[Serusers] UA's behind the same NAT

Greger V. Teigre greger at teigre.com
Thu Nov 10 08:40:52 CET 2005


Atle,
Thanks for pointing this out, I was exhausted ;-) after my long email.  We 
have received requests for this feature at onsip.org a few times. The reason 
why we haven't added it is exactly the issue you point out.  We have at one 
point talked about adding an Appendix to the Getting Started document called 
"Suggestions for additions and changes to your ser.cfg"  where things like 
this can be documented separately. People can then add the feature to their 
configs themselves if they like.
g-)

----- Original Message ----- 
From: "Atle Samuelsen" <clona at cyberhouse.no>
To: "Greger V. Teigre" <greger at teigre.com>
Cc: "Noel Sharpe" <noels at radnetwork.co.uk>; "'SER Users'" 
<serusers at lists.iptel.org>
Sent: Thursday, November 10, 2005 8:19 AM
Subject: Re: [Serusers] UA's behind the same NAT


>
> Hi Noel,
>
> Just a thought,
> (don't know if your users do this, but just to lighten the area)
>
> what happens if there is a double NAT here, and you say, that users
> behind the same nat (at least with the logic G wrote) they would have the
> same source-ip and the same ruri ip, but wouldn't be on the same
> physical lan..
>
>
> see setup :
>          B  C
>          NAT-->UA2
>     A    /
> ser - NAT
>         \
>         NAT -->UA1
>         D  E
>
> A= Public IP
> B= NAT1's public IP
> C= NAT1's Local Subnet
> D= NAT2's public ip
> E= NAT2's Local subnet
>
> The from would look like:
> (ua2)
> from:blabla<sip:UA2 at C>
> (UA1)
> from:blublu<sip:UA1 at E>
>
> e.request-uri would be :
> (UA2)
> sip:ua2 at A
> (UA1)
> sip:ua1 at a
>
> SourceIP for both requests would be A, So, you can't really (by this)
> know if UA1 and UA2 are behind the same nat, especially if there is a
> double, or triple or so...
>
> -Atle
>
>
> * Greger V. Teigre <greger at teigre.com> [051110 07:50]:
>> Noel,
>> If you send the config showing how you do it, it will be easier to comment.
>> :-)
>>
>> In general, what you should do is this:
>> - Starting from onsip.org configs, there are three locations you need to
>> change: route[4] NAT Traversal, loose route handling and onreply
>> - I suggest creating a new route block where you test the src_ip of the
>> message against the looked up location of ruri/domain, i.e. this only works
>> after a successful lookup("location") has been done. This should be the
>> (untested) code snippet:
>> avp_write("$ruri/domain", "i:624");
>> if (avp_check("i:624","eq/$src_ip")) {
>>  setflag(SAME_NAT);
>> }
>> (NOTE: I'm not sure about how avp_write will handle $ruri/domain as :port
>> is at the end of the domain for ruri after a lookup. You should probably
>> turn on debugging and use avp_print)
>> - Then run the test from the NAT traversal route, as well as the loose
>> route (not in onreply) and check for the flag before doing force_rtp_proxy
>> - In onreply add && !isflagset(SAME_NAT) to the NAT if test
>>
>> No guarantees... This has not been tested.  However, if you can report that
>> it works (or whatever was wrong), I will submit the code piece as a
>> suggestion for the ONsip.org Getting Started document.
>> g-)
>>
>>
>> ----- Original Message ----- 
>> From: "Noel Sharpe" <noels at radnetwork.co.uk>
>> To: "'SER Users'" <serusers at lists.iptel.org>
>> Sent: Wednesday, November 09, 2005 9:15 PM
>> Subject: [Serusers] UA's behind the same NAT
>>
>>
>> >Hi All
>> >
>> >I am trying to improve my proxy setup to force clients behind the same NAT
>> >device to connect each other directly.  My setup is fairly complex,
>> >(rtpproxy / NAT Helper, PSTN gateways,  different peers etc)  but it's
>> >loosely based on the OnSip.org setup.
>> >The current config works correctly for all clients, whether behind a NAT
>> >or not, but I'd prefer not to have to use RTP proxy to allow UA's on the
>> >same nat to contact each other.  I've seen the document from the AVPops
>> >module, but I can't get the example to work.  I think the problem is WHERE
>> >I put the avpops config.  As this works on FWD, I think it's possible.
>> >Has anyone got this working?
>> >
>> >Noel
>> >
>> >
>> >_______________________________________________
>> >Serusers mailing list
>> >serusers at lists.iptel.org
>> >http://lists.iptel.org/mailman/listinfo/serusers
>> >
>>
>>
>
> 
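
Added example, not part of the original thread: a small Python model of the comparison discussed above (source IP of the request against the host of the request-URI after the location lookup), including the ":port" stripping Greger was unsure about and the double-NAT case Atle describes. All function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress

def uri_host(sip_uri):
    """Host of a SIP URI as an ip_address, without user, :port or ;params.
    Returns None when the host is a domain name rather than an IP literal."""
    rest = sip_uri.split(":", 1)[1]                 # drop the "sip:" scheme
    rest = rest.split(";", 1)[0].split("?", 1)[0]   # drop URI params/headers
    hostport = rest.rsplit("@", 1)[-1]              # drop userinfo
    if hostport.startswith("["):                    # IPv6 reference [addr]:port
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]            # strip the trailing :port
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def same_nat(src_ip, ruri_after_lookup):
    """Model of the SAME_NAT test: request source IP equals the looked-up host."""
    host = uri_host(ruri_after_lookup)
    return host is not None and host == ipaddress.ip_address(src_ip)

# Constructed sample data. The proxy only ever sees the outer NAT's address
# for UA1 and UA2, although they sit on different inner LANs (E and C).
OUTER_NAT = "203.0.113.10"
LOCATION = {
    "ua1": "sip:ua1@203.0.113.10:40001",
    "ua2": "sip:ua2@203.0.113.10:40002",
    "ua3": "sip:ua3@198.51.100.7:5060",   # unrelated public client
}
REAL_LAN = {"ua1": "192.168.1.0/24", "ua2": "192.168.2.0/24"}

def double_nat_false_positive(caller="ua1", callee="ua2"):
    """True when the check flags SAME_NAT although the LANs differ."""
    flagged = same_nat(OUTER_NAT, LOCATION[callee])
    return flagged and REAL_LAN[caller] != REAL_LAN[callee]

if __name__ == "__main__":
    print("ua1 -> ua2 flagged same NAT:", same_nat(OUTER_NAT, LOCATION["ua2"]))
    print("ua1 -> ua3 flagged same NAT:", same_nat(OUTER_NAT, LOCATION["ua3"]))
    print("double-NAT false positive:", double_nat_false_positive())
```

When the flag is a false positive, the RTP proxy is skipped for two endpoints that cannot reach each other directly, so media fails in both directions.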