Some other weird stuff that happens if I remove the fix_nated_register call: Sometimes everything will work fine, audio is fine, etc. However, sometimes I'll call a phone, and the phone will immediately place a call back out to the number I'm dialing from! (very strange).
-- James

On Mon, Dec 13, 2010 at 5:28 PM, James Lamanna <[email protected]> wrote:
> Hi,
> I'm having some issues getting a correct NAT configuration going.
> The problem I'm having is
> I get a "479 We don't forward to private IP addresses" back when
> receiving a call to a phone from Asterisk, presumably because the
> location table has private IPs in it for some reason.
>
> This seems to be related to my failed attempt to use fix_nated_register().
> Removing the call to fix_nated_register and just using
> fix_nated_contact allows calls to go through, but then I get no audio
> on either side...
>
> Config follows.
>
> Thanks.
>
> -- James
>
>
> debug=3 # debug level (cmd line: -dddddddddd)
> fork=yes
> log_stderror=no # (cmd line: -E)
> log_facility=LOG_LOCAL0
> tos=0x60
>
> # Uncomment these lines to enter debugging mode
> #fork=no
> #log_stderror=yes
> #debug=6
>
> check_via=no # (cmd. line: -v)
> dns=no # (cmd. line: -r)
> rev_dns=no # (cmd. line: -R)
> port=5060
> children=4
>
> # Two UDP listeners on the same address: the routing script below treats
> # anything that arrives on 5061 as Asterisk signalling.
> listen=udp:208.xxx.xxx.6:5060
> listen=udp:208.xxx.xxx.6:5061
> # ------------------ module loading ----------------------------------
>
> #set module path
> #mpath="/usr/local/lib/opensips/modules/"
> mpath="/usr/local/lib64/opensips/modules/"
>
> # Uncomment this if you want to use SQL database
> loadmodule "db_mysql.so"
>
> loadmodule "sl.so"
> loadmodule "maxfwd.so"
> loadmodule "textops.so"
> loadmodule "avpops.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "dialog.so"
> loadmodule "signaling.so"
> loadmodule "options.so"
> loadmodule "localcache.so"
>
> loadmodule "usrloc.so"
>
> loadmodule "presence.so"
> loadmodule "presence_xml.so"
> loadmodule "presence_dialoginfo.so"
> loadmodule "pua.so"
> loadmodule "pua_dialoginfo.so"
> #loadmodule "pua_bla.so"
> loadmodule "pua_usrloc.so"
>
> loadmodule "registrar.so"
> loadmodule "mi_fifo.so"
> #loadmodule "xlog.so"
>
> # Uncomment this if you want digest authentication
> # db_mysql.so must be loaded !
> loadmodule "auth.so"
> loadmodule "auth_db.so"
>
> # !! Nathelper
> loadmodule "nathelper.so"
>
>
> # ----------------- setting module-specific parameters ---------------
>
> # -- mi_fifo params --
> # NOTE(review): the management FIFO lives in /tmp; whoever can write to it
> # can send MI commands to the proxy, so verify its ownership and mode or
> # move it to a directory only the opensips user can reach.
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>
> modparam("usrloc", "db_mode", 2)
> modparam("usrloc|dialog|dispatcher|presence|presence_xml|pua|avpops",
>     "db_url", "mysql://opensips:xxxxxxxxxx...@localhost/opensips")
>
>
> modparam("avpops","avp_table","usr_preferences")
>
> #modparam("dispatcher", "force_dst", 1)
> # Only use username
> #modparam("dispatcher", "flags", 1)
>
> # Store passwords for 1 hour in cache
>
> # pv_www_authorize() in the REGISTER branch reads the username from
> # $avp(i:54) and the password from $avp(i:55).
> modparam("auth","username_spec","$avp(i:54)")
> modparam("auth","password_spec","$avp(i:55)")
> modparam("auth","calculate_ha1",1)
>
> # NOTE(review): calculate_ha1=yes with password_column "password" and
> # load_credentials "$avp(i:55)=password" means the subscriber table holds
> # cleartext passwords and every DB authentication copies one into
> # $avp(i:55); the script later caches and logs that value.
> modparam("auth_db", "db_url",
>     "mysql://opensipsro:xxxxx...@localhost/opensips")
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "password_column", "password")
> modparam("auth_db", "load_credentials", "$avp(i:55)=password")
>
> modparam("rr", "enable_full_lr", 1)
>
> modparam("dialog", "dlg_flag", 4)
> modparam("dialog", "profiles_with_value", "caller")
>
> # Branch flag 6 marks a NATed contact (set with setbflag(6) in the main
> # route); nathelper and registrar share $avp(i:42) as the "received" AVP.
> modparam("usrloc","nat_bflag",6)
> modparam("nathelper","sipping_bflag",8)
> #modparam("nathelper", "natping_interval", 30)
> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
> #modparam("nathelper", "natping_interval", 30)
> modparam("nathelper", "sipping_from", "sip:[email protected]")
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy/rtpproxy.sock")
> modparam("nathelper", "received_avp", "$avp(i:42)")
> modparam("registrar", "received_avp", "$avp(i:42)")
>
> modparam("presence", "server_address", "sip:[email protected]:5060")
> modparam("presence", "expires_offset", 10)
> modparam("presence", "mix_dialog_presence", 1)
> #modparam("presence", "fallback2db", 1)
> modparam("presence_xml", "force_active", 1)
>
> modparam("presence_dialoginfo", "force_single_dialog", 1)
> modparam("pua_dialoginfo", "presence_server", "sip:[email protected]:5060")
> modparam("pua_dialoginfo", "include_callid", 1)
> modparam("pua_dialoginfo", "include_tags", 1)
> modparam("pua_dialoginfo", "caller_confirmed", 1)
>
> modparam("pua_usrloc", "default_domain", "208.xxx.xxx.6")
> modparam("pua_usrloc", "presence_server", "sip:[email protected]:5060")
>
> #modparam("stun","primary_ip","208.xxx.xxx.6")
> #modparam("stun","alternate_ip","208.90.184.10")
> #modparam("stun","primary_port","5060")
> #modparam("stun","alternate_port","3479")
>
> # ------------------------- request routing logic -------------------
>
> # main routing logic
>
> # Main request route: sanity checks, NAT detection and fix-up, in-dialog
> # (loose) routing, then per-method handling of requests addressed to this
> # proxy. Everything that is forwarded goes through route(1).
> route{
>
>     if (!is_method("NOTIFY"))
>         xlog("L_INFO", "New request - Request/failure/branch routes:
>             M=$rm
>             RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>
>     # max_forwards==0, or excessively long requests
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     };
>     if (msg:len >= 2048 ) {
>         sl_send_reply("513", "Message too big");
>         exit;
>     };
>
>     # !! Nathelper
>     # Special handling for NATed clients; first, NAT test is
>     # executed: it looks for via!=received and RFC1918 addresses
>     # in Contact (may fail if line-folding is used); also,
>     # the received test should, if completed, should check all
>     # vias for rpesence of received
>     # "19" is the sum of nat_uac_test flags 1 (RFC1918 address in Contact),
>     # 2 (Via address differs from the source IP) and 16 (source port
>     # differs from the Via port).
>     if (nat_uac_test("19")) {
>         # Allow RR-ed requests, as these may indicate that
>         # a NAT-enabled proxy takes care of it; unless it is
>         # a REGISTER
>
>         if (is_method("REGISTER") || !is_present_hf("Record-Route")) {
>             #xlog("L_INFO", "LOG:Someone trying to register from
>             private IP,
>             rewriting\n");
>             #xlog("L_INFO", "$rb\n");
>             # This will work only for user agents that support
>             symmetric
>             # communication. We tested quite many of them and
>             majority is
>             # smart enough to be symmetric. In some phones it
>             takes a
>             # configuration option. With Cisco 7960, it is called
>             # NAT_Enable=Yes, with kphone it is called "symmetric
>             media" and
>             # "symmetric signalling".
>
>             # Rewrite contact with source IP of signalling
>             # NOTE(review): unlike fix_nated_contact(), fix_nated_register()
>             # leaves the Contact untouched and only records the source
>             # address in received_avp ($avp(i:42)) for save(). The private
>             # Contact therefore stays in the location table, which is
>             # presumably what the RFC1918 test in route[1] rejects with 479
>             # after lookup("location") - confirm against the stored
>             # contacts.
>             if (is_method("REGISTER")) {
>                 fix_nated_register();
>             } else {
>                 fix_nated_contact();
>             };
>
>             if ( is_method("INVITE") ) {
>                 #xlog("L_INFO", "NAT: FIXING SDP");
>                 fix_nated_sdp("1"); # Add direction=active to
>                 SDP
>             };
>             force_rport(); # Add rport parameter to topmost Via
>             setbflag(6); # Mark as NATed
>
>             # if you want sip nat pinging
>             # setbflag(8);
>         };
>     };
>
>     # subsequent messages withing a dialog should take the
>     # path determined by record-routing
>     if (loose_route()) {
>         # mark routing logic in request
>         append_hf("P-hint: rr-enforced\r\n");
>         route(1);
>         exit;
>     };
>
>     # we record-route all messages -- to make sure that
>     # subsequent messages will go through our proxy; that's
>     # particularly good if upstream and downstream entities
>     # use different transport protocol
>     if (!is_method("REGISTER"))
>         record_route();
>
>     # Flag 4 is the dialog module's dlg_flag (see modparam above).
>     if (method == "INVITE") {
>         setflag(4);
>     }
>
>     # NOTE(review): requests addressed to a foreign domain reach route(1)
>     # here with no authentication or source check in front of them, so as
>     # written the proxy relays for any sender. Confirm that is intended,
>     # otherwise challenge or restrict by source before relaying.
>     if (!uri==myself) {
>         # mark routing logic in request
>         append_hf("P-hint: outbound\r\n");
>         route(1);
>         exit;
>     };
>
>     # if the request is for other domain use UsrLoc
>     # (in case, it does not work, use the following command
>     # with proper names and addresses in it)
>     if (uri==myself) {
>         if (is_method("OPTIONS") && (! uri=~"sip:....@]+.*")) {
>             options_reply();
>             exit;
>         }
>
>         # if (is_method("INVITE|ACK")) {
>         #     unforce_rtp_proxy();
>         # }
>
>
>
>         # REGISTER: authenticate from the local cache when a password is
>         # cached for this To URI, otherwise against the DB, then save the
>         # contact.
>         if (is_method("REGISTER")) {
>             #xlog("L_INFO", "trying to register $au $ad\n");
>
>             if(cache_fetch("local","passwd_$tu",$avp(i:55))) {
>                 $avp(i:54) = $tU;
>                 # NOTE(review): the next statement writes the subscriber's
>                 # cleartext password to the log on every cached REGISTER;
>                 # log the username only.
>                 xlog("SCRIPT: stored password is
>                     $avp(i:55)\n");
>                 # perform auth from variables
>                 # $avp(i:54) contains the username
>                 # $avp(i:55) contains the password
>                 if (!pv_www_authorize("asterisk")) {
>                     # authentication failed -> do challenge
>                     www_challenge("asterisk", "0");
>                     exit;
>                 };
>             } else {
>                 # perform DB authentication ->
>                 # password will be loaded from DB automatically
>                 if (!www_authorize("asterisk", "subscriber")) {
>                     # authentication failed -> do challenge
>                     www_challenge("asterisk", "0");
>                     exit;
>                 };
>                 # after DB authentication, the password is
>                 available
>                 # in $avp(i:55) because of the
>                 "load_credentials"
>                 # module parameter.
>                 # NOTE(review): same issue as above - the cleartext
>                 # password ends up in the log.
>                 xlog("SCRIPT: storing password
>                     <$avp(i:55)>\n");
>                 # use a 20 minutes lifetime for the password;
>                 # after that, it will erased from cache and we
>                 do
>                 # db authentication again (refresh the passwd
>                 from DB)
>                 # NOTE(review): the timeout passed below is 3600 seconds,
>                 # i.e. the 1 hour mentioned in the modparam section, not
>                 # 20 minutes. Until the entry expires the cleartext
>                 # password stays in the local cache and a password change
>                 # in the DB is not picked up.
>
>                 cache_store("local","passwd_$tu","$avp(i:55)",3600);
>             }
>
>             # Uncomment this if you want to use digest
>             authentication
>             #if (!www_authorize("asterisk", "subscriber")) {
>             #    www_challenge("asterisk", "0");
>             #    return;
>             #};
>
>             #bla_set_flag();
>
>             save("location");
>             pua_set_publish();
>             exit;
>         };
>
>         lookup("aliases");
>         if (!uri==myself) {
>             append_hf("P-hint: outbound alias\r\n");
>             route(1);
>             exit;
>         };
>
>         #xlog("L_INFO", "TESTING FOR $hdr(Event)\n");
>         if (is_method("NOTIFY") && $hdr(Event) == "message-summary") {
>             #xlog("L_INFO", "MWI Notification $rb\n");
>             if (!lookup("location")) {
>                 sl_send_reply("404", "Not Found");
>                 exit;
>             }
>         } else if (is_method("SUBSCRIBE") && (uri =~
>             "sip:[7-9][[email protected]" ||
>             $hdr(Event) == 'message-summary')) {
>             xlog("L_INFO", "SUBSCRIBE FOR PAGE/VM \n");
>             # Resolve the dialplan server for this caller: local cache
>             # first, then the avpops table; the value is split on ':' into
>             # the R-URI host ($rd) and port ($rp).
>             if(!cache_fetch("local","ast_$fU",$avp(i:200)))
>                 avp_db_load("$fu/username","$avp(i:200)");
>             if ($avp(i:200) == NULL || $avp(i:200) == '') {
>                 xlog("INVALID DIALPLAN SERVER URL\n");
>                 sl_send_reply("404", "Not Found");
>                 exit;
>             } else {
>
>                 cache_store("local","ast_$fU","$avp(i:200)",3600);
>             }
>             #rewritehostport("$avp(i:200)");
>             $rd = $(avp(i:200){s.select,0,:});
>             $rp = $(avp(i:200){s.select,1,:});
>         } else if (is_method("PUBLISH|SUBSCRIBE|NOTIFY")) {
>             route(2);
>
>         # Asterisk signaling comes in on 5061
>         # NOTE(review): a request is treated as coming from Asterisk purely
>         # because it arrived on port 5061; no source-address check is
>         # visible in this script, so the port needs to be filtered
>         # elsewhere (firewall) or checked against $si here.
>         } else if (dst_port==5061) {
>             if (!lookup("location")) {
>                 sl_send_reply("404", "Not Found");
>                 exit;
>             }
>
>             if (is_method("INVITE")) {
>                 dialoginfo_set();
>             }
>
>
>             xlog("L_INFO", "request from asterisk $ru $tu\n");
>             # Intercom calls are refused with 486 when the callee already
>             # has a dialog counted in the "caller" profile.
>             if (to_uri =~ ".*intercom=true") {
>                 xlog("INTERCOM REQUEST\n");
>                 $var(checkuser) = $tU;
>
>
>                 get_profile_size("caller","$var(checkuser)","$var(rcalls)");
>                 if ($var(rcalls) > 0) {
>                     xlog("DENY INTERCOM\n");
>                     sl_send_reply("486", "Busy Here");
>                     exit;
>                 }
>             }
>
>             # Flag 31 guards against creating the dialog/profile twice for
>             # the same request.
>             if (!isflagset(31)) {
>
>                 #get_profile_size("caller","$avp(s:caller_uuid)","$var(calls)");
>                 create_dialog();
>
>                 #set_dlg_profile("caller","$avp(s:caller_uuid)");
>                 set_dlg_profile("caller","$tU");
>                 setflag(31);
>                 get_profile_size("caller","$tU","$var(calls)");
>                 xlog("NUM CALLS $tU $ru $mf $var(calls) \n");
>             }
>         } else if (is_method("INVITE")) {
>             # NOTE(review): with proxy_authorize commented out, INVITEs in
>             # this branch are never challenged, and the dialplan server is
>             # selected from the From URI, which the sender controls.
>             #if (!proxy_authorize("asterisk", "subscriber")) {
>             #    proxy_challenge("asterisk", "1"); # Realm
>             will be autogenerated
>             #    exit;
>             #};
>
>             if(!cache_fetch("local","ast_$fU",$avp(i:200)))
>                 avp_db_load("$fu/username","$avp(i:200)");
>             if ($avp(i:200) == NULL || $avp(i:200) == '') {
>                 xlog("INVALID DIALPLAN SERVER URL\n");
>                 sl_send_reply("404", "Not Found");
>                 exit;
>             } else {
>
>                 cache_store("local","ast_$fU","$avp(i:200)",3600);
>             }
>             #rewritehostport("$avp(i:200)");
>             $rd = $(avp(i:200){s.select,0,:});
>             $rp = $(avp(i:200){s.select,1,:});
>
>             if (!isflagset(31)) {
>
>                 #get_profile_size("caller","$avp(s:caller_uuid)","$var(calls)");
>                 create_dialog();
>
>                 #set_dlg_profile("caller","$avp(s:caller_uuid)");
>                 set_dlg_profile("caller","$fU");
>                 setflag(31);
>                 get_profile_size("caller","$fU","$var(calls)");
>                 xlog("NUM CALLS $fU $ru $mf $var(calls) \n");
>             }
>             dialoginfo_set();
>         }
>     };
>     append_hf("P-hint: usrloc applied\r\n");
>
>     route(1);
> }
>
> # Forwarding route: refuses private-address targets, engages the RTP proxy
> # for NATed branches, arms onreply_route[1] and relays statefully.
> route[1]
> {
>     # !! Nathelper
>     # This is where the "479" reported above is generated: the request URI
>     # contains an RFC1918 address and the message carries no Route header.
>     if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>         !search("^Route:")){
>         sl_send_reply("479", "We don't forward to private IP
>             addresses");
>         exit;
>     };
>
>     # if client or server know to be behind a NAT, enable relay
>     if (isbflagset(6)) {
>         force_rtp_proxy();
>     };
>
>     # NAT processing of replies; apply to all transactions (for example,
>     # re-INVITEs from public to private UA are hard to identify as
>     # NATed at the moment of request processing); look at replies
>     t_on_reply("1");
>
>     # send it out now; use stateful forwarding as it works reliably
>     # even for UDP2TCP
>     if (!t_relay()) {
>         sl_reply_error();
>     };
> }
>
> # !! Nathelper
> # Reply route armed by route[1]: fixes Contact (and media, for flagged
> # branches) on 183/2xx replies and drops the caller's dialog profile when a
> # 407 comes back.
> onreply_route[1] {
>     # NATed transaction ?
>     if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>         fix_nated_contact();
>         force_rtp_proxy();
>     # otherwise, is it a transaction behind a NAT and we did not
>     # know at time of request processing ? (RFC1918 contacts)
>     } else if (nat_uac_test("1")) {
>         fix_nated_contact();
>     } else if (status =~ "407") {
>         xlog("AUTH unset profile $tu $fu\n");
>         unset_dlg_profile("caller","$fU");
>     }
> }
>
> # Presence route: PUBLISH/SUBSCRIBE/NOTIFY are handled locally inside a new
> # transaction; no authentication step is visible on this path.
> route[2] {
>     xlog("L_INFO", "NOTIFY SUBSCRIBE PUBLISH route\n");
>     if (!t_newtran()) {
>         sl_reply_error();
>         exit;
>     };
>
>     if(is_method("PUBLISH")) {
>         if ($hdr(Sender) != NULL)
>             handle_publish("$hdr(Sender)");
>         else
>             handle_publish();
>     }
>     else if( is_method("SUBSCRIBE")) {
>         xlog("L_INFO", "Handle Subscribe\n");
>         handle_subscribe();
>     }
>     else if (is_method("NOTIFY")) {
>         if ($hdr(Event) != "keep-alive") {
>             # bla_handle_notify();
>             pua_update_contact();
>         }
>         t_reply("200", "OK");
>     }
>
>     exit;
> }
>
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
