[OpenSIPS-Users] Opensips behind a NAT - change record-route

Răzvan Crainea razvan at opensips.org
Fri Jan 12 04:35:46 EST 2018 

Hi, John!

See the answers inline.

Best regards,

Răzvan Crainea
OpenSIPS Developer
www.opensips-solutions.com

On 01/11/2018 07:16 PM, John Hablitzel wrote:
> Relatively new to OpenSIPS but have been working with Asterisk and 
> VoIP for several years.  We want to use the load balancer or 
> dispatcher modules to distribute inbound calls from a SIP provider 
> among several Asterisk servers.  This will be coming in from another 
> private network that is out of our control, therefore security is 
> definitely required.  We won't be using OpenSIPS to control far-end 
> clients that are behind NAT (far-end).
>
> I know that it is recommended in this situation that OpenSIPS be on a 
> public IP (or IP on the "outside" network", but the requirement in 
> this particular situation is that this must be behind a NAT firewall, 
> as there are other IP communications from servers on the the internal 
> network that must use this same outside IP for communications with 
> other services.  The outside network provider only allows us to have a 
> single IP on their network for everything.
>
> I have the inbound calls mostly working now in my lab with the LB 
> module, using RTPProxy to anchor the media and some of the nathelper 
> stuff.  However am seeing issues with the ACK on the 200OK being sent 
> to the internal OpenSIPS IP and not the external IP on the NAT.  I 
> believe this is due to the Internal IP being in the record-route 
> header on the 200OK.  Pouring through the forums and other 
> documentation I can find, I haven't been able to find any way to 
> change this.
>
> So I have 2 questions:
> 1) Is OpenSIPS even capable of operating in this mode?  In everything 
> I've read, there is a bunch of documentation about handling NAT at the 
> far-end, where UAC's are behind a NAT, but very little (and nothing 
> with any concrete solution) about using OpenSIPS server behind a NAT.
Yes, OpenSIPS can operate in this mode, you can read more about this in 
this blogpost:
https://blog.opensips.org/2017/10/25/running-opensips-in-the-cloud/
> 2) if it is possible, can anyone provide a sample .cfg where they are 
> have accomplished it?  I tried adding record_route_preset to the reply 
> section, but OpenSIPS complains saying it can't be added in a reply 
> section.
I think the answer to the second question is actually another article 
that we are preparing: how to have OpenSIPS behind NAT, bridging between 
two networks. Unfortunately it's not yet ready.

IMO, the simplest way to achieve what you want is to use in OpenSIPS two 
different listeners: one towards the trunk provider, with the proper 
advertised IP address, and one towards the asterisk boxes:

listen=udp:10.95.95.220:5080 as 192.168.85.252:5060 # replace last 5060 
with your public port
listen=udp:10.95.95.220:5060 # listener for communicating with Asterisk

Now, all you have to do, is to change the interface used: after 
lb_start(), force the usage of the private interface:

force_send_socket(udp:10.95.95.220:5060); # forces the message to go out 
throught he private interface

Hope this helps you.

PS: for large posts, and scripts, please use an external storage, such 
as pastebin.com

Best regards,
Răzvan

More information about the Users mailing list