14 Replies Last post: Sep 3, 2008 11:21 AM by rags  
rags

Aug 12, 2008 10:17 AM

Does OpenSBC rewrite source-ip at the IP layer?


We have an OpenSBC instance sitting in a DMZ, to proxy SIP (and media) received on one network through to the other network. I can see in the OpenSBC logs that the entire SIP message received on network A is rewritten correctly using the IP address of the second network interface and sent out to network B. But the tcpdump trace shows that the source ip address on the IP layer of the packet going out on the server's interface on network B shows the address of the server's interface on network A. This then fails to pass the firewall on network B because it is from the wrong source IP - the firewall is set up to pass SIP messages received from the IP address of the server's interface on network B.

Is there a setting on OpenSBC to change the source ip and set it to the IP address of the network interface it uses to send messages out?

Thanks,
Rags

joegen
1. Aug 12, 2008 8:03 PM in response to: rags
Re: Does OpenSBC rewrite source-ip at the IP layer?
If OpenSBC is able to rewrite the address (Via Host and Port) of the outbound SIP Message correctly, it would be safe to assume that OpenSBC properly identified the interface to use. Are you using a CVS copy of OpenSBC? If not, please try it first with CVS head. Configuring OpenSIPStack with `./configure --enable-gpllibs` will enable iproute interface selection, which is a more reliable mechanism.

Joegen


joegen
4. Aug 18, 2008 10:54 PM in response to: rags
Re: Does OpenSBC rewrite source-ip at the IP layer?
I apologize for the late response.

First, let me clarify that OpenSBC does not rewrite packet headers in the IP Layer. It only does it by intelligently choosing the best interface to use to obtain a route path to the destination.

Second, if you are saying that after compiling with --enable-gpllibs, the problem got worse, it only goes to show that the problem is somewhere else in your routing configuration. OpenSBC uses IPRoute2 library if the --enable-gpllibs flag is set which is logically similar to obtaining the route using the IPRoute2 command line. Try the following in the OpenSBC box:

  1. `ip route get $(dest_ip)`
    • where $(dest_ip) is the destination IP address.

You should get something like this:

#$(dest_ip) dev eth0 src $(src_ip) realms domain.org
#cache mtu 1500 rtt 300
    • where $(src_ip) should be the interface address used to route to the $(dest_ip)

Joegen

rags wrote:

Hi,

After playing around with ip and routing tables, I now have SIP successfully proxying between two endpoints (using the older version of OpenSBC, I am still having issues with the new version). However, the firewalls on both networks are configured to only allow a specific range of ports for media. Is there any way to specify a port range for RTP in the configuration?

Thanks
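The route check described in the reply above, as an added example that is not part of the original thread or of OpenSBC: it parses `ip route get` output and compares the kernel-selected source address with the one the far-side firewall permits. The function names `route_field` and `check_src` are hypothetical, and the sample outputs are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: verify that the source address the kernel picks for a
# destination is the one the firewall on that network allows.

# route_field NAME: read `ip route get` output on stdin and print the token
# that follows NAME (for example "src" or "dev"); prints nothing if absent.
route_field() {
    awk -v f="$1" '{ for (i = 1; i < NF; i++)
                       if ($i == f) { print $(i + 1); exit } }'
}

# check_src EXPECTED: read `ip route get` output on stdin.
# Returns 0 on match, 1 on mismatch, 2 when the output carries no src.
check_src() {
    expected=$1
    out=$(cat)
    src=$(printf '%s\n' "$out" | route_field src)
    dev=$(printf '%s\n' "$out" | route_field dev)
    if [ -z "$src" ]; then
        echo "no src in route output (no route to destination?)" >&2
        return 2
    fi
    if [ "$src" = "$expected" ]; then
        echo "OK: dev=$dev src=$src"
        return 0
    fi
    echo "MISMATCH: dev=$dev src=$src, firewall expects $expected"
    return 1
}

# Constructed sample outputs (not captured from a real host).
# Good: traffic to network B leaves eth1 with the network-B address.
SAMPLE_GOOD='198.51.100.20 dev eth1 src 198.51.100.5
    cache mtu 1500'
# Bad: the default route wins, so the network-A address becomes the source.
SAMPLE_BAD='198.51.100.20 via 192.0.2.1 dev eth0 src 192.0.2.5
    cache mtu 1500'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_src 198.51.100.5 || true
printf '%s\n' "$SAMPLE_BAD"  | check_src 198.51.100.5 || true

# On the OpenSBC box (dest_ip and allowed_src are placeholders):
#   ip route get "$dest_ip" | check_src "$allowed_src"
```

A mismatch points at the routing table (a missing or less specific route for the far network), which is where the reply above says to look.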

joegen
5. Aug 19, 2008 1:31 AM in response to: joegen
Re: Does OpenSBC rewrite source-ip at the IP layer?
I have added RTP-Min-Port and RTP-Min-Port parameters in OpenSBC-General-Parameters to let you specify a custom port range. The default is 30000-35000. Please check out the latest in CVS.

Enjoy.

Joegen


joegen
7. Aug 21, 2008 1:08 AM in response to: rags
Re: Does OpenSBC rewrite source-ip at the IP layer?
rags wrote:

Hi,
Checking out a clean build, running configure with --enable-gpllibs and building seemed to do the trick.
The only issue is that the opensbc build is now failing on my machine. Any ideas?

I've tried compiling using Ubuntu a while ago and the build process went just fine with GPL Libs enabled. Can you give more insight into what the failure actually is?

joegen
9. Aug 21, 2008 9:14 AM in response to: rags
Re: Does OpenSBC rewrite source-ip at the IP layer?
I am almost 100% sure that you do not have the latest copy of OpenSIPStack library. Please make sure that you have the latest copy of the library as well.

rags wrote:

Here's the error I am getting with the latest from cvs:

g++ -DP_USE_PRAGMA -D_REENTRANT -DP_USE_PRAGMA -D_REENTRANT -Wall -I/home/rameshr5/opensipstack/include -DPTRACING -I/home/rameshr5/opensipstack/gnu/IPRoute2Wrapper -I/home/rameshr5/opensipstack/include -I ./ -fpermissive -Os -c SBCCallHandler.cxx -o obj_linux_x86_r/SBCCallHandler.o
SBCCallHandler.cxx: In member function `BOOL SBCCallHandler::DumpCATLog(B2BUA::B2BUAConnection&, int)':
SBCCallHandler.cxx:769: error: `GetRingDuration' undeclared (first use this function)
SBCCallHandler.cxx:769: error: (Each undeclared identifier is reported only once for each function it appears in.)
SBCCallHandler.cxx:770: error: `GetCallDuration' undeclared (first use this function)
SBCCallHandler.cxx: In member function `BOOL SBCCallHandler::OpenCATLog()':
SBCCallHandler.cxx:778: error: 'class Tools::OSSApplication' has no member named 'GetApplicationDirectory'

make[1]: *** [obj_linux_x86_r/SBCCallHandler.o] Error 1

joegen
11. Aug 21, 2008 11:45 AM in response to: rags
Re: Does OpenSBC rewrite source-ip at the IP layer?
This time, I am almost 100% sure that you did not perform a `make clean` and a fresh `./configure` on your build. Make sure you clean and reconfigure your build after updating from CVS.

rags wrote:

When I updated my trunk for both projects, I now get the following error while building opensbc:

./obj_linux_x86_r/SBCTrunk.o(.gnu.linkonce.r._ZTV15SBCTrunkProcess+0x80): undefined reference to `PProcess::OnGetTailFile(PFilePath&)'
./obj_linux_x86_r/SolegyDebit.o(.text+0x10d7): In function `SolegyDebit::OnReceived_AUTH(Tools::OString const&)':
: undefined reference to `SolegyPromptManager::SolegyPromptManager[in-charge](SolegySession*)'
./obj_linux_x86_r/SolegyDebit.o(.text+0x10fd): In function `SolegyDebit::OnReceived_AUTH(Tools::OString const&)':
: undefined reference to `SolegyPromptManager::InitFromAUTH(Tools::OString const&)'
/home/rameshr5/opensipstack/lib/libopensipstack_linux_x86_r_s.a(OSSApplication.o)(.gnu.linkonce.r._ZTVN5Tools14OSSApplicationE+0x80): undefined reference to `PProcess::OnGetTailFile(PFilePath&)'
/home/rameshr5/opensipstack/lib/libpt_linux_x86_r_s.a(svcproc.o)(.gnu.linkonce.r._ZTV15PServiceProcess+0x80): undefined reference to `PProcess::OnGetTailFile(PFilePath&)'
collect2: ld returned 1 exit status
make[1]: *** [obj_linux_x86_r/opensbc] Error 1

joegen
13. Aug 23, 2008 10:07 PM in response to: rags
Re: Does OpenSBC rewrite source-ip at the IP layer?
rags wrote:

Thanks - I had done a make clean and a make but not a fresh configure. That did the trick as far as the build goes.

Now, I have the following issue: I have a SIP Application Server sending a blank INVITE (no SDP) through OpenSBC to a SIP client. The offer SDP comes back from the SIP Client and the ACK from the SIP A/S contains the negotiated media. What I am currently seeing in the OpenSBC logs is:

  • The INVITE is proxied from the SIP A/S to the SIP client with no issues.
  • The OK response is proxied but the media connection information (ip and port) is NOT being translated to the ip and port of the OpenSBC box, i.e. the original ip address and port of the SIP client are being passed through to the SIP A/S.
  • The ACK to the SIP client is being auto-generated by OpenSBC with no media. It is NOT allowing the SIP A/S to generate its own ACK with media and then proxying that ACK across.

Is the behaviour of OpenSBC on the OK and ACK messages expected?

Thanks,

Rags


Hi Rags,

Yeah it's kinda expected. OpenSBC is not wired to handle INVITE without media. If you can make your UA send an INVITE with a black hole address C=IN IP4 0.0.0.0 instead, it will be handled properly by OpenSBC.