Hi Damon,
Well, the answer is simple - download the opensips virtual machine
(http://www.voice-system.ro/shortcuts::opensips_livedvd) where you have
a ready to run opensips platform with NAT traversal support - you can
see in the script from the VM how the NAT traversal is done (for
signalling and media).
If you have questions on that, please come back here.
Regards,
Bogdan
Damon Miller wrote:
All,
I've seen many requests for an example working config that shows a working
RTPproxy configuration with NATed clients, but I haven't seen many responses.
I recently spent an absurd amount of time getting a working configuration in
place so I thought I would post it here in case it's helpful to anyone.
Three quick points:
1. I have only tested this with clients behind a NAT firewall, i.e. I haven't
tested with clients that have a public IP.
2. My OpenSIPS server is behind a NAT firewall itself. To deal with this, I added the
two "advertised" options, as follows:
advertised_address="xx.xx.xx.xx"
alias="xx.xx.xx.xx:5060"
(Replace the "xx.xx.xx.xx" with the NAT firewall's public IP.)
I also had to use a modified version of RTPproxy that presents the firewall's
public IP even though it binds to a private IP. Here's a post which summarizes
that version of RTPproxy:
http://opensips-open-sip-server.1449251.n2.nabble.com/Rtpproxy-behind-the-NAT-td5008041.html
I run RTPproxy like this:
rtpproxy -A xx.xx.xx.xx -l 192.168.20.154 -s udp:127.0.0.1:12221 -m 25000 -M 65000 -F -d DBUG:LOCAL1
3. I had to "tell" OpenSIPS that my firewall's public IP was one of its local
domains. I'm using MySQL as you'll see in the config file so all I had to do was insert
a value into the 'domain' table. That was pretty obvious, i.e.:
mysql> insert into domain (domain) values ("xx.xx.xx.xx");
(Replace 'xx.xx.xx.xx' with your public IP.)
Here's my 'opensips.cfg' file:
--
# ----------- global configuration parameters ------------------------
debug=3
fork=yes
log_facility=LOG_LOCAL0
log_stderror=no
children=4
port=5060
dns=no
rev_dns=no
advertised_address="xx.xx.xx.xx"
alias="xx.xx.xx.xx:5060"
# ------------------ module loading ----------------------------------
mpath="/usr/local/lib64/opensips/modules/"
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri.so"
loadmodule "nathelper.so"
loadmodule "domain.so"
# ----------------- setting module-specific parameters ---------------
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
modparam("usrloc", "db_url", "mysql://opensipsrw:opensip...@localhost/opensips")
modparam("usrloc", "db_mode", 2)
modparam("rr", "enable_full_lr", 1)
modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:12221")
modparam("nathelper", "nortpproxy_str", "")
modparam("domain", "db_url", "mysql://opensipsrw:opensip...@localhost/opensips")
################## NAT ######################
modparam("usrloc", "nat_bflag", 6)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "sipping_bflag", 8)
modparam("nathelper", "received_avp", "$avp(i:801)")
################## NAT ######################
# main routing logic
route {
    # initial sanity checks
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };
    ################## NAT ######################
    if (nat_uac_test("3")) {
        if (is_method("REGISTER") && !is_present_hf("Record-Route")) {
            # Rewrite contact with source IP of signalling
            fix_nated_contact();
            force_rport();
            setbflag(6); # Mark as NATed
            # if you want SIP NAT pinging
            setbflag(8);
        };
    };
    ################## NAT ######################
    if (!method=="REGISTER")
        record_route();
    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };
    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };
    if (uri==myself) {
        if (method=="REGISTER") {
            save("location");
            exit;
        };
    }
    if (is_method("BYE"))
        unforce_rtp_proxy();
    if (!lookup("location","m")) {
        switch ($retcode) {
            case -1:
            case -3:
                t_newtran();
                t_on_failure("1");
                t_reply("404", "Not Found");
                exit;
            case -2:
                sl_send_reply("405", "Method Not Allowed");
                exit;
        }
    };
    route(1);
}
route[1] {
    ################## NAT ######################
    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
            !search("^Route:")) {
        sl_send_reply("479", "We don't forward to private IP addresses");
        exit;
    };
    # if client or server known to be behind a NAT, enable relay
    if (isbflagset(6)) {
        if (has_body("application/sdp")) {
            rtpproxy_offer("o");
        };
    };
    t_on_reply("1");
    ################## NAT ######################
    # send it out now; use stateful forwarding as it works
    # reliably even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
onreply_route[1] {
    ################## NAT ######################
    if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        if (has_body("application/sdp")) {
            rtpproxy_answer("o");
        };
    # Is this a transaction behind a NAT and we did not
    # know at time of request processing?
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
    ################## NAT ######################
}
failure_route[1] {
    unforce_rtp_proxy();
}
--
I hope this saves someone some time.
Damon
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
--
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami, USA
www.voice-system.ro
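
Added example, not part of either message above and not OpenSIPS code: the "We don't forward to private IP addresses" check in route[1] is a textual match on the request URI, so this sketch runs the RFC 1918 pattern (192.168., 10., 172.16-31.) over constructed URIs next to a check that parses the host as an address. It assumes Python's re behaves like the regex engine OpenSIPS uses for this pattern; HOST_RE, the function names and the sample URIs are hypothetical.

```python
import ipaddress
import re

# RFC 1918 pattern of the route[1] filter: 192.168/16, 10/8, 172.16/12.
# Assumption: Python's re stands in for the regex engine OpenSIPS uses.
RFC1918_RE = re.compile(r"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)")

# Hypothetical helper pattern: host part of a sip:/sips: URI (IPv6 in brackets).
HOST_RE = re.compile(r"^sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;?>]+)", re.I)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def regex_blocks(uri):
    """True when the URI half of the filter matches (the 479 reply is
    sent only if the request also carries no Route header)."""
    return RFC1918_RE.search(uri) is not None


def host_is_rfc1918(uri):
    """Parse the host and test it as an address instead of as text."""
    m = HOST_RE.match(uri)
    if not m:
        return False
    try:
        ip = ipaddress.ip_address(m.group(1).strip("[]"))
    except ValueError:
        return False  # DNS name, not an IP literal
    return any(ip in net for net in PRIVATE_NETS)


# Constructed request URIs (203.0.113.0/24 is a documentation range).
SAMPLES = [
    "sip:alice@192.168.10.5:5060",   # private, both checks agree
    "sip:bob@172.31.255.1",          # top of 172.16/12
    "sip:bob@172.32.0.1",            # just outside 172.16/12
    "sip:carol@10.example.net",      # DNS name whose first label is "10"
    "sip:192.168.1.1@203.0.113.7",   # private-looking user part, public host
]


def compare(uris=SAMPLES):
    """Return (uri, regex verdict, parsed-host verdict) for each URI."""
    return [(u, regex_blocks(u), host_is_rfc1918(u)) for u in uris]


if __name__ == "__main__":
    for uri, by_regex, by_host in compare():
        print(f"{uri:32} regex={by_regex!s:5} host={by_host}")
```

The last two samples are where the verdicts differ: the textual pattern also matches a DNS label or user part that merely begins with a private-looking prefix, so such requests are refused even though the host is not an RFC 1918 address.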