[Freeswitch-users] Help!!! - OPTIONS sent to the private IP for NATted registration users

fieldpeak fieldpeak at gmail.com
Sat Nov 5 12:58:48 MSK 2011


Hi friends,

My FS implementation has only a public IP and is not behind NAT, and there
are some registered users behind NAT. Below is the configuration for the
internal profile. To keep the NAT mapping in the remote router device, I
enabled the keepalive from FS to remote users
(<param name="all-reg-options-ping" value="true"/>). However, I found that
the OPTIONS (from FS) are sent to the private IP address of the remote
users; they should be sent to the users' external IP (the router's public
IP). Can we modify the configuration to fix it?

Additionally, I made a test and changed the configuration to
"<!-- <param name="all-reg-options-ping" value="true"/> -->
<param name="nat-options-ping" value="true"/>", that is, enabled OPTIONS to
be sent only to the NATted devices. It did send the OPTIONS correctly to the
NATted device's public IP that FS detected. However, some devices were not
detected as NATted devices although they are behind NAT, as in the status
below. Both of them are behind NAT. Below are the two registration messages;
the first one was detected as a NATted device, but the second was not. What
is the mechanism by which FS detects whether a remote user is behind NAT or
not? Could anybody help to address this problem? Thanks a lot!

    9065       Registered(UDP-NAT)(unknown) exp(2011-11-05 18:30:30) expsecs(3611)
    1026       Registered(UDP)(unknown) exp(2011-11-05 17:33:33) expsecs(194)


   ------------------------------------------------------------------------
   recv 823 bytes from udp/[183.37.75.168]:9066 at 09:09:32.335911:
   ------------------------------------------------------------------------
   REGISTER sip:124.193.106.104 SIP/2.0
   Via: SIP/2.0/UDP 192.168.1.86:9066;branch=z9hG4bK-d87543-ac6cfe2f736efb21-1--d87543-;rport
   Max-Forwards: 70
   Contact: <sip:13580358068@192.168.1.86:9066;rinstance=730e3f0e44ed8142>;expires=0
   To: "13580358068"<sip:13580358068@124.193.106.104>
   From: "13580358068"<sip:13580358068@124.193.106.104>;tag=636eb146
   Call-ID: 3c29a86eff650823@bXlwYw..
   CSeq: 4 REGISTER
   Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
   Supported: eventlist
   User-Agent: eyeBeam release 3015c stamp 27107
   Authorization: Digest username="13580358068",realm="124.193.106.104",nonce="a6eb2963-21fa-4875-aa62-11e67d956f64",uri="sip:124.193.106.104",response="5083e7fe5eb078ca091279d7b1b9389f",cnonce="8b9c85686cc356e7",nc=00000001,qop=auth,algorithm=MD5
   Content-Length: 0

   **************
   recv 638 bytes from udp/[124.193.106.98]:1026 at 09:12:43.891159:
   ------------------------------------------------------------------------
   REGISTER sip:124.193.106.104 SIP/2.0
   Via: SIP/2.0/UDP 192.168.2.4:8060;rport;branch=z9hG4bK3089092136;xxx-nat-type=prcone
   Route: <sip:124.193.106.104:5060;lr>
   From: <sip:15130351737@124.193.106.104>;tag=181867095
   To: <sip:15130351737@124.193.106.104>
   Call-ID: 1197657332@192.168.2.4
   CSeq: 308 REGISTER
   Contact: <sip:15130351737@192.168.2.4:8060>
   Authorization: Digest username="15130351737", realm="124.193.106.104", nonce="03d8e8b2-19b5-4aa5-910f-196951870bc3", uri="sip:124.193.106.104", response="c30374736da747eb33dc719def41ed08", algorithm=MD5
   Max-Forwards: 70
   User-Agent: YT-2.11.926.8
   Expires: 200
   Content-Length: 0

   *******************


Profile internal content:

<!-- this profile serves local user -->

<profile name="internal">
  <aliases>
    <alias name="internal"/>
  </aliases>

  <gateways>
    <X-PRE-PROCESS cmd="include" data="internal/*.xml"/>
  </gateways>

  <domains>
    <domain name="all" alias="true" parse="false"/>
  </domains>

  <settings>

    <param name="context" value="default"/>

    <!-- SIP listen port for this profile -->
    <param name="sip-port" value="5060"/>

    <!-- local IP address for this profile -->
    <param name="rtp-ip" value="$${local_ip_v4}"/>
    <param name="sip-ip" value="$${local_ip_v4}"/>

    <!-- external IP address serving remote NATted users, usually it is the public IP address for DMZ -->
    <!--
    <param name="ext-rtp-ip" value="auto-nat"/>
    <param name="ext-sip-ip" value="auto-nat"/> -->

    <param name="ext-rtp-ip" value="$${local_ip_v4}"/>
    <param name="ext-sip-ip" value="$${local_ip_v4}"/>

    <!-- the IP addresses or IP address segments of remote unauthorized SIP UA, e.g. MS Mediation Server -->
    <param name="apply-inbound-acl" value="172.28.0.0/16"/>
    <!-- <param name="apply-inbound-acl" value="172.28.0.0/16"/> -->
    <!-- <param name="apply-inbound-acl" value="192.168.200.0/24"/> -->

    <!-- if RTP bypass SIP Server -->
    <!-- to use IP-PBX supplementary services, e.g. call pickup, transfer etc. must set this to false -->
    <param name="inbound-bypass-media" value="false"/>

    <!-- if act as RTP transparent proxy without transcoding which allows unknown VoIP coder -->
    <!-- to use IP-PBX supplementary services, e.g. call pickup, transfer etc. must set this to false -->
    <param name="inbound-proxy-media" value="true"/>

    <!-- enable NAT traversal -->
    <param name="NDLB-received-in-nat-reg-contact" value="true"/>
    <param name="NDLB-force-rport" value="true"/>
    <!-- <param name="NDLB-connectile-dysfunction" value="true"/> -->


    <!-- in case VSwitch using pure public IP address (not DMZ), uncomment this to resolve no voice for inter-extension calls -->
    <!-- <param name="NDLB-sendrecv-in-session" value="true"/> -->

    <!-- no need set this for common case -->
    <!-- <param name="disable-rtp-auto-adjust" value="false"/> -->

    <!-- *************************************************************** -->
    <!-- do not change below parameters if not necessary -->
    <param name="user-agent-string" value="FreeSWITCH"/>
    <param name="debug" value="0"/>
    <param name="sip-trace" value="no"/>
    <param name="watchdog-enabled" value="no"/>
    <param name="watchdog-step-timeout" value="30000"/>
    <param name="watchdog-event-timeout" value="30000"/>

    <param name="log-auth-failures" value="true"/>
    <param name="forward-unsolicited-mwi-notify" value="false"/>

    <!-- DTMF type: info, rfc2833, none -->
    <!-- <param name="dtmf-type" value="rfc2833"/> -->
    <param name="rfc2833-pt" value="101"/>
    <param name="dtmf-duration" value="2000"/>

    <param name="dialplan" value="XML"/>

    <param name="inbound-codec-prefs" value="PCMA,PCMU,G722,GSM"/>
    <param name="outbound-codec-prefs" value="PCMA,PCMU,G722,GSM"/>

    <param name="rtp-timer-name" value="soft"/>

    <param name="hold-music" value="$${hold_music}"/>
    <param name="apply-nat-acl" value="nat.auto"/>

    <!--
    This defines your local network, by default we detect your local network
    and create this localnet.auto ACL for this.
    -->
    <param name="local-network-acl" value="localnet.auto"/>
    <!--<param name="apply-register-acl" value="domains"/>-->

    <param name="record-path" value="$${recordings_dir}"/>
    <param name="record-template" value="${caller_id_number}.${target_domain}.${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>

    <!--enable to use presence -->
    <param name="manage-presence" value="false"/>

    <param name="inbound-codec-negotiation" value="generous"/>

    <!-- TLS: disabled by default, set to "true" to enable -->
    <param name="tls" value="$${internal_ssl_enable}"/>
    <!-- additional bind parameters for TLS -->
    <param name="tls-bind-params" value="transport=tls"/>
    <!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
    <param name="tls-sip-port" value="$${internal_tls_port}"/>
    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
    <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
    <param name="tls-version" value="$${sip_tls_version}"/>

    <!--TTL for nonce in sip auth-->
    <param name="nonce-ttl" value="60"/>

    <param name="auth-calls" value="$${internal_auth_calls}"/>
    <!-- Force the user and auth-user to match. -->
    <param name="inbound-reg-force-matching-username" value="true"/>
    <!-- on authed calls, authenticate *all* the packets not just invite -->
    <param name="auth-all-packets" value="false"/>

    <!-- rtp inactivity timeout -->
    <param name="rtp-timeout-sec" value="300"/>
    <param name="rtp-hold-timeout-sec" value="1800"/>

    <!--all inbound reg will look in this domain for the users -->
    <param name="force-register-domain" value="$${domain}"/>
    <!--force the domain in subscriptions to this value -->
    <param name="force-subscription-domain" value="$${domain}"/>
    <!--all inbound reg will stored in the db using this domain -->
    <param name="force-register-db-domain" value="$${domain}"/>

    <param name="challenge-realm" value="auto_from"/>

    <param name="send-message-query-on-register" value="false"/>

    <param name="all-reg-options-ping" value="true"/>
    <!-- <param name="nat-options-ping" value="true"/> -->

  </settings>
</profile>



-- 
Regards,
Charles
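
An added example, not part of the original post and not FreeSWITCH's own detection code: a generic check that compares the Via and Contact addresses a client wrote into a REGISTER with the address the packet actually arrived from, run over condensed copies of the two traces above. The function names and verdict labels are illustrative assumptions.

```python
import ipaddress
import re

# Condensed from the two REGISTER traces in the post: the source address the
# server saw on the wire, plus the Via and Contact headers the client wrote.
TRACES = [
    ("183.37.75.168", 9066,
     "REGISTER sip:124.193.106.104 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 192.168.1.86:9066;branch=z9hG4bK-d87543-ac6cfe2f736efb21-1--d87543-;rport\r\n"
     "Contact: <sip:13580358068@192.168.1.86:9066;rinstance=730e3f0e44ed8142>;expires=0\r\n\r\n"),
    ("124.193.106.98", 1026,
     "REGISTER sip:124.193.106.104 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 192.168.2.4:8060;rport;branch=z9hG4bK3089092136;xxx-nat-type=prcone\r\n"
     "Contact: <sip:15130351737@192.168.2.4:8060>\r\n\r\n"),
]

HOSTPORT = r"(\[[0-9A-Fa-f:.]+\]|[^\s;:>]+)(?::(\d+))?"
HEADERS = {
    "via": re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+" + HOSTPORT, re.I | re.M),
    "contact": re.compile(r"^(?:Contact|m)\s*:.*?sips?:(?:[^@\s>]+@)?" + HOSTPORT, re.I | re.M),
}

def compare(header_host, header_port, src_ip, src_port):
    """Compare an address a client wrote into a header with the wire source."""
    try:
        addr = ipaddress.ip_address(header_host.strip("[]"))
    except ValueError:
        return "hostname"            # not comparable without a DNS lookup
    src = ipaddress.ip_address(src_ip)
    if addr == src and header_port == src_port:
        return "match"
    if addr.is_private and not src.is_private:
        return "private-behind-public"
    return "mismatch"

def classify(src_ip, src_port, message):
    """Return the per-header verdicts, a NAT flag and the keepalive target."""
    details = {}
    for name, pattern in HEADERS.items():
        m = pattern.search(message)
        if m:
            details[name] = compare(m.group(1), int(m.group(2) or 5060), src_ip, src_port)
    behind_nat = any(v in ("private-behind-public", "mismatch") for v in details.values())
    # The Contact address is unreachable from outside the NAT, so a keepalive
    # only refreshes the binding when it is sent to the observed source.
    return {"behind_nat": behind_nat, "details": details, "ping_target": (src_ip, src_port)}

if __name__ == "__main__":
    for ip, port, msg in TRACES:
        print(ip, port, classify(ip, port, msg))
```

By this comparison both registrations in the post carry RFC 1918 addresses in Via and Contact while arriving from public source addresses, so both would be flagged.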