and we did not
>>> # know at time of request processing?
>>> } else if (nat_uac_test("1")) {
>>> fix_nated_contact();
>>> };
>>> ################## NAT ######################
>>>
>>> }
>>>
>>> failure_route[1] {
>>> unforce_rtp_proxy();
>>> }
>>>
>>> --
>>>
>>>
>>> I hope this saves someone some time.
>>>
>>>
>>>
>>> Damon
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>> --
>> Bogdan-Andrei Iancu
>> OpenSIPS Event - expo, conf, social, bootcamp
>> 2 - 4 February 2011, ITExpo, Miami, USA
>> www.voice-system.ro
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
--
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami, USA
www.voice-system.ro
More information about the Users
mailing list