Hello guys, I have public and private IPs, and I need to force the sending socket when replying to internal or external endpoints, so I'm using this:
Function to check the destination (I tried using $sndto(ip) but it always returns NULL):
route[CHECK_DEST_NET] {
    if ( $du=~"sip:172..*" ) {
        setflag(FLAG_TO_PRIVATE);
        xlog("L_ERR", "[CHECK_SOURCE] Packet going to PRIVATE -> [$du]\n" );
    } else {
        setflag(FLAG_TO_PUBLIC);
        xlog("L_ERR", "[CHECK_SOURCE] Packet going to PUBLIC -> [$du]\n" );
    }
    return;
}
On my relay:
route(CHECK_DEST_NET);
if (isflagset(FLAG_TO_PRIVATE)) {
    xlog("L_ERR", "[RELAY] forcing socket to PRIVATE NET\n" );
    force_send_socket(LISTEN_INSIDE_IF:LISTEN_INSIDE_PORT);
} else {
    xlog("L_ERR", "[RELAY] forcing socket to PUBLIC NET\n" );
    force_send_socket(LISTEN_OUTSIDE_IF:LISTEN_OUTSIDE_PORT);
}
This works nicely, except for ACKs and potentially other packets sent statelessly?
Does anyone know how to fix this?
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
anyone? :)
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
mhomed=1
Kam will auto select the socket
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
On Monday 01 April 2019 at 17:37:45, David Villasmil wrote:
> Hello guys, I have public and private IPs, and I need to force the sending socket when replying to internal or external endpoints
> This works nicely, except for ACKs and potentially other packets sent statelessly?
> Does anyone know how to fix this?
Have you tried something like:
ip rule add from int.ernal.ip.addr lookup mytable
ip route add default dev external_interface_device table mytable
echo "234 mytable" >>/etc/iproute2/rt_tables
Antony.
Hello guys,
This is my scenario. As you see, the public-facing IP is using port 5060 while the internal uses 5066. All works OK (with force_socket), but when forwarding the ACK, Kamailio uses the wrong ip (5060), when it should be using 5066.
U PUBLIC:58031 -> 172.31.69.53:5060 INVITE sip:*TESTCALL@myserver.com;transport=UDP SIP/2.0.
U 172.31.69.53:5060 -> PUBLIC:58031 SIP/2.0 100 trying -- your call is important to us.
U 172.31.69.53:5066 -> 172.31.65.238:5080 INVITE sip:*TESTCALL@myserver.com;transport=UDP SIP/2.0.
U 172.31.65.238:5080 -> 172.31.69.53:5066 SIP/2.0 100 Trying.
U 172.31.65.238:5080 -> 172.31.69.53:5066 SIP/2.0 200 OK.
U 172.31.69.53:5060 -> PUBLIC:58031 SIP/2.0 200 OK.
U PUBLIC:58031 -> 172.31.69.53:5060 ACK sip:*TESTCALL@172.31.65.238:5080;transport=udp SIP/2.0.
************BELOW*************
U 172.31.69.53:5060 -> 172.31.65.238:5080 ACK sip:*TESTCALL@172.31.65.238:5080;transport=udp SIP/2.0.
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
Have you tried the proposed suggestions?
Thanks Sergiu,
Yep, mhomed=1 is there.
But it's still failing to select the right socket.
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
I suppose you've also defined your `listen=` list?
Sergiu,
I don't think mhomed will help in this case, since both sockets are able to reach the endpoint. They are both on the same subnet.
listen=udp:172.31.69.53:5060 advertise PUBLIC:5060
listen=udp:172.31.69.53:5066
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
On Monday 01 April 2019 at 20:29:22, David Villasmil wrote:
> Sergiu,
> I don't think mhomed will help in this case, since both sockets are able to reach the endpoint. They are both on the same subnet.
Why?
What is the purpose of this rather odd networking setup?
Antony
This is an AWS instance, and I want to segregate public from private. AWS does not provide actual public IPs on the instances themselves, so on the same interface:
5060 will serve public requests. 5066 will serve private requests.
The firewall will only allow public traffic to port 5060 while blocking 5066. Only internal IPs will be allowed to 5066.
David
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
I think I see what's happening: the ACK is going through the RELAY route, but at that point it does NOT have a $du (and $sndto(ip) is null).
Note: all those ERROR lines are just me logging.
ERROR: <script>: [WITHINDLG] ACK Packet coming from PUBLIC:58031 and going to <null>
exec: *** cfgtrace:request_route=[DEFAULT_ROUTE] c=[/etc/kamailio/kamailio.cfg] l=710 a=5 n=route
exec: *** cfgtrace:request_route=[NATMANAGE] c=[/etc/kamailio/kamailio.cfg] l=950 a=2 n=return
exec: *** cfgtrace:request_route=[DEFAULT_ROUTE] c=[/etc/kamailio/kamailio.cfg] l=715 a=5 n=route
exec: *** cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=624 a=16 n=if
exec: *** cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=621 a=25 n=is_method
exec: *** cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=627 a=16 n=if
exec: *** cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=624 a=25 n=is_method
exec: *** cfgtrace:request_route=[DEFAULT_ROUTE] c=[/etc/kamailio/kamailio.cfg] l=631 a=16 n=if
exec: *** cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=627 a=25 n=is_method
exec: *** cfgtrace:request_route=[DEFAULT_ROUTE] c=[/etc/kamailio/kamailio.cfg] l=631 a=5 n=route
exec: *** cfgtrace:request_route=[CHECK_DEST_NET] c=[/etc/kamailio/kamailio.cfg] l=600 a=26 n=xlog
ERROR: <script>: [CHECK_SOURCE] Packet received on: 172.31.69.53:5060
exec: *** cfgtrace:request_route=[CHECK_DEST_NET] c=[/etc/kamailio/kamailio.cfg] l=601 a=26 n=xlog
exec: *** cfgtrace:request_route=[CHECK_DEST_NET] c=[/etc/kamailio/kamailio.cfg] l=602 a=26 n=xlog
exec: *** cfgtrace:request_route=[CHECK_DEST_NET] c=[/etc/kamailio/kamailio.cfg] l=610 a=16 n=if
*DEBUG: pv [pv_core.c:1122]: pv_get_dsturi(): no destination URI*
exec: *** cfgtrace:request_route=[CHECK_DEST_NET] c=[/etc/kamailio/kamailio.cfg] l=608 a=39 n=setflag
exec: *** cfgtrace:request_route=[CHECK_DEST_NET] c=[/etc/kamailio/kamailio.cfg] l=609 a=26 n=xlog
DEBUG: pv [pv_core.c:1122]: pv_get_dsturi(): no destination URI
*ERROR: <script>: [CHECK_SOURCE] Packet going to PUBLIC -> [<null>]*
Whereas an INVITE _does_ have a $du (remember, all works except the ACK).
Why would an ACK not have a $du?
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
On Monday 01 April 2019 at 20:50:46, David Villasmil wrote:
> This is an AWS instance, and I want to segregate public from private. AWS does not provide actual public IPs on the instances themselves, so on the same interface:
> 5060 will serve public requests. 5066 will serve private requests.
> The firewall will only allow public traffic to port 5060 while blocking 5066. Only internal IPs will be allowed to 5066.
Can't you use a single (private) IP and a single port number, but provide different services based on the peer's IP address (private or public)?
Antony.
Hello Antony,
I suppose I could, but I don't much like the thought. I would like to have a totally separate IP/port combination. And, in any case, it wouldn't really answer the question, right?
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
On Monday 01 April 2019 at 21:07:59, David Villasmil wrote:
> Hello Antony,
> I suppose I could, but I don't much like the thought. I would like to have a totally separate IP/port combination.
Okay.
> And, in any case, it wouldn't really answer the question, right?
No, but it might not be the right question to ask :)
Do you prefer to ask "how can I make this strange networking setup operate?" or "how can I arrange my networking so that this service works?"
Antony.
Point taken.
But if I do have two separate interfaces, I would still have the same issue, wouldn't I?
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
On Monday 01 April 2019 at 21:19:13, David Villasmil wrote:
> Point taken.
> But if I do have two separate interfaces, I would still have the same issue, wouldn't I?
No, because (unless AWS works in some totally strange way that I can't imagine being the case) the two interfaces would have different IPs and different routes, and only one would be your default route to the Internet (ie: public IP addresses).
Then your "internal" machines would connect to the IP on an interface which only routes back to them and can't see the Internet, and public connections would come in to a different IP on another interface which can route back to them.
Someone with personal familiarity with AWS systems may be able to inject a more definite answer here.
Antony.
The way I've always done this for things like AWS or natted is to use one ip/port and advertise the external address and then if I have another ip use that for internal... if I only have one IP, use a different port.
Example 1:
listen=udp:192.168.25.31:5060 advertise 1.2.3.4:5060 #-- Public Socket
listen=udp:192.168.25.33:5060 #-- Private Socket
Example 2:
listen=udp:192.168.25.31:5060 advertise 1.2.3.4:5060 #-- Public Socket
listen=udp:192.168.25.31:5080 #-- Private Socket
Fred Posner fred@qxork.com https://qxork.com Direct/SMS: +1 (224) 334-3733 Direct/SMS: +1 (336) 439-3733
Need Fred? Call Fred. 336-HEY-FRED Matrix: @fred:matrix.lod.com
Actually that's a good point, the default gateway. But, even if I have 2 different IPs, those 2 would still have direct contact with the private IPs.
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
On Monday 01 April 2019 at 21:38:21, David Villasmil wrote:
> Actually that's a good point, the default gateway. But, even if I have 2 different IPs, those 2 would still have direct contact with the private IPs.
No, because (again, unless AWS works in some totally strange way that I can't imagine being the case) those two private IPs would be in different subnets, so only one is locally addressable by the other privately addressed machines.
Antony.
They're not, they're in the same subnet. At least on my tests.
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
On Monday 01 April 2019 at 21:51:13, David Villasmil wrote:
They're not, they're in the same subnet. At least on my tests.
In that case I can only wonder why AWS works like this.
I think I've run out of networking-based suggestions for fulfilling your requirements.
Antony.
Well,
As suggested, I decided to go with a single IP address. Thanks everyone!
Thanks to @Federico Cabiddu federico.cabiddu@gmail.com I understood why the ACK has no $du. This is because all record-routes have been consumed because this is the final hop.
So no record-route, no $du. I have to use the ruri.
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
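The conclusion David reports above (a last-hop ACK carries no Route, so `$du` is empty and the R-URI decides the destination) can be modelled offline. This is an added example, not code from the thread or from Kamailio: the function names and SIP messages are constructed, and it classifies the next hop by RFC 1918 range instead of the `sip:172..*` pattern from the original post.

```python
import ipaddress
import re

# RFC 1918 ranges; 172.16.0.0/12 is only a slice of 172.0.0.0/8.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URI_HOST = re.compile(r"sips?:(?:[^@;>\s]*@)?([^:;>\s]+)")

def uri_host(text):
    """Host of the first SIP URI in text (IPv4 or name), or None."""
    m = URI_HOST.search(text)
    return m.group(1) if m else None

def next_hop(request):
    """(host, source) the proxy forwards to: top Route if left, else R-URI.

    `request` is the message after the proxy removed its own Route entry,
    the point at which this model treats $du as either set or empty.
    """
    lines = request.split("\r\n")
    for line in lines[1:]:
        if line.lower().startswith("route:"):
            return uri_host(line.split(":", 1)[1]), "route"
    return uri_host(lines[0].split(" ")[1]), "ruri"

def is_rfc1918(host):
    """True only for a literal IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def pick_side(request):
    """Return (side, source, host) for the socket decision."""
    host, source = next_hop(request)
    return ("private" if is_rfc1918(host) else "public"), source, host

def regex_says_private(uri):
    """The thread's original test on $du, kept for comparison."""
    return re.search(r"sip:172..*", uri) is not None

# Constructed samples (not from the thread).
INVITE = ("INVITE sip:bob@203.0.113.9:5060 SIP/2.0\r\n"
          "Route: <sip:172.31.4.20;lr>\r\n\r\n")
ACK = "ACK sip:bob@172.31.7.15:5060 SIP/2.0\r\nCall-ID: constructed-1\r\n\r\n"
ACK_172_32 = "ACK sip:bob@172.32.0.9 SIP/2.0\r\nCall-ID: constructed-2\r\n\r\n"
```

The pattern test treats every `sip:172` prefix as private, including public space such as 172.32.0.0, and it stops matching once the URI carries a user part, which an R-URI normally does.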
David, out of curiosity, are you finally using only one listen= line or two in your AWS setup?
More specific: are you only listening on one port with the ‘advertise’ set or are you finally listening on two ports?
If you are using one port only you might find yourself using egress (billed) traffic between your instances, so make sure in the captures you are really seeing your internal IP in the RR headers when talking to internal servers instead of the egress (public) IP.
Thanks, Joel
Hey Joel!
I’m using only one. I will double-check that!
Thanks
David
Hello
Check your reply_route.
An example I use with public and private interfaces and mhomed=1:
    onreply_route[MANAGE_REPLY] {
        xdbg("incoming reply\n");
        # rewrite the Contact of ringing/answer replies with the source address
        if (t_check_status("(180|183|200)")) {
            fix_nated_contact();
        }
    }