[Serusers] Problem running SER behind firewall
Wei Wang
wwang at m1global.com
Wed May 16 16:15:58 CEST 2007
Changed the cfg file to do record_route_preset to avoid private address
being added to the Record-Route header. Now the Record-Route header
contains public address. But the problem remains.
I am quite new to SIP. I don't understand why SER sent the last ACK
received from UA1 to the firewall public address instead of UA2's public
IP. But INVITE went through fine.
Thanks,
Wei
============ tcpdump =================
10:02:09.277595 IP 68.158.174.169.33415 > 192.168.4.217.5060: SIP,
length: 757
E.......t.|AD..............cACK
sip:1002 at 63.111.4.162:17784;rinstance=59a418695e254c5a SIP/2.0^M
Via: SIP/2.0/UDP
68.158.174.169:30236;branch=z9hG4bK-d87543-a44efa3aad34e076-1--d87543-;r
port^M
Max-Forwards: 70^M
Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=9846c732>^M
Contact: <sip:1001 at 68.158.174.169:33415>^M
To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=8126ba56^M
From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=9846c732^M
Call-ID: ZTZiYWY0ZmI2ZWUyMWNmNGNkZjJlMjQzNmQ2NTBmMTk.^M
CSeq: 2 ACK^M
Proxy-Authorization: Digest
username="1001",realm="starpound.dnsalias.org",nonce="464b100a413a877d15
0f21e026e37da975d1a72b",uri="sip:1002 at starpound.dnsalias.org",response="
3fb4c3d90a7c848146d49188666e95f9",algorithm=MD5^M
User-Agent: X-Lite release 1009l stamp 38210^M
Content-Length: 0^M
^M
10:02:09.277925 IP 192.168.4.217.5060 > 66.134.1.34.5060: SIP, length:
878
E..... at .@.-.....B..".....v..ACK
sip:1002 at 63.111.4.162:17784;rinstance=59a418695e254c5a SIP/2.0^M
Record-Route: <sip:1002 at 66.134.1.34:5060;nat=yes;ftag=9846c732;lr=on>^M
Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
Via: SIP/2.0/UDP
68.158.174.169:30236;branch=z9hG4bK-d87543-a44efa3aad34e076-1--d87543-;r
port=33415^M
Max-Forwards: 16^M
Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=9846c732>^M
Contact: <sip:1001 at 68.158.174.169:33415>^M
To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=8126ba56^M
From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=9846c732^M
Call-ID: ZTZiYWY0ZmI2ZWUyMWNmNGNkZjJlMjQzNmQ2NTBmMTk.^M
CSeq: 2 ACK^M
Proxy-Authorization: Digest
username="1001",realm="starpound.dnsalias.org",nonce="464b100a413a877d15
0f21e026e37da975d1a72b",uri="sip:1002 at starpound.dnsalias.org",response="
3fb4c3d90a7c848146d49188666e95f9",algorithm=MD5^M
User-Agent: X-Lite release 1009l stamp 38210^M
Content-Length: 0^M
=========== end tcpdump ==================
________________________________________
From: Greger V. Teigre [mailto:greger at teigre.com]
Sent: Wednesday, May 16, 2007 3:58 AM
To: Wei Wang
Cc: serusers at iptel.org
Subject: Re: [Serusers] Problem running SER behind firewall
You have to use your public ip by using record_route_preset also for
non-NATed.
As you can see, the Record-Route header contains your private address.
g-)
Wei Wang wrote:
Greger,
Thanks for the help. I've added advertised_address to the ser.cfg file.
...
listen=192.168.4.217
port=5060
advertised_address=66.134.1.34
advertised_port=5060
....
But it did not seem to help.
Here is the TCP traffic:
================= START TCPDUMP =================
11:50:38.459320 IP 192.168.4.217.5060 > 66.134.1.34.5060: SIP, length:
862
E..z.. at .@..'....B..".....f..ACK
sip:1002 at 63.111.4.162:12829;rinstance=1b31f557c9fca8dd SIP/2.0^M
Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
Via: SIP/2.0/UDP
68.158.174.169:34634;branch=z9hG4bK-d87543-d50d836cf977ab39-1--d87543-;r
port=33341^M
Max-Forwards: 16^M
Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=8c0a471f>^M
Contact: <sip:1001 at 68.158.174.169:33341>^M
To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=4a343c52^M
From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=8c0a471f^M
Call-ID: YmNkZDA2NGUzNWQ0MGRmZTBhMDc2OTdhYTFlZTFhMGE.^M
CSeq: 2 ACK^M
Proxy-Authorization: Digest
username="1001",realm="starpound.dnsalias.org",nonce="4649d7f70f1fe18816
1fde13326cf91821414477",uri="sip:1002 at starpound.dnsalias.org",response="
4e0599dd16884d25bd61cc753ca24a6b",algorithm=MD5^M
User-Agent: X-Lite release 1009l stamp 38210^M
Content-Length: 0^M
11:50:38.459602 IP 192.168.4.1.5060 > 192.168.4.217.5060: SIP, length:
862
E..z.. at .?..%.............f-.ACK
sip:1002 at 63.111.4.162:12829;rinstance=1b31f557c9fca8dd SIP/2.0^M
Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
Via: SIP/2.0/UDP
68.158.174.169:34634;branch=z9hG4bK-d87543-d50d836cf977ab39-1--d87543-;r
port=33341^M
Max-Forwards: 16^M
Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=8c0a471f>^M
Contact: <sip:1001 at 68.158.174.169:33341>^M
To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=4a343c52^M
From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=8c0a471f^M
Call-ID: YmNkZDA2NGUzNWQ0MGRmZTBhMDc2OTdhYTFlZTFhMGE.^M
CSeq: 2 ACK^M
Proxy-Authorization: Digest
username="1001",realm="starpound.dnsalias.org",nonce="4649d7f70f1fe18816
1fde13326cf91821414477",uri="sip:1002 at starpound.dnsalias.org",response="
4e0599dd16884d25bd61cc753ca24a6b",algorithm=MD5^M
User-Agent: X-Lite release 1009l stamp 38210^M
Content-Length: 0^M
11:50:38.459885 IP 192.168.4.217.5060 > 66.134.1.34.5060: SIP, length:
982
E..... at .@.-.....B.."......^M.ACK
sip:1002 at 63.111.4.162:12829;rinstance=1b31f557c9fca8dd SIP/2.0^M
Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
Record-Route: <sip:192.168.4.217;ftag=8c0a471f;lr=on>^M
Via: SIP/2.0/UDP 66.134.1.34:5060;branch=0^M
Via: SIP/2.0/UDP 66.134.1.34:5060;received=192.168.4.1;branch=0^M
Via: SIP/2.0/UDP
68.158.174.169:34634;branch=z9hG4bK-d87543-d50d836cf977ab39-1--d87543-;r
port=33341^M
Max-Forwards: 15^M
Route: <sip:1002 at 66.134.1.34:5060;lr;nat=yes;ftag=8c0a471f>^M
Contact: <sip:1001 at 68.158.174.169:33341>^M
To: "1002"<sip:1002 at starpound.dnsalias.org>;tag=4a343c52^M
From: "UA1"<sip:1001 at starpound.dnsalias.org>;tag=8c0a471f^M
Call-ID: YmNkZDA2NGUzNWQ0MGRmZTBhMDc2OTdhYTFlZTFhMGE.^M
CSeq: 2 ACK^M
Proxy-Authorization: Digest
username="1001",realm="starpound.dnsalias.org",nonce="4649d7f70f1fe18816
1fde13326cf91821414477",uri="sip:1002 at starpound.dnsalias.org",response="
4e0599dd16884d25bd61cc753ca24a6b",algorithm=MD5^M
User-Agent: X-Lite release 1009l stamp 38210^M
Content-Length: 0^M
================= END TCPDUMP =================
Again, the last ACT was sent to the firewall's external IP
address(66.134.1.34).
-----Original Message-----
From: Greger V. Teigre [mailto:greger at teigre.com]
Sent: Tuesday, May 15, 2007 10:53 AM
To: Wei Wang
Cc: serusers at iptel.org
Subject: Re: [Serusers] Problem running SER behind firewall
You need to use advertised_address and advertised_port just below listen
directive.
g-)
Wei Wang wrote:
I have a problem running SER behind firewall.
Here is the network diagram:
|UA1|--|FW1| +--|FW|--|SER|
\ /
+--+
/ \
|UA2|--|FW2| +--|MediaProxy|
Where, UA1 and UA2 are Xlite soft-phones behind their own firewalls.
SER
is listening on private IP address 192.168.4.217. FW has public IP
address 66.134.1.34 and forwards port 5060 to SER.
The ser.cfg file is pretty much copied from SER getting start guide.
When UA1 calling UA2, the call established fine but UA1 will hang up
by
itself after ~30 seconds. The captured IP packages on SER revealed
that
the last ACK received from UA2 by SER was sent to FW IP address. Since
port 5060 is forwarded to SER on the FW, it caused a looping
situation.
The ser.cfg is listed at the end.
Thanks in advance.
Wei Wang
wwang at m1global.com
======== ser.cfg ============
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
/* Uncomment these lines to enter debugging mode
debug=3
#debug=9
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
listen=192.168.4.217
#listen=66.134.1.36
port=5060
children=4
fifo="/tmp/ser_fifo"
fifo_db_url="mysql://ser:s3rv1c3@localhost/ser"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/permissions.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
loadmodule "/usr/local/lib/ser/modules/domain.so"
loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
loadmodule "/usr/local/lib/ser/modules/print.so"
loadmodule "/usr/local/lib/ser/modules/xlog.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db|permissions|uri_db|usrloc", "db_url",
"mysql://ser:s3rv1c3@localhost/ser")
modparam("auth_db", "calculate_ha1", 1)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
modparam("nathelper", "rtpproxy_disable", 1)
modparam("nathelper", "natping_interval", 0)
modparam("mediaproxy", "natping_interval", 30)
#modparam("mediaproxy", "mediaproxy_socket",
"/var/run/mediaproxy.sock")
modparam("mediaproxy", "mediaproxy_socket",
"/var/run/proxydispatcher.sock")
modparam("mediaproxy", "sip_asymmetrics",
"/usr/local/etc/ser/sip-clients")
modparam("mediaproxy", "rtp_asymmetrics",
"/usr/local/etc/ser/rtp-clients")
modparam("registrar", "nat_flag", 6)
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
modparam("permissions", "db_mode", 1)
modparam("permissions", "trusted_table", "trusted")
modparam("xlog", "buf_size", 8192)
# ------------------------- request routing logic -------------------
# main routing logic
route{
# xlog("L_INFO", "Main route
[From]%fu,[To]%tu,[Req-Method]%rm,[Req-RURI]%ru[IP-src]%is ...\n");
if(method != "SUBSCRIBE") {
xlog("L_INFO", "\r\n===========SIP
MSG==================\r\n%mb\r\n_____END SIP
MSG________________________\r\n");
};
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
break;
};
if (msg:len >= 4086 ) {
sl_send_reply("513", "Message too big");
break;
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (method == "INVITE" && client_nat_test("3")) {
# xlog("L_INFO", "method==INVITE and nated: calling
record_route_preset\n");
# IP ADDRESS Here
record_route_preset("66.134.1.34:5060;nat=yes");
} else if (method!="REGISTER") {
record_route();
};
# -------------------------
# Call Tear Down Section
#-------------------------
if(method=="BYE" || method=="CANCEL") {
#xlog("L_INFO", "RECEIVED BYE or CANCEL...");
end_media_session();
};
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
xlog("L_INFO", "DEBUG: loose_route...");
if((method=="INVITE" || method == "REFER") &&
!has_totag()) {
sl_send_reply("403", "Forbidden");
break;
};
if(method == "INVITE") {
if(!allow_trusted()) {
if(!proxy_authorize("", "subscriber"))
{
proxy_challenge("", "0");
break;
} else if(!check_from()) {
sl_send_reply("403", "Use
From=ID");
break;
};
consume_credentials();
}
if(client_nat_test("3")
|| search("^Route:.*;nat=yes")) {
setflag(6);
use_media_proxy();
};
};
# mark routing logic in request
#append_hf("P-hint: rr-enforced\r\n");
route(1);
break;
};
if (!uri==myself) {
route(4);
# mark routing logic in request
#append_hf("P-hint: outbound\r\n");
route(1);
break;
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if(method == "ACK") {
route(1);
break;
} else if(method=="CANCEL") {
route(1);
break;
} else if(method == "INVITE") {
route(3);
break;
} else if (method=="REGISTER") {
route(2);
break;
};
lookup("aliases");
if (!uri==myself) {
route(4);
#append_hf("P-hint: outbound alias\r\n");
route(1);
break;
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
route[1]
{
t_on_reply("1");
# send it out now; use stateful forwarding as it works
reliably
# even for UDP2TCP
if (!t_relay()) {
if(method=="INVITE" || method == "ACK") {
end_media_session();
};
sl_reply_error();
};
}
route[2]
{
############################
# REGISTER Message Handler
###########################
sl_send_reply("100", "Trying");
if(!search("^Contact:[ ]*\*") && client_nat_test("7")) {
setflag(6);
fix_nated_register();
force_rport();
};
if(!www_authorize("", "subscriber")) {
www_challenge("", "0");
break;
};
if(!check_to()) {
sl_send_reply("401", "Unauthorized");
break;
};
consume_credentials();
if(!save("location")) {
sl_reply_error();
};
}
route[3]
{
############################
# INVITE Message Handler
###########################
if(client_nat_test("3")) {
setflag(7);
force_rport();
fix_nated_contact();
};
if(!allow_trusted()) {
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "0");
break;
} else if(!check_from()) {
sl_send_reply("403", "Use From=ID");
break;
};
};
consume_credentials();
lookup("aliases");
if(uri != myself) {
route(4);
route(1);
break;
};
if(!lookup("location")) {
sl_send_reply("404", "User Not Found");
break;
};
route(4);
route(1);
}
route[4] {
#----------------------------
# NAT Traversal Section
#----------------------------
if(isflagset(6) || isflagset(7)) {
if(!isflagset(8)) {
setflag(8);
use_media_proxy();
};
};
}
onreply_route[1] {
if((isflagset(6) || isflagset(7))
&& (status =~ "(180)|183)|2[0-9][0-9]")) {
if(!search("^Content-Length:[ ]*0")) {
use_media_proxy();
};
};
if(client_nat_test("1")) {
fix_nated_contact();
};
}
=============== END ser.cfg ================
_______________________________________________
Serusers mailing list
Serusers at lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
More information about the sr-users
mailing list