[Freeswitch-users] [DOC] NAT Info (was: Re: Strange Reg)

Dave lists+freeswitch at bigfatdave.com
Thu May 24 23:19:08 PDT 2007


I'd like to apologize in advance for posting this here instead of on
the Wiki; I'm not really a "Wiki guy."  I'd be very thankful if somebody
could take this post and work it into the Wiki somehow.

Problem:
ATA(10.1.0.5)<->(10.1.0.1)NAT(1.2.3.4)<->Internet<->(4.3.2.1)FreeSWITCH

Analysis:
This is a fairly common scenario in the real world, where the FreeSWITCH
server is out on the public Internet, while your ATA is behind a home or
corporate NAT system.  Now, a call comes in to your FreeSWITCH server,
and it somehow has to get in touch with your ATA, but the address your
ATA gave the VOIP server (10.1.0.5) is all wrong, since it's not aware of
the public IP address of the NAT system (1.2.3.4), which the VOIP server
would have to contact in order to (potentially) get through to the ATA
(assuming the NAT lets the connection through).

Loophole:
All three solutions proposed below capitalize on the knowledge that when
you send a packet out (from an ATA, in our case) through a NAT system and
out to the public Internet, the packet exits the NAT on a particular IP
and port, and the NAT will generally remember that combination (let's
call it "Combo A"), and forward packets that come "back" to "Combo A"
on to whatever system in the local network the original packet came from
(in our case, the ATA).  Needless to say, all three of our solutions
will attempt to alert the FreeSWITCH server that contacting our ATA
should be done by contacting the NAT system at "Combo A," and the NAT
will take it from there.

Solution 1:
One way of dealing with this problem is to configure the ATA to use STUN,
which allows it to figure out how to bypass the NAT system in a rather
user-transparent way.  If your phone supports this, it's almost certainly
the simplest solution.

Solution 2:
If the public side of your NAT has a static IP address and you can get
a port forwarded from it to your ATA, then you can tell FreeSWITCH to
automatically override the contact info advertised by the ATA with static
contact info. [1]

[1]
Here's an example configuration section (goes in directory.xml):
<domain name="$${sip_profile}">
  <user id="myuser">
    <params>
      <param name="password" value="mypass"/>
    </params>
    <variables>
      <variable name="force-contact" value="sip:myuser@<public-ip-address>:<forwarded-port>"/>
    </variables>
  </user>
</domain> 
Note that this trick will only work if you define said user in directory.xml.

Solution 3:
If you'd like to take the easy way out and just emulate Asterisk (which simply
looks at the TCP/IP address info, which in many cases will have been stamped
on its way out of the NAT with "Combo A"), set the force-contact variable to
"nat-connectile-dysfunction" to tell FreeSWITCH to emulate Asterisk. [2]

[2]
Here's an example configuration section (goes in directory.xml):
<domain name="$${sip_profile}">
  <user id="myuser">
    <params>
      <param name="password" value="mypass"/>
    </params>
    <variables>
      <variable name="force-contact" value="nat-connectile-dysfunction"/>
    </variables>
  </user>
</domain> 
Note that like solution 2, this trick will only work if you define
said user in directory.xml.  In particular, it won't work with blind
registration.

Thanks,
 - Dave
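
The three force-contact behaviours above, as an added Python model that is not part of this thread or of FreeSWITCH: it shows which Contact each setting leaves in the registration and checks for the tell-tale sign (private Contact host, public UDP source) that a registration needs one of them. The REGISTER is constructed from the one in the trace quoted below; `received_from` stands in for the UDP source address FreeSWITCH sees ("Combo A"), and `split_uri` accepts only the `sip:user@host[:port]` form.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the REGISTER in the trace quoted below: the
# ATA advertises its private address, but the datagram arrives from the NAT.
SAMPLE_REGISTER = (
    "REGISTER sip:freeswitch1.asnetinc.net SIP/2.0\r\n"
    "From: <sip:homebase@freeswitch1.asnetinc.net>;tag=abc\r\n"
    "To: <sip:homebase@freeswitch1.asnetinc.net>\r\n"
    "Via: SIP/2.0/UDP 10.0.0.221:48406;branch=z9hG4bK-1\r\n"
    "Contact: <sip:homebase@10.0.0.221:48406>;q=0.5\r\n"
    "Expires: 60\r\n"
    "Content-Length: 0\r\n\r\n"
)
RECEIVED_FROM = ("67.80.171.57", 48406)  # UDP source seen by FreeSWITCH ("Combo A")


def parse_headers(msg):
    """Header name (lower-cased) -> value for a SIP request; the body is ignored."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def split_uri(uri):
    """'sip:user@host:port' -> (user, host, port); port defaults to 5060."""
    m = re.fullmatch(r"sip:([^@]+)@([^:;]+)(?::(\d+))?", uri)
    return m.group(1), m.group(2), int(m.group(3) or 5060)


def effective_contact(msg, received_from, force_contact=None):
    """Contact URI stored for this registration under each force-contact mode:
    None keeps the advertised one, a sip: URI overrides it (solution 2), and
    "nat-connectile-dysfunction" rewrites host:port to the UDP source (solution 3)."""
    advertised = re.search(r"<(sip:[^>]+)>", parse_headers(msg)["contact"]).group(1)
    if force_contact is None:
        return advertised
    if force_contact == "nat-connectile-dysfunction":
        user, _, _ = split_uri(advertised)
        return f"sip:{user}@{received_from[0]}:{received_from[1]}"
    return force_contact


def nat_mismatch(msg, received_from):
    """True when the advertised Contact host is private but the packet came
    from a public address: the registration needs one of the fixes above."""
    _, host, _ = split_uri(effective_contact(msg, received_from))
    return ip_address(host).is_private and not ip_address(received_from[0]).is_private
```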


On Mon, May 21, 2007 at 05:17:30PM -0700, Anthony Minessale wrote:
> You need to make sure you setup the user directory correctly.
> 
> http://wiki.freeswitch.org/wiki/FreeSwitch_XML_User_Directory_Guide
> 
> 
> My earlier email provided a precise example and warnings about making sure the tags etc match up.
> 
> When you setup the <domain> tag in the directory 
> you must make sure there is a domain tag that has the same name as the host portion of the to: header in the register.
> 
> Using forensics from your traces here is the exact domain tag to use
> in directory.xml with 1 caveat:
> 
> -----------------------------------------------------------------------
> **replace the string 1234 with the password you specified in the ata**
> -----------------------------------------------------------------------
> 
> *NOTE*
> normally $${domain} would be ok here as the name 
> assuming that the domain variable is set in freeswitch.xml 
> but I put the exact domain name to avoid confusion.
> 
> *ALSO NOTE*
> You can comment the password param if you want it to
> accept any password for this user.
> 
> <domain name="freeswitch1.asnetinc.net">
>   <user id="homebase">
>     <params>
>       <param name="password" value="1234"/>
>     </params>
>     <variables>
>       <variable name="force-contact" value="nat-connectile-dysfunction"/>
>     </variables>
>   </user>
> </domain> 
> 
> I ask that if you get this working you please document this on our wiki in exchange for this exhaustive description of what you need to do.
> 
>  
> Anthony Minessale II
> 
> FreeSWITCH http://www.freeswitch.org/
> ClueCon http://www.cluecon.com/
> 
> AIM: anthm
> MSN:anthony_minessale at hotmail.com
> JABBER:anthony.minessale at gmail.com
> IRC: irc.freenode.net #freeswitch
> 
> FreeSWITCH Developer Conference
> sip:888 at conference.freeswitch.org
> iax:guest at conference.freeswitch.org/888
> googletalk:conf+888 at conference.freeswitch.org
> pstn:213-799-1400
> 
> 
> ----- Original Message ----
> From: Dave <lists+freeswitch at bigfatdave.com>
> To: freeswitch-users at lists.freeswitch.org
> Sent: Monday, May 21, 2007 6:49:00 PM
> Subject: Re: [Freeswitch-users] Strange Reg
> 
> Okay, I tried:
> 
> recv 434 bytes from udp/[67.80.171.57]:48406 at 23:41:21.754015:
>    ------------------------------------------------------------------------
>    REGISTER sip:freeswitch1.asnetinc.net SIP/2.0
>    From: <sip:homebase at freeswitch1.asnetinc.net>;tag=a010033-13c4-108-40e02-46ec
>    To: <sip:homebase at freeswitch1.asnetinc.net>
>    Call-ID: a010033-13c4-108-40dfd-133e
>    CSeq: 1 REGISTER
>    Via: SIP/2.0/UDP 10.0.0.221:48406;branch=z9hG4bK-108-40e02-4ab5
>    Max-Forwards: 70
>    Supported: replaces
>    User-Agent: FXSO_GW
>    Contact: <sip:homebase at 10.0.0.221:48406>;q=0.5
>    Expires: 60
>    Content-Length: 0
> 
>    ------------------------------------------------------------------------
> 2007-05-21 23:41:21 [DEBUG] sofia_reg.c:387 sofia_reg_handle_register() Requesting Registration from: [homebase at freeswitch1.asnetinc.net]
> 
> ...and it responds with:
> 
> send 640 bytes to udp/[67.80.171.57]:48406 at 23:41:21.840657:
>    ------------------------------------------------------------------------
>    SIP/2.0 401 Unauthorized
>    Via: SIP/2.0/UDP 10.0.0.221:48406;branch=z9hG4bK-108-40e02-4ab5;received=67.80.171.57
>    From: <sip:homebase at freeswitch1.asnetinc.net>;tag=a010033-13c4-108-40e02-46ec
>    To: <sip:homebase at freeswitch1.asnetinc.net>;tag=e1arjB5HrFcHF
>    Call-ID: a010033-13c4-108-40dfd-133e
>    CSeq: 1 REGISTER
>    User-Agent: FreeSWITCH(mod_sofia)
>    Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, PRACK, MESSAGE, SUBSCRIBE, NOTIFY, REFER, UPDATE, REGISTER, INFO
>    Supported: 100rel, precondition
>    WWW-Authenticate: Digest realm="freeswitch1.asnetinc.net", nonce="119b66e2-0443-49a9-980f-d5b150274ff6", algorithm=MD5, qop="auth"
>    Content-Length: 0
> 
>    ------------------------------------------------------------------------
> 
> Any ideas as to what's wrong here?
> 
> Thanks,
>  - Dave
> 
> 
> On Mon, May 21, 2007 at 12:17:12PM -0700, Anthony Minessale wrote:
> > ok how about this:
> > 
> > try rev 5207 and do everything I described before only in the 
> > force-contact set it to nat-connectile-dysfunction
> > 
> > <variable name="force-contact" value="nat-connectile-dysfunction"/>
> > 
> > This will rewrite the host and ip of the contact to use the
> > ip and port the req was received from.  To benefit from this feature, you will
> > probably need to set the ata to constantly register to maintain this dynamic
> > reverse mapping created by the nat routers.  Most of them will destroy any
> > mappings with inactivity after a certain period of time, so you must make your
> > reg freq more often than that time period, whatever it may be.
> > 
> > 
> >  
> > Anthony Minessale II
> > 
> > 
> > 
> > ----- Original Message ----
> > From: Dave <lists+freeswitch at bigfatdave.com>
> > To: freeswitch-users at lists.freeswitch.org
> > Sent: Monday, May 21, 2007 11:24:55 AM
> > Subject: Re: [Freeswitch-users] Strange Reg
> > 
> > Hi Anthony,
> > 
> > I assume that means we can change the topology to something like this:
> > ATA<->NAT<->Internet<->FS1
> > 
> > Basically, what we're doing here is telling FS1 how to find ATA.
> > There are only two problems:
> > 1) NAT is on DHCP.  (I assume this can be worked around by using DynDNS
> > instead of an IP.)
> > 2) As I discovered while looking for the mystery 10.0.0.221 IP, NAT is
> > actually two NATs, one behind the other, and I only have access to one
> > of them.
> > 
> > While you're at it, why don't you just make an option (<variable
> > name='my-ata-sucks' value='true'/>) to totally break RFCs and mimic
> > Asterisk's treatment? :-)
> > 
> > Thanks a bunch for all your help,
> >  - Dave
> > 
> > 
> > On Mon, May 21, 2007 at 07:25:01AM -0700, Anthony Minessale wrote:
> > > Hi,
> > > 
> > > You sound like a good candidate for my new experimental force contact feature.
> > > 
> > > For this to work you need to use the directory for auth instead of the blind reg mode.
> > > 
> > > *) Edit sofia.conf.xml and comment the blind reg option.
> > > *) Edit directory.xml and add a <user> tag to the <domain name="$${domain}">
> > >    section making sure $${domain} is also the name of the domain portion of 
> > >    the sip's client registration.
> > > 
> > > Edit the file to look something like this and put in an absolute contact to use when this user registers, regardless of what he advertises.  This means that if you are using nat you should set up a permanent port forwarding for whatever uri you mention.
> > > 
> > > e.g.
> > > 
> > > Assuming your public ip is 66.2.2.2 and your phone is 10.0.0.2
> > > 
> > > add a rule to always port forward udp port 5555 of 66.2.2.2 to 10.0.0.2 5060
> > > then edit the following so the contact uri is user@66.2.2.2:5555
> > > 
> > > Whenever the phone registers with this user, the specified contact will be added to the database instead of the real one.  This should make it possible for your phone to receive sip traffic even if it does not support STUN.
> > > 
> > > <domain name="$${domain}">
> > >   <user id="myuser">
> > >     <params>
> > >       <param name="password" value="mypass"/>
> > >     </params>
> > >     <variables>
> > >       <variable name="force-contact" value="[TESTING] sip:myuser@66.2.2.2:5555"/>
> > >     </variables>
> > >   </user>
> > > </domain> 
> > >  
> > > Anthony Minessale II
> > > 
> > > 
> > > 
> > > ----- Original Message ----
> > > From: Dave <lists+freeswitch at bigfatdave.com>
> > > To: FSwtch Usrs <freeswitch-users at lists.freeswitch.org>
> > > Sent: Monday, May 21, 2007 2:20:53 AM
> > > Subject: [Freeswitch-users] Strange Reg
> > > 
> > > Hi guys,
> > > 
> > > I've got a rather interesting situation, here.  I've got an ATA
> > > registering to a FreeSWITCH(TM) (FS2), both behind NAT.  So far, so good.
> > > Now, the FreeSWITCH(TM) registers to another FreeSWITCH(TM) outside the
> > > NAT (FS2), and that's where the problems start.  Here's the configuration:
> > > 
> > > ATA<->FS2<->NAT<->Internet<->FS1
> > > 
> > > ATA: 10.1.0.51 (behind NAT)
> > > FS2: 10.1.0.30 (behind NAT)
> > > FS1: freeswitch1.asnetinc.net (64.118.94.19)
> > > 
> > > Now, here's where it gets very interesting.  This is what FS1 gets when
> > > FS2 registers:
> > > > From:    [R352928 at freeswitch1.asnetinc.net]
> > > > Contact: ["user" <sip:R352928 at 10.0.0.221:39260>]
> > > > Expires: [3600]
> > > > nta_agent: tport: Bad message
> > > 
> > > Now, where on Earth did 10.0.0.221 come from???  (I've actually hardcoded
> > > both external_rtp_ip and server_name to the public IP of the NAT in the
> > > FS2 config, but for some strange reason, FS2 apparently claims to be at
> > > 10.0.0.221, which isn't even its local IP.)
> > > 
> > > As if that's not interesting enough, I get this from FS1, too, when it
> > > tries to connect to another SIP server on the public Internet:
> > > > outbound(0xb4e1e1a0): detected NAT: freeswitch1.asnetinc.net != 64.118.94.19
> > > 
> > > Now, since a forward DNS resolution claims that the inequality is false, I
> > > assume it attempted a reverse DNS lookup, which would fail (since my ISP
> > > takes forever to update PTR records).
> > > 
> > > As usual, any hints, tips, tricks, ideas, suggestions, flames, questions,
> > > or (ideally) answers are greatly appreciated :-)
> > > 
> > > Thank you,
> > >  - Dave
> > > 
> > > _______________________________________________
> > > Freeswitch-users mailing list
> > > Freeswitch-users at lists.freeswitch.org
> > > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > > http://www.freeswitch.org
> > 
> > 
> 
> 