Hi Serusers, I have been playing around with this logic for some time now and it's giving me a bit of a headache. Any help will be very much appreciated. Here's what I've got. I use the default settings for rtpproxy and tested all the NAT scenarios PC-to-PC; they work great. Now I want to have the PC call out to the PSTN and only allow registered clients to make calls to the PSTN gateway, and at the same time go through rtpproxy. My gateway IP address is 64.200.219.134 port 5060; it's a Cisco AS5350. Below is my configuration. Where should I put the setting? Any hint or example will be very much appreciated.
----------------------
#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=7            # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=yes   # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

listen=64.200.219.135
listen=127.0.0.1

alias=unlimitedtalk.net
alias=64.200.219.135

check_via=no   # (cmd. line: -v)
dns=no         # (cmd. line: -r)
rev_dns=no     # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------- accounting parameters
modparam("acc", "log_missed_flag", 3)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)

# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 2)

# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 10)

# database location
modparam("usrloc", "db_url", "mysql://ser:heslo@localhost/ser")

# ------------- auth parameters
# database location
modparam("auth_db", "db_url", "mysql://ser:heslo@localhost/ser")

# allows clear text passwords in the mysql database
modparam("auth_db", "calculate_ha1", yes)

# name of password column in mysql database
modparam("auth_db", "password_column", "password")

# !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30)   # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)     # Ping only clients behind NAT

# ------------------------- request routing logic -------------------

# main routing logic

route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # !! Nathelper
    # Special handling for NATed clients; first, NAT test is
    # executed: it looks for via!=received and RFC1918 addresses
    # in Contact (may fail if line-folding is used); also,
    # the received test should, if completed, check all
    # vias for presence of received
    if (nat_uac_test("3")) {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || ! search("^Record-Route:")) {
            log("LOG: Someone trying to register from private IP, rewriting\n");

            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and majority is
            # smart enough to be symmetric. In some phones it takes a configuration
            # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
            # called "symmetric media" and "symmetric signalling".

            fix_nated_contact();      # Rewrite contact with source IP of signalling
            if (method == "INVITE") {
                fix_nated_sdp("1");   # Add direction=active to SDP
            };
            force_rport();   # Add rport parameter to topmost Via
            setflag(6);      # Mark as NATed
        };
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    # record-route exactly once, here, after the NAT test, so that
    # in-dialog requests reach route(1) (and its rtpproxy handling)
    # through loose_route() below instead of being relayed early
    if (!method=="REGISTER") record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        break;
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        break;
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {

        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("unlimitedtalk.net", "subscriber")) {
                www_challenge("unlimitedtalk.net", "0");
                break;
            };
            save("location");
            break;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            break;
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

route[1] {
    # !! Nathelper
    if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")){
        sl_send_reply("479", "We don't forward to private IP addresses");
        break;
    };

    # if client or server known to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
    };

    # NAT processing of replies; apply to all transactions (for example,
    # re-INVITEs from public to private UA are hard to identify as
    # NATed at the moment of request processing); look at replies
    t_on_reply("1");

    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
}

# !! Nathelper
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    # otherwise, is it a transaction behind a NAT and we did not
    # know at time of request processing ? (RFC1918 contacts)
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}
----------------------------
Thanks in advance, Ted
Hi Ted,
What you have to do is to add, in the (uri==myself) section, before lookup(location), the GW diversion. Something like:

if (uri=~"uri_GW_like") {
    t_relay_to_udp("GW_IP","GW_PORT");
    break;
}
Best regards, Marian Dumitru
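Putting the question's two requirements together (only authenticated subscribers may reach the gateway, and the call still passes through rtpproxy), here is an added example of the gateway branch, written for this thread; it is not code from either post or from the SER distribution. It assumes that PSTN numbers arrive with an all-digit user part (`^sip:[0-9]+@`), that `unlimitedtalk.net` and the `subscriber` table are the realm and credentials table the posted config already uses for REGISTER, and that the gateway is 64.200.219.134:5060 as stated in the question. It goes in the `(uri==myself)` section, after the REGISTER block and before `lookup("location")`, where Marian places the diversion, but instead of relaying directly it rewrites the host:port and continues through route(1), so the private-IP check, `force_rtp_proxy()` for NATed callers (flag 6) and `t_on_reply("1")` still apply:

```cfg
    # ---- PSTN gateway branch (added example): inside "if (uri==myself) {",
    # ---- after the REGISTER block and before lookup("location")

    # all-digit user part => treat the request as a PSTN call (assumed dial plan);
    # CANCEL must follow the same path as the INVITE it cancels
    if (uri=~"^sip:[0-9]+@" && (method=="INVITE" || method=="CANCEL")) {

        if (method=="INVITE") {
            # "registered clients only": what can be enforced per call is a
            # digest challenge on the INVITE itself against the same
            # subscriber table used for REGISTER. Without it, anyone who can
            # reach port 5060 could place PSTN calls through the AS5350.
            # (CANCEL is never challenged, per RFC 3261.)
            if (!proxy_authorize("unlimitedtalk.net", "subscriber")) {
                proxy_challenge("unlimitedtalk.net", "0");
                break;
            };

            # drop the Proxy-Authorization header so the gateway never sees
            # the caller's digest credentials
            consume_credentials();

            # account every gateway call (acc log_flag is 1 in this config);
            # the resulting syslog lines are what you review for unexpected
            # call volume or destinations
            setflag(1);
        };

        # point the request at the Cisco AS5350 (address from the question)
        # and hand it to route(1), which does the rtpproxy and relay work
        rewritehostport("64.200.219.134:5060");
        append_hf("P-hint: pstn-gw\r\n");
        route(1);
        break;
    };
```

Design notes: `proxy_authorize()`, `proxy_challenge()` and `consume_credentials()` come from the auth/auth_db modules that the posted config already loads; `rewritehostport()` is a core SER action. A digest check proves the caller holds a subscriber's password, not that a registration is currently active; if the From header must also match the authenticated user, the uri module's `check_from()` can be added after `proxy_authorize()`, which assumes loading uri.so, something the posted config does not yet do.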
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers