[OpenSIPS-Users] Sip user behind a NAT
Ignacio Gonzalez
mylaneza at gmail.com
Tue Aug 7 23:53:41 CEST 2012
1. Yes, my proxy is behind a NAT, and my public IP address is mydomain.com.
I created a rule in my router to bind port 5060 to my NAT IP address.
2. Yes, I'm using RTP proxy. I do not understand the rest of the question.
The RTP proxy is on the same machine as OpenSIPS, and I created a rule that
binds a set of ports between the public IP and the NAT IP.
2012/8/7 Ali Pey <alipey at gmail.com>
> Ignacio,
>
> Your configuration script heavily depends on your network setup:
>
> 1- Is your proxy server behind a nat? If so, do you know your public IP
> address?
> 2- Are you using rtp proxy? What's the path for your rtp - through what
> devices with what IPs?
>
>
> On Tue, Aug 7, 2012 at 2:53 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>
>> Hi Ali, I use this configuration script to start my OpenSIPS proxy, and it
>> starts. I only want to know: do you see something wrong?
>> I put in bold the modifications I made to add the nat_traversal module
>> and the advertised_address parameter.
>>
>> In the documentation it says that nat_traversal is straight forward when
>> using a single proxy, ( that is my case ).
>>
>> "In this case the usage is straight forward. The nat_keepalive() function
>> needs to be called before save_location() for REGISTER requests, before
>> handle_subscribe() for SUBSCRIBE requests and before t_relay() for the
>> first INVITE of a dialog. "
>>
>> I do not configure any subscription, and I did not find the save_location
>> function, I assumed that save("location") is a newer version of this
>> function.
>>
>> #CONFIG FILE
>>
>> # Global parameters and module configuration for a single proxy that
>> # listens on the private address 192.168.1.220 and advertises mydomain.com.
>> # The *...* around advertised_address and nat_traversal.so are the poster's
>> # bold markers (see the message text above), not configuration syntax.
>> # The mail client also wrapped long lines: the "# CUSTOMIZE ME" comments
>> # that follow the db_url lines, and the lone "ME" after rtpproxy_sock,
>> # belong to the line before them.
>> debug=3
>> log_stderror=no
>> log_facility=LOG_LOCAL1
>>
>> fork=yes
>> children=4
>>
>> #debug=6
>> #fork=no
>> #log_stderror=yes
>>
>> #disable_dns_blacklist=no
>>
>> #dns_try_ipv6=yes
>>
>> auto_aliases=no
>>
>> # Public name to advertise, since the listen sockets below are bound to a
>> # private address behind the router.
>> *advertised_address="mydomain.com"*
>>
>> listen=udp:192.168.1.220:5060 # CUSTOMIZE ME
>>
>> disable_tcp=no
>> listen=tcp:192.168.1.220:5060 # CUSTOMIZE ME
>>
>> # NOTE(review): TLS is disabled, so signalling (including digest
>> # exchanges) crosses the network in clear text over UDP/TCP.
>> disable_tls=yes
>>
>> mpath="/home/syrium/opensips_proxy/lib/opensips/modules/"
>>
>> loadmodule "signaling.so"
>>
>> loadmodule "sl.so"
>>
>> loadmodule "tm.so"
>> modparam("tm", "fr_timer", 5)
>> modparam("tm", "fr_inv_timer", 30)
>> modparam("tm", "restart_fr_on_each_reply", 0)
>> modparam("tm", "onreply_avp_mode", 1)
>>
>> loadmodule "rr.so"
>> modparam("rr", "append_fromtag", 0)
>>
>> loadmodule "maxfwd.so"
>>
>> loadmodule "sipmsgops.so"
>>
>> loadmodule "mi_fifo.so"
>> # NOTE(review): mode 0666 on a FIFO under /tmp lets every local account
>> # write management (MI) commands to the proxy. Use a restrictive mode and
>> # a non-shared directory; mi_fifo's fifo_user/fifo_group set ownership.
>> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>> modparam("mi_fifo", "fifo_mode", 0666)
>>
>> loadmodule "uri.so"
>> modparam("uri", "use_uri_table", 0)
>> # NOTE(review): the database user and password are embedded in this URL
>> # and repeated for usrloc, acc, auth_db, domain and dialog below. They look
>> # like sample credentials - replace them ("CUSTOMIZE ME") and keep the
>> # script readable only by the OpenSIPS account.
>> modparam("uri", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> loadmodule "db_mysql.so"
>>
>> loadmodule "usrloc.so"
>> # Branch flag 10 marks a stored contact as being behind NAT; the routing
>> # logic sets it with setbflag(10) on REGISTER.
>> modparam("usrloc", "nat_bflag", 10)
>> modparam("usrloc", "db_mode", 2)
>> modparam("usrloc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> loadmodule "registrar.so"
>> modparam("registrar", "tcp_persistent_flag", 7)
>> # Same AVP name as nathelper's received_avp below, so both modules agree
>> # on where the observed source address of a NATed contact is kept.
>> modparam("registrar", "received_avp", "$avp(received_nh)")
>> #modparam("registrar", "max_contacts", 10)
>>
>> loadmodule "acc.so"
>> modparam("acc", "early_media", 0)
>> modparam("acc", "report_cancels", 0)
>> modparam("acc", "detect_direction", 0)
>> # Flags 1, 2 and 3 are the ones the routing logic sets for accounting,
>> # missed calls and failed transactions.
>> modparam("acc", "failed_transaction_flag", 3)
>> modparam("acc", "db_flag", 1)
>> modparam("acc", "db_missed_flag", 2)
>> modparam("acc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> loadmodule "auth.so"
>> loadmodule "auth_db.so"
>> # NOTE(review): with calculate_ha1 enabled, auth_db computes HA1 from the
>> # value in password_column, i.e. the subscriber table holds plaintext
>> # passwords. Storing precomputed HA1 values avoids keeping plaintext.
>> modparam("auth_db", "calculate_ha1", yes)
>> modparam("auth_db", "password_column", "password")
>> modparam("auth_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>> modparam("auth_db", "load_credentials", "")
>>
>> loadmodule "domain.so"
>> modparam("domain", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>> modparam("domain", "db_mode", 1) # Use caching
>> modparam("auth_db|usrloc|uri", "use_domain", 1)
>>
>> loadmodule "dialog.so"
>> modparam("dialog", "dlg_match_mode", 1)
>> modparam("dialog", "default_timeout", 21600) # 6 hours timeout
>> modparam("dialog", "db_mode", 2)
>> modparam("dialog", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
>> # CUSTOMIZE ME
>>
>> # nat_traversal is loaded in addition to nathelper. nathelper already
>> # pings NATed contacts every 10 seconds below, while the routing logic
>> # also calls nat_traversal's nat_keepalive().
>> # NOTE(review): presumably only one of the two needs to own keepalives -
>> # confirm against the module documentation.
>> *loadmodule "nat_traversal.so"*
>>
>> loadmodule "nathelper.so"
>> modparam("nathelper", "natping_interval", 10)
>> modparam("nathelper", "ping_nated_only", 1)
>> modparam("nathelper", "received_avp", "$avp(received_nh)")
>>
>> loadmodule "rtpproxy.so"
>> # Control socket of the RTP proxy, reached over UDP on localhost.
>> modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE
>> ME
>>
>> ####### Routing Logic ########
>>
>> # Main request route: NAT detection, in-dialog handling, CANCEL,
>> # authentication, REGISTER processing and user-location lookup.
>> # The mail client wrapped long lines, so a few fragments below stand on a
>> # line of their own although they belong to the comment or string before
>> # them: 'according to dialog\n");', 'set', 'loose_route()', 'after',
>> # 'to be', 'local)' and '[$fu/$tu/$ru/$ci]");'. Rejoin them before loading
>> # the script. The *...* around the client_nat_test() block is the poster's
>> # bold marker, not configuration syntax.
>> route{
>> force_rport();
>> # nathelper NAT tests (bitmask 23 = 1+2+4+16). A NATed REGISTER gets
>> # branch flag 10, which usrloc stores with the contact (nat_bflag);
>> # any other NATed request gets its Contact rewritten and message flag 10.
>> if (nat_uac_test("23")) {
>> if (is_method("REGISTER")) {
>> fix_nated_register();
>> setbflag(10);
>> } else {
>> fix_nated_contact();
>> setflag(10);
>> }
>> }
>>
>>
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483","Too Many Hops");
>> exit;
>> }
>>
>> if (has_totag()) {
>> # sequential request withing a dialog should
>> # take the path determined by record-routing
>> if (loose_route()) {
>>
>> # validate the sequential request against dialog
>> # NOTE(review): the exit below is commented out, so a request that
>> # fails validate_dialog() is only logged and is still relayed by
>> # route(1) further down.
>> if ( $DLG_status!=NULL && !validate_dialog() ) {
>> xlog("In-Dialog $rm from $si (callid=$ci) is not valid
>> according to dialog\n");
>> ## exit;
>> }
>>
>> if (is_method("BYE")) {
>> setflag(1); # do accounting ...
>> setflag(3); # ... even if the transaction fails
>> } else if (is_method("INVITE")) {
>> # even if in most of the cases is useless, do RR for
>> # re-INVITEs alos, as some buggy clients do change route
>> set
>> # during the dialog.
>> record_route();
>> }
>>
>> # ";nat=yes" is the Record-Route parameter that route[1] adds when
>> # flag 10 is set; reading it back restores the NAT flag in-dialog.
>> if (check_route_param("nat=yes"))
>> setflag(10);
>>
>> # route it out to whatever destination was set by
>> loose_route()
>> # in $du (destination URI).
>> route(1);
>> } else {
>>
>> if ( is_method("ACK") ) {
>> if ( t_check_trans() ) {
>> # non loose-route, but stateful ACK; must be an ACK
>> after
>> # a 487 or e.g. 404 from upstream server
>> t_relay();
>> exit;
>> } else {
>> # ACK without matching transaction ->
>> # ignore and discard
>> exit;
>> }
>> }
>> sl_send_reply("404","Not here");
>> }
>> exit;
>> }
>>
>> # CANCEL processing
>> if (is_method("CANCEL"))
>> {
>> if (t_check_trans())
>> t_relay();
>> exit;
>> }
>>
>> t_check_trans();
>>
>> # Initial non-REGISTER requests: callers claiming a local domain must
>> # pass digest authentication; everyone else may only call local URIs,
>> # which keeps the proxy from acting as an open relay.
>> if ( !(is_method("REGISTER") ) ) {
>>
>> if (is_from_local())
>> {
>>
>> # authenticate if from local subscriber
>> # authenticate all initial non-REGISTER request that pretend
>> to be
>> # generated by local subscriber (domain from FROM URI is
>> local)
>> if (!proxy_authorize("", "subscriber")) {
>> proxy_challenge("", "0");
>> exit;
>> }
>> # reject when the authenticated ID does not match the From URI
>> if (!db_check_from()) {
>> sl_send_reply("403","Forbidden auth ID");
>> exit;
>> }
>>
>> # strip the credentials before the request is relayed
>> consume_credentials();
>> # caller authenticated
>>
>> } else {
>> # if caller is not local, then called number must be local
>>
>> if (!is_uri_host_local()) {
>> send_reply("403","Rely forbidden");
>> exit;
>> }
>> }
>>
>> }
>>
>> # preloaded route checking
>> # An initial request that already carries Route headers is logged and
>> # refused (ACK is dropped silently).
>> if (loose_route()) {
>> xlog("L_ERR", "Attempt to route with preloaded Route's
>> [$fu/$tu/$ru/$ci]");
>> if (!is_method("ACK"))
>> sl_send_reply("403","Preload Route denied");
>> exit;
>> }
>>
>> # record routing
>> if (!is_method("REGISTER|MESSAGE"))
>> record_route();
>>
>> # account only INVITEs
>> if (is_method("INVITE")) {
>>
>> # create dialog with timeout
>> if ( !create_dialog("B") ) {
>> send_reply("500","Internal Server Error");
>> exit;
>> }
>>
>> setflag(1); # do accounting
>> }
>>
>>
>> # Outbound request to a foreign domain. Only authenticated local callers
>> # get here, because non-local callers to non-local URIs were rejected
>> # above. route[1] ends in exit, so processing does not continue below.
>> if (!is_uri_host_local()) {
>> append_hf("P-hint: outbound\r\n");
>>
>> route(1);
>> }
>>
>> # requests for my domain
>>
>> if (is_method("PUBLISH|SUBSCRIBE"))
>> {
>> sl_send_reply("503", "Service Unavailable");
>> exit;
>> }
>>
>> if (is_method("REGISTER"))
>> {
>>
>> # authenticate the REGISTER requests
>> if (!www_authorize("", "subscriber"))
>> {
>> www_challenge("", "0");
>> exit;
>> }
>>
>> # reject when the authenticated ID does not match the To URI, so a
>> # subscriber cannot register a contact for another account
>> if (!db_check_to())
>> {
>> sl_send_reply("403","Forbidden auth ID");
>> exit;
>> }
>>
>> # flag 7 is registrar's tcp_persistent_flag; "|| 0" has no effect
>> if ( proto==TCP || 0 )
>> setflag(7);
>>
>> # nat_traversal keepalive, placed before save() as the module
>> # documentation quoted in the message asks for REGISTER requests
>> *if ( client_nat_test("3") ) {
>> nat_keepalive();
>> }*
>>
>> if (!save("location"))
>> sl_reply_error();
>>
>> exit;
>> }
>>
>> if ($rU==NULL) {
>> # request with no Username in RURI
>> sl_send_reply("484","Address Incomplete");
>> exit;
>> }
>>
>> # do lookup with method filtering
>> if (!lookup("location","m")) {
>> if (!db_does_uri_exist()) {
>> send_reply("420","Bad Extension");
>> exit;
>> }
>>
>> t_newtran();
>> t_reply("404", "Not Found");
>> exit;
>> }
>>
>> # the looked-up contact was registered from behind NAT (branch flag 10):
>> # propagate that to message flag 10 for route[1]
>> if ( isbflagset(10) )
>> setflag(10);
>>
>> # when routing via usrloc, log the missed calls also
>> setflag(2);
>> route(1);
>> }
>>
>>
>> # Relay route, called from the main route for in-dialog, outbound and
>> # usrloc-resolved requests. It always ends in exit.
>> # The *...* around the client_nat_test() block is the poster's bold marker
>> # from the e-mail, not configuration syntax.
>> route[1] {
>> # for INVITEs enable some additional helper routes
>> if (is_method("INVITE")) {
>>
>> # flag 10 = NAT detected: let rtpproxy rewrite the SDP offer
>> if (isflagset(10)) {
>> rtpproxy_offer("ro");
>> }
>>
>> t_on_branch("2");
>> t_on_reply("2");
>> t_on_failure("1");
>>
>> # nat_traversal keepalive, placed before t_relay() as the module
>> # documentation quoted in the message asks for the first INVITE.
>> # NOTE(review): this route is also reached for in-dialog INVITEs,
>> # so the call is not limited to the first INVITE of a dialog.
>> *if ( client_nat_test("3") ) {
>> nat_keepalive();
>> }*
>>
>> }
>>
>> # remember the NAT state in Record-Route; the main route reads it back
>> # with check_route_param("nat=yes") on in-dialog requests
>> if (isflagset(10)) {
>> add_rr_param(";nat=yes");
>> }
>>
>>
>>
>> if (!t_relay()) {
>> send_reply("500","Internal Error");
>> };
>> exit;
>> }
>>
>> # Branch route armed by t_on_branch("2") in route[1]; it only logs the
>> # request URI of each new branch.
>> branch_route[2] {
>> xlog("new branch at $ru\n");
>> }
>>
>> # Reply route armed by t_on_reply("2") in route[1]: fixes the Contact of
>> # replies that pass nathelper test 1 and, when the request was flagged as
>> # NATed (flag 10), lets rtpproxy rewrite the SDP answer.
>> onreply_route[2] {
>> if ( nat_uac_test("1") )
>> fix_nated_contact();
>> if ( isflagset(10) )
>> rtpproxy_answer("ro");
>> xlog("incoming reply\n");
>> }
>>
>> # Failure route armed by t_on_failure("1") in route[1]. It only stops
>> # processing for cancelled transactions; no other failure is handled here.
>> failure_route[1] {
>> if ( t_was_cancelled() ) {
>> exit;
>> }
>> }
>>
>> # Route for requests generated by the proxy itself. A BYE with dialog
>> # direction UPSTREAM is written to the "acc" table with the reason
>> # "200 Dialog Timeout".
>> # NOTE(review): presumably this covers the BYE sent when the dialog
>> # default_timeout expires - confirm against the dialog module docs.
>> local_route {
>> if (is_method("BYE") && $DLG_dir=="UPSTREAM") {
>>
>> acc_db_request("200 Dialog Timeout", "acc");
>>
>> }
>> }
>>
>> Thanks for your time Ali.
>>
>>
>> 2012/8/7 Ignacio Gonzalez <mylaneza at gmail.com>
>>
>>> Ok Ali, I will read more. I have already created the configuration script
>>> with opensips-cp: I created a residential script and selected the
>>> NAT option, but that option just installs the nathelper module, and this is why I
>>> asked you if the nathelper and nat_traversal modules were mutually exclusive. I
>>> will add nat_traversal to my configuration script.
>>>
>>> Another question, where can I read about the differences between
>>> residential and trunking scripts?
>>>
>>>
>>> 2012/8/7 Ali Pey <alipey at gmail.com>
>>>
>>>> Ignacio,
>>>>
>>>> You need to implement nat traversal in your routing script -
>>>> opensips.cfg. IMO, forget about the opensips-cp until you get it to work.
>>>> Once you know how it works, then you know how you can do with the config
>>>> tool. Sounds like you need lots more reading/testing :)
>>>>
>>>> Regards,
>>>> Ali Pey
>>>>
>>>>
>>>> On Mon, Aug 6, 2012 at 1:38 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>>>>
>>>>> Ok, I read about the NAT_TRAVERSAL module. I don't know how to configure it
>>>>> using the configuration tool; do I have to configure it manually? Are the
>>>>> NAT_TRAVERSAL module and the NATHELPER module mutually exclusive?
>>>>>
>>>>>
>>>>> 2012/8/5 Ali Pey <alipey at gmail.com>
>>>>>
>>>>>> Hello Ignacio,
>>>>>>
>>>>>> Yes, you can handle nat and you don't need stun, turn or ICE. In
>>>>>> fact, it's always better to turn off any nat traversal feature on the phone
>>>>>> when you are using a proxy server such as OpenSIPS.
>>>>>>
>>>>>> Check out the nat_traversal module and advertised_address. How you
>>>>>> implement it depends on your network setup:
>>>>>> http://www.opensips.org/html/docs/modules/1.8.x/nat_traversal.html
>>>>>>
>>>>>> Regards,
>>>>>> Ali Pey
>>>>>>
>>>>>> On Sat, Aug 4, 2012 at 5:31 PM, Ignacio Gonzalez <mylaneza at gmail.com>wrote:
>>>>>>
>>>>>>> Hello everybody, I have configured my OpenSIPS proxy with
>>>>>>> NAT_TRAVERSAL support using the new configuration tool. I developed a
>>>>>>> softphone using JAIN-SIP, and I think JAIN-SIP does not implement STUN, TURN
>>>>>>> and ICE for NAT traversal (RFC 6314). Is there any way to do NAT traversal
>>>>>>> without making a new softphone with another library?
>>>>>>>
>>>>>>> I also have tested this softphone with Inphonex, and this company
>>>>>>> use openSER in its proxy and the softphone works fine, but i don't know how
>>>>>>> they do that, so I thought to ask if is something I can do in the
>>>>>>> configuration file of my proxy or they use something else to solve this
>>>>>>> problem.
>>>>>>>
>>>>>>> Thanks for all.
>>>>>>>