You need to use advertised_address and advertised_port just below listen directive. g-)
Wei Wang wrote:
I have a problem running SER behind firewall. Here is the network diagram:
|UA1|--|FW1| +--|FW|--|SER| \ / +--+ / \ |UA2|--|FW2| +--|MediaProxy|
Where, UA1 and UA2 are Xlite soft-phones behind their own firewalls. SER is listening on private IP address 192.168.4.217. FW has public IP address 66.134.1.34 and forwards port 5060 to SER.
The ser.cfg file is pretty much copied from SER getting start guide. When UA1 calling UA2, the call established fine but UA1 will hang up by itself after ~30 seconds. The captured IP packages on SER revealed that the last ACK received from UA2 by SER was sent to FW IP address. Since port 5060 is forwarded to SER on the FW, it caused a looping situation.
The ser.cfg is listed at the end.
Thanks in advance.
Wei Wang wwang@m1global.com
======== ser.cfg ============ debug=3 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=no # (cmd line: -E)
/* Uncomment these lines to enter debugging mode debug=3 #debug=9 fork=no log_stderror=yes */
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) listen=192.168.4.217 #listen=66.134.1.36 port=5060 children=4 fifo="/tmp/ser_fifo" fifo_db_url="mysql://ser:s3rv1c3@localhost/ser"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database loadmodule "/usr/local/lib/ser/modules/mysql.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/textops.so" loadmodule "/usr/local/lib/ser/modules/permissions.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so" loadmodule "/usr/local/lib/ser/modules/uri.so" loadmodule "/usr/local/lib/ser/modules/uri_db.so" loadmodule "/usr/local/lib/ser/modules/domain.so" loadmodule "/usr/local/lib/ser/modules/mediaproxy.so" loadmodule "/usr/local/lib/ser/modules/nathelper.so" loadmodule "/usr/local/lib/ser/modules/print.so" loadmodule "/usr/local/lib/ser/modules/xlog.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line modparam("usrloc", "db_mode", 2)
# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db|permissions|uri_db|usrloc", "db_url", "mysql://ser:s3rv1c3@localhost/ser") modparam("auth_db", "calculate_ha1", 1) # # If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
modparam("nathelper", "rtpproxy_disable", 1) modparam("nathelper", "natping_interval", 0)
modparam("mediaproxy", "natping_interval", 30) #modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy.sock") modparam("mediaproxy", "mediaproxy_socket", "/var/run/proxydispatcher.sock") modparam("mediaproxy", "sip_asymmetrics", "/usr/local/etc/ser/sip-clients") modparam("mediaproxy", "rtp_asymmetrics", "/usr/local/etc/ser/rtp-clients")
modparam("registrar", "nat_flag", 6)
# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
modparam("permissions", "db_mode", 1) modparam("permissions", "trusted_table", "trusted")
modparam("xlog", "buf_size", 8192)
# ------------------------- request routing logic -------------------
# main routing logic
route{ # xlog("L_INFO", "Main route [From]%fu,[To]%tu,[Req-Method]%rm,[Req-RURI]%ru[IP-src]%is ...\n"); if(method != "SUBSCRIBE") { xlog("L_INFO", "\r\n===========SIP MSG==================\r\n%mb\r\n_____END SIP MSG________________________\r\n"); };
# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= 4086 ) { sl_send_reply("513", "Message too big"); break; }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (method == "INVITE" && client_nat_test("3")) {# xlog("L_INFO", "method==INVITE and nated: calling record_route_preset\n"); # IP ADDRESS Here record_route_preset("66.134.1.34:5060;nat=yes"); } else if (method!="REGISTER") { record_route(); }; # ------------------------- # Call Tear Down Section #------------------------- if(method=="BYE" || method=="CANCEL") { #xlog("L_INFO", "RECEIVED BYE or CANCEL..."); end_media_session(); };
# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) {xlog("L_INFO", "DEBUG: loose_route...");
if((method=="INVITE" || method == "REFER") &&!has_totag()) { sl_send_reply("403", "Forbidden"); break; }; if(method == "INVITE") { if(!allow_trusted()) { if(!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; } else if(!check_from()) { sl_send_reply("403", "Use From=ID"); break; }; consume_credentials(); } if(client_nat_test("3") || search("^Route:.*;nat=yes")) { setflag(6); use_media_proxy(); }; }; # mark routing logic in request #append_hf("P-hint: rr-enforced\r\n"); route(1); break; };
if (!uri==myself) { route(4); # mark routing logic in request #append_hf("P-hint: outbound\r\n"); route(1); break; }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if(method == "ACK") { route(1); break; } else if(method=="CANCEL") { route(1); break; } else if(method == "INVITE") { route(3); break; } else if (method=="REGISTER") { route(2); break; }; lookup("aliases"); if (!uri==myself) { route(4); #append_hf("P-hint: outbound alias\r\n"); route(1); break; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; }; append_hf("P-hint: usrloc applied\r\n"); route(1);}
route[1] { t_on_reply("1");
# send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { if(method=="INVITE" || method == "ACK") { end_media_session(); }; sl_reply_error(); };}
route[2] { ############################ # REGISTER Message Handler ########################### sl_send_reply("100", "Trying");
if(!search("^Contact:[ ]*\*") && client_nat_test("7")) { setflag(6); fix_nated_register(); force_rport(); }; if(!www_authorize("", "subscriber")) { www_challenge("", "0"); break; }; if(!check_to()) { sl_send_reply("401", "Unauthorized"); break; }; consume_credentials(); if(!save("location")) { sl_reply_error(); };}
route[3] { ############################ # INVITE Message Handler ########################### if(client_nat_test("3")) { setflag(7); force_rport(); fix_nated_contact(); };
if(!allow_trusted()) { if(!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; } else if(!check_from()) { sl_send_reply("403", "Use From=ID"); break; }; }; consume_credentials(); lookup("aliases"); if(uri != myself) { route(4); route(1); break; }; if(!lookup("location")) { sl_send_reply("404", "User Not Found"); break; }; route(4); route(1);}
route[4] { #---------------------------- # NAT Traversal Section #----------------------------
if(isflagset(6) || isflagset(7)) { if(!isflagset(8)) { setflag(8); use_media_proxy(); }; };}
onreply_route[1] { if((isflagset(6) || isflagset(7)) && (status =~ "(180)|183)|2[0-9][0-9]")) {
if(!search("^Content-Length:[ ]*0")) { use_media_proxy(); }; }; if(client_nat_test("1")) { fix_nated_contact(); };} =============== END ser.cfg ================ _______________________________________________ Serusers mailing list Serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers