[Serusers] problem with NAT and mhomd SER and RTP proxy
Shi Hoch
shi at i-p-hi.com
Wed Sep 22 11:21:00 CEST 2004
the problem is that only one side is heard during the conversation.
Now viewing the capture of SIP session i can see that the NATed client's SDP and Contact header were changed correctly
but still the RTP proxy is listening for data from 192.168.10.14 instead of data from the NAT ip.
attached the output of RTP proxy during debug mode the ser.cfg file please help!!!
RTP proxy was started with the command:
rtpproxy -2f -l 192.168.10.62/80.178.94.82
RTP proxy Output:
rtpproxy: rtpproxy started, pid 23524
rtpproxy: new session 227142944229442YbiJ-400--500 at 192.168.10.14, tag 1c-2023537854 requested
rtpproxy: new session on a port 64900 created, tag 1c-2023537854
rtpproxy: pre-filling caller's address with 192.168.10.14:8000
*Remark client 192.168.10.14 is behind a NAT
rtpproxy: lookup on a ports 64900/64900, session timer restarted
rtpproxy: pre-filling callee's address with 192.168.10.12:8000
rtpproxy: session timeout
rtpproxy: RTP stats: 330 in from callee, 0 in from caller, 330 relayed, 0 dropped
rtpproxy: RTCP stats: 2 in from callee, 0 in from caller, 2 relayed, 0 dropped
rtpproxy: session on ports 64900/64900 is cleaned up
SER.cfg :
#
#
#
# ----------- global configuration parameters ------------------------
/*
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
*/
#Uncomment these lines to enter debugging mode
/*debug=7
fork=yes
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"
listen=192.168.10.62
listen=80.178.94.82
mhomed=yes
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/lib/ser/modules/mysql.so"
loadmodule "/lib/ser/modules/sl.so"
loadmodule "/lib/ser/modules/tm.so"
loadmodule "/lib/ser/modules/rr.so"
loadmodule "/lib/ser/modules/maxfwd.so"
loadmodule "/lib/ser/modules/usrloc.so"
loadmodule "/lib/ser/modules/registrar.so"
loadmodule "/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/lib/ser/modules/auth.so"
loadmodule "/lib/ser/modules/auth_db.so"
# !! Nathelper
loadmodule "/lib/ser/modules/nathelper.so"
# EXEC module
#loadmodule "/lib/ser/modules/exec.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_url", "mysql://ser:******@localhost/ser")
modparam("usrloc", "db_mode", 1)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 10) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
modparam("nathelper", "rtpproxy_sock", "/var/run/rtpproxy.sock") #rtp proxy socket
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
break;
};
if (msg:len >= max_len ) {
sl_send_reply("513", "Message too big");
break;
};
if (method !="REGISTER" && !proxy_authorize("", "subscriber")){
proxy_challenge("", "0");
break;
};
if (method == "BYE" || method == "CANCEL")
unforce_rtp_proxy();
# !! Nathelper
# Special handling for NATed clients; first, NAT test is
# executed: it looks for via!=received and RFC1918 addresses
# in Contact (may fail if line-folding is used); also,
# the received test should, if completed, should check all
# vias for rpesence of received
if (nat_uac_test("3") && dst_ip == 80.178.94.82) {
sl_send_reply("", "Client is behind NAT");
# Allow RR-ed requests, as these may indicate that
# a NAT-enabled proxy takes care of it; unless it is
# a REGISTER
if (method == "REGISTER" || ! search("^Record-Route:")) {
log("LOG: Someone trying to register from private IP, rewriting\n");
# This will work only for user agents that support symmetric
# communication. We tested quite many of them and majority is
# smart enough to be symmetric. In some phones it takes a configuration
# option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
# called "symmetric media" and "symmetric signalling".
fix_nated_contact(); # Rewrite contact with source IP of signalling
if (method == "INVITE") {
sl_send_reply("", "Client is behind NAT And Requested a call");
if (fix_nated_sdp("1")) sl_send_reply("", "Client SDP Replaced"); # Add direction=active to SDP
};
force_rport(); # Add rport parameter to topmost Via
setflag(6); # Mark as NATed
};
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
sl_send_reply("", "loose route");
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
break;
};
if (!uri==myself) {
sl_send_reply("", "outbound");
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
break;
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication
if (!www_authorize("", "subscriber")) {
www_challenge("", "0");
break;
};
if (dst_ip == 192.168.10.62){
save("secure_loc");
} else {
if (dst_ip == 80.178.94.82){
save("net_loc");
} else {
sl_send_reply("403", "Call cannot be served here");
};
};
break;
};
lookup("aliases");
if (!uri==myself) {
sl_send_reply("", "aliases outbound");
append_hf("P-hint: outbound alias\r\n");
route(1);
break;
};
# native SIP destinations are handled using our USRLOC DB
if (method == "INVITE") {
# exec_msg("env > /root/sip_call_env ");
if (lookup("secure_loc")) {
sl_send_reply("","secure loc");
if (dst_ip == 192.168.10.62){
sl_send_reply("","192.168.10.62");
if (force_rtp_proxy("FAII"))
t_on_reply("1");
};
if (dst_ip == 80.178.94.82){
sl_send_reply("","80.178.94.82");
if (force_rtp_proxy("FAEI"))
t_on_reply("1");
};
} else if (lookup("net_loc")) {
sl_send_reply("","net loc");
if (dst_ip == 192.168.10.62){
sl_send_reply("","192.168.10.62");
if (force_rtp_proxy("FAIE")){
t_on_reply("1");
sl_send_reply("","FAEI");
};
};
if (dst_ip == 80.178.94.82){
sl_send_reply("","80.178.94.82");
if (force_rtp_proxy("FAEE"))
t_on_reply("1");
};
} else {
sl_send_reply("403", "Call cannot be served here");
break;
};
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
route[1]
{
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
t_on_reply("1");
if (!t_relay()) {
sl_reply_error();
};
}
onreply_route[1] {
if (dst_ip == 80.178.94.82 && nat_uac_test("1")) {
fix_nated_contact();
if (status =~ "(183)|2[0-9][0-9]") fix_nated_sdp("1");
};
if (status =~ "(183)|2[0-9][0-9]") force_rtp_proxy("FA");
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20040922/cbec6795/attachment.htm>
More information about the sr-users
mailing list