Linus Surguy wrote:
I've configured ser to listen on two ports, in the ser.cfg:
listen=a.b.c.d:5060
listen=a.b.c.d:5062
The idea is that 'normal' public traffic and traffic that can be handled by normal 'nat' detectors will be directed to port 5060, but traffic that I know is difficult is directed to register and use a.b.c.d:5062 as the SIP server.
This all works great in the NAT (inside) -> SER -> somewhere direction, but I've discovered that when any device registers to the 5062 port, the fact that it arrived on an alternative port doesn't seem to be remembered.
Therefore, when I have a somewhere -> SER -> NAT (inside) call (on a 5062 registered device), although SER remembers the port on the NAT device to forward the INVITE to, it sends it from port 5060 - which at least on my test NAT router is enough for it to reject the packet and not pass it inside.
Hi Linus,
I can confirm your observations. We suffer the same problem. The only difference is that we use the "alternate" port only for the broken SIP Aware NAT implementations. For everybody else, we use port 5060. We deal with the "difficult" NAT traffic by creating a special SER group called rtpproxy and inserting these special users in it. Outgoing/Incoming calls from these users will be handled by rtpproxy.
The code snippet would look like:
# Check if caller is on the rtp_proxy group
if ((is_user_in("From", "rtp_proxy"))) {
    setflag(2);
    force_rport();
    fix_nated_contact();
    .
    .
};

# Check if called user is on the rtp_proxy group
if ((is_user_in("To", "rtp_proxy")) & !(isflagset(2))) {
    setflag(2);
    force_rport();
    .
};
.
This would greatly reduce the number of problems you are having. For our part, if we keep on finding more and more of these broken SIP Aware NAT implementations we might just have to switch all our network to a port different from 5060. This is getting pretty ridiculous, every day we seem to find more and more of these bad NATs.
Ricardo.
Any thoughts? Is this a configuration item I've missed, or is this a current issue with SER?
Linus
(* The other reason for using port 5062 is that 'SIP aware' but possibly broken NAT routers won't rewrite the traffic if it's not on port 5060)
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
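
The failure described in this thread, modelled as an added example that is not part of the original messages and is not SER code. It assumes the test router does port-restricted filtering (inbound packets must come from the exact IP and port the inside host last sent to); all addresses and the names PortRestrictedNat and deliver_invite are constructed for illustration.

```python
# Added illustration: a minimal model of a port-restricted NAT (assumed
# behaviour of the test router; all addresses below are constructed).
from dataclasses import dataclass, field

SER_IP = "192.0.2.10"           # stands in for a.b.c.d
NAT_PUBLIC_IP = "198.51.100.7"  # public side of the customer's NAT router


@dataclass
class PortRestrictedNat:
    """Tracks outbound UDP flows and filters inbound packets against them."""
    public_ip: str
    next_port: int = 40000
    # public port -> (inside endpoint, remote endpoint the flow was opened to)
    bindings: dict = field(default_factory=dict)

    def outbound(self, inside, remote):
        """Inside host sends to remote; return the (ip, port) the remote sees."""
        for port, (ins, rem) in self.bindings.items():
            if ins == inside and rem == remote:
                return (self.public_ip, port)
        port = self.next_port
        self.next_port += 1
        self.bindings[port] = (inside, remote)
        return (self.public_ip, port)

    def inbound(self, source, public_port):
        """Return the inside endpoint, or None if the packet is dropped."""
        binding = self.bindings.get(public_port)
        if binding is None:
            return None
        inside, remote = binding
        # Port-restricted filtering: source IP *and* source port must match.
        return inside if source == remote else None


def deliver_invite(register_port, send_port):
    """Phone REGISTERs to the proxy on register_port; the proxy later
    sends an INVITE to the stored contact from send_port."""
    nat = PortRestrictedNat(NAT_PUBLIC_IP)
    phone = ("10.0.0.5", 5060)
    # The registrar stores the REGISTER's source address as the contact.
    _contact_ip, contact_port = nat.outbound(phone, (SER_IP, register_port))
    return nat.inbound((SER_IP, send_port), contact_port)
```

deliver_invite(5062, 5060) is the case reported above: the destination port on the NAT is right, but the source port is not the one the binding was opened to, so the INVITE is dropped.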