I'm running a bunch of Asterisk servers that make outbound calls to the same ISP with multiple billing accounts and therefore need some SIP+RTP proxy.
https://wiki.asterisk.org/wiki/display/AST/PJSIP+with+Proxies In this guide they are referring to a proxy, but from my understanding Kamailio is SIP only. What would be the best way to set up a proxy like in the guide?
Background
My set up is:
ISP XYZ __ billing account 1 ___ my asterisk server 10.0.0.3
\_ billing account 2 __/
Since the ISP authenticates by IP (and they are not going to change it), I've no way to tell that some calls are on billing 1 and some are on billing 2.
Therefore I was tyring to come up with the right proxy I can use outbound_proxy
ISP XYZ __ billing account 1 __ SIP/RTP proxy on IP 10.0.0.1 ___ my asterisk server 10.0.0.3
\_ billing account 2 __ SIP/RTP proxy on IP 10.0.0.2 __/
Maybe you don't need 2 sip proxy, only 2 ip address for asterisk.
You can define 2 pjsip transport, one for each IP address.
[transport-account-1]
type = transport
protocol = udp
bind = 10.0.0.1
[transport-account-2]
type = transport
protocol = udp
bind = 10.0.0.2
then you can define 2 trunks for outbound calls, one with
transport = transport-account-1
and the other with
transport = transport-account-2
You can use rtpproxy proxy or mediaproxy with kamailio.
You can use simple NAT and port forward and your asterisks.
Anyway, I not see how it related to asterisk and this is NOT programming question.
Related
As far as i know what we get from a dns query is a ip address. So in the end of the day if thats true we are still using ip addresses to connect the server and domains are pretty names for them.
So how does a server know which domain i used to query that ip address?
How does vhosts work an understand that if the domain data is lost during dns query?
The Internet works in layers. Each layer uses different kind of parameters to do its work.
Layer 3 is typically IP aka Internet Protocol. To work it uses IP addresses, each computer has at least one to be able to discuss with another one. And there are two families in fact: version 4 and version 6.
Since multiple services can be on any given computer at some point, you need a layer on top of that, layer 4, that deals with transport. The "predominant" one is TCP aka Transport Control Protocol, but there is also UDP. TCP and UDP uses ports: a 2 bytes integer that encodes for a specific protocol.
For example, HTTP was given port number 80 (completely arbitrary), and HTTPS port 443.
The DNS, which itself uses UDP and TCP (on port 53), allows, among other things, to map a given hostname to a given IP address or multiple IP addresses. This is the typical A and AAAA records. There is also a CNAME record that maps one domain name to another. There also exists a SRV record that maps a service (which is a protocol name + a transport) to a given hostname and port number.
When one computer connects to another, its first step for all the above is to find out which IP address to use to connect to. It can use the DNS for that. Typically it will get only the IP address, but, depending on the protocol (layer above 4), may also get a port (if using SRV records).
The HTTP world does not use SRV records. So a browser just uses the hardcoded 80 or 443 ports, or the port number appearing in the URL.
Then we are at the transport level, let us say TCP.
The connection is done (since now the remote IP address and port are known) and the protocol above TCP, like HTTP, is free to convey any kind of extra data, such as the hostname that the client initially used (as taken from the URL) to find out the IP address.
This is done through the HTTP host header, see RFC 2616
Note that if you do things through TLS (which conceptually sits between TCP and HTTP) there is even something else happening: SNI or Server Name Indication.
When doing the TLS handshake, so before any kind of HTTP headers or content, the client will send the final hostname desired in some specific TLS message. Why? So that the server can find which specific certificate it should answer which as otherwhise it would not be able to know which hostname is requested as this sits in some HTTP header which do not exist until the TLS handshake is finished.
A webserver will be able to see both the SNI content to find out which certificate to send back and then the host header to find out which VirtualHost (in Apache) section is relevant to the query being processed.
If you are not in HTTP world, then it all depends on the protocol used. Older protocols, like FTP, did not plan for "multihoming" at the beginning, a given IP address meant only one hostname and service for example.
I have this network configuration:
SIP Provider -> Mikrotik CCR as my network Gateway (NAT) -> Asterisk PBX -> Mikrotik RB as CPE device (NAT) -> SIP Devices behind the RB.
How I have to configure the NAT on asterisk and on Customer devices?
Actually I have some problems of one-way-audio but not on all calls.
Thank you in advice for the help
Asterisk can both act as a SIP client and a SIP server. Asterisk as a SIP client is configured with type=peer (or type=friend) in one or more client sections of sip.conf and, optionally, one or more register=> lines in the [general] section of sip.conf. Asterisk as a SIP server connects clients (SIP Phones) configured by specifying their own username, secret, etc. (and either type=peer or type=friend) in client sections of sip.conf.
Asterisk SIP channels in a NATed network can be generalized like this:
Asterisk as a SIP client behind nat, connecting to outside SIP Proxies
Asterisk as a SIP client behind nat, connecting to inside SIP proxies
Asterisk as a SIP server behind nat, clients on the outside connecting to Asterisk
Asterisk as a SIP server behind nat, clients on the outside behind a second NAT connecting to Asterisk
Asterisk as a SIP server behind nat, clients on the inside connecting to Asterisk
Asterisk as a SIP client outside nat, connecting to outside SIP proxies
Asterisk as a SIP client outside nat, connecting to inside SIP proxies
Asterisk as a SIP server outside nat, clients on the outside connecting to Asterisk
Asterisk as a SIP server outside nat, clients on the inside connecting to Asterisk
Every setup works somewhere, but it depends on the client, the NAT, the server and many other factors. In most cases, 1 and 3 is broken. SIP is a peer-to-peer protocol and a NAT can be generalized and simplified as a solution that allows clients on the inside to connect to servers on the outside and _not_ allow clients on the outside to connect to any server on the inside.
#1 works with a NAT-supporting proxy as SIP Express router as the outside proxy. (Get an account at IPtel.org and try!). Fails with Free World Dialup.
#2 Works- no NAT in between
#3 Works with port forwarding and some header mangling magic tips
#4 Works with port forwarding, STUN on the remote and some fine tuning of RTP port allocation
#5 Works - no NAT in between
#6 is no problem. No NAT in the middle
#7 is a problem if no port forwarding is done, similar to 3 above.
#8 is no problem. No NAT in the middle
#9 is solved with nat=yes and qualify=xxx in sip.conf for the client in most cases. Some clients (X-lite) assist themselves by using STUN and sending UDP keep-alive packets. Qualify sends keep-alive packets from Asterisk to the client on the inside.
http://www.voip-info.org/wiki/view/Asterisk+SIP+NAT+solutions
I'm setting up 4 servers that each have RESTful APIs that go over HTTPS. Because we're in the early stages of a startup, I'm going to host these in my closet.
I have business-class Comcast service, so I can get a static IP address or a series of them. The IP addresses are $10/ea per month, so I can save about $30 if I get just one. I realize this sounds like I'm being super cheap, but we're pinching pennies until we get some customers.
We will probably use one server as a "tools" server that will allow us to reach the other servers via SSH; the other 3 servers will need to have HTTPS open to the internet on the LAN.
I'm considering getting one static IP address, and then using my router to forward HTTPS traffic to the various servers. The port forwarding would look something like:
WAN Port LAN Port Server
22 22 Tools
1443 443 Server 1 (API via SSL)
2443 443 Server 2 (API via SSL)
3443 443 Server 3 (API via SSL)
I would then set up A NAME records in my DNS that would be:
tools.mydomain.com -> <static IP address>:22
server1.mydomain.com -> <static IP address>:1443
server2.mydomain.com -> <static IP address>:2443
server3.mydomain.com -> <static IP address>:3443
Is this a reasonable approach? Will it work?
You cannot direct traffic to a specific TCP port with DNS records. You can only point at an IP-address. The client by default uses tcp port 80 for HTTP and port 443 for HTTPS (unless you explicitly name the port to use in the URL).
Furthermore you cannot have multiple HTTPS-based hosts using the same IP address unless they also use the same SSL certificate. That is because the SSL handshake takes place before the client reveals to the server which hostname it was trying to reach, so the server can only give out an SSL certificate based on the IP address (and port) that was connected to.
In this particular instance, if you have four servers that actually have the same domain, you can get a wildcard SSL certificate (i.e. it covers *.mydomain.com) and then you can actually get away with one single public IP address for all four servers. Just point all DNS records to the same IP address and then you have the server give out your wildcard certificate which is valid regardless of which hostname the client is using. After the SSL handshake is thus completed, the server can look at the Host: -header in the client request to determine which server the request was actually intended for, i.e. you have one server acting as the HTTPS-endpoint where all HTTPS-requests are received and then internally forwarding to unencrypted request to the correct server (or handle all servernames virtually by one physical server).
If you are using Apache HTTP server I suggest you read about name-based virtual hosts and proxy forwarding:
http://httpd.apache.org/docs/current/vhosts/name-based.html
http://httpd.apache.org/docs/current/rewrite/vhosts.html
http://httpd.apache.org/docs/current/rewrite/proxy.html
I have asterisk in a server having public ip. I am trying to asterisk from outside network from a sip phone(zoipar). I have opened the port 5060 on my router which is the default udp port for asterisk sip connection and i have also opened the 10000-20000 port for rtp defined in rtp.conf in asterisk.
When i m trying to connect my softphone to asterisk server from outside my network, it says Registration timeout and when i check if i got any hit on my port 5060, its doesnt show anything.
on my server 5060 is running
netstat -nlp | grep 5060
udp 0 0 0.0.0.0:5060 0.0.0.0:* 21768/asterisk
BTW I'm able to connect from local network without any problem .
You need to forward incoming traffic on your router from SIP and RTP to your asterisk server, it's not enough to open those ports, you need to explain your router where to send incoming traffic ton those ports
You need setup NAT.
This article will help you in your situation.
http://www.voip-info.org/wiki/view/Asterisk+sip+nat
You need to login to your router and forward the ports to your asterisk server internal IP.
You will also need to make sure your firewall on your server is setup correctly to allow the ports to go in and out of your server.
You can read more on iptables here: http://www.cyberciti.biz/tips/linux-iptables-examples.html
I am trying to achieve double NAT working with UPNP. My PC connection is as follows:
Internet -> Router 1 -> Router 2-> PC
I have successfully done port forwarding on the Router 2, but not able to do on router 1. Due to which packets from the server(which is on Internet) are not able to reach PC.
Gone through few document how to tackle but mostly found manual way like bridge the network or put the lan wire.
I am rather looking for the some recursive solution using UPNP protocol to do the port forward on both routers. I guess torrent, skype does the same.
How to get the network interface related to router 1 and then port forward on that Network ?
Any help would be highly appreciated.
Thanks,
Pawan
There is an IGD-PCP IWF specification that tries to solve similar problem, although it assumes PCP support on your "Router 1", not UPnP. So let's try to approach this issue from a pure theoretical point of view with two plain UPnP routers/NAT devices.
There are several distinct steps of UPnP communication as per UPnP Device Architecture version 2.0:
addressing
discovery
description
control
eventing
presentation
Addressing is of little interest for us, let's assume proper DHCP everywhere and be done with it. Eventing and presentation are also almost useless in our case. So the main things to be concerned about are discovery, description and control.
Discovery works via SSDP message exchange. SSDP uses UDP for its transport with port number 1900 (by default) and well-known multicast address.
Description starts with URL provided by the device at discovery phase, the control point (that is PC in our case) needs to issue an HTTP GET request on this URL and that means it uses TCP as a transport protocol with devices IP address (unicast).
Control starts with URL provided by the device in its description, and it uses SOAP on top of HTTP on top of TCP which in turn also means unicast IP for us.
So, what all of that means for double NAT is that in description and control steps of UPnP interaction we have zero problems communicating from PC to Router 1 as all of that is just standard TCP with unicast IP addresses. But to get to the description step we need to have a URL of Router 1, so let's take a closer look at how this URL is acquired the normal way.
There are two main mechanisms for discovery — advertising (when the device periodically multicasts some information about it) and search (when the control point sends multicast search message and the device answers to that with unicast response). Obviously, by default our PC behind the Router 2 can't get multicast advertisements from Router 1 and the Router 1 can't get multicast search messages from PC, so we have a problem here and the question now is whether there is a possibility for communication without multicast.
Luckily, the same architecture document says:
In addition, a control point is allowed to unicast a discovery message to a specific IP address on port 1900 or on the port specified by the optional SEARCHPORT.UPNP.ORG header field (which supersedes port 1900 for this use), searching for a UPnP device or service at that specific IP address.
...
All devices shall listen to incoming unicast search messages on port 1900 or, if provided, the port number specified in the SEARCHPORT.UPNP.ORG header field and shall respond if any of their root devices, embedded devices or services matches the search criteria in the discovery message.
And this means that if you know the Router 1 IP address (from Router 2 side, of course), you can (and most importantly, allowed by specification to) communicate with it with unicast UDP messages and that is also NAT-friendly, so not an issue to be done from PC behind the Router 2.
The only thing left is getting Router 1 IP address. Unfortunately, there is no easy standard way to do that, but you have at least two options: tracerouting (in whatever fashion you want) and brute force IP scanning (most probably, the potential set of IPs for Router 1 is limited).
Now you can communicate with the Router 1, but there is still one minor thing you should always remember while communicating with it — in any internal UPnP messages you should use Router 2 IP address (as seen from Router 1 side) and its ports. Like in NewInternalClient parameter of AddPortMapping action on Router 1 you should use Router 2 IP. This, BTW, raises a question of Router 2 IP, but you can get that via Router 2 UPnP ExternalIPAddress variable of WANIPConnection service (this service is required for IGDs to implement).
So, to summarize:
this technically can be done, although I doubt that any standard library would do that for you
two things you need are:
Router 2 "external" IP and you get that via ExternalIPAddress variable of WANIPConnection UPnP service
Router 1 "internal" IP (from Router 2 side), that requires tracerouting or scanning
given Router 1 IP you just need to use unicast messaging at discovery step instead of multicast
everything else should just work, with only caveat of using Router 2 "external" IP instead of PCs IP in the UPnP messages
With the upnpc cli tool I've been able to get Double NAT port forwarding working.
For my example, let's say I want port 6667 to be forwarded to my machine, 192.168.50.123, behind a double NAT. The first layer of NAT has the IP range 192.168.1.1-255, and then 2nd layer has IP range 192.168.50.1-255.
On a machine inside the 2nd layer of NAT, just setup port forwarding with upnpc like normal.
$ upnpc -a 192.168.50.123 6667 6667 tcp
...
$ upnpc -l # this will confirm the rule is in place
...
Now for the slightly tricky part. I now issue UPNP requests to the outer layer NAT. Since the usual SSDP discovery won't work, I have to specify the XML root description URL manually. It's often something standard like http://192.168.1.1:5000/rootDesc.xml, though on some hardware the port number is randomized. I find just port scanning the gateway address will eventually reveal it.
Now that I have the rootDesc url, http://192.168.1.1:5000/rootDesc.xml, I then issue UPNP command to the outer layer NAT:
$ upnpc -u "http://192.168.1.1:5000/rootDesc.xml" -a 192.168.1.XX 6667 6667 tcp
...
$ upnpc -u "http://192.168.1.1:5000/rootDesc.xml" -l # this will confirm the rule is in place
...
With the -u option instead of discoverying the rootDesc, it just uses the URL provided.
The address 192.168.1.XX should be the 2nd layer network's IP address on as seen by the 1st network. When running the first set of UPNP commands this will be shown since it's the "external" address from that NAT's perspective.
With that now setup, traffic will go like this:
<INTERNET> --> MY_PUBLIC_IP -> 192.168.1.XX -> 192.168.50.123