Re: [SR-Users] What is the typical network setup for kamailio?

2018-10-03 Thread Kevin Olbrich
On Wed, 3 Oct 2018 at 22:50, Sergiu Pojoga wrote:

> Hi Kevin,
>
> Main objective would be to detect NAT, and if so, fix SDP instead of
> involving rtpproxy. Both ways of course, requests and replies.
>
> Something like this:
>
> if (nat_uac_test("8"))
>     fix_nated_sdp("15");
>
>
Thank you very much! This works perfectly fine!


> Cheers!
>
___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] What is the typical network setup for kamailio?

2018-10-03 Thread Sergiu Pojoga
Hi Kevin,

Main objective would be to detect NAT, and if so, fix SDP instead of
involving rtpproxy. Both ways of course, requests and replies.

Something like this:

if (nat_uac_test("8"))
    fix_nated_sdp("15");


Cheers!


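A worked version of the check above, as an added example that is not part of Sergiu's post or of the Kamailio distribution: the request side applies the test and the SDP fix, and an onreply_route armed through tm applies the same fix to the answer SDP, which is the "both ways" he mentions. The flag values are the ones he quotes; the route names and the set of methods checked are assumptions.

```cfg
#!KAMAILIO
# Added example, not from the thread: SDP-only NAT handling without rtpproxy.
# Flag values are the ones quoted in the thread; route names are assumptions.
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "textops.so"
loadmodule "nathelper.so"

request_route {
    if (is_method("INVITE|UPDATE|PRACK|ACK") && has_body("application/sdp")) {
        route(NAT_SDP);
    }
    # arm the reply-side fix before relaying; the answer SDP (183/200) from a
    # phone behind NAT needs the same treatment as the offer
    t_on_reply("REPLY_NAT_SDP");
    if (!t_relay()) {
        sl_reply_error();
    }
}

route[NAT_SDP] {
    # 8: the c= connection address in the SDP is a private (RFC1918) address,
    # i.e. the phone announced an address nobody outside its NAT can reach
    if (nat_uac_test("8")) {
        # 15 = 1+2+4+8:
        #   1  add a=direction:active
        #   2  rewrite the c= IP with the source IP the SIP packet came from
        #   4  add a=nortpproxy:yes, so a later hop does not engage a relay
        #   8  rewrite the IP in the o= line as well
        fix_nated_sdp("15");
        # caveat: only the address is rewritten, the media port stays what the
        # phone announced; this works when the NAT preserves the port mapping
    }
}

onreply_route[REPLY_NAT_SDP] {
    if (has_body("application/sdp") && nat_uac_test("8")) {
        fix_nated_sdp("15");
    }
}
```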

Re: [SR-Users] What is the typical network setup for kamailio?

2018-10-03 Thread Kevin Olbrich
Hi!

Sorry if you received an empty email, I accidentally clicked the send button
when resizing the window.

I am finally able to test a setup with both kamailio and asterisk on public
network.
Currently I struggle with RTP flow - what do I need to change to have rtp
flow directly to asterisk instead of rtpproxy?
Rtpproxy is working fine but when I disable NAT, there is no audio (did not
yet check SDP).

Kind regards
Kevin



Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-20 Thread Henning Westerholt

Hi Kevin,

here you find an (older) presentation about a setup with private Asterisk and
Kamailio as the network edge. This is the one that we built back in the days at
1&1; slide 19 has a schematic diagram of the setup:

https://skalatan.de/archive/presentations/kamailio-world-2013-presentation.pdf

Best regards,

Henning


-- 
Henning Westerholt
https://skalatan.de/blog/



Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-20 Thread Matthew Jordan
On Mon, Aug 20, 2018 at 1:04 PM Alex Balashov 
wrote:

> On Mon, Aug 20, 2018 at 09:01:08PM +0300, Dmitri Savolainen wrote:
>
> > >
> > >  If Kamailio is going to act as your registrar, then you will need to
> > > find some way to expose the registered contacts to Asterisk -
> > >
> > Matthew, could you explain why Asterisk has to know about reg contacts in
> > your approach? Asterisk may just send all to Kamailio (second call leg)
> > and let Kamailio route this call to the appropriate contact.
>

This is fine, and you can make your outbound calls in that fashion. You do
need to have Asterisk present enough information that Kamailio is aware of
how to route that outbound INVITE request, but if you have sufficient
information in the request URI, it can certainly make that decision.

If, however, you wanted to dial PJSIP/1000 - with no other information and
where 1000 is some registered device - Asterisk will need the registered
contact that the device has presented to the registrar. In which case, you
have to have some mechanism for Asterisk to get at that information.


>
> The historical problem with this "dial endpoints over a trunk peer"
> approach is that such endpoints are not as privileged by Asterisk as
> local AstDB bindings for various Class 5 / application purposes, e.g.
> hints, voicemail, MWI, etc.
>
> But as I understand it, PJSIP is supposed to fix this problem and make
> use of an outboard registrar a lot more transparent.
>

Yup - it all depends on how you configure / use things.

-- 
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org


Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-20 Thread Alex Balashov
On Mon, Aug 20, 2018 at 09:01:08PM +0300, Dmitri Savolainen wrote:

> >
> >  If Kamailio is going to act as your registrar, then you will need to
> > find some way to expose the registered contacts to Asterisk -
> >
> Matthew, could you explain why Asterisk has to know about reg contacts in
> your approach? Asterisk may just send all to Kamailio (second call leg)
> and let Kamailio route this call to the appropriate contact.

The historical problem with this "dial endpoints over a trunk peer"
approach is that such endpoints are not as privileged by Asterisk as
local AstDB bindings for various Class 5 / application purposes, e.g.
hints, voicemail, MWI, etc.

But as I understand it, PJSIP is supposed to fix this problem and make
use of an outboard registrar a lot more transparent.

-- 
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) 
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/



Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-20 Thread Matthew Jordan
For what it's worth, we've set up a network/system where Asterisk resides
completely on a private network with Kamailio acting as an edge proxy.
RTPEngine is necessary as well to help the media through to the private
network, but that's probably not surprising. It is completely doable,
although the suggestions below about simply restricting Asterisk on a
public network to the locations of the Kamailio proxies also works quite
well.

Matching inbound requests in Asterisk to only the pool of Kamailio proxies
can be done in a variety of fashions - IP address matching being the
simplest. You will obviously need to think carefully about how Asterisk
handles its outbound calling. If Kamailio is going to act as your
registrar, then you will need to find some way to expose the registered
contacts to Asterisk - we chose this route, and wrote a small REST sidecar
to Kamailio for that purpose. If Asterisk is going to act as your
registrar, you will need to fork the REGISTER requests to all of the
Asterisk instances. Additionally, for INVITE requests being initiated by
Asterisk, you will want to force those to flow through your edge proxies.
This can be done using Asterisk's outbound_proxy setting on the AOR object
in pjsip.conf.



-- 
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis 
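A Kamailio-side sketch of the layout Matthew describes (Kamailio as public edge and registrar, Asterisk on the private network), as an added example that is not from the thread or from either project: the public side saves bindings and load-balances INVITEs across an Asterisk pool, and INVITEs coming back from the pool are resolved against the saved contacts, the variant Dmitri asks about, so Asterisk needs no copy of the registrations. The addresses, route names and dispatcher set are assumptions; the Asterisk-side identify/outbound_proxy configuration is not shown.

```cfg
#!KAMAILIO
# Added example, not from the thread: Kamailio as public edge and registrar,
# Asterisk pool on a private network.  10.20.0.0/24 and 10.20.0.1 are
# placeholder addresses; route names and dispatcher set 1 are assumptions.
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "siputils.so"
loadmodule "textops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "nathelper.so"
loadmodule "dispatcher.so"

# the address a NATed phone's REGISTER really came from is stored with the
# binding, so lookup() later sends to it instead of the private Contact
modparam("nathelper", "received_avp", "$avp(RECEIVED)")
modparam("registrar", "received_avp", "$avp(RECEIVED)")
# set 1 in dispatcher.list lists the Asterisk instances (file not shown)
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")

request_route {
    # in-dialog requests follow the Record-Route set already built
    if (has_totag() && loose_route()) {
        route(RELAY);
        exit;
    }
    # trust the core only if the packet came from the Asterisk range AND
    # arrived on the private-side interface ($Ri = receiving IP); a spoofed
    # source address on the public interface fails the second test
    if (src_ip == 10.20.0.0/24 && $Ri == "10.20.0.1") {
        route(FROM_CORE);
    } else {
        route(FROM_EDGE);
    }
}

route[FROM_EDGE] {
    if (is_method("REGISTER")) {
        # 19 = 1+2+16: private address in Contact, source IP differs from the
        # top Via, or source port differs from the Via port -> behind NAT
        if (nat_uac_test("19")) {
            fix_nated_register();
        }
        # Kamailio keeps the binding; the REGISTER never reaches Asterisk
        if (!save("location")) {
            sl_reply_error();
        }
        exit;
    }
    if (is_method("INVITE")) {
        record_route();
        # pick an Asterisk instance from set 1, round-robin (algorithm 4)
        if (!ds_select_dst("1", "4")) {
            sl_send_reply("503", "No B2BUA available");
            exit;
        }
        t_on_failure("DS_FAILOVER");
        route(RELAY);
        exit;
    }
    sl_send_reply("405", "Method Not Allowed");
}

route[FROM_CORE] {
    if (is_method("INVITE")) {
        record_route();
        # Asterisk dialled sip:1000@<edge>; resolve it against the bindings
        # saved above, so Asterisk needs no copy of the registered contacts
        if (!lookup("location")) {
            sl_send_reply("404", "Not registered");
            exit;
        }
        route(RELAY);
        exit;
    }
    sl_send_reply("405", "Method Not Allowed");
}

route[RELAY] {
    if (!t_relay()) {
        sl_reply_error();
    }
}

failure_route[DS_FAILOVER] {
    if (t_is_canceled()) {
        exit;
    }
    # the chosen instance failed; try the next one in the set
    if (ds_next_dst()) {
        t_on_failure("DS_FAILOVER");
        route(RELAY);
    }
}
```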

Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-20 Thread Kevin Olbrich
Hi Henning,

I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf
- interesting solution with e/iBGP which we would also be able to deploy).

There was just a single presentation that I was able to locate that had the
proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf
At least it looks like they are located behind the SBC.

After the research, my impression is that co-locating the B2BUA with the
edge proxy and firewalling it seems to be best practice.
We will try to add some security by bridge-firewalling and BGP.

If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.

Kind regards,
Kevin




Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-16 Thread Henning Westerholt
On Thursday, 16 August 2018, 11:57:03 CEST, Kevin Olbrich wrote:
> I am working successfully with Kamailio in my lab setup where Kamailio is
> the SBC for Asterisk.
> The network layout is looking like this:
> 
> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
> <== PUBLIC NET ==> Carrier
> 
> Each public network is reachable from the internet and has a local firewall
> with IP whitelists.
> The internal SIP transactions are UDP-only but for external phones I would
> like to also listen for TCP/TLS.
> 
> For this layout to work with rtpproxy (before we move on to RTPengine), we
> have to enable mhomed in Kamailio.
> We also have some routing issues with packets leaving with the wrong IP via
> rtpproxy (when call between carrier and external phone needs to be bridged).
> 
> Most examples show that Asterisk is deployed on the same network as the
> external interface of Kamailio (-> Asterisk exposed to the public network).
> In our tests, this works much better but I have great security concerns
> because this Asterisk instance itself does not need to be reachable from
> external.
> 
> How do other users deploy Kamailio in front of Asterisk or similar as SBC
> to secure internals?
> There are lots of docs for Kamailio's config but IMHO less for the setup as
> DMZ (SBC) proxy.

Hello Kevin,

this is indeed a common setup to protect Asterisk and also to have much
greater flexibility with regards to balancing and/or SIP message adaptations.

To get some ideas, have a look at the last years' conferences available here:

https://www.kamailio.org/events/

There should be some talks about using Kamailio in front of Asterisk; the
talk name is usually in the file name.

I think even at this year's ClueCon Fred Posner did a talk about Kamailio as
Edge Proxy, and also at AstriCon there were some talks about this scenario, if
I remember correctly.

You should also find in the Kamailio World or FOSDEM talks a lot of
information about this scenario. You can find all the talks from Kamailio
World on our YouTube channel:

https://www.youtube.com/kamailioworld

Best regards,

Henning

-- 
Henning Westerholt
https://skalatan.de/blog/



Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-16 Thread Dmitri Savolainen
>
> is RTP flowing to FS directly in this case?

Yes, it works fine in 99% of cases and no additional STUN/ICE is required

On 16 August 2018 at 13:32, Kevin Olbrich  wrote:

> Hi Dmitri,
>
> is RTP flowing to FS directly in this case? This would allow us to use
> STUN as well as ICE, etc. from Asterisk (which is currently the case
> without Kamailio SBC in prod).
>
> Kevin
>
>
>
> On Thu, 16 Aug 2018 at 12:29, Dmitri Savolainen <
> savolai...@erinaco.ru> wrote:
>
>> Hi Kevin.
>> I use Kamailio as a FreeSWITCH set balancer almost without rtpengine
>> (rtpengine is used only in some specific cases). All on public IPs.
>> I just tune the FS SIP profile to let it accept requests only from the
>> Kamailio IP:PORT and add the same firewall rules as well.
>> All RPC commands work via the local interface only.
>> PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio
>> (PUBLIC) ==> Carrier
>>
>>
>> On 16 August 2018 at 12:57, Kevin Olbrich  wrote:
>>
>>> Hi!
>>>
>>> I am working successfully with Kamailio in my lab setup where Kamailio
>>> is the SBC for Asterisk.
>>> The network layout is looking like this:
>>>
>>> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
>>> <== PUBLIC NET ==> Carrier
>>>
>>> Each public network is reachable from the internet and has a local
>>> firewall with IP whitelists.
>>> The internal SIP transactions are UDP-only but for external phones I
>>> would like to also listen for TCP/TLS.
>>>
>>> For this layout to work with rtpproxy (before we move on to RTPengine),
>>> we have to enable mhomed in Kamailio.
>>> We also have some routing issues with packets leaving with the wrong IP
>>> via rtpproxy (when call between carrier and external phone needs to be
>>> bridged).
>>>
>>> Most examples show that Asterisk is deployed on the same network as the
>>> external interface of Kamailio (-> Asterisk exposed to the public network).
>>> In our tests, this works much better but I have great security concerns
>>> because this Asterisk instance itself does not need to be reachable from
>>> external.
>>>
>>> How do other users deploy Kamailio in front of Asterisk or similar as
>>> SBC to secure internals?
>>> There are lots of docs for Kamailio's config but IMHO less for the setup
>>> as DMZ (SBC) proxy.
>>>
>>> Thank you very much.
>>>
>>> Kind regards
>>> Kevin
>>>
>>>
>>>
>>
>>
>> --
>> Savolainen Dmitri
>>
>
>
>


-- 
Savolainen Dmitri


Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-16 Thread Daniel Tryba
On Thu, Aug 16, 2018 at 11:57:03AM +0200, Kevin Olbrich wrote:
> Most examples show that Asterisk is deployed on the same network as the
> external interface of Kamailio (-> Asterisk exposed to the public network).
> In our tests, this works much better but I have great security concerns
> because this Asterisk instance itself does not need to be reachable from
> external.

Having a public IP doesn't mean this IP is reachable externally. If this
is your concern (rightfully): firewall off access for anything that doesn't
need to be able to access it.




Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-16 Thread Kevin Olbrich
Sorry, following -> flowing.


Am Do., 16. Aug. 2018 um 12:32 Uhr schrieb Kevin Olbrich :

> Hi Dmitri,
>
> is RTP folowing to FS directly in this case? This would allow us to use
> STUN as well as ICE, etc. from Asterisk (which is currently the case
> without Kamailio SBC in prod).
>
> Kevin
>
>
> Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen <
> savolai...@erinaco.ru>:
>
>> Hi Kevin.
>> I use Kamailio as a FreeSwitch set balancer almost without rtpengine
>> (rtpengine is used only in some specific cases). All on public IPs.
>> I just tune the FS SIP profile to let it get requests only from the Kamailio
>> IP:PORT and add the same firewall rules as well.
>> All RPC commands work via the local interface only.
>> PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio(PUBLIC) ==> Carrier
>>
>>
>> On 16 August 2018 at 12:57, Kevin Olbrich  wrote:
>>
>>> Hi!
>>>
>>> I am working successfully with Kamailio in my lab setup where Kamailio
>>> is the SBC for Asterisk.
>>> The network layout looks like this:
>>>
>>> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
>>> <== PUBLIC NET ==> Carrier
>>>
>>> Each public network is reachable from the internet and has a local
>>> firewall with IP whitelists.
>>> The internal SIP transactions are UDP-only but for external phones I
>>> would like to also listen for TCP/TLS.
>>>
>>> For this layout to work with rtpproxy (before we move on to RTPengine),
>>> we have to enable mhomed in Kamailio.
>>> We also have some routing issues with packets leaving with the wrong IP
>>> via rtpproxy (when call between carrier and external phone needs to be
>>> bridged).
>>>
>>> Most examples show that Asterisk is deployed on the same network as the
>>> external interface of Kamailio (-> Asterisk exposed to the public network).
>>> In our tests, this works much better but I have great security concerns
>>> because this Asterisk instance itself does not need to be reachable from
>>> external.
>>>
>>> How do other users deploy Kamailio in front of Asterisk or similar as
>>> SBC to secure internals?
>>> There are lots of docs for Kamailio's config but IMHO less for the setup
>>> as a DMZ (SBC) proxy.
>>>
>>> Thank you very much.
>>>
>>> Kind regards
>>> Kevin
>>>
>>>
>>>
>>
>>
>> --
>> Savolainen Dmitri
>>
>


Re: [SR-Users] What is the typical network setup for kamailio?

2018-08-16 Thread Dmitri Savolainen
Hi Kevin.
I use Kamailio as a FreeSwitch set balancer almost without rtpengine
(rtpengine is used only in some specific cases). All on public IPs.
I just tune the FS SIP profile to let it get requests only from the Kamailio
IP:PORT and add the same firewall rules as well.
All RPC commands work via the local interface only.
PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio(PUBLIC) ==> Carrier


On 16 August 2018 at 12:57, Kevin Olbrich  wrote:

> Hi!
>
> I am working successfully with Kamailio in my lab setup where Kamailio is
> the SBC for Asterisk.
> The network layout looks like this:
>
> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
> <== PUBLIC NET ==> Carrier
>
> Each public network is reachable from the internet and has a local
> firewall with IP whitelists.
> The internal SIP transactions are UDP-only but for external phones I would
> like to also listen for TCP/TLS.
>
> For this layout to work with rtpproxy (before we move on to RTPengine), we
> have to enable mhomed in Kamailio.
> We also have some routing issues with packets leaving with the wrong IP
> via rtpproxy (when call between carrier and external phone needs to be
> bridged).
>
> Most examples show that Asterisk is deployed on the same network as the
> external interface of Kamailio (-> Asterisk exposed to the public network).
> In our tests, this works much better but I have great security concerns
> because this Asterisk instance itself does not need to be reachable from
> external.
>
> How do other users deploy Kamailio in front of Asterisk or similar as SBC
> to secure internals?
> There are lots of docs for Kamailio's config but IMHO less for the setup as
> a DMZ (SBC) proxy.
>
> Thank you very much.
>
> Kind regards
> Kevin
>
>
>


-- 
Savolainen Dmitri
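
Both Daniel's reply (a public IP is only reachable to the extent the firewall allows) and Dmitri's setup (the media server accepts SIP only from the Kamailio IP:PORT, with matching firewall rules) come down to the same host firewall on the Asterisk/FreeSWITCH box. The script below is an added example, not code posted in this thread or shipped by Kamailio, Asterisk or FreeSWITCH: it renders an nftables ruleset in which SIP signalling is accepted only from the SBC address while the RTP range stays open, since media flows directly between the endpoints and the media server rather than through Kamailio. The SBC address 203.0.113.10, the RTP range, the interface name `eth1` and the management ports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): render an nftables ruleset for a
# media server (Asterisk/FreeSWITCH) that has a public IP but must accept
# SIP signalling only from the Kamailio SBC. All addresses, ports and
# interface names are constructed placeholders.

# gen_ruleset KAMAILIO_IP [RTP_FIRST] [RTP_LAST]
# Prints the ruleset to stdout so it can be reviewed, diffed or fed to nft.
gen_ruleset() {
    kam_ip="$1"
    rtp_first="${2:-10000}"
    rtp_last="${3:-20000}"
    cat <<EOF
table inet media_sbc {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # SIP over UDP, TCP and TLS only from the Kamailio SBC (placeholder address)
        ip saddr $kam_ip udp dport 5060 accept
        ip saddr $kam_ip tcp dport { 5060, 5061 } accept
        # RTP stays open: media goes directly between endpoints and this host,
        # not through the SBC, so the peer address is not known in advance
        udp dport $rtp_first-$rtp_last accept
        # Management (SSH, FreeSWITCH ESL) only via the private interface
        iifname "eth1" tcp dport { 22, 8021 } accept
        # Everything else, including SIP from arbitrary public hosts, is dropped
        counter drop
    }
}
EOF
}

# count_sbc_rules RULESET_TEXT KAMAILIO_IP
# Number of accept rules pinned to the SBC source address; a quick sanity
# check that SIP is not accepted from anywhere else.
count_sbc_rules() {
    printf '%s\n' "$1" | grep -c "ip saddr $2 .* accept"
}

# Example run: print the ruleset for a placeholder SBC address.
gen_ruleset 203.0.113.10 10000 20000
```

To apply it, write the output to a file and check it first with `nft -c -f <file>` before loading it with `nft -f <file>`; the `policy drop` default means anything not listed, including SIP from random scanners on the public network, never reaches the media server even though it carries a public address. Dmitri's point about RPC "via the local interface only" is the `iifname "eth1"` line: the same restriction belongs in the application's own configuration as well, so that the firewall is not the only layer enforcing it.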