irontec / ivozprovider

IVOZ Provider - Multitenant solution for VoIP telephony providers
https://ivoz.irontec.com/
GNU General Public License v3.0

Improve Far End NAT management #1162

Open dsmaldone opened 4 years ago

dsmaldone commented 4 years ago

Hi guys, I discovered that in some situations like this

<IvoZ public IP>---INTERNET---<PPPoE router with public IP>---<Internal router private IP>---<ATA private IP>

it is better to change the test from 18 to 26 in this part of /etc/kamailio/proxyusers/kamailio.cfg

route[RTPENGINE] {
 ...
    if (nat_uac_test("18") && !$var(is_from_inside)) {
        xinfo("[$dlg_var(cidhash)] RTPENGINE: NAT detected, do not trust SDP addresses\n");
        $var(symmetry) = 'SIP-source-address';
...

with

 ...
    #fixes NAT when in SDP there is Private Address - vlad
    if (nat_uac_test("26") && !$var(is_from_inside)) {
        xinfo("[$dlg_var(cidhash)] RTPENGINE: NAT detected, do not trust SDP addresses\n");
        $var(symmetry) = 'SIP-source-address';
...

so in the header of the related file I would also add

# FTL_NATS: Tags the transaction as behind NAT. It uses nat_uac_test(18) as NAT-detection mechanism
# 18: 2 + 16
# 2 - the "received" test is used: address in the "Via" header is compared against source IP address of signaling
# 8 - SDP is searched for occurrence of RFC1918 addresses
# 16 - Test if the source port is different from the port in the "Via" header

I would like to know your thoughts about this.

cruzccl commented 4 years ago

Hi @dsmaldone,

We have clients that use routed private networks (with no NAT) pointing to KamUsers. This means that SIP requests containing RFC1918 addresses arrive at KamUsers in a no-NAT scenario.

Adding the '8' flag to nat_uac_test would detect NAT in these scenarios, that's why we just use 2+16 (source IP:PORT vs Via IP:PORT).

In your scenario the current implementation should detect NAT too, shouldn't it?

Regards,
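
To make the 18-vs-26 trade-off from the two comments above concrete, here is an added example (not IVOZ Provider or Kamailio code) that models the three nat_uac_test() bits the thread talks about, 2 (Via host vs source IP), 8 (RFC1918 address in SDP) and 16 (Via port vs source port), and runs them over three constructed INVITEs: an ATA behind NAT with an untouched Via, an ATA behind NAT whose Via was fixed up but whose SDP still carries the private address (an assumed setup that matches the "SIP works, RTP goes to the private IP" symptom), and a routed private network with no NAT at all. The messages, IPs and the `invite()`/`run()` helpers are constructed for this example; only the bit values are taken from the thread.

```python
"""Model of Kamailio's nat_uac_test() bits 2, 8 and 16 over constructed SIP INVITEs.

Added example, not Kamailio or IVOZ Provider code. Only the three bits the
thread discusses are modelled; the other nat_uac_test flags are ignored.
"""
import ipaddress
import re

VIA_ADDR_TEST = 2     # "received" test: topmost Via host vs source IP of the packet
SDP_RFC1918_TEST = 8  # SDP c= lines searched for RFC1918 addresses
VIA_PORT_TEST = 16    # topmost Via port vs source port of the packet

RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for an IPv4 literal inside one of the RFC1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or garbage are not RFC1918 literals
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def top_via(msg: str):
    """(host, port) from the topmost Via; port defaults to 5060. IPv4/hostname sent-by only."""
    m = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", msg, re.M | re.I)
    if not m:
        raise ValueError("no Via header")
    host, sep, port = m.group(1).rpartition(":")
    return (host, int(port)) if sep else (m.group(1), 5060)


def sdp_connection_addrs(msg: str):
    """All c= connection addresses in the SDP body (IPv4 only, like the 8 test)."""
    return re.findall(r"^c=IN IP4 (\S+)", msg, re.M)


def nat_uac_test(msg: str, src_ip: str, src_port: int, flags: int) -> bool:
    """Fires if any enabled test fires, mirroring the OR semantics of the real function."""
    via_host, via_port = top_via(msg)
    if flags & VIA_ADDR_TEST and via_host != src_ip:
        return True
    if flags & VIA_PORT_TEST and via_port != src_port:
        return True
    if flags & SDP_RFC1918_TEST and any(is_rfc1918(a) for a in sdp_connection_addrs(msg)):
        return True
    return False


def invite(via_hostport: str, sdp_addr: str) -> str:
    """Constructed minimal INVITE; only the Via and the SDP c= line matter here."""
    return "\r\n".join([
        "INVITE sip:100@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {via_hostport};branch=z9hG4bKabc",
        "From: <sip:ata@example.net>;tag=1",
        "To: <sip:100@example.net>",
        "Call-ID: 1@" + via_hostport.split(":")[0],
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"o=- 1 1 IN IP4 {sdp_addr}",
        "s=-",
        f"c=IN IP4 {sdp_addr}",
        "t=0 0",
        "m=audio 4000 RTP/AVP 0",
    ])


# (message, source IP, source port) as seen by the proxy; all addresses are constructed.
SCENARIOS = {
    # ATA behind NAT, nothing rewritten: Via and SDP both carry the private address.
    "nat_plain": (invite("192.168.1.20:5060", "192.168.1.20"), "203.0.113.5", 45678),
    # ATA behind NAT where the Via was fixed up (assumed: STUN or a SIP ALG) but the SDP was not.
    "nat_via_fixed": (invite("203.0.113.5:45678", "192.168.1.20"), "203.0.113.5", 45678),
    # Routed private network, no NAT: source, Via and SDP all agree and are all private.
    "routed_private": (invite("10.20.0.5:5060", "10.20.0.5"), "10.20.0.5", 5060),
}


def run(flags: int) -> dict:
    """NAT verdict per scenario for a given nat_uac_test bitmask."""
    return {name: nat_uac_test(msg, ip, port, flags)
            for name, (msg, ip, port) in SCENARIOS.items()}


if __name__ == "__main__":
    for flags in (18, 26):
        print(f"nat_uac_test({flags}):", run(flags))
```

With 18 (2+16) only `nat_plain` is flagged; the fixed-up Via case slips through and RTP would be sent to the private SDP address, which is the symptom in the thread. With 26 (2+8+16) that case is caught, but so is `routed_private`, the no-NAT deployment that the project says it must keep supporting, which is the reason a per-tenant toggle rather than a global flag change is the safer fix.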

dsmaldone commented 4 years ago

Hi @cruzccl, it works for the SIP protocol, but it's not working for the RTP stream. Without this edit, the RTP stream is sent to the ATA's private IP. Anyway, my suggestion here is to add a toggle or switch for enabling it in the GUI. This feature will help people who are not able to dig into the code to solve this kind of issue.

Regards

dgarcia0986 commented 3 years ago

Hi @cruzccl, I am testing on an AWS VM. It has a local IP and, through NAT, a public IP. SIP communicates perfectly but RTP does not. The call has no audio. The RTP packets from the client go out with a destination IP which is the server's local one. Do you have a possible solution? Thanks