[Serusers] NAT Traversal
Greger V. Teigre
greger at teigre.com
Sat Nov 12 07:14:12 CET 2005
Seems like you could use the Getting Started document from ONsip.org ;-)
g-)
----- Original Message -----
From: "Thomas Britis" <thomas at tcnet.com.br>
To: <serusers at lists.iptel.org>
Sent: Friday, November 11, 2005 5:58 PM
Subject: [Serusers] NAT Traversal
> Hi,
>
> I'm working on a popular cenario (I think) of SER's implementation but
> I'm having some difficult on making clients behind NAT to work well.
> I tried to use rtpproxy and mediaproxy (not together, of course) but
> without success.
> Here is my scenario: SER with public IP address with rtpproxy and/or
> mediaproxy up and running. Clients are behind NAT with NO firewall
> blocking any ports. Or even one client behind NAT and other with valid
> IP (by the way, all clients that are not behind nat works fine). The one
> behind nat do not receive any voice but can send it.
>
> I'm attaching my ser.cfg (both, the rtpproxy and mediaproxy one) and
> appreciate any help.
>
> Thank's in advance.
> --
> Thomas Storino Britis
> TCNet Informatica e Telecomunicacoes LTDA
>
--------------------------------------------------------------------------------
> #
> # $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
> #
> # simple quick-start config script
> #
>
> # ----------- global configuration parameters ------------------------
>
> debug=3 # debug level (cmd line: -dddddddddd)
> fork=yes
> log_stderror=no # (cmd line: -E)
>
> # TCNet Configuration
> # hostname matching an alias will satisfy the condition uri==myself.
> listen="200.167.20.34"
> alias="e-voip.com.br"
> alias="200.167.20.34"
> uid="ser"
> gid="ser"
>
> check_via=no # (cmd. line: -v)
> dns=no # (cmd. line: -r)
> rev_dns=no # (cmd. line: -R)
> port=5060
> children=4
> fifo="/tmp/ser_fifo"
> fifo_db_url="mysql://ser:pass@localhost/ser"
>
> # Modules
> loadmodule "/tcnet/ser/lib/ser/modules/domain.so"
> loadmodule "/tcnet/ser/lib/ser/modules/mysql.so"
> loadmodule "/tcnet/ser/lib/ser/modules/sl.so"
> loadmodule "/tcnet/ser/lib/ser/modules/tm.so"
> loadmodule "/tcnet/ser/lib/ser/modules/rr.so"
> loadmodule "/tcnet/ser/lib/ser/modules/maxfwd.so"
> loadmodule "/tcnet/ser/lib/ser/modules/usrloc.so"
> loadmodule "/tcnet/ser/lib/ser/modules/registrar.so"
> loadmodule "/tcnet/ser/lib/ser/modules/auth.so"
> loadmodule "/tcnet/ser/lib/ser/modules/auth_db.so"
> loadmodule "/tcnet/ser/lib/ser/modules/uri.so"
> loadmodule "/tcnet/ser/lib/ser/modules/uri_db.so"
> loadmodule "/tcnet/ser/lib/ser/modules/nathelper.so"
> loadmodule "/tcnet/ser/lib/ser/modules/mediaproxy.so"
> loadmodule "/tcnet/ser/lib/ser/modules/textops.so"
> loadmodule "/tcnet/ser/lib/ser/modules/avpops.so"
> loadmodule "/tcnet/ser/lib/ser/modules/acc.so"
>
> # Modules parameter
> # auth_db
> modparam("auth_db|uri_db|usrloc", "db_url",
> "mysql://ser:pass@localhost/ser")
> modparam("auth_db", "calculate_ha1", 1)
> modparam("auth_db", "password_column", "password")
>
> # mediaproxy
> modparam("mediaproxy", "mediaproxy_socket",
> "/var/run/proxydispatcher.sock")
> modparam("mediaproxy", "natping_interval", 30)
> modparam("mediaproxy", "sip_asymmetrics",
> "/tcnet/mediaproxy/sip-asymmetrics-clients")
> modparam("mediaproxy", "rtp_asymmetrics",
> "/tcnet/mediaproxy/rtp-asymmetrics-clients")
>
> # usrloc
> modparam("usrloc", "db_mode", 2)
>
> # rr
> modparam("rr", "enable_full_lr", 1)
>
> # registrar
> modparam("registrar", "nat_flag", 6)
>
> # acc
> modparam("acc", "radius_config",
> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
> modparam("acc", "log_level", 1)
> modparam("acc", "log_flag", 1)
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 2)
> modparam("acc", "log_fmt", "miocfst")
> modparam("acc", "failed_transactions", 1)
>
> # tm
> modparam("tm", "fr_inv_timer", 27)
> modparam("tm", "fr_inv_timer_avp", "inv_timeout")
>
> # main routing logic
> route {
>
> if (method == "BYE" || method == "CANCEL") {
> end_media_session();
> setflag(1); # accounting
> setflag(2); # missed call
> };
>
> # initial sanity checks -- messages with
> # max_forwards==0, or excessively long requests
> if (!mf_process_maxfwd_header("10")) {
> if (method!="ACK") {
> sl_send_reply("483", "Too Many Hops");
> break;
> };
> };
> if (msg:len > max_len) {
> if (method!="ACK") {
> sl_send_reply("513", "Message too big");
> break;
> };
> };
>
> if (method!="REGISTER") {
> record_route ();
> };
>
> if (loose_route()) {
> if (method=="BYE" || method=="CANCEL") {
> end_media_session();
> setflag(1);
> setflag(2);
> };
> if (method=="INVITE" || method=="ACK") {
> use_media_proxy();
> };
> route(1);
> break;
> };
>
> if (uri == myself) {
> if (method == "REGISTER") {
> if (search("^(Contact|m):
> .*@(200\.167\.20\.34|evoip03\.tcnet\.com\.br|sip\.e-voip\.com\.br)")) {
> log("LOG: alert: someone trying to set aor==contact\n");
> sl_send_reply("476", "No Server Address in Contacts Allowed");
> break;
> };
>
> route(2); # WWW authentication
>
> if (!save("location")) {
> sl_reply_error();
> };
> break;
> };
>
> if (method == "INVITE") {
> route(3); # PROXY authentication
> if (uri=~"^sip:0") {
> route(4); # Asterisk
> };
>
> consume_credentials();
>
> #lookup("location");
> if (!lookup("location")) {
> if (!lookup("aliases")) {
> if (uri=~"^sip:[3789][0-9]") {
> prefix("035");
> route(4); # Asterisk
> } else {
> sl_send_reply ("404", "Not Found");
> break;
> };
> };
> };
> setflag(1);
> setflag(2);
> route(1);
> break;
> };
> };
> route(1);
> }
>
> # Fix NATED client on reply route.
> onreply_route[1] {
> if (client_nat_test("1") && status=~"(183)|(2[0-9][0-9])") {
> fix_contact();
> };
> use_media_proxy ();
> }
>
> # Normal relay
> route[1] {
>
> if (uri =~ "[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")) {
> sl_send_reply("479", "We don't forward to private IP addresses");
> break;
> };
>
> t_on_reply("1");
> t_on_failure("1");
>
> if (!t_relay()) {
> sl_reply_error();
> };
> }
>
> # WWW authentication
> route[2] {
> if (client_nat_test("3")) {
> setflag(6);
> force_rport();
> fix_contact();
> };
>
> sl_send_reply("100", "Trying");
>
> if (!www_authorize("", "subscriber")) {
> www_challenge("", "0");
> break;
> };
>
> if (!check_to()) {
> sl_send_reply ("401", "Unauthorized");
> break;
> };
>
> }
>
> # PROXY authentication
> route[3] {
> if (!proxy_authorize("", "subscriber")) {
> proxy_challenge("", "0");
> break;
> };
> }
>
> # Asterisk - E-Voip
> route[4] {
> t_on_reply("1");
> rewritehost("200.167.20.26");
> avp_write("i:45", "inv_timeout");
> }
>
> failure_route[1] {
> end_media_session();
> }
>
--------------------------------------------------------------------------------
> #
> # $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
> #
> # simple quick-start config script
> #
>
> # ----------- global configuration parameters ------------------------
>
> debug=3 # debug level (cmd line: -dddddddddd)
> fork=yes
> log_stderror=no # (cmd line: -E)
>
> # TCNet Configuration
> # hostname matching an alias will satisfy the condition uri==myself.
> listen="200.167.20.34"
> alias="e-voip.com.br"
> alias="200.167.20.34"
> uid="ser"
> gid="ser"
>
> check_via=no # (cmd. line: -v)
> dns=no # (cmd. line: -r)
> rev_dns=no # (cmd. line: -R)
> port=5060
> children=4
> fifo="/tmp/ser_fifo"
> fifo_db_url="mysql://ser:pass@localhost/ser"
>
> # Modules
> loadmodule "/tcnet/ser/lib/ser/modules/mysql.so"
> loadmodule "/tcnet/ser/lib/ser/modules/sl.so"
> loadmodule "/tcnet/ser/lib/ser/modules/tm.so"
> loadmodule "/tcnet/ser/lib/ser/modules/rr.so"
> loadmodule "/tcnet/ser/lib/ser/modules/maxfwd.so"
> loadmodule "/tcnet/ser/lib/ser/modules/usrloc.so"
> loadmodule "/tcnet/ser/lib/ser/modules/registrar.so"
> loadmodule "/tcnet/ser/lib/ser/modules/auth.so"
> loadmodule "/tcnet/ser/lib/ser/modules/auth_db.so"
> loadmodule "/tcnet/ser/lib/ser/modules/uri.so"
> loadmodule "/tcnet/ser/lib/ser/modules/uri_db.so"
> loadmodule "/tcnet/ser/lib/ser/modules/nathelper.so"
> loadmodule "/tcnet/ser/lib/ser/modules/textops.so"
> loadmodule "/tcnet/ser/lib/ser/modules/avpops.so"
> loadmodule "/tcnet/ser/lib/ser/modules/acc.so"
>
> # Modules parameter
> # auth_db
> modparam("auth_db|uri_db|usrloc", "db_url",
> "mysql://ser:pass@localhost/ser")
> modparam("auth_db", "calculate_ha1", 1)
> modparam("auth_db", "password_column", "password")
>
> # nathelper
> modparam("nathelper", "natping_interval", 30)
> modparam("nathelper", "ping_nated_only", 1)
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
>
> # usrloc
> modparam("usrloc", "db_mode", 2)
>
> # rr
> modparam("rr", "enable_full_lr", 1)
>
> # registrar
> modparam("registrar", "nat_flag", 6)
>
> # acc
> modparam("acc", "radius_config",
> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
> modparam("acc", "log_level", 1)
> modparam("acc", "log_flag", 1)
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 2)
> modparam("acc", "log_fmt", "miocfst")
> modparam("acc", "failed_transactions", 1)
>
> # tm
> modparam("tm", "fr_inv_timer", 27)
> modparam("tm", "fr_inv_timer_avp", "inv_timeout")
>
> # main routing logic
> route {
>
> if (method == "BYE" || method == "CANCEL") {
> unforce_rtp_proxy();
> setflag(1); # accounting
> setflag(2); # missed call
> };
>
> # initial sanity checks -- messages with
> # max_forwards==0, or excessively long requests
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483", "Too Many Hops");
> break;
> };
> if (msg:len > max_len) {
> sl_send_reply("513", "Message too big");
> break;
> };
>
> if (method!="REGISTER") {
> record_route ();
> };
>
> if (loose_route()) {
> if (method == "BYE") {
> setflag(1);
> setflag(2);
> unforce_rtp_proxy();
> };
> route(1);
> break;
> };
>
> if (uri == myself) {
> if (method=="INVITE") {
> fix_nated_sdp ("1");
> };
>
> if (method == "REGISTER") {
> if (search("^(Contact|m):
> .*@(200\.167\.20\.34|evoip03\.tcnet\.com\.br|sip\.e-voip\.com\.br)")) {
> log("LOG: alert: someone trying to set aor==contact\n");
> sl_send_reply("476", "No Server Address in Contacts Allowed");
> break;
> };
>
> route(2); # WWW authentication
>
> if (!save("location")) {
> sl_reply_error();
> };
> break;
> };
>
> if (method == "INVITE") {
> route(3); # PROXY authentication
> if (uri=~"^sip:0") {
> route(4); # Asterisk
> };
>
> consume_credentials();
>
> #lookup("location");
> if (!lookup("location")) {
> if (!lookup("aliases")) {
> if (uri=~"^sip:[3789][0-9]") {
> prefix("035");
> route(4); # Asterisk
> } else {
> sl_send_reply ("404", "Not Found");
> break;
> };
> };
> };
> setflag(1);
> setflag(2);
> route(1);
> break;
> };
> };
> route(1);
> }
>
> # Fix NATED client on reply route.
> onreply_route[1] {
> if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
> if (!search("Content-Length:[ ]*0")) {
> force_rtp_proxy();
> };
> };
> }
>
> # Normal relay
> route[1] {
>
> if (uri =~ "[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")) {
> sl_send_reply("479", "We don't forward to private IP addresses");
> break;
> };
>
> t_on_reply("1");
>
> if (isflagset(6) || isflagset(5)) {
> log (1, "oi");
> force_rtp_proxy ();
> };
>
> if (!t_relay()) {
> sl_reply_error();
> };
> }
>
> # WWW authentication
> route[2] {
> if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
> setflag(6);
> fix_nated_register();
> force_rport();
> };
>
> sl_send_reply("100", "Trying");
>
> if (!www_authorize("", "subscriber")) {
> www_challenge("", "0");
> break;
> };
>
> if (!check_to()) {
> sl_send_reply ("401", "Unauthorized");
> break;
> };
>
> if (isflagset(5)) {
> setflag(6);
> };
> }
>
> # PROXY authentication
> route[3] {
> if (nat_uac_test("19")) {
> setflag(6);
> };
>
> if (!proxy_authorize("", "subscriber")) {
> proxy_challenge("", "0");
> break;
> };
> }
>
> # Asterisk - E-Voip
> route[4] {
> if (isflagset(6)) {
> force_rport();
> fix_nated_contact();
> force_rtp_proxy();
> };
>
> t_on_reply("1");
> rewritehost("200.167.20.26");
> avp_write("i:45", "inv_timeout");
> }
>
--------------------------------------------------------------------------------
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
More information about the sr-users
mailing list