
[Partysip-dev] PartySIP and NAT (of course)


From: CJ Kucera
Subject: [Partysip-dev] PartySIP and NAT (of course)
Date: Mon, 27 Jun 2005 23:19:42 -0500
User-agent: Mutt/1.5.9i

Hello, I've got some questions about running PartySIP 2.2.3 behind a
NAT.  I'm sure this brings nothing but joy.

My situation is that I've got a real SIP address available for me
to use (which is hooked into a real phone line).  Let's call it
address@hidden  I'd like to be able to use that address, but my
home network lives behind a NAT.  Let's say I'm on a 192.168.0.0/24
network internally, with my linux-based (iptables) firewall/router
at 192.168.0.1 (A), a fileserver-type linux box at 192.168.0.2 (B), and
a desktop at 192.168.0.3 (C).

Here's how I was under the impression I could make this work:
  * Box A would run the uPNP.sh script to listen for incoming connections
    to keep track of the proper iptables states
  * Box B would run PartySIP and listen for connections inside the
    NAT, talking to uPNP.sh on Box A to poke holes in the firewall
    as-needed.
  * On Box C, I'd set up (for instance) kphone, with my *real* SIP address
    (address@hidden) and 192.168.0.2 as the SIP Proxy address.

Box C appears to be talking to Box B without problems, because when
I try and make a call, I can watch INVITE packets go out through the
firewall from box B (heading towards w.x.y.z).  The problem is that
the INVITE packets always advertise an IP of 192.168.0.2, so I never
get anything back from the real SIP server.  (presumably it's either
trying to contact an IP in the private net, or hopefully just discarding
the packets entirely.)  Also, PartySIP never actually contacts the
firewall to alter the firewall states (I've spent a lot of time in
tcpdump / ethereal watching this stuff; there's not even an aborted
SYN/ACK or anything).  I *do* have port 5060 (UDP and TCP, though it
seems that I only need UDP) forwarded through to Box B.

On the outgoing INVITE packets that I've captured, the "Message Header"
section seems to be mostly correct.  Here's what that looks like:

> INVITE sip:address@hidden SIP/2.0
> Via: SIP/2.0/UDP (externalIP):5060;branch=foobarbaz
> Via: SIP/2.0/UDP 192.168.0.3;branch=foobarbaz
> From: "CJ Kucera" <sip:address@hidden>;tag=foobar
> To: <sip:address@hidden>
> Call-ID: address@hidden
> CSeq: 3751 INVITE
> Contact: "CJ Kucera" <sip:address@hidden;transport=udp>
> Subject: sip:address@hidden
> User-agent: kphone/4.1.0
> Content-Type: application/sdp
> Content-Length: 181

In the Message Body section of the packet is where the internal NATted
IPs are most prevalent.  In the Owner/Creator section, ethereal tells
me that the "Owner Address" is 192.168.0.3, and 192.168.0.3 is also in
the Connection Information section, under Connection Address.

I think most of the problem is that I'm probably just not configuring
PartySIP properly.  I've been digging around the source a bit and
searching around the web, but haven't had much luck finding anything.

Here's things I've tried in various combinations, if anyone would let
me know which ones merit some further twiddling, or some guidance in
general, that'd be great.

 * I've tried dynamic_ip in both 'on' and 'off'
 * I've tried setting serverip to both the private NATted address, and
   the external IP of the firewall
 * For servername I've tried both the internal hostname and the external
   DNS name which resolves to the firewall's external IP.
 * Is remote_natip used only for the "static" NAT config, and not when
   the various dynamic NAT options are present?  I've tried leaving
   this blank, and setting it to the external IP.
 * I've tried masquerade_sdp both 'on' and 'off'
 * I've kept iptables_dynamic_natrule 'on' for the whole time, with
   _server and _port set to Box A's address.
 * I've had the external IP set in if_extip (and a 255.255.255.255 for
   if_extmask), and I've had the if_lanip and if_lanmask set to my
   internal network, too.
 * I've toyed around with various settings in the various plugins
   (ls_localdb, etc), but without much real idea what I should be
   changing.  After digging around in the source a bit I saw that
   the "static" plugin may be something that'd help, so I added this:
        <static>
        mode    statefull
        record-route    on
        forward 192.168.0.3     w.x.y.z
        reject  *               403
        </static>
    ... that didn't seem to actually do anything though.

I do get the following message on startup:

> DEBUG: [get_output_if] setsockopt(SOL_SOCKET, SO_BROADCAST: Bad file descriptor
> Default Gateway Interface detection failed. Please define "serverip" in the config file

Digging around the source (and after strace'ing the executable), it looks
like that's just failing out on ipv6 (which I don't have enabled), and the
ipv4 socket work is happening properly, so I'm not worried about that.
I've been running partysip with "-d 6" but I don't actually get any output
other than the initial info lines ("Server:" "Debug level:" etc), nor do
I get any output in the logfile that I specify with -l.

So, if anyone has any ideas, or knows that what I'm trying to do is
actually impossible or something, that'd be great.

Thanks!

-CJ

-- 
WOW: Kakistocracy           |   "Happiness isn't good enough for me!  I
address@hidden   |              demand euphoria!"
apocalyptech.com/music/     |                  - Calvin
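
An added example, not part of the original post: a small check that lists every place a captured INVITE still advertises an RFC 1918 address (Via, Contact, SDP `o=` and `c=`), so each configuration change can be judged by what actually goes out on the wire. The sample message is constructed from the post's description; `203.0.113.10`, `example.net` and the SDP body are placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the capture described in the post.
# 203.0.113.10 (firewall external IP) and example.net (SIP domain) are
# placeholders for values the post redacts; the SDP body is also constructed.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:callee@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=foobarbaz",
    "Via: SIP/2.0/UDP 192.168.0.3;branch=foobarbaz",
    'Contact: "CJ Kucera" <sip:caller@example.net;transport=udp>',
    "",
    "v=0",
    "o=caller 0 0 IN IP4 192.168.0.3",
    "c=IN IP4 192.168.0.3",
    "m=audio 32000 RTP/AVP 0",
])

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def private_addrs(text):
    """Return the RFC 1918 IPv4 addresses that appear in text, in order."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # dotted quad with an out-of-range octet
        if any(ip in net for net in RFC1918):
            found.append(candidate)
    return found

def find_private_leaks(message):
    """List (location, address) pairs where a private IP is advertised."""
    head, _, body = message.partition("\r\n\r\n")
    leaks, via_index = [], 0
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):  # "v" is the compact form of Via
            leaks += [(f"Via[{via_index}]", a) for a in private_addrs(value)]
            via_index += 1
        elif name in ("contact", "m"):  # "m" is the compact form of Contact
            leaks += [("Contact", a) for a in private_addrs(value)]
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):  # SDP origin and connection lines
            leaks += [(f"SDP {line[:2]}", a) for a in private_addrs(line)]
    return leaks
```

A private address in a lower Via (here `Via[1]`, added by the phone itself) is expected behind a proxy; the SDP `o=` and `c=` entries are the ones that tell the far end where to send media.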



