<div dir="ltr">Hi,<div>If <i>a.a.a.a</i> is the public IP and <i>b.b.b.b</i> is the private IP, where c.c.c.c is another private IP address, then you just need to enable the multihome param "<b>mhomed=1</b>" in your opensips.cfg script and OpenSIPS should take care of relaying the packet out with proper SIP headers. The selection of the interface to "c.c.c.c" will be done automatically if the operating system's IP routes are configured properly, i.e. b.b.b.b can reach c.c.c.c. </div><div><br></div><div>Next up is the rtpproxy engagement; you'll need to do a couple of things for that.<br></div><div>1 - start RTPproxy in bridging mode, i.e. -l a.a.a.a/b.b.b.b</div><div>2 - in your opensips.cfg you have to explicitly tell the rtpproxy which direction this call is flowing by use of flags and other functions.</div><div><br></div><div>i.e.<br>if(call-from-WAN->LAN)</div><div><b> rtpproxy_engage("ei");</b><br><br>if(call-from-LAN->WAN)</div><div><b> rtpproxy_engage("ie");</b></div><div><br></div><div>You might need additional flags in there as this is just an example. Hope this helps.</div><div><br></div><div>Regards,</div><div>Sammy</div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 7, 2020 at 8:22 PM Matthew Schumacher &lt;<a href="mailto:schu@schu.net" target="_blank">schu@schu.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello all,<br>
<br>
I'm trying to set up an SBC of sorts so that I can have users <br>
authenticate to opensips using a public interface, then have opensips <br>
relay and rtpproxy that request to a private sip host.<br>
<br>
Something like this:<br>
<br>
public sip client ---(proxy authentication)--> aa.aa.aa.aa bb.bb.bb.bb <br>
----(sip trunk auth by ip) ---> cc.cc.cc.cc (inside sip gateway)<br>
<br>
Where aa.aa.aa.aa and bb.bb.bb.bb live on the same host.<br>
<br>
I used osipsconfig with use_auth, use_dbacc, use_dbusrloc, use_dialog, <br>
use_multidomain, use_dialplan, have_inbound_pstn, have_outbound_pstn<br>
<br>
I then took the config it created and added rtpproxy module and config <br>
as well as force_send_socket() because when it sent sip to cc.cc.cc.cc it <br>
was sourcing from aa.aa.aa.aa instead of bb.bb.bb.bb.<br>
<br>
It almost works, and actually works with one way audio from cc.cc.cc.cc <br>
through the proxy to the client, but opensips tells the client that the <br>
audio is at cc.cc.cc.cc which doesn't route.<br>
<br>
What's the best way to do multi homing? opensips seems fairly <br>
straightforward with a single IP address, but things got complicated fast when I <br>
added a second IP.<br>
<br>
I would just use b2b_init_request("top hiding"); but I get lots of loops <br>
when I do that.<br>
<br>
Thanks,<br>
Matt<br>
<br>
<br>
####### Global Parameters #########<br>
<br>
log_level=4<br>
log_stderror=yes<br>
log_facility=LOG_LOCAL0<br>
<br>
children=4<br>
<br>
/* uncomment the following lines to enable debugging */<br>
#debug_mode=yes<br>
<br>
/* uncomment the next line to enable the auto temporary blacklisting of<br>
not available destinations (default disabled) */<br>
#disable_dns_blacklist=no<br>
<br>
/* uncomment the next line to enable IPv6 lookup after IPv4 dns<br>
lookup failures (default disabled) */<br>
#dns_try_ipv6=yes<br>
<br>
/* comment the next line to enable the auto discovery of local aliases<br>
based on reverse DNS on IPs */<br>
auto_aliases=no<br>
<br>
listen=udp:bb.bb.bb.bb:5060 # CUSTOMIZE ME<br>
listen=udp:aa.aa.aa.aa:5060 # CUSTOMIZE ME<br>
<br>
<br>
####### Modules Section ########<br>
<br>
#set module path<br>
mpath="/usr/lib64/opensips/modules/"<br>
<br>
#### SIGNALING module<br>
loadmodule "signaling.so"<br>
<br>
#### StateLess module<br>
loadmodule "sl.so"<br>
<br>
#### Transaction Module<br>
loadmodule "tm.so"<br>
modparam("tm", "fr_timeout", 5)<br>
modparam("tm", "fr_inv_timeout", 30)<br>
modparam("tm", "restart_fr_on_each_reply", 0)<br>
modparam("tm", "onreply_avp_mode", 1)<br>
<br>
#### Record Route Module<br>
loadmodule "rr.so"<br>
/* do not append from tag to the RR (no need for this script) */<br>
modparam("rr", "append_fromtag", 0)<br>
<br>
#### MAX ForWarD module<br>
loadmodule "maxfwd.so"<br>
<br>
#### SIP MSG OPerationS module<br>
loadmodule "sipmsgops.so"<br>
<br>
#### FIFO Management Interface<br>
loadmodule "mi_fifo.so"<br>
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")<br>
modparam("mi_fifo", "fifo_mode", 0666)<br>
<br>
#### PGSQL module<br>
loadmodule "db_postgres.so"<br>
<br>
#### HTTPD module<br>
loadmodule "httpd.so"<br>
modparam("httpd", "port", 8888)<br>
<br>
#### USeR LOCation module<br>
loadmodule "usrloc.so"<br>
modparam("usrloc", "nat_bflag", "NAT")<br>
modparam("usrloc", "db_mode", 2)<br>
modparam("usrloc", "db_url",<br>
"postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME<br>
<br>
<br>
#### REGISTRAR module<br>
loadmodule "registrar.so"<br>
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")<br>
/* uncomment the next line not to allow more than 10 contacts per AOR */<br>
#modparam("registrar", "max_contacts", 10)<br>
<br>
#### ACCounting module<br>
loadmodule "acc.so"<br>
/* what special events should be accounted ? */<br>
modparam("acc", "early_media", 0)<br>
modparam("acc", "report_cancels", 0)<br>
/* by default we do not adjust the direct of the sequential requests.<br>
if you enable this parameter, be sure the enable "append_fromtag"<br>
in "rr" module */<br>
modparam("acc", "detect_direction", 0)<br>
modparam("acc", "db_url",<br>
"postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME<br>
<br>
#### AUTHentication modules<br>
loadmodule "auth.so"<br>
loadmodule "auth_db.so"<br>
modparam("auth_db", "calculate_ha1", yes)<br>
modparam("auth_db", "password_column", "password")<br>
modparam("auth_db", "db_url",<br>
"postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME<br>
modparam("auth_db", "load_credentials", "")<br>
<br>
#### DOMAIN module<br>
loadmodule "domain.so"<br>
modparam("domain", "db_url",<br>
"postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME<br>
modparam("domain", "db_mode", 1) # Use caching<br>
modparam("auth_db|usrloc", "use_domain", 1)<br>
<br>
#### DIALOG module<br>
loadmodule "dialog.so"<br>
modparam("dialog", "dlg_match_mode", 1)<br>
modparam("dialog", "default_timeout", 21600) # 6 hours timeout<br>
modparam("dialog", "db_mode", 2)<br>
modparam("dialog", "db_url",<br>
"postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME<br>
<br>
#### DIALPLAN module<br>
loadmodule "dialplan.so"<br>
modparam("dialplan", "db_url",<br>
"postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME<br>
<br>
#### MI_HTTP module<br>
loadmodule "mi_http.so"<br>
modparam("mi_http", "root", "json")<br>
<br>
loadmodule "proto_udp.so"<br>
loadmodule "proto_tcp.so"<br>
<br>
loadmodule "rtpproxy.so"<br>
modparam("rtpproxy", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # CUSTOMIZE ME<br>
<br>
loadmodule "json.so"<br>
loadmodule "jsonrpc.so"<br>
loadmodule "event_jsonrpc.so"<br>
<br>
####### Routing Logic ########<br>
<br>
# main request routing logic<br>
<br>
route{<br>
<br>
if (!mf_process_maxfwd_header(10)) {<br>
send_reply(483,"Too Many Hops");<br>
exit;<br>
}<br>
<br>
if (has_totag()) {<br>
<br>
# handle hop-by-hop ACK (no routing required)<br>
if ( is_method("ACK") && t_check_trans() ) {<br>
t_relay();<br>
exit;<br>
}<br>
<br>
# sequential request within a dialog should<br>
# take the path determined by record-routing<br>
if ( !loose_route() ) {<br>
# we do record-routing for all our traffic, so we should not<br>
# receive any sequential requests without Route hdr.<br>
send_reply(404,"Not here");<br>
exit;<br>
}<br>
<br>
# validate the sequential request against dialog<br>
if ( $DLG_status!=NULL && !validate_dialog() ) {<br>
xlog("In-Dialog $rm from $si (callid=$ci) is not valid according to dialog\n");<br>
## exit;<br>
}<br>
<br>
if (is_method("BYE")) {<br>
# do accounting even if the transaction fails<br>
do_accounting("db","failed");<br>
<br>
}<br>
<br>
# route it out to whatever destination was set by loose_route()<br>
# in $du (destination URI).<br>
route(relay);<br>
exit;<br>
}<br>
<br>
# CANCEL processing<br>
if (is_method("CANCEL")) {<br>
if (t_check_trans())<br>
t_relay();<br>
exit;<br>
}<br>
<br>
# absorb retransmissions, but do not create transaction<br>
t_check_trans();<br>
<br>
if ( !(is_method("REGISTER") || ($si==cc.cc.cc.cc && $sp==5060 /* CUSTOMIZE ME */) ) ) {<br>
<br>
if (is_myself("$fd")) {<br>
<br>
# authenticate if from local subscriber<br>
# authenticate all initial non-REGISTER request that pretend to be<br>
# generated by local subscriber (domain from FROM URI is local)<br>
if (!proxy_authorize("", "subscriber")) {<br>
proxy_challenge("", 0);<br>
exit;<br>
}<br>
if ($au!=$fU) {<br>
send_reply(403,"Forbidden auth ID");<br>
exit;<br>
}<br>
<br>
consume_credentials();<br>
# caller authenticated<br>
<br>
} else {<br>
# if caller is not local, then called number must be local<br>
<br>
if (!is_myself("$rd")) {<br>
send_reply(403,"Relay Forbidden");<br>
exit;<br>
}<br>
}<br>
<br>
}<br>
<br>
# preloaded route checking<br>
if (loose_route()) {<br>
xlog("L_ERR",<br>
"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");<br>
if (!is_method("ACK"))<br>
send_reply(403,"Preload Route denied");<br>
exit;<br>
}<br>
<br>
# record routing<br>
if (!is_method("REGISTER|MESSAGE"))<br>
record_route();<br>
<br>
# account only INVITEs<br>
if (is_method("INVITE")) {<br>
<br>
# create dialog with timeout<br>
if ( !create_dialog("B") ) {<br>
send_reply(500,"Internal Server Error");<br>
exit;<br>
}<br>
<br>
do_accounting("db");<br>
<br>
}<br>
<br>
<br>
if (!is_myself("$rd")) {<br>
append_hf("P-hint: outbound\r\n");<br>
<br>
route(relay);<br>
}<br>
<br>
# requests for my domain<br>
<br>
if (is_method("PUBLISH|SUBSCRIBE")) {<br>
send_reply(503, "Service Unavailable");<br>
exit;<br>
}<br>
<br>
if (is_method("REGISTER")) {<br>
# authenticate the REGISTER requests<br>
if (!www_authorize("", "subscriber")) {<br>
www_challenge("", 0);<br>
exit;<br>
}<br>
<br>
if ($au!=$tU) {<br>
send_reply(403,"Forbidden auth ID");<br>
exit;<br>
}<br>
if ($proto == "tcp")<br>
setflag(TCP_PERSISTENT);<br>
<br>
if (!save("location"))<br>
sl_reply_error();<br>
<br>
exit;<br>
}<br>
<br>
if ($rU==NULL) {<br>
# request with no Username in RURI<br>
send_reply(484,"Address Incomplete");<br>
exit;<br>
}<br>
<br>
<br>
<br>
<br>
# apply transformations from dialplan table<br>
dp_translate( 0, "$rU", $rU);<br>
<br>
if ($rU=~"^\+[1-9][0-9]+$") {<br>
<br>
<br>
$rd="cc.cc.cc.cc"; # CUSTOMIZE ME<br>
$rp=5060;<br>
force_send_socket(udp:bb.bb.bb.bb:5060);<br>
rtpproxy_engage();<br>
<br>
route(relay);<br>
exit;<br>
}<br>
<br>
# do lookup with method filtering<br>
if (!lookup("location","m")) {<br>
if (!db_does_uri_exist("$ru","subscriber")) {<br>
send_reply(420,"Bad Extension");<br>
exit;<br>
}<br>
<br>
t_reply(404, "Not Found");<br>
exit;<br>
}<br>
<br>
<br>
<br>
# when routing via usrloc, log the missed calls also<br>
do_accounting("db","missed");<br>
<br>
route(relay);<br>
}<br>
<br>
<br>
route[relay] {<br>
# for INVITEs enable some additional helper routes<br>
if (is_method("INVITE")) {<br>
<br>
<br>
<br>
t_on_branch("per_branch_ops");<br>
t_on_reply("handle_nat");<br>
t_on_failure("missed_call");<br>
}<br>
<br>
<br>
<br>
if (!t_relay()) {<br>
send_reply(500,"Internal Error");<br>
}<br>
exit;<br>
}<br>
<br>
<br>
<br>
<br>
branch_route[per_branch_ops] {<br>
xlog("new branch at $ru\n");<br>
}<br>
<br>
<br>
onreply_route[handle_nat] {<br>
<br>
xlog("incoming reply\n");<br>
}<br>
<br>
<br>
failure_route[missed_call] {<br>
if (t_was_cancelled()) {<br>
exit;<br>
}<br>
<br>
# uncomment the following lines if you want to block client<br>
# redirect based on 3xx replies.<br>
##if (t_check_status("3[0-9][0-9]")) {<br>
##t_reply(404,"Not found");<br>
## exit;<br>
##}<br>
<br>
<br>
}<br>
<br>
<br>
<br>
local_route {<br>
if (is_method("BYE") && $DLG_dir=="UPSTREAM") {<br>
<br>
acc_db_request("200 Dialog Timeout", "acc");<br>
<br>
}<br>
}<br>
<br>
</blockquote></div>
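
The direction flags from the reply, applied to the INVITE paths of the quoted script, as an added example that is not part of either message. It assumes `mhomed=1` takes the place of the `force_send_socket()` call and that `cc.cc.cc.cc` is the only LAN-side peer; the route name `media_bridge` is hypothetical.

```cfg
# Added example, not from the thread. Addresses are the thread's placeholders.

# Global parameter: let OpenSIPS pick the outgoing listen socket from the
# OS routing table instead of pinning it with force_send_socket().
mhomed=1

# Hypothetical helper route. Call it for initial INVITEs, after
# create_dialog(), in place of the bare rtpproxy_engage() call.
route[media_bridge] {
    if (is_method("INVITE") && !has_totag()) {
        if ($si == "cc.cc.cc.cc") {
            # request arrived from the inside gateway: LAN -> WAN
            rtpproxy_engage("ie");
        } else {
            # request arrived on the public interface: WAN -> LAN
            rtpproxy_engage("ei");
        }
    }
}

# In the main route, both INVITE paths then call the helper before relaying:
#
#   if ($rU=~"^\+[1-9][0-9]+$") {
#       $rd="cc.cc.cc.cc";
#       $rp=5060;
#       route(media_bridge);
#       route(relay);
#       exit;
#   }
#   ...
#   do_accounting("db","missed");
#   route(media_bridge);
#   route(relay);
```

The flags only take effect when RTPproxy itself runs in bridging mode with both addresses given to `-l`, as the reply describes.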