Seems like you could use the Getting Started document from
ONsip.org ;-)
g-)
----- Original Message -----
From: "Thomas Britis" <thomas(a)tcnet.com.br>
To: <serusers(a)lists.iptel.org>
Sent: Friday, November 11, 2005 5:58 PM
Subject: [Serusers] NAT Traversal
Hi,
I'm working on what I think is a common scenario for a SER deployment, but
I'm having some difficulty getting clients behind NAT to work well.
I tried to use rtpproxy and mediaproxy (not together, of course) but
without success.
Here is my scenario: SER on a public IP address, with rtpproxy and/or
mediaproxy up and running. Clients are behind NAT with NO firewall
blocking any ports. It also happens with one client behind NAT and the
other on a valid IP (by the way, all clients that are not behind NAT work
fine). The client behind NAT does not receive any voice but can send it.
I'm attaching my ser.cfg (both, the rtpproxy and mediaproxy one) and
appreciate any help.
Thanks in advance.
--
Thomas Storino Britis
TCNet Informatica e Telecomunicacoes LTDA
--------------------------------------------------------------------------------
#
# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
#
# simple quick-start config script
#
# ----------- global configuration parameters ------------------------
# Core settings for the mediaproxy variant of this configuration.
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
# TCNet Configuration
# hostname matching an alias will satisfy the condition uri==myself.
listen="200.167.20.34"
alias="e-voip.com.br"
alias="200.167.20.34"
# Process user and group are both set to "ser".
uid="ser"
gid="ser"
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
children=4
# NOTE(review): the management FIFO sits under /tmp, a directory that is
# normally world-writable -- confirm the FIFO's owner and mode restrict who
# can send commands, or move it to a directory only the ser user can write.
fifo="/tmp/ser_fifo"
# The database user and password are embedded in clear text in this URL (and
# again in the db_url modparam).  Keep the file readable only by the ser
# account and redact the password before sharing the configuration.
fifo_db_url="mysql://ser:pass@localhost/ser"
# Modules
# Every module is loaded by absolute path from /tcnet/ser/lib/ser/modules.
# NOTE(review): each .so listed here is loaded into the server process, so
# that directory should be writable by administrators only -- confirm.
loadmodule "/tcnet/ser/lib/ser/modules/domain.so"
loadmodule "/tcnet/ser/lib/ser/modules/mysql.so"
loadmodule "/tcnet/ser/lib/ser/modules/sl.so"
loadmodule "/tcnet/ser/lib/ser/modules/tm.so"
loadmodule "/tcnet/ser/lib/ser/modules/rr.so"
loadmodule "/tcnet/ser/lib/ser/modules/maxfwd.so"
loadmodule "/tcnet/ser/lib/ser/modules/usrloc.so"
loadmodule "/tcnet/ser/lib/ser/modules/registrar.so"
loadmodule "/tcnet/ser/lib/ser/modules/auth.so"
loadmodule "/tcnet/ser/lib/ser/modules/auth_db.so"
loadmodule "/tcnet/ser/lib/ser/modules/uri.so"
loadmodule "/tcnet/ser/lib/ser/modules/uri_db.so"
# Both NAT-related modules are loaded in this variant; the modparams below
# configure only mediaproxy.
loadmodule "/tcnet/ser/lib/ser/modules/nathelper.so"
loadmodule "/tcnet/ser/lib/ser/modules/mediaproxy.so"
loadmodule "/tcnet/ser/lib/ser/modules/textops.so"
loadmodule "/tcnet/ser/lib/ser/modules/avpops.so"
loadmodule "/tcnet/ser/lib/ser/modules/acc.so"
# Modules parameter
# auth_db
# One database URL, with clear-text credentials, is shared by auth_db,
# uri_db and usrloc.
modparam("auth_db|uri_db|usrloc", "db_url",
    "mysql://ser:pass@localhost/ser")
# NOTE(review): with calculate_ha1 set to 1, auth_db is understood to read a
# clear-text password from password_column and compute the digest HA1 itself,
# which means SIP passwords are stored unhashed in the database.  Storing
# pre-computed HA1 values instead avoids that -- confirm against the auth_db
# documentation for this SER version.
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
# mediaproxy
# Local socket used to reach the media proxy dispatcher.
modparam("mediaproxy", "mediaproxy_socket",
    "/var/run/proxydispatcher.sock")
modparam("mediaproxy", "natping_interval", 30) # presumably seconds -- confirm
modparam("mediaproxy", "sip_asymmetrics",
    "/tcnet/mediaproxy/sip-asymmetrics-clients")
modparam("mediaproxy", "rtp_asymmetrics",
    "/tcnet/mediaproxy/rtp-asymmetrics-clients")
# usrloc
modparam("usrloc", "db_mode", 2)
# rr
modparam("rr", "enable_full_lr", 1)
# registrar
# Flag 6 is the NAT flag; route[2] sets the same flag for NATed clients.
modparam("registrar", "nat_flag", 6)
# acc
modparam("acc", "radius_config",
    "/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "log_level", 1)
# Flags 1 and 2 are the ones the routing blocks set with setflag(1) and
# setflag(2) ("accounting" and "missed call").
modparam("acc", "log_flag", 1)
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_fmt", "miocfst")
modparam("acc", "failed_transactions", 1)
# tm
modparam("tm", "fr_inv_timer", 27)
# The AVP named here ("inv_timeout") is written by route[4].
modparam("tm", "fr_inv_timer_avp", "inv_timeout")
# main routing logic
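# Main request route (mediaproxy variant): runs for every incoming request.
#
# Processing order, as written below:
#   1. BYE/CANCEL: end the media session and set the accounting flags.
#   2. Sanity checks: Max-Forwards and message size.
#   3. Record-Route for everything except REGISTER.
#   4. Loose-routed (in-dialog) requests: relay through route(1).
#   5. Requests addressed to this server: REGISTER and INVITE handling.
#   6. Everything else: relay through route(1).
#
# NOTE(review): route(2) and route(3) answer a failed digest check with a
# challenge followed by `break`.  In SER 0.9.x `break` is understood to leave
# only the current route block, in which case control returns here and
# save("location") / lookup() / route(1) still run for a request that was
# just challenged.  Confirm against the deployed SER version; if that is the
# behaviour, perform the www_authorize()/proxy_authorize() test inline in
# this block, or gate the steps after route(2)/route(3) on a flag that is
# set only when authentication succeeded.
route {
    if (method == "BYE" || method == "CANCEL") {
        end_media_session();
        setflag(1); # accounting
        setflag(2); # missed call
    };
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    # An ACK is never answered, so it falls through instead of being rejected.
    if (!mf_process_maxfwd_header("10")) {
        if (method!="ACK") {
            sl_send_reply("483", "Too Many Hops");
            break;
        };
    };
    if (msg:len > max_len) {
        if (method!="ACK") {
            sl_send_reply("513", "Message too big");
            break;
        };
    };
    if (method!="REGISTER") {
        record_route ();
    };
    # In-dialog requests carry a Route set and are relayed without
    # re-authentication.
    if (loose_route()) {
        if (method=="BYE" || method=="CANCEL") {
            end_media_session();
            setflag(1);
            setflag(2);
        };
        if (method=="INVITE" || method=="ACK") {
            use_media_proxy();
        };
        route(1);
        break;
    };
    if (uri == myself) {
        if (method == "REGISTER") {
            # Refuse a registration whose Contact points back at this server.
            # The pattern has to be a single-line string; "@" separates the
            # user part from the host names and address listed here.
            if (search("^(Contact|m): .*@(200\.167\.20\.34|evoip03\.tcnet\.com\.br|sip\.e-voip\.com\.br)")) {
                log("LOG: alert: someone trying to set aor==contact\n");
                sl_send_reply("476", "No Server Address in Contacts Allowed");
                break;
            };
            route(2); # WWW authentication
            # See the NOTE(review) above: this runs whenever route(2) returns.
            if (!save("location")) {
                sl_reply_error();
            };
            break;
        };
        if (method == "INVITE") {
            route(3); # PROXY authentication
            if (uri=~"^sip:0") {
                route(4); # Asterisk
            };
            # Strip the credentials before the request is forwarded.
            consume_credentials();
            #lookup("location");
            if (!lookup("location")) {
                if (!lookup("aliases")) {
                    # Unregistered targets starting with 3, 7, 8 or 9 plus a
                    # digit get the "035" prefix and go to the gateway.
                    if (uri=~"^sip:[3789][0-9]") {
                        prefix("035");
                        route(4); # Asterisk
                    } else {
                        sl_send_reply ("404", "Not Found");
                        break;
                    };
                };
            };
            setflag(1);
            setflag(2);
            route(1);
            break;
        };
    };
    route(1);
}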
# Fix NATED client on reply route.
# Reply handling for transactions armed with t_on_reply("1").
onreply_route[1] {
    # Rewrite the Contact only for 183 and 2xx replies that pass NAT test "1".
    if (client_nat_test("1") && status=~"(183)|(2[0-9][0-9])") {
        fix_contact();
    };
    # Called for every reply reaching this block, whatever the status code
    # or the outcome of the NAT test above.
    use_media_proxy ();
}
# Normal relay
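# Normal relay: forward the request statefully, refusing private targets.
#
# A Request-URI whose host part starts with an RFC 1918 prefix is refused
# unless the message carries a Route header; the apparent intent is to keep
# callers from using the proxy to reach hosts on internal networks.
# NOTE(review): this is a textual match on the URI only -- a host name that
# resolves to a private address is not caught by it.
route[1] {
    # 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x; the trailing "\."
    # keeps public ranges such as 172.160.x.x from matching.
    if (uri =~ "[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)" &&
            !search("^Route:")) {
        # The reason phrase has to stay on a single line.
        sl_send_reply("479", "We don't forward to private IP addresses");
        break;
    };
    t_on_reply("1");   # replies are handled by onreply_route[1]
    t_on_failure("1"); # failures are handled by failure_route[1]
    if (!t_relay()) {
        sl_reply_error();
    };
}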
# WWW authentication
# REGISTER handling: NAT fix-up, then WWW digest authentication.
route[2] {
    # These fix-ups are applied before the sender has been authenticated.
    if (client_nat_test("3")) {
        setflag(6); # same number as the registrar nat_flag modparam
        force_rport();
        fix_contact();
    };
    sl_send_reply("100", "Trying");
    # Credentials are checked against the "subscriber" table; the realm
    # argument is an empty string.
    # NOTE(review): `break` is understood to leave only this route block in
    # SER 0.9.x, so the caller would continue after a challenge -- confirm,
    # and make sure the caller does not store the binding in that case.
    if (!www_authorize("", "subscriber")) {
        www_challenge("", "0");
        break;
    };
    # Same caveat for the `break` below.
    if (!check_to()) {
        sl_send_reply ("401", "Unauthorized");
        break;
    };
}
# PROXY authentication
# INVITE handling: proxy digest authentication against "subscriber".
route[3] {
    # NOTE(review): `break` is understood to leave only this route block in
    # SER 0.9.x, so the main route would carry on with lookup and relay after
    # the challenge has been sent -- confirm for the deployed version.
    # NOTE(review): unlike route[2], no check ties the authenticated user to
    # the From header here -- confirm whether that is intended.
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        break;
    };
}
# Asterisk - E-Voip
# Gateway leg: point the request at the Asterisk host.
route[4] {
    t_on_reply("1"); # replies are handled by onreply_route[1]
    rewritehost("200.167.20.26");
    # Writes 45 into the "inv_timeout" AVP, which the tm modparam
    # fr_inv_timer_avp names -- presumably a per-call INVITE timer in
    # seconds; confirm.
    avp_write("i:45", "inv_timeout");
}
# Failure handling for transactions armed with t_on_failure("1"): release
# the media session so it does not outlive the failed call.
failure_route[1] {
    end_media_session();
}
--------------------------------------------------------------------------------
#
# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
#
# simple quick-start config script
#
# ----------- global configuration parameters ------------------------
# Core settings for the rtpproxy (nathelper) variant of this configuration.
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
# TCNet Configuration
# hostname matching an alias will satisfy the condition uri==myself.
listen="200.167.20.34"
alias="e-voip.com.br"
alias="200.167.20.34"
# Process user and group are both set to "ser".
uid="ser"
gid="ser"
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
children=4
# NOTE(review): the management FIFO sits under /tmp, a directory that is
# normally world-writable -- confirm the FIFO's owner and mode restrict who
# can send commands, or move it to a directory only the ser user can write.
fifo="/tmp/ser_fifo"
# The database user and password are embedded in clear text in this URL (and
# again in the db_url modparam).  Keep the file readable only by the ser
# account and redact the password before sharing the configuration.
fifo_db_url="mysql://ser:pass@localhost/ser"
# Modules
# Every module is loaded by absolute path from /tcnet/ser/lib/ser/modules.
# NOTE(review): each .so listed here is loaded into the server process, so
# that directory should be writable by administrators only -- confirm.
loadmodule "/tcnet/ser/lib/ser/modules/mysql.so"
loadmodule "/tcnet/ser/lib/ser/modules/sl.so"
loadmodule "/tcnet/ser/lib/ser/modules/tm.so"
loadmodule "/tcnet/ser/lib/ser/modules/rr.so"
loadmodule "/tcnet/ser/lib/ser/modules/maxfwd.so"
loadmodule "/tcnet/ser/lib/ser/modules/usrloc.so"
loadmodule "/tcnet/ser/lib/ser/modules/registrar.so"
loadmodule "/tcnet/ser/lib/ser/modules/auth.so"
loadmodule "/tcnet/ser/lib/ser/modules/auth_db.so"
loadmodule "/tcnet/ser/lib/ser/modules/uri.so"
loadmodule "/tcnet/ser/lib/ser/modules/uri_db.so"
# nathelper is the only NAT module in this variant; it is the one the
# rtpproxy_sock modparam below is set on.
loadmodule "/tcnet/ser/lib/ser/modules/nathelper.so"
loadmodule "/tcnet/ser/lib/ser/modules/textops.so"
loadmodule "/tcnet/ser/lib/ser/modules/avpops.so"
loadmodule "/tcnet/ser/lib/ser/modules/acc.so"
# Modules parameter
# auth_db
# One database URL, with clear-text credentials, is shared by auth_db,
# uri_db and usrloc.
modparam("auth_db|uri_db|usrloc", "db_url",
    "mysql://ser:pass@localhost/ser")
# NOTE(review): with calculate_ha1 set to 1, auth_db is understood to read a
# clear-text password from password_column and compute the digest HA1 itself,
# which means SIP passwords are stored unhashed in the database.  Storing
# pre-computed HA1 values instead avoids that -- confirm against the auth_db
# documentation for this SER version.
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
# nathelper
modparam("nathelper", "natping_interval", 30) # presumably seconds -- confirm
modparam("nathelper", "ping_nated_only", 1)
# Local UNIX socket used to control rtpproxy.
# NOTE(review): confirm the socket's permissions limit access to the ser
# and rtpproxy accounts.
modparam("nathelper", "rtpproxy_sock",
    "unix:/var/run/rtpproxy.sock")
# usrloc
modparam("usrloc", "db_mode", 2)
# rr
modparam("rr", "enable_full_lr", 1)
# registrar
# Flag 6 is the NAT flag; route[2], route[3] and route[4] test or set it.
modparam("registrar", "nat_flag", 6)
# acc
modparam("acc", "radius_config",
    "/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "log_level", 1)
# Flags 1 and 2 are the ones the routing blocks set with setflag(1) and
# setflag(2) ("accounting" and "missed call").
modparam("acc", "log_flag", 1)
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_fmt", "miocfst")
modparam("acc", "failed_transactions", 1)
# tm
modparam("tm", "fr_inv_timer", 27)
# The AVP named here ("inv_timeout") is written by route[4].
modparam("tm", "fr_inv_timer_avp", "inv_timeout")
# main routing logic
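# Main request route (rtpproxy variant): runs for every incoming request.
#
# Processing order, as written below:
#   1. BYE/CANCEL: release the RTP proxy session, set the accounting flags.
#   2. Sanity checks: Max-Forwards and message size.
#   3. Record-Route for everything except REGISTER.
#   4. Loose-routed (in-dialog) requests: relay through route(1).
#   5. Requests addressed to this server: REGISTER and INVITE handling.
#   6. Everything else: relay through route(1).
#
# NOTE(review): route(2) and route(3) answer a failed digest check with a
# challenge followed by `break`.  In SER 0.9.x `break` is understood to leave
# only the current route block, in which case control returns here and
# save("location") / lookup() / route(1) still run for a request that was
# just challenged.  Confirm against the deployed SER version; if that is the
# behaviour, perform the www_authorize()/proxy_authorize() test inline in
# this block, or gate the steps after route(2)/route(3) on a flag that is
# set only when authentication succeeded.
route {
    if (method == "BYE" || method == "CANCEL") {
        unforce_rtp_proxy();
        setflag(1); # accounting
        setflag(2); # missed call
    };
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        break;
    };
    if (msg:len > max_len) {
        sl_send_reply("513", "Message too big");
        break;
    };
    if (method!="REGISTER") {
        record_route ();
    };
    # In-dialog requests carry a Route set and are relayed without
    # re-authentication.
    if (loose_route()) {
        if (method == "BYE") {
            setflag(1);
            setflag(2);
            unforce_rtp_proxy();
        };
        route(1);
        break;
    };
    if (uri == myself) {
        # The SDP of an INVITE is rewritten here, before the sender has been
        # authenticated in route(3).
        if (method=="INVITE") {
            fix_nated_sdp ("1");
        };
        if (method == "REGISTER") {
            # Refuse a registration whose Contact points back at this server.
            # The pattern has to be a single-line string; "@" separates the
            # user part from the host names and address listed here.
            if (search("^(Contact|m): .*@(200\.167\.20\.34|evoip03\.tcnet\.com\.br|sip\.e-voip\.com\.br)")) {
                log("LOG: alert: someone trying to set aor==contact\n");
                sl_send_reply("476", "No Server Address in Contacts Allowed");
                break;
            };
            route(2); # WWW authentication
            # See the NOTE(review) above: this runs whenever route(2) returns.
            if (!save("location")) {
                sl_reply_error();
            };
            break;
        };
        if (method == "INVITE") {
            route(3); # PROXY authentication
            if (uri=~"^sip:0") {
                route(4); # Asterisk
            };
            # Strip the credentials before the request is forwarded.
            consume_credentials();
            #lookup("location");
            if (!lookup("location")) {
                if (!lookup("aliases")) {
                    # Unregistered targets starting with 3, 7, 8 or 9 plus a
                    # digit get the "035" prefix and go to the gateway.
                    if (uri=~"^sip:[3789][0-9]") {
                        prefix("035");
                        route(4); # Asterisk
                    } else {
                        sl_send_reply ("404", "Not Found");
                        break;
                    };
                };
            };
            setflag(1);
            setflag(2);
            route(1);
            break;
        };
    };
    route(1);
}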
# Fix NATED client on reply route.
# Reply handling for transactions armed with t_on_reply("1").
onreply_route[1] {
    # Only replies to transactions flagged as NATed (flag 6) with status
    # 180, 183 or 2xx are considered.
    if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
        # Skip replies without a body.  The pattern is not anchored and only
        # looks at the long header name -- NOTE(review): a compact-form
        # header would not be matched; confirm whether that matters here.
        if (!search("Content-Length:[ ]*0")) {
            force_rtp_proxy();
        };
    };
}
# Normal relay
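# Normal relay: forward the request statefully, refusing private targets.
#
# A Request-URI whose host part starts with an RFC 1918 prefix is refused
# unless the message carries a Route header; the apparent intent is to keep
# callers from using the proxy to reach hosts on internal networks.
# NOTE(review): this is a textual match on the URI only -- a host name that
# resolves to a private address is not caught by it.
route[1] {
    # 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x; the trailing "\."
    # keeps public ranges such as 172.160.x.x from matching.
    if (uri =~ "[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)" &&
            !search("^Route:")) {
        # The reason phrase has to stay on a single line.
        sl_send_reply("479", "We don't forward to private IP addresses");
        break;
    };
    t_on_reply("1"); # replies are handled by onreply_route[1]
    # Route media through rtpproxy when either NAT flag is set.
    if (isflagset(6) || isflagset(5)) {
        log (1, "oi"); # trace marker left in by the author
        force_rtp_proxy ();
    };
    if (!t_relay()) {
        sl_reply_error();
    };
}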
# WWW authentication
# REGISTER handling: NAT fix-up, then WWW digest authentication.
route[2] {
    # A "Contact: *" registration is left alone; otherwise NAT test "19"
    # decides whether the client is flagged.  These fix-ups are applied
    # before the sender has been authenticated.
    if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
        setflag(6); # same number as the registrar nat_flag modparam
        fix_nated_register();
        force_rport();
    };
    sl_send_reply("100", "Trying");
    # Credentials are checked against the "subscriber" table; the realm
    # argument is an empty string.
    # NOTE(review): `break` is understood to leave only this route block in
    # SER 0.9.x, so the caller would continue after a challenge -- confirm,
    # and make sure the caller does not store the binding in that case.
    if (!www_authorize("", "subscriber")) {
        www_challenge("", "0");
        break;
    };
    # Same caveat for the `break` below.
    if (!check_to()) {
        sl_send_reply ("401", "Unauthorized");
        break;
    };
    # Flag 5 is tested here and in route[1], but nothing shown in this
    # configuration sets it.
    if (isflagset(5)) {
        setflag(6);
    };
}
# PROXY authentication
# INVITE handling: flag NATed callers, then proxy digest authentication.
route[3] {
    # The NAT flag is set before the caller has been authenticated.
    if (nat_uac_test("19")) {
        setflag(6);
    };
    # NOTE(review): `break` is understood to leave only this route block in
    # SER 0.9.x, so the main route would carry on with lookup and relay after
    # the challenge has been sent -- confirm for the deployed version.
    # NOTE(review): unlike route[2], no check ties the authenticated user to
    # the From header here -- confirm whether that is intended.
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        break;
    };
}
# Asterisk - E-Voip
# Gateway leg: apply NAT fix-ups if flagged, then point the request at the
# Asterisk host.
route[4] {
    if (isflagset(6)) {
        force_rport();
        fix_nated_contact();
        force_rtp_proxy();
    };
    t_on_reply("1"); # replies are handled by onreply_route[1]
    rewritehost("200.167.20.26");
    # Writes 45 into the "inv_timeout" AVP, which the tm modparam
    # fr_inv_timer_avp names -- presumably a per-call INVITE timer in
    # seconds; confirm.
    avp_write("i:45", "inv_timeout");
}
--------------------------------------------------------------------------------