Neill Wilkinson wrote:
> Joris,
>
> I also note that you fix the Contact and the Register in Router(2).
>
> You'll also need to fix_nated_sdp too. The media values in the SDP will need
> to be modified from the private IP Address.

Neill,

Where should I put these, around force_rtp_proxy? Because I thought it already did this?

Like I said, I'm new to OpenSER and have quite a bit of problems understanding really where all the magic happens.

Thanks,

- Joris

> Neill....;o)
> Neill Wilkinson
> Principal Consultant
>
> Aeonvista Ltd - opening up new ideas
>
>
> -----Original Message-----
> From: Joris Dobbelsteen [mailto:[EMAIL PROTECTED]
> Sent: 22 July 2008 09:05
> To: Robert Dyck
> Cc: [email protected]; Neill Wilkinson
> Subject: Re: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>
> Robert Dyck wrote:
>> I understand that the iptables SIP ALG has been much revised this year
>> although I have not tested it myself. I believe you need at least linux
>> 2.6.25.
>
> The unfortunate situation is that I currently run Debian, which has the
> 2.6.18 kernel. Furthermore the box runs Xen and the latest kernel does
> not support Xen yet. So I'm out of luck in this department in many ways.
>
> Can't I get OpenSER to work, or any (maybe simpler) SIP proxy? Maybe
> another solution is more suited for the problem I have?
>
> - Joris
>
>> On Monday 21 July 2008, Joris Dobbelsteen wrote:
>>> Neill Wilkinson wrote:
>>>> If you are using IPtables and are familiar with how to add modules -
>>>> there is a sip connection tracking module that might help:
>>>>
>>>> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
>>>>
>>>> Neill...;o)
>>>>
>>>> Neill Wilkinson
>>>> Principal Consultant
>>>>
>>>> Aeonvista Ltd - opening up new ideas
>>> I have that installed, but to the outside the SIP packets still carry
>>> the LAN IP address. I'm currently missing audio (at least inbound is
>>> nowhere to be seen) and it doesn't really work reliably at this moment.
>>> That is a real problem currently and must be solved reliably.
>>>
>>> The ZyXEL modem I have was intended to be the NAT router for the
>>> network, but it's configured differently in my case, so I can't make that
>>> thing to play nicely with NAT.
>>>
>>> lsmod on the firewall:
>>> ip_nat_sip 8832 0
>>> ip_conntrack_sip 13392 1 ip_nat_sip
>>>
>>> Thanks so far,
>>>
>>> - Joris
>>>
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED] On Behalf Of Joris Dobbelsteen
>>>> Sent: 21 July 2008 21:10
>>>> To: [email protected]
>>>> Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
>>>>
>>>> Dear,
>>>>
>>>> I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
>>>> home phone keeps breaking voice channels (the box was not intended
>>>> behind NAT and I'm, of course, using a configuration that is not so well
>>>> supported).
>>>>
>>>> What is the idea:
>>>>
>>>> SIP transactions should travel this way:
>>>> ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
>>>>
>>>> RTP should travel this way:
>>>> ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
>>>>
>>>>
>>>> My current test is using X-Lite with voipbuster, but that doesn't really
>>>> work. It seems that registers are functioning, at least X-Lite reports
>>>> itself being registered.
>>>> Voice calls always end up in timeouts, so something is really going
>>>> wrong here, it might be authentication problems?
>>>>
>>>> An added problem is that I have just sufficient knowledge of SIP to see
>>>> what it is doing, without really knowing what to expect exactly.
>>>> Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
>>>> time even grasping the configuration I typed in. This is not really
>>>> helpful
>>>>
>>>> What I do know:
>>>> * SIP Proxy traffic is flowing.
>>>> * SIP INVITES don't work at all.
>>>> * SIP to RTP is communication, but I don't know if RTP is actually
>>>> flowing.
>>>>
>>>> I stole most of the configuration from the "04 NAT Traversal" slides of
>>>> the "Italy 2007 Admin course", to which there is a link on the
>>>> documentation site. I adapted it to make it work with the debian
>>>> supplied OpenSER 1.1.
>>>>
>>>> How do I get this all working?
>>>> What am I getting wrong?
>>>>
>>>> I really really appreciate any help I can get to get it working!
>>>>
>>>> - Joris
>>>>
>>>>
>>>> Config is this:
>>>> # ----------- global configuration parameters ------------------------
>>>>
>>>> debug=4 # debug level (cmd line: -dddddddddd)
>>>> fork=yes # Set to no to enter debugging mode
>>>> log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
>>>>
>>>> check_via=no # (cmd. line: -v)
>>>> dns=no # (cmd. line: -r)
>>>> rev_dns=no # (cmd. line: -R)
>>>> advertised_address="82.168.191.xx"
>>>> advertised_port=5060
>>>> port=5060
>>>> children=4
>>>> fifo="/tmp/openser_fifo"
>>>>
>>>> #
>>>> # ------------------ module loading ----------------------------------
>>>>
>>>> # Uncomment this if you want to use SQL database
>>>> mpath="/usr/lib/openser/modules/"
>>>> loadmodule "mysql.so"
>>>> loadmodule "sl.so"
>>>> loadmodule "tm.so"
>>>> loadmodule "rr.so"
>>>> loadmodule "maxfwd.so"
>>>> loadmodule "usrloc.so"
>>>> loadmodule "registrar.so"
>>>> loadmodule "textops.so"
>>>> loadmodule "nathelper.so"
>>>>
>>>> # Uncomment this if you want digest authentication
>>>> # mysql.so must be loaded !
>>>> loadmodule "auth.so"
>>>> loadmodule "auth_db.so"
>>>>
>>>> # ----------------- setting module-specific parameters ---------------
>>>>
>>>> # -- usrloc params --
>>>>
>>>> modparam("usrloc", "db_mode", 0)
>>>>
>>>> # Uncomment this if you want to use SQL database
>>>> # for persistent storage and comment the previous line
>>>> #modparam("usrloc", "db_mode", 2)
>>>>
>>>> # -- auth params --
>>>> # Uncomment if you are using auth module
>>>> #
>>>> modparam("auth_db", "calculate_ha1", yes)
>>>> #
>>>> # If you set "calculate_ha1" parameter to yes (which is true in this config),
>>>> # uncomment also the following parameter)
>>>> #
>>>> modparam("auth_db", "password_column", "password")
>>>>
>>>> # -- rr params --
>>>> # add value to ;lr param to make some broken UAs happy
>>>> modparam("rr", "enable_full_lr", 1)
>>>>
>>>> # -- nathelper params ---
>>>> modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
>>>> modparam("nathelper", "natping_interval", 30)
>>>> modparam("nathelper", "ping_nated_only", 1)
>>>> #modparam("nathelper", "sipping_bflag", 7)
>>>> modparam("nathelper", "sipping_from", "sip:[EMAIL PROTECTED]")
>>>>
>>>> # ------------------------- request routing logic -------------------
>>>>
>>>> # main routing logic
>>>>
>>>> route{
>>>>
>>>>     # initial sanity checks -- messages with
>>>>     # max_forwards==0, or excessively long requests
>>>>     if (!mf_process_maxfwd_header("10")) {
>>>>         sl_send_reply("483","Too Many Hops");
>>>>         exit;
>>>>     };
>>>>
>>>>     if (msg:len >= 2048 ) {
>>>>         sl_send_reply("513", "Message too big");
>>>>         exit;
>>>>     };
>>>>
>>>>     # NAT detection
>>>>     route(2);
>>>>
>>>>     # we record-route all messages -- to make sure that
>>>>     # subsequent messages will go through our proxy; that's
>>>>     # particularly good if upstream and downstream entities
>>>>     # use different transport protocol
>>>>     if (!method=="REGISTER")
>>>>         record_route();
>>>>
>>>>     # subsequent messages within a dialog should take the
>>>>     # path determined by record-routing
>>>>     if (loose_route()) {
>>>>         # mark routing logic in request
>>>>         append_hf("P-hint: rr-enforced\r\n");
>>>>         route(1);
>>>>     };
>>>>
>>>>     if (!uri==myself) {
>>>>         # mark routing logic in request
>>>>         append_hf("P-hint: outbound\r\n");
>>>>         # if you have some interdomain connections via TLS
>>>>         #if(uri=~"@tls_domain1.net") {
>>>>         #    t_relay("tls:domain1.net");
>>>>         #    exit;
>>>>         #} else if(uri=~"@tls_domain2.net") {
>>>>         #    t_relay("tls:domain2.net");
>>>>         #    exit;
>>>>         #}
>>>>         route(1);
>>>>     };
>>>>
>>>>     # if the request is for other domain use UsrLoc
>>>>     # (in case, it does not work, use the following command
>>>>     # with proper names and addresses in it)
>>>>     if (uri==myself) {
>>>>
>>>>         if (method=="REGISTER") {
>>>>
>>>>             # Uncomment this if you want to use digest authentication
>>>>             if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
>>>>                 www_challenge("sip.familiedobbelsteen.nl", "0");
>>>>                 exit;
>>>>             };
>>>>
>>>>             if (isflagset(5)) {
>>>>                 # set branch flag -- when someone will call this user
>>>>                 # INVITE will have branch flag 6 set after lookup("location")
>>>>                 setflag(6);
>>>>                 # if you want OPTIONS natpings uncomment next
>>>>                 # setflag(7);
>>>>             };
>>>>
>>>>             save("location");
>>>>             exit;
>>>>         };
>>>>
>>>>         lookup("aliases");
>>>>         if (!uri==myself) {
>>>>             append_hf("P-hint: outbound alias\r\n");
>>>>             route(1);
>>>>         };
>>>>
>>>>         # native SIP destinations are handled using our USRLOC DB
>>>>         if (!lookup("location")) {
>>>>             sl_send_reply("404", "Not Found");
>>>>             exit;
>>>>         };
>>>>         append_hf("P-hint: usrloc applied\r\n");
>>>>     };
>>>>
>>>>     route(1);
>>>> }
>>>>
>>>>
>>>> route[1] {
>>>>     # send it out now; use stateful forwarding as it works reliably
>>>>     # even for UDP2TCP
>>>>     if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
>>>>         setflag(6);
>>>>     };
>>>>
>>>>     if (isflagset(5) || isflagset(6)) {
>>>>         route(3);
>>>>     };
>>>>
>>>>     if (!t_relay()) {
>>>>         sl_reply_error();
>>>>     };
>>>>     exit;
>>>> }
>>>>
>>>> route[2] {
>>>>     force_rport();
>>>>     if(nat_uac_test("19")) {
>>>>         if (method=="REGISTER") {
>>>>             fix_nated_register();
>>>>         } else {
>>>>             fix_nated_contact();
>>>>         };
>>>>         setflag(5);
>>>>     };
>>>> }
>>>>
>>>> route[3] {
>>>>     if (is_method("BYE")) {
>>>>         unforce_rtp_proxy();
>>>>     } else if (is_method("INVITE")) {
>>>>         force_rtp_proxy("", "82.168.191.xx");
>>>>         t_on_failure("2");
>>>>     };
>>>>     if (isflagset(5))
>>>>         search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>>>>     t_on_reply("1");
>>>> }
>>>>
>>>> failure_route[2] {
>>>>     if (isflagset(6)||isflagset(5)) {
>>>>         unforce_rtp_proxy();
>>>>     };
>>>> }
>>>>
>>>> onreply_route[1] {
>>>>     if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") {
>>>>         force_rtp_proxy();
>>>>     };
>>>>     search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>>>>
>>>>     if (isflagset(6)) {
>>>>         fix_nated_contact();
>>>>     };
>>>>     exit;
>>>> }
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>
>
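
Added example, not part of the original thread: a Python check for the symptom discussed above, a SIP message that still carries the LAN address towards the outside. It scans the Via and Contact headers and the SDP o=/c= lines for RFC 1918 addresses and applies the c= rewrite the thread says the media description needs; the sample INVITE, its addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (not from the thread): an INVITE as sent by a UA on the LAN.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.net>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.168.10.20",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.10.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.10.20",
    "s=-",
    "c=IN IP4 192.168.10.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
])

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Lines where a NATed UA typically exposes its LAN address: two headers, two SDP lines.
WATCHED = ("via:", "contact:", "o=", "c=")

def is_rfc1918(addr):
    try:
        return any(ipaddress.IPv4Address(addr) in net for net in PRIVATE)
    except ValueError:  # not a valid dotted quad, e.g. 999.1.1.1
        return False

def private_address_leaks(message):
    """Return (line prefix, address) for each RFC 1918 address on a watched line."""
    leaks = []
    for line in message.splitlines():
        prefix = next((p for p in WATCHED if line.lower().startswith(p)), None)
        if prefix:
            leaks += [(prefix, a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return leaks

def rewrite_sdp_connection(message, public_ip):
    """Replace the address on SDP c= lines only, i.e. where media is to be sent."""
    return re.sub(r"(?m)^(c=IN IP4 )\S+", r"\g<1>" + public_ip, message)

if __name__ == "__main__":
    print(private_address_leaks(SAMPLE_INVITE))
    print(private_address_leaks(rewrite_sdp_connection(SAMPLE_INVITE, "203.0.113.10")))
```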
