<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="" dir="auto">Ok, so first step is to get Kamailio working as a proxy. TLS will come in time….<div class=""><br class=""></div><div class=""><ol class="MailOutline"><li class="">I’ve used this config file <a href="https://wiki.freeswitch.org/wiki/Kamailio_basic_setup_as_proxy_for_FreeSWITCH" class="">https://wiki.freeswitch.org/wiki/Kamailio_basic_setup_as_proxy_for_FreeSWITCH</a></li><li class="">Kamailio server and FS server both have public and private interfaces</li><li class="">Kamailio server is listening on its public IP</li><li class="">FS is listening (profile internal) on its private IP</li><li class="">Kamailio is set to rewrite to FS server’s private IP</li></ol><div class=""><br class=""></div></div><div class="">What I don’t quite get, having not used a proxy in this way before, is what happens next. If FS needs to advertise its public IPs for the RTP, how does this happen?</div><div class=""><br class=""></div><div class="">So far I’m not seeing anything at all in Syslog for the incoming registration.</div><div class=""><br class=""></div><div class="">Any help appreciated!</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 30 Jun 2016, at 14:39, Colin Morelli <<a href="mailto:colin.morelli@gmail.com" class="">colin.morelli@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Rick,<br class=""><br class="">(Sorry for the long email, hopefully it's helpful)<br class=""><br class="">It sounds like you're mostly concerned with FS initiating calls to handsets behind NAT, is that correct?<br class=""><br class="">If so, what you probably want is SIP outbound (RFC 5626). It's the best way to avoid NAT issues with clients. Under this model, clients keep a persistent connection open to the server. The server is responsible for using that connection to deliver INVITEs to the client, thus avoiding the need to ever open its own connection.<div class=""><br class=""></div><div class="">In my (relatively limited) experience with FS, it was able to act like a SIP outbound server, but it doesn't directly advertise it and supporting SIP outbound is really outside of the core scope of what FS does. So, in my setup, I use Kamailio to provide the SIP outbound support. A brief description of my setup (which seems to work fine with clients behind NAT)</div><div class=""><br class=""></div><div class="">Kamailio edge proxy cluster (provides SIP outbound support to clients, allows public SIP traffic)</div><div class="">Kamailio proxy + registrar (only allows SIP traffic from inside the local network, provides registration support)</div><div class="">Freeswitch (only allows SIP traffic from inside the local network, has a public IP address and open firewall for RTP traffic).</div><div class=""><br class=""></div><div class="">So, a registration from a client hits the Kamailio edge proxy, which parks the socket connection and sends it on to the second Kamailio proxy/registrar. When FS needs to make outbound calls to clients, it hits the Kamailio proxy/registrar, which forwards it to the edge proxy that has an existing connection the client and uses it to deliver the invite (this is all handled by Kamailio with it's outbound, path, registrar, and usrloc modules).</div><div class=""><br class=""></div><div class="">Note your setup might not require the use of two layers of proxies before FS. In my case, I keep registrations off of FS so it's only handling calls. If you have registrations in FS, you can likely just have a Kamailio edge proxy for advertising SIP outbound support, and have it proxy all traffic into FS.</div><div class=""><br class=""></div><div class="">With this setup, FS will receive SIP traffic from Kamailio, and advertise (in the SDP) its public IP address for RTP media (which needs to be allowed through the firewall). Freeswitch will then open what it refers to as an auto-adjust window for the RTP media. In other words, FS will assume that the first address/port to send RTP media to the RTP port configured for a call is the remote client for that call. As a result, FS is able to cope with clients behind NAT on the media side as well. I believe this feature is enabled by default, but you may have to enable it - you'd have to check the docs on this one.</div><div class=""><br class=""></div><div class="">With those two pieces combined you should be able to get past any NAT issues without the need for STUN/TURN. Unless you bypass media on FS, in which case you're going to need those.</div><div class=""><br class=""></div><div class="">Hopefully that helps you out a bit.</div><div class=""><br class=""></div><div class="">Best,</div><div class="">Colin</div><div class=""><div class=""><div class=""><br class=""><div class="gmail_quote"><div dir="ltr" class="">On Thu, Jun 30, 2016 at 8:52 AM Rick Jarvis <<a href="mailto:rick.jarvis@magicmail.mooo.com" target="_blank" class="">rick.jarvis@magicmail.mooo.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I’d be interested to hear what different people use to provide some level of security for remote end-users such as homeworkers, and to get round NAT issues.<br class="">
<br class="">
We currently use OpenVPN, as this is built into the firmware of Yealink handsets (it’s a great feature, I’m not sure why more handset manufacturers don’t do this?!). The pros are that not only is it secure, but it also removes any problems with NAT for the RTP streams.<br class="">
<br class="">
The downsides are that it is complicated (and downright frustrating sometimes) to set up, and there are additional things to consider such as the server configuration and overheads.<br class="">
<br class="">
TLS/SSL with SRTP is another option, but my understanding of this is that it can cause NAT problems, with FreeSWITCH trying to initiate control channels back to the phone for inbound calls. In fact, I’ve always had problems with getting phones to work when behind NAT anyway, even without SSL/TLS. STUN can be used to ascertain the IP, but how do you handle situations where multiple handsets are behind NAT - you can’t open all RTP ports to all handsets at once?!!<br class="">
<br class="">
Would be very interested to hear thoughts and methods on these points.<br class="">
<br class="">
Thanks<br class="">
R<br class="">
_________________________________________________________________________<br class="">
Professional FreeSWITCH Consulting Services:<br class="">
<a href="mailto:consulting@freeswitch.org" target="_blank" class="">consulting@freeswitch.org</a><br class="">
<a href="http://www.freeswitchsolutions.com/" rel="noreferrer" target="_blank" class="">http://www.freeswitchsolutions.com</a><br class="">
<br class="">
Official FreeSWITCH Sites<br class="">
<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank" class="">http://www.freeswitch.org</a><br class="">
<a href="http://confluence.freeswitch.org/" rel="noreferrer" target="_blank" class="">http://confluence.freeswitch.org</a><br class="">
<a href="http://www.cluecon.com/" rel="noreferrer" target="_blank" class="">http://www.cluecon.com</a><br class="">
<br class="">
FreeSWITCH-users mailing list<br class="">
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" class="">FreeSWITCH-users@lists.freeswitch.org</a><br class="">
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank" class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br class="">
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank" class="">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br class="">
<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank" class="">http://www.freeswitch.org</a></blockquote></div></div></div></div></div>
_________________________________________________________________________<br class="">Professional FreeSWITCH Consulting Services: <br class=""><a href="mailto:consulting@freeswitch.org" class="">consulting@freeswitch.org</a><br class="">http://www.freeswitchsolutions.com<br class=""><br class="">Official FreeSWITCH Sites<br class="">http://www.freeswitch.org<br class="">http://confluence.freeswitch.org<br class="">http://www.cluecon.com<br class=""><br class="">FreeSWITCH-users mailing list<br class="">FreeSWITCH-users@lists.freeswitch.org<br class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users<br class="">UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users<br class="">http://www.freeswitch.org</div></blockquote></div><br class=""></div></body></html>