Conditions as follows :

* SER runs on a Public IP

* SER works without auth & database modules,

* Nearly all user behind NAT (but routers configured to do port forwarding for TCP/UDP 5060) to help SER in some cases,

* Users numbers in format of 833XXXXXXX 834XXXXXXX and they should call each P2P-SIP-Calls (if not behind NAT),

* If a user need to call PSTN end point (SIP Gateway located at 212.154.32.154) the call traffic should flow over SER to SIP Gateway via T1 connection already located between that systems so SER handles all voice traffic by help of RTP Proxy.

* UA's registers on SER (Zyxel Prestige 2000, Zyxel Prestige 200W, Cisco ATA186 etc.)

Problem is users cannot call each other (if i comment lines for nathelper they can call)

It's clear i think, and below is my ser.cfg, what do i need extra or erase.

<-<-<-<-< MY SER.CFG STARTS HERE >->->->->

#
# $Id nathelper.cfg,v 1.1.2.1 20050301 by Ozan Blotter Exp $
#
# simple quick-start config script including nathelper support

# This default script includes nathelper support. To make it work
# you will also have to install Maxim's RTP proxy. The proxy is enforced
# if one of the parties is behind a NAT.
#
# If you have an endpoing in the public internet which is known to
# support symmetric RTP (Cisco PSTN gateway or voicemail, for example),
# then you don't have to force RTP proxy. If you don't want to enforce
# RTP proxy for some destinations than simply use t_relay() instead of
# route(1)
#
# Sections marked with !! Nathelper contain modifications for nathelper
#
# NOTE !! This config is EXPERIMENTAL !
#
# ----------- global configuration parameters ------------------------

# debug=3 # debug level (cmd line -dddddddddd)
# fork=yes
# log_stderror=no # (cmd line -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no    # (cmd. line -v)
dns=no           # (cmd. line -r)
rev_dns=no      # (cmd. line -R)
port=5060
children=4
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"

# !! Nathelper
loadmodule "/usr/local/lib/ser/modules/nathelper.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode", 0)

# -- rr params --
# add value to ;lr param to make some broken UAs happy

modparam("rr", "enable_full_lr", 1)

# !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 10) # Ping interval 10 seconds
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT

# ------------------------- request routing logic -------------------

# main routing logic

route{

        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
            sl_send_reply("483","Too Many Hops");
            break;
        };
        if (msg:len > max_len ) {
            sl_send_reply("513", "Message Too Big");
            break;
        };

        # if ((method=="NOTIFY")&& search("^Event: Keep-Alive")) {
        #    ls_send_reply("200","OK");
        #    break;
        # };

        # !! Nathelper
        # Special handling for NATed clients; first, NAT test is
        # executed it looks for via!=received and RFC1918 addresses
        # in Contact (may fail if line-folding is used); also,
        # the received test should, if completed, should check all
        # vias for rpesence of received
            if (nat_uac_test("3")) {

        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
            if (method=="REGISTER" || ! search("^Record-Route:")) {
        # log("LOG: Someone trying to register from private IP, rewriting\$

        # This will work only for user agents that support symmetric
        # communication. We tested quite many of them and majority is
        # smart enough to be symmetric. In some phones it takes a configuration
        # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it $
        # called symmetric media and symmetric signalling.

            fix_nated_contact(); # Rewrite contact with source IP of signalling
            if (method == "INVITE") {
            fix_nated_sdp("1"); # Add direction=active to SDP
                };

            force_rport(); # Add rport parameter to topmost Via
            setflag(6);    # Mark as NATed
                };
        };

        # we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        if (!method=="REGISTER") record_route();

        # subsequent messages withing a dialog should take the
        # path determined by record-routing
        if (loose_route()) {
                # mark routing logic in request
                append_hf("P-hint: rr-enforced\r\n");
                route(1);
                break;
        };

        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                route(1);
                break;
        };

        # if the request is for other domain use UsrLoc
        # (in case, it does not work, use the following command
        # with proper names and addresses in it)
        if (uri==myself) {

if (method=="REGISTER") {

if (!(uri=~"sip:(833)|(834)")) {
t_relay_to_udp("212.154.32.154","5060");

                        save("location");
                        break;
                };

        # lookup(aliases);
        # if (!uri==myself) {
        # append_hf("P-hint: outbound alias\r\n");
        # route(1);
        # break;
        # };

                # native SIP destinations are handled using our USRLOC DB
                if (!lookup("location")) {
                        sl_send_reply("404", "Not Found");
                        break;
                };

       };
        append_hf("P-hint: usrloc applied\r\n");
        route(1);
}

route[1]
{
        # !! Nathelper
        if (uri=~"[@:](192\.168\.|10\.172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !searc$
            sl_send_reply("479", "We don't forward to private IP addresses");
            break;
        };

        # if client or server know to be behind a NAT, enable relay
        if (isflagset(6)) {
            force_rtp_proxy();
        };

        # NAT processing of replies; apply to all transactions (for example,
        # re-INVITEs from public to private UA are hard to identify as
        # NATed at the moment of request processing); look at replies
        t_on_reply("1");

        # send it out now; use stateful forwarding as it works reliably
        # even for UDP2TCP
        if (!t_relay()) {
                sl_reply_error();
        };
}

        # !! Nathelper
        onreply_route[1] {
        # NATed transaction
        if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();

        if (!search("^Content-Length:\0")){
        force_rtp_proxy();
        };

        # otherwise, is it a transaction behind a NAT and we did not
        # know at time of request processing (RFC1918 contacts)
        } else if (nat_uac_test("1")) {
        fix_nated_contact();

        if (!search("^Content-Length:\0")){
        force_rtp_proxy();
        };

        # otherwise, is it a transaction behind a NAT and we did not
        # know at time of request processing (RFC1918 contacts)
        } else if (nat_uac_test("1")) {
        fix_nated_contact();
        };
}

<-<-<-<-< MY SER.CFG ENDS HERE >->->->->