NAT - externip - realtime

Hey guys,

I’m looking for a way to implement these NAT parameters for a SIP peer using Realtime.
Usually, I use this in the account (sip.conf):

nat = yes
externip = 200.201.202.203
localnet=192.168.2.0/255.255.255.0

I didn’t have these fields in my MySQL structure, except NAT:

CREATE TABLE sippeers (
id int(11) NOT NULL,
id_user int(11) NOT NULL,
name varchar(40) NOT NULL,
ipaddr varchar(45) DEFAULT NULL,
port int(11) DEFAULT NULL,
regseconds int(11) DEFAULT NULL,
defaultuser varchar(40) NOT NULL,
fullcontact varchar(80) DEFAULT NULL,
regserver varchar(20) DEFAULT NULL,
useragent varchar(64) DEFAULT NULL,
lastms int(11) DEFAULT NULL,
host varchar(40) DEFAULT NULL,
type enum('friend','user','peer') DEFAULT NULL,
context varchar(40) DEFAULT NULL,
permit varchar(95) DEFAULT NULL,
deny varchar(95) DEFAULT NULL,
secret varchar(40) DEFAULT NULL,
md5secret varchar(40) DEFAULT NULL,
remotesecret varchar(40) DEFAULT NULL,
transport enum('udp','tcp','tls','ws','wss','udp,tcp','tcp,udp') DEFAULT NULL,
dtmfmode enum('rfc2833','info','shortinfo','inband','auto') DEFAULT NULL,
directmedia enum('yes','no','nonat','update') NOT NULL DEFAULT 'yes',
nat varchar(29) DEFAULT NULL,
callgroup varchar(40) DEFAULT NULL,
pickupgroup varchar(40) DEFAULT NULL,
language varchar(40) DEFAULT NULL,
disallow varchar(200) DEFAULT NULL,
allow varchar(200) DEFAULT NULL,
insecure varchar(40) DEFAULT NULL,
trustrpid enum('yes','no') DEFAULT NULL,
progressinband enum('yes','no','never') DEFAULT NULL,
promiscredir enum('yes','no') DEFAULT NULL,
useclientcode enum('yes','no') DEFAULT NULL,
accountcode varchar(40) NOT NULL,
setvar varchar(200) DEFAULT NULL,
callerid varchar(40) NOT NULL,
amaflags varchar(40) DEFAULT NULL,
callcounter enum('yes','no') DEFAULT NULL,
busylevel int(11) DEFAULT NULL,
allowoverlap enum('yes','no') DEFAULT NULL,
allowsubscribe enum('yes','no') DEFAULT NULL,
videosupport enum('yes','no') DEFAULT NULL,
maxcallbitrate int(11) DEFAULT NULL,
rfc2833compensate enum('yes','no') DEFAULT NULL,
mailbox varchar(40) DEFAULT NULL,
`session-timers` enum('accept','refuse','originate') DEFAULT NULL,
`session-expires` int(11) DEFAULT NULL,
`session-minse` int(11) DEFAULT NULL,
`session-refresher` enum('uac','uas') DEFAULT NULL,
t38pt_usertpsource varchar(40) DEFAULT NULL,
regexten varchar(40) DEFAULT NULL,
fromdomain varchar(40) DEFAULT NULL,
fromuser varchar(40) DEFAULT NULL,
qualify varchar(40) DEFAULT NULL,
defaultip varchar(45) DEFAULT NULL,
rtptimeout int(11) DEFAULT NULL,
rtpholdtimeout int(11) DEFAULT NULL,
sendrpid enum('yes','no') DEFAULT NULL,
outboundproxy varchar(40) DEFAULT NULL,
callbackextension varchar(40) DEFAULT NULL,
timert1 int(11) DEFAULT NULL,
timerb int(11) DEFAULT NULL,
qualifyfreq int(11) DEFAULT NULL,
constantssrc enum('yes','no') DEFAULT NULL,
contactpermit varchar(95) DEFAULT NULL,
contactdeny varchar(95) DEFAULT NULL,
usereqphone enum('yes','no') DEFAULT NULL,
textsupport enum('yes','no') DEFAULT NULL,
faxdetect enum('yes','no') DEFAULT NULL,
buggymwi enum('yes','no') DEFAULT NULL,
auth varchar(40) DEFAULT NULL,
fullname varchar(40) DEFAULT NULL,
trunkname varchar(40) DEFAULT NULL,
cid_number varchar(40) DEFAULT NULL,
callingpres enum('allowed_not_screened','allowed_passed_screen','allowed_failed_screen','allowed','prohib_not_screened','prohib_passed_screen','prohib_failed_screen','prohib') DEFAULT NULL,
mohinterpret varchar(40) DEFAULT NULL,
mohsuggest varchar(40) DEFAULT NULL,
parkinglot varchar(40) DEFAULT NULL,
hasvoicemail enum('yes','no') DEFAULT NULL,
subscribemwi enum('yes','no') DEFAULT NULL,
vmexten varchar(40) DEFAULT NULL,
autoframing enum('yes','no') DEFAULT NULL,
rtpkeepalive int(11) DEFAULT NULL,
`call-limit` int(11) DEFAULT NULL,
g726nonstandard enum('yes','no') DEFAULT NULL,
ignoresdpversion enum('yes','no') DEFAULT NULL,
allowtransfer enum('yes','no') DEFAULT NULL,
dynamic enum('yes','no') DEFAULT 'yes',
path varchar(256) DEFAULT NULL,
supportpath enum('yes','no') DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

Many thanks for your help!

“externip” and “localnet” are not part of a SIP peer, they are set in the general section.

Hi!

So how can I define different externIP and LocalNat for different SIP accounts?

Those settings are for the system itself. What its external IP address is, what its local networks are. You can’t/don’t set them per SIP account. The settings apply to all.

Hmm… OK, I didn’t understand it like that.
What are the different values for the field NAT?

By using the supported SIP channel driver (chan_pjsip), rather than the deprecated, and soon to be removed, one that you are currently using. That allows you to define multiple transports.

However, any situation that requires multiple external addresses is going well beyond how IP was designed to be used and should be considered very complex, and I cannot think of a valid reason why you would ever have a different set of local addresses for different interfaces.

Also, are you really sure that you need nat=force_rport,comedia? (nat=yes is about a decade more deprecated than chan_sip.) These options are workarounds for when NAT is not properly handled by the other side and related to that system being behind NAT, whereas externip refers to your system being behind NAT. Both could occur together, but no sensible ITSP would create such a situation, and a VPN is a better solution for your private network.

If you need to ask, you probably should be leaving them at the default values, which use heuristics to choose whether to violate the SIP and SDP protocols. nat=force_rport causes Asterisk to pretend the other side included rport in their via header, even when they didn’t, which means it always ignores the details in the Via header when routing a response. nat=comedia causes Asterisk to ignore the media address (c=) and port (m=) in the SDP, and send back to the one that the other side is sending from, if it finds that it is actually receiving media from a different port from which it sent.

nat= is per peer because it is intended to work round deficiencies in specific peers.

If you are doing this because of what an ITSP told you, my experience, from looking at configurations reported here, is that ITSPs copy configurations from other ITSPs, probably through several levels. None of them are likely to have properly worked out the true requirement from first principles, and each one might have different real requirements. As a result, configurations tend to accumulate a lot of stuff that just causes protocol violations, reduces security, or simply over-complicates things.
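A simplified model of the two nat= behaviours described in the reply above, added here as an example; it is not part of the thread and not Asterisk's own code. The function names are hypothetical, the Via header, SDP and addresses are constructed samples, and only IPv4 and the explicit force_rport / comedia options are modelled (the heuristic defaults are not).

```python
import re

VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?(.*)", re.I)

def parse_nat(value):
    """Split a sippeers.nat column value into a set of option names."""
    opts = {o.strip().lower() for o in (value or "").split(",") if o.strip()}
    if "yes" in opts:  # legacy spelling, equivalent to both overrides
        opts = (opts - {"yes"}) | {"force_rport", "comedia"}
    return opts - {"no"}

def response_target(via, src, opts):
    """Return (ip, port) a SIP response is sent to for a request from src."""
    m = VIA_RE.match(via)
    sent_port = int(m.group(2) or 5060)
    has_rport = re.search(r";\s*rport\b", m.group(3), re.I) is not None
    if has_rport or "force_rport" in opts:
        return src                  # reply to the packet's source ip:port
    return (src[0], sent_port)      # source IP, but the port claimed in Via

def sdp_media_addr(sdp):
    """Return the (ip, port) advertised in the SDP c= and m= lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    return (ip, port)

def media_target(sdp, rtp_src, opts):
    """Return (ip, port) RTP is sent to, given where RTP arrives from."""
    advertised = sdp_media_addr(sdp)
    if "comedia" in opts and rtp_src is not None and rtp_src != advertised:
        return rtp_src              # trust the observed source over the SDP
    return advertised

# Constructed sample: a phone at 192.168.2.10 behind a NAT at 203.0.113.7.
VIA = "SIP/2.0/UDP 192.168.2.10:5060;branch=z9hG4bK-constructed"
SIG_SRC = ("203.0.113.7", 40112)
SDP = "v=0\nc=IN IP4 192.168.2.10\nm=audio 10000 RTP/AVP 0 8\n"
RTP_SRC = ("203.0.113.7", 50002)

if __name__ == "__main__":
    for value in (None, "force_rport", "comedia", "yes"):
        opts = parse_nat(value)
        print(value, response_target(VIA, SIG_SRC, opts),
              media_target(SDP, RTP_SRC, opts))
```

With comedia set, the media destination is taken from whatever address the RTP actually arrives from rather than from the signalled SDP, which is why the option is best limited to the specific peers that need it.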
