FOOD FOR THOUGHT OpenSBC - A silver bullet for NAT issues?

jroper

Hi

I've finally taken the time to have a look at OpenSBC, which provides a number of functions, including RTP Proxy, upper registration, and Session Border controller.

For those who are doing commercial PBX installations, and regularly run into the issues of NAT, and one way audio, particularly where both ends are behind NAT, OpenSBC could be the answer.

Ideally OpenSBC should be placed on an external IP address for best results, but this is not necessarily required, from what I have read.

1. OpenSBC will do Upper Registration, that is to say that you point your phone at the OpenSBC server, and it will forward your registration onto the asterisk server. This means that those issues of delivering the right IP to the PBX go away. As far as asterisk is concerned, the IP address of the phone is the IP of the SBC.

2. OpenSBC will proxy the media - doing NAT traversal when only one end is behind NAT is an order of magnitude easier than doing NAT traversal when both ends are behind NAT.

3. One SBC can handle registrations and proxying RTP to multiple Asterisk servers by means of simple rules, but some forethought has to be given to planning this.

4. Greater security. Registrations can be set to only come from the SBC IP address on your IP-PBX. Although some attention has to be given to security on OpenSBC, it does not run as many services as the average PBX, and should therefore be easier to lock down.

The interface is nasty, but functional, and once set up, you don't have to touch it again until you need to add another PBX to the mix.

Whether it is a silver bullet remains to be seen, but we should know after some testing. My testing today allows me to register two SIP phones behind the same NAT device, and allows two-way audio. That was not possible before.

To those professionals out there who need a solution to one way audio, and NAT/SIP problems, if there is an interest in documenting the build of this, and some default configs, reply to this thread.

Yours

Joe
 

kevinfvc

Joe - I think SBCs are the way to address the remote phone user to access the PBX. While many have had success making remote phones work, too many others have struggled. SBCs are used often in the service provider space to manage far end NAT traversal (without opening ports on the firewall in front of the PBX/softswitch).

There is a write-up on OpenSBC and Vyatta (router/firewall) that might be useful in configuring such a set up. http://sipx-wiki.calivia.com/images/3/38/InstallOpenSBConVyattaFirewall.pdf
 

jroper

Hi

That's the guide I used, and so far, with a few minor adjustments, everything seems tickety boo.

Joe

Even my Nokia E61 SIP client is working over wireless and 3G. It's never done that before ;-)
 

wardmundy

We'd be happy to feature a good writeup on Nerd Vittles. :biggrin5:
 

w1ve

Joe,

You installed oSBC on a PIAF box?? I would like to use it; it's a semi-production box and I do not want to shoot myself... any hints appreciated.

Gerry
 

jroper

Hi Gerry

I've not done an install on PIAF, but the installation on the systems I have installed it on has been OK and fairly non-intrusive.

What problem are you trying to solve, so that we have an idea of whether it works or not?

Joe
 

jroper

Hi

On answering this post - http://pbxinaflash.com/community/threads/system-unresponsive-after-wan-failure.6575/#post-39859 I wonder if OpenSBC will easily fix the problem of SIP phones de-registering on loss of internet.

Below is the installation script. I'm copying and pasting it so that you read it before using it and are happy with what it is doing to your system.

The instructions for use are contained within the script. Basically, point your phones at port 5061, with the same username and password as configured in Asterisk.

In terms of security, the web interface for this is on port 9999, which is blocked on PIAF boxes by iptables.

Don't run the script twice.

Joe


Code:
#!/bin/sh
#Install OpenSBC - CentOS edition
#Copyright (C) 2010 Star2Billing S.L.
#Author Jonathan Roper [email protected]

#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.

#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.

#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

#==================================================================================================
#This script will install OpenSBC on an existing asterisk server, and will be available on port 5061
#It will provide upwards registration, and RTP proxy services.
#No configuration in Asterisk is required.
#Simply point your phone at <<IPADDR>>:5061
#If this is installed behind NAT, forward UDP 5061 and 10,000 > 20,000
#==================================================================================================

yum -y install expat expat-devel flex bison cvs

cd /usr/src

echo "================================================================================"
echo "When prompted for a CVS password, just press enter"
echo "================================================================================"


cvs -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack login
cvs -z3 -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack co -P opensipstack
cvs -z3 -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack co -P opensbc

cd /usr/src/opensipstack/
chmod +x ./configure
./configure
make bothnoshared
cd ../opensbc
chmod +x ./configure
./configure
make bothnoshared
make distrib


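cp /usr/src/opensbc/distrib/* /usr/local/bin/
#Helper scripts use the absolute path so they work from any directory
echo "/usr/local/bin/opensbc -d -p /var/run/opensbc.pid -H 65536 -C 1024000" > /usr/local/bin/startup.sh
echo "/usr/local/bin/opensbc -k -p /var/run/opensbc.pid" > /usr/local/bin/shutdown.sh
chmod +x /usr/local/bin/startup.sh /usr/local/bin/shutdown.sh

#Start OpenSBC at boot
echo "/usr/local/bin/opensbc -u root -d -p /var/run/opensbc.pid -H 65536 -C 1024000"  >> /etc/rc.d/rc.local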

mkdir /root/OpenSIPStack
mkdir /root/OpenSIPStack/OpenSBC_data


echo "
[OpenSBC-General-Parameters]
SIP-Log-Level=1
PTRACE-Log-Level=1
Log-File-Prefix=b2bua
SBC-Application-Mode=B2BUpperReg Mode
Enable-Trunk-Port=True
Enable-Calea-Port=True
RTP-Min-Port=10000
RTP-Max-Port=20000
NAT-Keep-Alive-Interval=15
Send-OPTIONS-NAT-Keep-Alive=True
Send-Responses-Using-New-Socket=False
Enable-Local-Refer=False
Disable-Refer-Optimization=True
Max-Forwards=70
Encryption-Mode=XOR
Encryption-Key=GS
Alerting-Timeout=30000
Seize-Timeout=60000
SIP-Timer-B=Default
SIP-Timer-H=Default
Session-Keep-Alive=1800
Session-Max-Life-Span=10800
Max-Concurrent-Session=100
Max-Call-Rate-Per-Second=10

[SIP-Transports]
Main-Interface-Address Array Size=1
Main-Interface-Address 1=sip:*:5061
Backdoor-Interface-Address=sip:*:5062
Trunk-Interface-Address=sip:*:5064
Media-Server-Interface-Address=sip:*:5066
CALEA-Interface-Address=sip:*:5068
Auxiliary-Interface-Address=sip:*:5070
Interface-Route-List Array Size=0

[RTP-Proxy]
Proxy-On-Private-Contact=True
Proxy-On-via-received-vs-signaling-address=True
Proxy-On-Private-Via=True
Proxy-On-Different-RPORT=True
Proxy-All-Media=False

[Trusted-Domains]
Accept-All-Calls=True
Trusted-Domain-List Array Size=0
X-Remote-Info-List Array Size=0

[Host-Access-List]
Trust-All-Hosts=True
Trusted-Host-List Array Size=0
Enable-Selective-Banning=True
Banned-Host-List Array Size=0

[Upper-Registration]
All-Reg-As-Upper-Reg=True
Enable-Stateful-Reg=False
Rewrite-TO-Domain=True
Rewrite-FROM-Domain=True
Route-List Array Size=1
Route-List 1=[sip:*] sip:127.0.0.1:5060

[B2BUA-Routes]
Route-List Array Size=1
Route-List 1=[sip:*] sip:127.0.0.1:5060
Insert-Route-Header=True
Rewrite-TO-URI=True
Prepend-ISUP-OLI=False
Route-By-Request-URI=False
Route-By-To-URI=False
Drop-Routes-On-Ping-Timeout=False
Use-External-XML=False
External-XML-File=b2bua-route.xml

" > /root/OpenSIPStack/OpenSBC_data/OpenSBC.ini


echo "================================================================================"
echo "The web interface for this is on <<ipaddress>>:9999"
echo "By default it has no password on it"
echo "After reboot, please go to the website and configure a username and password"
echo "================================================================================"
echo "Please reboot the Asterisk Switch"
echo "================================================================================"
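
An added example, not part of the original post or of OpenSBC itself: a small audit of the OpenSBC.ini the script writes, listing the settings a reviewer would want to revisit before exposing the box. The findings are judged from the setting names only (an assumption about their semantics), and `audit_opensbc_ini` and `sample_ini` are names made up for this example.

```shell
#!/bin/sh
# Flag permissive settings in an OpenSBC.ini such as the one the script writes.
# Findings are judged from the setting names alone (assumption).

audit_opensbc_ini() {
    # $1: path to OpenSBC.ini (stdin if omitted); prints one line per finding
    awk -F= '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        NF < 2     { next }
        {
            val = substr($0, length($1) + 2)
            id  = section "/" $1
            if (id == "Host-Access-List/Trust-All-Hosts" && val == "True")
                print id ": every source host is trusted"
            else if (id == "Trusted-Domains/Accept-All-Calls" && val == "True")
                print id ": calls accepted from any domain"
            else if (id == "OpenSBC-General-Parameters/Enable-Calea-Port" && val == "True")
                print id ": extra CALEA listener enabled"
            else if (id == "OpenSBC-General-Parameters/Encryption-Mode" && val == "XOR")
                print id ": XOR with a fixed key is obfuscation, not confidentiality"
            else if (section == "SIP-Transports" && val ~ /^sip:\*:[0-9]+$/)
                print id ": bound to all interfaces (" val ")"
        }
    ' "${1:--}"
}

sample_ini() {
    # Constructed sample: excerpt of the configuration from the script above
    cat <<'EOF'
[OpenSBC-General-Parameters]
Enable-Calea-Port=True
Encryption-Mode=XOR
Encryption-Key=GS

[SIP-Transports]
Main-Interface-Address 1=sip:*:5061
Backdoor-Interface-Address=sip:*:5062
CALEA-Interface-Address=sip:*:5068

[Host-Access-List]
Trust-All-Hosts=True

[Trusted-Domains]
Accept-All-Calls=True
EOF
}

sample_ini | audit_opensbc_ini
```

On an installed system, run it against the real file: `audit_opensbc_ini /root/OpenSIPStack/OpenSBC_data/OpenSBC.ini`.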
 

blakekrone

This looks interesting, I've been plagued with NAT issues from the start. My PBX sits behind a firewall with ports forwarded to it. I've got a couple of remote phones that work off and on.

I ran the script with no problems to install OpenSBC but it doesn't seem to be working. My remote phones still show as coming from their respective hosts instead of the OpenSBC running locally to the PIAF box.
 

jroper

Hi

Did you repoint your phones to port 5061?

Have you opened port 5061 in your external firewall?

You can tail the opensbc logs, which are located in the root directory, to see what is happening, and increase verbosity in the logging by increasing
SIP-Log-Level=1 to 5

This solution will work best on a public IP, and will route to multiple PBX systems behind NAT.

Yours

Joe
 

blakekrone

Yep, repointed to 5061. When I did that the phones just went straight to Asterisk and ignored OpenSBC. When I changed the port to 9000 they started to hit the OpenSBC, well two of them did. My Grandstream GXV-3000s won't. I'll probably change the setup and put this on my ClearOS firewall which has a public IP. Then forward into my PIAF box and try that.

The two shown below are external and both are behind NAT. They don't hit the OpenSBC, they just register to Asterisk as port 9000.
Code:
voip*CLI> sip show peers
Name/username              Host            Dyn Nat ACL Port     Status                         
1070/1070                  70.60.84.x     D   N   A  9000     OK (51 ms)           
1060/1060                  209.98.248.x    D   N   A  9000     OK (78 ms)
 

jroper

Hi

Why port 9000?

Mine looks like this with the same script

Code:
247/x-reg-id-sip%3A247%40  127.0.0.1        D   N   A  5061     OK (1 ms)


Joe
 

blakekrone

For some reason mine wouldn't work with it being on port 5061. I set my Grandstream GXV-3000 to use port 5061 and it just goes straight to Asterisk. So I tried changing it to 9000 after some Google results mentioned they had the same problem with port 5061. But changing it to 9000 didn't fix it either.
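
An added example, not from any poster in this thread: a check that reads `sip show peers` output and lists the peers that registered with Asterisk directly instead of through the SBC, which is the difference between the two listings above. It assumes OpenSBC runs on the Asterisk host (127.0.0.1, as in the install script); `peers_bypassing_sbc`, `sample_peers` and `SBC_ADDR` are names made up for this example.

```shell
#!/bin/sh
# List chan_sip peers that registered with Asterisk directly rather than via the SBC.
SBC_ADDR="${SBC_ADDR:-127.0.0.1}"   # assumption: OpenSBC runs on the Asterisk host

peers_bypassing_sbc() {
    # stdin: `sip show peers` output; prints "extension host port" per bypassing peer
    awk -v sbc="$SBC_ADDR" '
        $1 ~ /\// && $2 ~ /^[0-9]+(\.[0-9x]+)+$/ && $2 != sbc {
            port = "?"
            for (i = 3; i <= NF; i++)          # flag columns (D/N/A) may be absent
                if ($i ~ /^[0-9]+$/) { port = $i; break }
            split($1, name, "/")
            print name[1], $2, port
        }'
}

sample_peers() {
    # Sample input: the two listings posted in this thread, combined
    cat <<'EOF'
Name/username              Host            Dyn Nat ACL Port     Status
1070/1070                  70.60.84.x      D   N   A  9000     OK (51 ms)
1060/1060                  209.98.248.x    D   N   A  9000     OK (78 ms)
247/x-reg-id-sip%3A247%40  127.0.0.1       D   N   A  5061     OK (1 ms)
EOF
}

# On a live system: asterisk -rx 'sip show peers' | peers_bypassing_sbc
sample_peers | peers_bypassing_sbc
```

Any peer it prints reached Asterisk without passing through OpenSBC. Setting `deny=0.0.0.0/0.0.0.0` and `permit=127.0.0.1/255.255.255.255` on each chan_sip peer is one way to enforce the "registrations only from the SBC" point made in the first post.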
 

tlanghals

Joe, Got this up and running but having issues with no audio for extension to extension calls. Couple of questions.

What did you set the nat settings to for the extensions in asterisk?

Did you enable STUN/ICE on your endpoints so they show up in OpenSBC as their public address? If I do not enable STUN I'm guessing there would be issues if I have duplicate private addresses from different users.
 

jroper

Hi

I set NAT = no.

As far as Asterisk is concerned, all phones are on 127.0.0.1, or the address of the SBC.

As can be seen from the config file, OpenSBC has a number of options for recognising the remote IP address.

Joe
 

tlanghals

Setup is as follows:
Extension A, B, C <-> NAT Router <-> Internet <-> OpenSBC/Asterisk <-> SIP Trunk to PSTN

I've identified an audio issue if I try to call A to B, A to C, etc. when those extensions are using STUN. If I call out or in to the PSTN everything works correctly. The devices show registered in Asterisk with a 127.0.0.1 address.

Also cannot register from my Android phone on 3G to OpenSBC. It reports: SIP/2.0 401 Unauthorized Method(REGISTER)
No issues if I register directly to Asterisk.

Finally, I wasn't able to download from CVS due to the following error. Tried this from 3 different machines on different networks, all with the same result. I'm currently running 1.1.5-108 from the tar on SourceForge, but it appears 1.1.6-X is the current version?

root@el1:~/cvs-get $ cvs -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack login
Logging in to :pserver:anonymous@opensipstack.cvs.sourceforge.net:2401/cvsroot/opensipstack
CVS password:
cvs [login aborted]: connect to [opensipstack.cvs.sourceforge.net]:2401 failed: Connection refused
 

jroper

Hi

I don't think OpenSBC is under active development and I've not been able to install it on any OS past Ubuntu 10.04, so probably not.

Having said this, routers, endpoints and Asterisk have all got a lot better at dealing with NAT, so it's not as much of an issue as it used to be.

Joe
 
