I think I have this working. For anyone else trying to do a similar thing (or placing Kamailio behind FW/NAT), here is my cookbook.
We are trying to set up the following:
[UAS] <------> (PubIP)[FireWall/One-to-OneNAT]<-------->(PrivIP)[Kamailio/RTPProxy](PrivIP)<---------->(PrivIP2)[UAC]
UAC/UAS cannot reach each other directly.
For simplicity I am running RTPProxy on same machines as Kamailio. But this can be changed.
Versions/patches/fixes you need if you are running 3.1.2 (trunk/3.2 has these):
a. Fixed forward.c for mhome to work properly (included in 3.1.4).
b. rr module from trunk to be able to use 2 strings for record_route_preset
c. Patched rtpproxy module to actually use the forced ip supplied to force_rtp_proxy. Patch at the end of this message
d. rtpproxy version 1.2.1
What to do:
1. Set up FW/NAT rules to map the public IP to the private IP and allow communications to/from the UAS.
2. Set up RTPProxy in "bridged" mode (e.g. -F -l 10.10.5.90/10.10.5.90 -s udp:10.10.5.90:9005) listening on the private IP.
3. Set up the config file to:
   a. Set up modparams to make the above rtpproxy available. Use set_rtp_proxy_set if you have more than one instance.
   b. Do the following where you are processing the outbound *initial* INVITE (i.e. check totag) (call from UAC to UAS):
        set_advertised_address("YourPublicIP");
        if(!has_totag()) { record_route_preset("YourPublicIP:5060;r2=on;nat=yes", "YourPrivateIP:5060;r2=on;nat=yes"); }
        force_rtp_proxy("ocfaei", "YourPublicIP");
   c. Do the following where you are processing the inbound INVITE (call from UAS to UAC):
        if(!has_totag()) { record_route_preset("YourPrivateIP:5060;r2=on;nat=yes", "YourPublicIP:5060;r2=on;nat=yes"); }
        force_rtp_proxy("ocfaei");
   d. Do the following where you are processing replies (180/183/2XX):
      For inbound calls:
        force_rtp_proxy("ocfa", "YourPublicIP");
      For outbound calls:
        force_rtp_proxy("ocfa");
   e. Unforce RTPProxy on BYE or failures.
Do not use record_route in the above scenario. If you have it now, remove it or make sure it doesn't get called for this specific case.
Explanation:
In #b, you are fixing the Via headers to use the public IP, setting Record-Route headers so that ACK/re-INVITE can find their way back, and force fixing the SDP with the public IP for outbound calls.
In #c, you are doing the same thing except there is no need to fix Via and the route set is reversed. No need to force fix the SDP either since it is figured out automatically.
In #d, you are force fixing the SDP to use the public IP for inbound, or the usual for outbound, so that the audio stream from the UAS can be relayed.
The r2=on parameter is required (as well as enabling double rr, which is default) so that the proxy can deal with the route sets properly.
Hope the above helps others.
SV.
Rtpproxy Patch
2226,2233c2226
< LM_DBG("Str2 is %s\n", str2);
< if(str2) {
< newip.s = str2;
< LM_DBG("NewIp is %s\n", newip.s);
< }
< else {
< newip.s = (argc < 2) ? str2 : argv[1];
< }
---
> newip.s = (argc < 2) ? str2 : argv[1];
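Review bot: In the new block, LM_DBG("Str2 is %s\n", str2) runs before the if(str2) check, so a NULL str2 is handed to %s; move that debug line inside the if branch. The else branch is only reached when str2 is NULL, so its `(argc < 2) ? str2 : argv[1]` still yields NULL whenever argc < 2, and the visible lines set only newip.s with no handling for that case. The diff is also written in reverse: the `<` side carries the eight new lines and the `>` side the single original line, so it should be regenerated as original-versus-patched, preferably as a unified diff with file names, before anyone applies it.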
Ovidiu,
Thanks for your time. The "fixes" I pulled in is the latest rr module only. I didn't see anything in that diff to make this work. Could you elaborate a little?
However, I was able to get "Outbound" working properly by adding ";r2=on" to the record_route_preset IPs. In going through the source code, I noticed that this is what regular record_route uses to enable double rr and it would automatically take both headers out if it sees that. That seems to have worked. Any pitfalls with this?
I am still working on "Inbound". For some reason my carrier GW keeps resending invites even after receiving ACK. I need to see if it is an issue with the carrier.
Thanks
SV.
-----Original Message-----
From: Ovidiu Sas [mailto:osas@voipembedded.com]
Sent: Tuesday, September 06, 2011 9:50 AM
To: SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List
Subject: Re: [SR-Users] Kamailio + rtpproxy talking to multiple carrier gateways
It seems that something is misconfigured on your server. The fixes that I made in the trunk (and you pulled in your local 3.1 repo) were designed to handle the scenario that you are trying to implement.
The ACK should be handled properly and routed to the upstream carrier (following the same path as the initial INVITE).
Regards,
Ovidiu Sas
On Mon, Sep 5, 2011 at 5:07 PM, Sarat C. Vemuri <sarat.vemuri(a)fthco.com> wrote:
> Again, I apologize for this clumsy way of replying.
>
> Ovidiu,
>
> Thanks for the pointer on set_advertised_address. I had to patch rtpproxy module (and rr module for the two parameters to request_route_preset) since I am running 3.1.
>
> However, I still have a problem with ACKs after following what you suggested.
>
> INVITE from Internal to Carrier routes properly (two Request-Route headers, one internal IP and other public IP). On 200 OK, the carrier GW properly copies the route set in to Route header. Now the route contains two entries, the public IP and the private IP of Kamailio. The Internal UAC then sends the ACK back to Kamailio. Everything is fine till this point. Now, Kamailio removes the top entry, which is the private IP and then promptly sends the ACK to the public IP of itself!. Of course, that doesn't go anywhere.
>
> How do I remove the "public IP" entry from the route set before forwarding the reply to Internal UAC? Is there another way to deal with this? I've tried to set an alias= core parameter with the public IP, but doesn't seem to have any effect. The public IP is not reachable from internal network.
>
> Thanks for your help
>
> SV.
> ------------------------------
>
> Message: 3
> Date: Sat, 3 Sep 2011 16:44:22 -0700
> From: Ovidiu Sas <osas(a)voipembedded.com>
> Subject: Re: [SR-Users] Kamailio + rtpproxy talking to multiple
> carrier gateways - some via Firewall/NAT
> To: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
> Users Mailing List" <sr-users(a)lists.sip-router.org>
> Message-ID:
>
> <CAND0Lkt_dpcTm2WKMywMhX6rdsX1ia0r=LYrzB1WfX3oN32Wrg(a)mail.gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> It is feasible to do what you want: kamailio behind NAT proxying traffic
> from/to public internet to/from private network.
> You will need to properly craft the INVITE and use proper record route headers.
> Use set_advertised_address when needed:
> http://kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#set_advertised_address
> Also, use record_route_preset (note that there are two parameters):
> http://kamailio.org/docs/modules/devel/modules_k/rr.html#id2547566
>
> That should do it. You don't need any patches for rtpproxy.
> Just use force_rtpp_proxy (and force the IP address):
> http://kamailio.org/docs/modules/devel/modules/rtpproxy.html#id2546034
>
>
> Note: Make sure that you understand how in-dialog requests are routed
> by a proxy in order to know how to properly handle the initial INVITE.
>
>
> Regards,
> Ovidiu Sas
>
> On Sat, Sep 3, 2011 at 2:53 PM, Sarat C. Vemuri <sarat.vemuri(a)fthco.com> wrote:
>> We are trying to configure Kamailio (3.1.x) as a "border proxy"
>> where it acts as the front for various carrier gateways so that
>> internal UACs and UASs are unaware of the carrier gateways.
>>
>> Let me try to present a clear picture of our setup.
>>
>> 1. Kamailio has several NICs (physical or vlan). Each on a
>> different subnet. One subnet is internal/has routes for internal.
>> Other subnets are private connections to carriers or a route to public Internet.
>>
>> 2. All of these subnets are non-routable from Internet. In
>> addition, the carrier private connections are not routable internally.
>>
>> 3. Connection to public internet is via a FW/NAT (one-to-one
>> NAT), which maps to one of the interfaces.
>>
>> 4. All internal UAC/UAS connect on the internal subnet.
>>
>> 5. We are using RTPProxy (at least one instance per carrier)
>> to relay media between internal and carrier subnets
>>
>> We are able to make this setup work great except for one
>> scenario. One of the carriers is only reachable via public
>> Internet. Due to security requirements, our Kamailio cannot have a
>> public IP address and must use FW/NAT. I guess this scenario is
>> "Proxy behind NAT" and not really encouraged. But I would like to
>> see if there is a way to make this work. We cannot use the
>> "advertised_address" since it changes the IP for every "route".
>>
>> We were able to get this mostly working by doing the following
>>
>> 1. mhomed=1
>>
>> 2. Small patch in the rtpproxy module so that force_rtp_proxy
>> actually uses the IP address passed (public IP).
>>
>> 3. Using request_route_preset("publicIP")
>>
>> The above "mostly" works. By that I mean, the INVITE transaction is
>> properly passed between internal UAS and carrier SBC and the call is set up.
>> However, further transactions (BYE/re-INVITE) etc do not work
>> properly. So, far-end hangups are not working etc.
>>
>> I've searched various archives of this and other SER lists looking to
>> see if anyone was able to get this scenario working, but couldn't
>> find a definitive answer. Most of them point to using "advertised_address".
>>
>> So, any ideas on how to make "Proxy behind NAT" work without using
>> advertised_address? Am I wasting my time?
>>
>> Thanks in advance for any help you can offer.
>>
>> SV.
>>
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>> list sr-users(a)lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hi!
Recently I had a problem with permanent usrloc entries when upgrading a
server from SER 0.9 to Kamailio 3.1.
Obviously the problem was that the permanent entries had "flag=128" and
now expires=0 is used, see old thread:
http://old.nabble.com/usrloc-permanent-records-and-strptime-td17668417.html
The strange thing is that even setting the expiry to 2099-0...... did
not work and Kamailio deleted the "expired" entries. Only setting it
to "1970-01-01 01:00:00" worked.
Any ideas what could have been wrong?
Further I wonder why Kamailio uses 01:00:00 for the permanent entry? The
server is currently running in timezone CEST (UTC+2), thus IMO 02:00:00
would be more logical.
Above thread also mentions problems with day-light-saving changes. Are
there really problems? How do you solve those problems? I think the best
workaround is to set system time always to UTC.
Thanks
Klaus
Hi,
I have a question about the assignment of Role permissions to limit some
Users' privileges in Siremis. I defined a user, and then a Role denying some
actions, but I couldn't deny the action from the SER menu. The Role
permissions only show the modules on Application Menu from Administration
Tab. What if I want to deny access to some items inside SER Menu, like
modifying the ACL services and/or Routing services?
Regards,
Camila Troncoso | Development Engineer
VoissNet S.A. | ctroncoso(a)redvoiss.net
Santiago - Chile | +56 2 2408535
www.redvoiss.net
Hello
I want to store in a file the accesses to and disconnections from the
system. For access (registrar), I thought of scheduling a perl script
executed with the perl module; the problem I find is with disconnections.
Since the user can be disconnected for various reasons, I had planned to do
a script that goes through the SQL table location and, according to the
expires field, sees whether a disconnection has occurred or not. I would
have to run this script in cron every X minutes. Is there a simpler way to
check this, or does Kamailio have some function for it? Thank you.
Best regards
Again, I apologize for this clumsy way of replying.
Ovidiu,
Thanks for the pointer on set_advertised_address. I had to patch rtpproxy module (and rr module for the two parameters to request_route_preset) since I am running 3.1.
However, I still have a problem with ACKs after following what you suggested.
INVITE from Internal to Carrier routes properly (two Request-Route headers, one internal IP and other public IP). On 200 OK, the carrier GW properly copies the route set in to Route header. Now the route contains two entries, the public IP and the private IP of Kamailio. The Internal UAC then sends the ACK back to Kamailio. Everything is fine till this point. Now, Kamailio removes the top entry, which is the private IP and then promptly sends the ACK to the public IP of itself!. Of course, that doesn't go anywhere.
How do I remove the "public IP" entry from the route set before forwarding the reply to Internal UAC? Is there another way to deal with this? I've tried to set an alias= core parameter with the public IP, but doesn't seem to have any effect. The public IP is not reachable from internal network.
Thanks for your help
SV.
------------------------------
Message: 3
Date: Sat, 3 Sep 2011 16:44:22 -0700
From: Ovidiu Sas <osas(a)voipembedded.com>
Subject: Re: [SR-Users] Kamailio + rtpproxy talking to multiple
carrier gateways - some via Firewall/NAT
To: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users Mailing List" <sr-users(a)lists.sip-router.org>
Message-ID:
<CAND0Lkt_dpcTm2WKMywMhX6rdsX1ia0r=LYrzB1WfX3oN32Wrg(a)mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
It is feasible to do what you want: kamailio behind NAT proxying traffic
from/to public internet to/from private network.
You will need to properly craft the INVITE and use proper record route headers.
Use set_advertised_address when needed:
http://kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#set_advertised_ad…
Also, use record_route_preset (note that there are two parameters):
http://kamailio.org/docs/modules/devel/modules_k/rr.html#id2547566
That should do it. You don't need any patches for rtpproxy.
Just use force_rtpp_proxy (and force the IP address):
http://kamailio.org/docs/modules/devel/modules/rtpproxy.html#id2546034
Note: Make sure that you understand how in-dialog requests are routed
by a proxy in order to know how to properly handle the initial INVITE.
Regards,
Ovidiu Sas
On Sat, Sep 3, 2011 at 2:53 PM, Sarat C. Vemuri <sarat.vemuri(a)fthco.com> wrote:
> We are trying to configure Kamailio (3.1.x) as a "border proxy" where it
> acts as the front for various carrier gateways so that internal UACs and
> UASs are unaware of the carrier gateways.
>
> Let me try to present a clear picture of our setup.
>
> 1. Kamailio has several NICs (physical or vlan). Each on a different
> subnet. One subnet is internal/has routes for internal. Other subnets are
> private connections to carriers or a route to public Internet.
>
> 2. All of these subnets are non-routable from Internet. In addition,
> the carrier private connections are not routable internally.
>
> 3. Connection to public internet is via a FW/NAT (one-to-one NAT),
> which maps to one of the interfaces.
>
> 4. All internal UAC/UAS connect on the internal subnet.
>
> 5. We are using RTPProxy (at least one instance per carrier) to relay
> media between internal and carrier subnets
>
> We are able to make this setup work great except for one scenario. One
> of the carriers is only reachable via public Internet. Due to security
> requirements, our Kamailio cannot have a public IP address and must use
> FW/NAT. I guess this scenario is "Proxy behind NAT" and not really
> encouraged. But I would like to see if there is a way to make this work. We
> cannot use the "advertised_address" since it changes the IP for every
> "route".
>
> We were able to get this mostly working by doing the following
>
> 1. mhomed=1
>
> 2. Small patch in the rtpproxy module so that force_rtp_proxy
> actually uses the IP address passed (public IP).
>
> 3. Using request_route_preset("publicIP")
>
> The above "mostly" works. By that I mean, the INVITE transaction is
> properly passed between internal UAS and carrier SBC and the call is set up.
> However, further transactions (BYE/re-INVITE) etc do not work properly. So,
> far-end hangups are not working etc.
>
> I've searched various archives of this and other SER lists looking to see if
> anyone was able to get this scenario working, but couldn't find a definitive
> answer. Most of them point to using "advertised_address".
>
> So, any ideas on how to make "Proxy behind NAT" work without using
> advertised_address? Am I wasting my time?
>
> Thanks in advance for any help you can offer.
>
> SV.
Hi
I want to use Kamailio to handle both signalling and media always.
My scenario is the following: PSTN==>KAMAILIO==>ASTERISK. I have a dialplan
that points to ASTERISK when a call comes into Kamailio. Signalling is fine,
however I can't seem to get the media to work. I have installed the RTPPROXY
as suggested by the RTPPROXY module and have implemented it into the routing
logic, however I have one-way audio. The PSTN side cannot hear anything.
I don't use Kamailio for SIP registrations or for users behind NAT. I
just use a simple dialplan for forwarding SIP messages to certain VOIP
carriers of ours, however some of our carriers request that we use both signalling
and media from the same IP; that's why I need to implement this scenario.
Is this possible?
Thanking you in advance for your help!
Phillip
Hi,
I am using the git version of kamailio, and I am experiencing a problem.
This message is repeated in the log with all kinds of mysql queries
(insert/delete/select):
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: db_mysql [km_dbase.c:124]: driver error on query: Commands out of sync; you can't run this command now
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: <core> [db_query.c:103]: error while submitting query
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: usrloc [udomain.c:570]: db_query failed
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: db_mysql [km_dbase.c:124]: driver error on query: Commands out of sync; you can't run this command now
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: <core> [db_query.c:186]: error while submitting query
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: usrloc [ucontact.c:513]: inserting contact in db failed
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: usrloc [urecord.c:474]: failed to insert in database
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: registrar [save.c:430]: failed to insert contact
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: db_mysql [km_dbase.c:124]: driver error on query: Commands out of sync; you can't run this command now
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: <core> [db_query.c:242]: error while submitting query
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: usrloc [urecord.c:426]: failed to delete from database
Aug 27 22:04:05 hal /usr/sbin/kamailio[25681]: ERROR: usrloc [udomain.c:896]: DB delete failed
I am using stable debian, so db_mysql.so is linked with libmysqlclient.so.16.
I read the mysql doc and it says the following about this error:
"Commands out of sync; you can't run this command now"
http://dev.mysql.com/doc/refman/5.0/en/commands-out-of-sync.html
So the cause of this problem is that the last result was not freed.
Only one assumption:
Could it be related to this change:
http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=commitdiff;h=df…
Any help appreciated.
Regards,
Misi
Alex,
Sorry about this clumsy way of replying, but I am stuck with Outlook 2010 and Exchange.
You stated the problem correctly. Carrier GWs (UAS) and internal clients (UAC) cannot reach each other directly (TCP/UDP). They have to go through Kamailio and rtpproxy. I am going to reply to Ovidiu as well with some more details.
Thanks
SV.
------------------------------
Message: 2
Date: Sat, 03 Sep 2011 19:12:38 -0400
From: Alex Balashov <abalashov(a)evaristesys.com>
Subject: Re: [SR-Users] Kamailio + rtpproxy talking to multiple
carrier gateways - some via Firewall/NAT
To: sr-users(a)lists.sip-router.org
Message-ID: <4E62B466.20808(a)evaristesys.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
On 09/03/2011 05:53 PM, Sarat C. Vemuri wrote:
> 3. Using request_route_preset("publicIP")
>
> The above "mostly" works. By that I mean, the INVITE transaction is
> properly passed between internal UAS and carrier SBC and the call is
> setup. However, further transactions (BYE/re-INVITE) etc do not work
> properly. So, far-end hangups are not working etc.
So in other words, there is no interface to which Kamailio could be bound on a network that both the UAC and the UAS have direct network and transport-layer reachability to?
If I understand correctly, it sounds like the fundamental problem here is that the Record-Route URI introduced by the proxy in handling the initial INVITE request has to be conserved in all subsequent requests and replies. It is a requirement to use the same route set in sequential (in-dialog) requests such as reinvites or BYEs. It is also mandatory for the UAS to copy the received Record-Route into the final reply (i.e. 200 OK).
The problem is that you then have to choose the network address in the Record-Route. If either the UAC or the UAS cannot directly reach it, your problem arises.
Is this an accurate statement of the problem? I wanted to verify before continuing.
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
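
The route-set problem discussed in this thread (the ACK being forwarded to the proxy's own public IP, and the effect of ";r2=on") can be reproduced with a small loose-routing model. This is an added example, not code from Kamailio or from any poster; the public and carrier addresses, the function names, and the assumption that the proxy recognises only its private address as itself are constructed for illustration.

```python
"""Simplified model of loose routing at a proxy that record-routed itself twice.
Added illustration only: not Kamailio source. Only the private address comes
from the thread; every other address is constructed."""

PRIV = "10.10.5.90"     # proxy's private address (from the rtpproxy example in the thread)
PUB = "203.0.113.10"    # constructed: one-to-one NAT address held by the firewall
UAS = "198.51.100.20"   # constructed: carrier gateway contact


def parse_uri(text):
    """Return (host, params) for '<sip:[user@]host[:port];key=value;flag>'."""
    uri = text.strip().strip("<>")
    if uri.lower().startswith("sip:"):
        uri = uri[4:]
    addr, *raw_params = uri.split(";")
    host = addr.split("@")[-1].split(":")[0]
    params = {}
    for item in raw_params:
        key, _, value = item.partition("=")
        params[key.lower()] = value
    return host, params


def route_set(extra_params):
    """Route headers the internal UAC puts in its ACK: private entry on top."""
    return [f"<sip:{PRIV}:5060;lr{extra_params}>",
            f"<sip:{PUB}:5060;lr{extra_params}>"]


def loose_route(routes, request_uri, my_addrs, honor_r2=True):
    """Return (next_hop_host, remaining_routes) for an in-dialog request."""
    routes = list(routes)
    if routes:
        host, params = parse_uri(routes[0])
        if host in my_addrs:
            routes.pop(0)  # top Route names this proxy: consume it
            # r2=on marks the entry as half of a pair written by one proxy,
            # so the following entry is consumed too instead of being routed to.
            if honor_r2 and params.get("r2") == "on" and routes:
                routes.pop(0)
    target = routes[0] if routes else request_uri
    return parse_uri(target)[0], routes


def ack_next_hop(extra_params):
    """Where the proxy forwards the UAC's ACK when it only owns PRIV."""
    hop, _ = loose_route(route_set(extra_params), f"sip:gw@{UAS}:5060", {PRIV})
    return hop


if __name__ == "__main__":
    for label, params in (("no r2", ""), ("r2=on", ";r2=on;nat=yes")):
        hop = ack_next_hop(params)
        note = ("proxy's own NAT address, unreachable from inside"
                if hop == PUB else "carrier gateway")
        print(f"{label:6} -> ACK forwarded to {hop} ({note})")
```

Without the r2 marker the second Route entry survives and the ACK is aimed at the NAT address; with it, both entries are consumed and the request follows the Request-URI to the carrier.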