Hi Deon,<br><br>I don't have experience doing what you're trying to do. Only comment I have is that I doubt short-circuiting media-relay based upon SIP message source IPs is unlikely to work well.<br><br>Kennard<br>
<br><div class="gmail_quote">On Tue, Nov 2, 2010 at 11:17 PM, Deon Vermeulen <span dir="ltr"><<a href="mailto:vermeulen.deon@gmail.com">vermeulen.deon@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Morning Kennard<br>
<br>
I really appreciate your feedback.<br>
<br>
I will be serving different networks, but will have control over most<br>
of them or at least be able to assist 3rd party vendors for those I<br>
don't.<br>
<br>
As for another NAT device behind the "Main" Firewall, there wouldn't<br>
be an issue like that, but would be a "nice to have" just in case I<br>
run into something like that.<br>
<br>
I think it would be best that I explain what I would like to achieve<br>
to clarify what my idea is:<br>
<br>
I have a Multi-Tenant solution running on Multiple Asterisk Servers.<br>
The solution currently works for customers that have a VPN/MPLS<br>
connection to me, but I would like to expand my services over the<br>
Internet for smaller customers who can not afford VPN/MPLS connections<br>
to me, but would like to make use of this service.<br>
I would also like to extend this service to have Follow me for my<br>
current customers via their mobile devices, from home, etc...<br>
The Multi-Tenant Asterisk Servers use one Database and handle all<br>
Media including Hunt groups, IVR, Speed Dials, Black/White listing,<br>
Connectivity to the PSTN via external Gateways, etc...<br>
I am looking at OpenSIPS to only help resolve the NAT issue and do<br>
Load-Balancing between my Asterisk Multi-Tenant servers.<br>
<br>
Hope this clarifies what I am looking to achieve.<br>
<br>
I would really appreciate your help with this.<br>
Perhaps a sample config of how you would do this would be awesome.<br>
<br>
Thanks again.<br>
<br>
Best Regards<br>
Deon<br>
<br>
<br>
So, I am looking at OpenSIPS to help provide LoadBalancing/Load<br>
Sharing between a couple of Asterisk Servers, which will cut down a lot<br>
on expenses.<br>
<div><div></div><div class="h5"><br>
On 03 Nov 2010, at 5:26 AM, Kennard White wrote:<br>
<br>
> Hi Deon,<br>
><br>
> For better or worse there are many ways to configure opensips<br>
> depending upon exactly what you are doing. Re your route6, it should<br>
> be invoked from some branch route. One way branch routes are<br>
> established is using t_on_branch(). Your route(3) (or somewhere)<br>
> must be doing a lookup() and establish a branch route.<br>
><br>
> As someone else said, a key question with what you're trying to do<br>
> is: is your network an open or closed environment? If open<br>
> environment (where you cannot control/know the networks where your<br>
> users are) then non-ICE short-circuiting media relay will fail for<br>
> people behind non-hairpinning firewalls or double firewalls. ICE<br>
> (and yes, full ICE, not just STUN) is more robust way of avoiding<br>
> media-relay when not needed. Of course, it has its own issues :-).<br>
><br>
> Kennard<br>
><br>
> On Tue, Nov 2, 2010 at 11:11 AM, Deon Vermeulen <<a href="mailto:vermeulen.deon@gmail.com">vermeulen.deon@gmail.com</a>> wrote:<br>
> Hi Kennard<br>
><br>
> Thanks for the ideas.<br>
> I really appreciate it.<br>
><br>
> I got the config as an example from the Building Telephony systems<br>
> with OpenSER.<br>
> I chose the OpenSER implementation as it describes the implementation<br>
> of MediaProxy.<br>
> Reason for choosing MediaProxy is because I am very, very interested<br>
> in getting the ICE feature.<br>
><br>
> I thought best to first get this config working before playing around<br>
> with the ICE configuration.<br>
><br>
> Could you be so kind and perhaps show me where I should call up<br>
> route(6)?<br>
><br>
> I use fully qualified domain names (i.e <a href="http://domaina.com" target="_blank">domaina.com</a>) for the domain.<br>
> At the moment I specify the proxy with the IP of my Server as I<br>
> haven't setup the DNS records yet.<br>
><br>
> I really appreciate your feedback and assistance.<br>
><br>
> Regards<br>
> Deon<br>
><br>
><br>
> On 02 Nov 2010, at 5:08 PM, Kennard White wrote:<br>
><br>
> > Hi Deon,<br>
> ><br>
> > Some ideas:<br>
> > 1. Capture the SIP traffic and see if media proxy is being invoked<br>
> > in the request and/or response (look for your P-hint messages), and<br>
> > the IP addresses.<br>
> > 2. Add xlog messages when you invoke mediarelay to confirm that they<br>
> > are getting called.<br>
> > 3. You're comparing $dd (which is a domain) to $si (which is an IP<br>
> > address). I don't think this will work in the general case, but<br>
> > maybe you're using IP addresses as your domains?<br>
> > 4. I don't see the code that invokes route(6) -- I assume that is in<br>
> > a branch_route not the request route?<br>
> ><br>
> > Good luck,<br>
> > Kennard<br>
> ><br>
> > On Tue, Nov 2, 2010 at 5:25 AM, Deon Vermeulen <<a href="mailto:vermeulen.deon@gmail.com">vermeulen.deon@gmail.com</a>> wrote:<br>
> > Hi List<br>
> ><br>
> > I'm trying to setup NAT to NOT use MediaProxy when it detects that 2<br>
> > devices are behind the same NAT Device, but rather have coms go<br>
> > directly between them.<br>
> > At the moment I can dial between the 2 phones and answer the call.<br>
> > The callee phone says "Call Established" upon answer, but the caller<br>
> > phone still says "trying/connecting".<br>
> > I am sure this has something to do with my configuration, but I have<br>
> > "NO IDEA" where to start looking.<br>
> > The phones are setup to use their local IPs with no other STUN, ICE,<br>
> > or "proxy like" configurations.<br>
> > Below is a snippet from my opensips.cfg with the NAT configs and would<br>
> > really appreciate any help to get this working.<br>
> ><br>
> > modparam("rr", "enable_full_lr", 1)<br>
> > modparam("registrar", "received_avp", "$avp(i:42)")<br>
> > modparam("usrloc", "db_mode", 2)<br>
> > modparam("usrloc", "nat_bflag", 6)<br>
> > modparam("domain", "db_mode", 1) # Use caching<br>
> > modparam("auth_db|usrloc|uri|avpops", "use_domain", 1)<br>
> > modparam("auth_db|alias_db|domain|uri|uri_db|usrloc|permissions|siptrace|group|avpops|presence", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")<br>
> > modparam("nathelper", "natping_interval", 10)<br>
> > modparam("nathelper", "received_avp", "$avp(i:42)")<br>
> > modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy-dispatcher.sock")<br>
> > modparam("mediaproxy", "mediaproxy_timeout", 500)<br>
> > modparam("mi_datagram", "socket_name", "/var/run/opensips/opensips.sock")<br>
> > modparam("mi_datagram", "children_count", 4)<br>
> ><br>
> ><br>
> > # ------------------------- request routing logic ------------------- #<br>
> ><br>
> > route{<br>
> ><br>
> > #<br>
> > # -- 1 -- Request Validation<br>
> > #<br>
> > if (!mf_process_maxfwd_header("10")) {<br>
> > sl_send_reply("483","Too Many Hops");<br>
> > exit;<br>
> > }<br>
> ><br>
> > if (msg:len >= 2048 ) {<br>
> > sl_send_reply("513", "Message too big");<br>
> > exit;<br>
> > }<br>
> ><br>
> > #<br>
> > # -- 2 -- Routing Preprocessing<br>
> > #<br>
> > ## Record-route all except Register<br>
> > ## Mark packets with nat=yes<br>
> > ## This mark will be used to identify the request in the loose<br>
> > ## route section<br>
> > if(!is_method("REGISTER")){<br>
> > if(nat_uac_test("19")){<br>
> > record_route(";nat=yes");<br>
> > } else {<br>
> > record_route();<br>
> > }<br>
> > }<br>
> ><br>
> > ##Loose_route packets<br>
> > if (has_totag()) {<br>
> > #sequential request within a dialog should<br>
> > # take the path determined by record-routing<br>
> > if (loose_route()) {<br>
> > #Check authentication of re-invites<br>
> > if(method=="INVITE") {<br>
> > if (!proxy_authorize("","subscriber")) {<br>
> > proxy_challenge("","1");<br>
> > exit;<br>
> > } else if (!db_check_from()) {<br>
> > sl_send_reply("403", "Forbidden, use From=ID");<br>
> > exit;<br>
> > }<br>
> > }<br>
> > ## BYE and CANCEL message handling<br>
> > if(method=="BYE" || method=="CANCEL") {<br>
> > end_media_session();<br>
> > }<br>
> > ##Detect requests in the dialog behind NAT and flag with 6<br>
> > if(nat_uac_test("19") || search("^Route:.*;nat=yes")){<br>
> > append_hf("P-hint: LR|fixcontact,setflag6,mediaproxy\r\n");<br>
> > fix_contact();<br>
> > setbflag(6);<br>
> > use_media_proxy();<br>
> > }<br>
> > route(1);<br>
> > } else {<br>
> > sl_send_reply("404","Not here");<br>
> > }<br>
> > exit;<br>
> > }<br>
> ><br>
> > #CANCEL processing<br>
> > if (is_method("CANCEL")) {<br>
> > if (t_check_trans()) {<br>
> > end_media_session();<br>
> > t_relay();<br>
> > }<br>
> > exit;<br>
> > }<br>
> ><br>
> > t_check_trans();<br>
> ><br>
> > #<br>
> > # -- 3 -- Determine Request Target<br>
> > #<br>
> > if (method=="REGISTER") {<br>
> > route(2);<br>
> > } else {<br>
> > route(3);<br>
> > }<br>
> > }<br>
> ><br>
> ><br>
> > route[1] {<br>
> > #<br>
> > # -- 4 -- Forward request to target<br>
> > #<br>
> > # Forward statefully<br>
> > t_on_reply("1");<br>
> > t_on_failure("1");<br>
> > if (!t_relay()) {<br>
> > sl_reply_error();<br>
> > }<br>
> > exit;<br>
> > }<br>
> ><br>
> > route[2] {<br>
> > ## Register request handler<br>
> > if (is_uri_host_local()) {<br>
> > if (!www_authorize("", "subscriber")) {<br>
> > www_challenge("", "1");<br>
> > exit;<br>
> > }<br>
> ><br>
> > if (!db_check_to()) {<br>
> > sl_send_reply("403", "Forbidden");<br>
> > exit;<br>
> > }<br>
> ><br>
> > # Test to see if Caller is behind NAT<br>
> > if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {<br>
> > setbflag(6);<br>
> > fix_nated_register();<br>
> > force_rport();<br>
> > }<br>
> > save("location");<br>
> > exit;<br>
> ><br>
> > } else {<br>
> > sl_send_reply("403", "Forbidden");<br>
> > }<br>
> > }<br>
> ><br>
> ><br>
> > route[3] {<br>
> > ## Requests handler<br>
> > if (is_from_local()){<br>
> > # From an internal domain -> check the credentials and the FROM<br>
> > #if(!allow_trusted()){<br>
> > if (!proxy_authorize("","subscriber")) {<br>
> > proxy_challenge("","0");<br>
> > exit;<br>
> > } else if(!db_check_from()) {<br>
> > sl_send_reply("403", "Forbidden, use From=ID");<br>
> > exit;<br>
> > }<br>
> ><br>
> > if (client_nat_test("3")) {<br>
> > append_hf("P-hint: route(3)|setflag7,forcerport,fix_contact\r\n");<br>
> > setbflag(7);<br>
> > force_rport();<br>
> > fix_contact();<br>
> > }<br>
> ><br>
> > ..............<br>
> ><br>
> > route[6] {<br>
> > #<br>
> > # -- NAT Traversal handling --<br>
> > #<br>
> > # Route[6] is the routing block responsible for activating the MediaProxy, whenever<br>
> > # the caller or callee is behind NAT (flags 6 or 7 respectively).<br>
> > if (isbflagset(6) || isbflagset(7)) {<br>
> > if ( $dd == $si ) {<br>
> > xlog("L_INFO", "Both users behind same NAT, so we dont use MediaProxy\n");<br>
> > resetbflag(6); # Unset NAT flag general.<br>
> > resetbflag(7); # Unset NAT flag general.<br>
> > } else<br>
> > append_hf("P-hint: Route[6]: mediaproxy \r\n");<br>
> > use_media_proxy();<br>
> > }<br>
> > }<br>
> ><br>
> > .............<br>
> ><br>
> > onreply_route[1] {<br>
> > #<br>
> > #-- On-reply block routing --<br>
> > #<br>
> > if (client_nat_test("1")) {<br>
> > append_hf("P-hint: Onreply-route - fixcontact \r\n");<br>
> > fix_contact();<br>
> > }<br>
> ><br>
> > if ((isbflagset(6) || isbflagset(7)) && (status=~"(180)|(183)|2[0-9][0-9]")) {<br>
> > if (search("^Content-Type:[ ]*application/sdp")) {<br>
> > append_hf("P-hint: onreply_route|usemediaproxy \r\n");<br>
> > use_media_proxy();<br>
> > }<br>
> > }<br>
> > exit;<br>
> > }<br>
> ><br>
> ><br>
> > Thanks again for helping. Really appreciate it.<br>
> ><br>
> > Regards<br>
> > Deon<br>
> ><br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
> ><br>
</div></div></blockquote></div><br>
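Kennard's first suggestion in the quoted thread (capture the SIP traffic, look for the P-hint headers and check the IP addresses) can be scripted. The following is an added example, not code from the thread or from OpenSIPS; the two sample messages and their addresses are constructed, and the function names `inspect` and `diagnose` are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture (not from the thread): the INVITE as forwarded by
# the proxy and the 200 OK sent back towards the caller.
INVITE = ("INVITE sip:1002@domaina.com SIP/2.0\r\n"
          "P-hint: route(3)|setflag7,forcerport,fix_contact\r\n"
          "P-hint: Route[6]: mediaproxy \r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 50000 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.168.1.11\r\nm=audio 4000 RTP/AVP 0\r\n")


def inspect(raw):
    """Summarise one SIP message: P-hint values and where its SDP sends media."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hints = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("p-hint:")]
    # Only the first IPv4 connection line is examined.
    addr = next((l.split()[2] for l in body.split("\r\n")
                 if l.startswith("c=IN IP4 ")), None)
    if addr is None:
        media = "no-sdp"
    elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
        media = "private"   # SDP untouched: peer is told to send to a LAN address
    else:
        media = "public"    # relay (or a public endpoint) address in the SDP
    return {"start": lines[0], "hints": hints, "sdp_addr": addr, "media": media}


def diagnose(messages):
    """Return per-message summaries plus a flag for one-sided SDP rewriting."""
    infos = [inspect(m) for m in messages]
    kinds = {i["media"] for i in infos if i["media"] != "no-sdp"}
    return infos, kinds == {"private", "public"}


if __name__ == "__main__":
    infos, one_sided = diagnose([INVITE, OK_200])
    for i in infos:
        print(i["start"], "|", i["media"], i["sdp_addr"], "|", i["hints"])
    print("SDP rewritten in only one direction:", one_sided)
```

A dialog where the request carries a public media address and the reply still carries a private one (or the reverse) shows that the relay was applied on one leg only, which is the condition the P-hint headers are meant to expose.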