Kamailio as dispatcher in front of FreeSwitch - sip

I'm struggling with Kamailio as a simple dispatcher for FreeSwitch. This is my configuration so far: http://pastebin.com/nBPSpe6S
Connecting an iPhone and an Android makes the calls between them timeout.
Connecting one of the phones and my laptops makes calls between them produce the error "Too many hops".
With all of them I'm able to call in to the Freeswitch, for listening to voicemail, hold music etc.
So I guess it's still NAT problems or similar?
Can anyone spot the error, missing thing or something else that is wrong with the config?
P.S. Adding phones, laptops etc. directly to FreeSwitch, without Kamailio, makes everything work.

"Too many hops" is just that - too many hops. A SIP message is being routed around in a bad way. In many cases in Kamailio, this is because DNS and Kamailio don't have the same view of the world. Kamailio doesn't know which domains it's authoritative for (the alias= configuration parameter) and forwards using DNS. DNS points back to the same Kamailio.
Your configuration lacks both alias= and the IP addresses Kamailio should listen to. Now, your configuration doesn't really use the alias, so I don't see that problem here. Since you are not showing the dispatcher table it's hard to figure out. I suggest you add a couple of calls to xlog() to see what's going on and figure out why a message is looping around. Good luck!
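As an added illustration of the xlog() suggestion above (not part of the answer): the script below parses constructed log lines in the format that such an xlog() call would print and flags Call-IDs the proxy keeps receiving back from its own address with a decreasing Max-Forwards, which is the pattern that ends in 483 Too Many Hops. The log format, the proxy address 10.0.0.5 and the Call-IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of what an xlog() call like
#   xlog("L_INFO", "req $rm $ru ci=$ci mf=$hdr(Max-Forwards) src=$si:$sp\n");
# at the top of request_route would print (syslog prefix omitted). The INVITE for
# 1001 arrives once from the phone and then twice more from the proxy's own address,
# each time with Max-Forwards one lower: the proxy is forwarding to itself.
SAMPLE_LOG = """\
INFO: <script>: req INVITE sip:1001@10.0.0.5 ci=abc123 mf=70 src=10.0.0.20:5060
INFO: <script>: req INVITE sip:1001@10.0.0.5 ci=abc123 mf=69 src=10.0.0.5:5060
INFO: <script>: req INVITE sip:1001@10.0.0.5 ci=abc123 mf=68 src=10.0.0.5:5060
INFO: <script>: req INVITE sip:1002@10.0.0.5 ci=def456 mf=70 src=10.0.0.21:5060
INFO: <script>: req REGISTER sip:10.0.0.5 ci=ghi789 mf=70 src=10.0.0.22:5060
"""

LINE_RE = re.compile(
    r"req (?P<method>\S+) (?P<ruri>\S+) ci=(?P<callid>\S+) mf=(?P<mf>\d+) src=(?P<ip>[^:\s]+):\d+"
)


def parse(log):
    """Yield one dict per matching log line; lines in other formats are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["mf"] = int(rec["mf"])
            yield rec


def find_loops(log, proxy_ip):
    """Return {call_id: self_hops} for requests the proxy receives again from its
    own address with a strictly decreasing Max-Forwards. Each such hop burns one
    unit of the counter; at zero the proxy answers 483 Too Many Hops."""
    by_txn = defaultdict(list)
    for rec in parse(log):
        by_txn[(rec["callid"], rec["method"], rec["ruri"])].append(rec)
    loops = {}
    for (callid, _method, _ruri), recs in by_txn.items():
        self_hops = [r for r in recs[1:] if r["ip"] == proxy_ip]
        decreasing = all(a["mf"] > b["mf"] for a, b in zip(recs, recs[1:]))
        if self_hops and decreasing and len(self_hops) == len(recs) - 1:
            loops[callid] = len(self_hops)
    return loops


if __name__ == "__main__":
    print(find_loops(SAMPLE_LOG, "10.0.0.5"))  # {'abc123': 2}
```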

Random people connecting to my socket on port 8080

I was developing an app, and running a server from home on a private IP on port 8080 (this is the only port coming from my IP that is exposed to the internet). It's just a simple Java IO socket.
But I constantly have random people trying to connect from random IPs coming from the virgin islands etc.
Not sure if this is normal?
I did register at no-ip... because I have a dynamic IP. Not sure if that might be exposing my home IP to some bots scanning things?
If anyone can shed some more light on this, that would be great.
I am running the socket server in Sandboxie so that might mitigate attacks somewhat. I just hope it's not anything like that. I also implemented some basic authentication now, and it will drop connections if they fail to authenticate, but before that, those random IPs would stay connected for many hours. It's so weird.
As pointed out in the comments, these are indeed people scanning the internet.
Many of the observed IPs can be found in lists like this: http://global-threat.rmjconsulting.net/?op=prv_idstableLimit&limit=5000
I guess that proves again how important network security is and making sure no vulnerable apps are facing the internet.
Was kind of surprised by the frequency that this happens.

Wakanda port forwarding/routing 409 conflict

I've got a very large JS app built in Wakanda that I'm working on, and suddenly hit a strange issue.
Our Solution has four main projects in it:
Consumers
Merchants
Funders
Promoters
These projects all have their own functions, and up until recently have had them operating on the same server via different port addresses - 8100, 8101, 8102, 8103. This has worked without a problem, with the localhost as the host in the Settings.waSettings file, and the respective ports set there.
Now, moving to production, we need to have these routing through to the site from subdomains. Because of the way A-records are and not being able to define a port address, we have our .consumer, .merchant etc subdomains all going to the same elastic IP address, and using the Settings.waSettings files in Wakanda to handle the routing of traffic to each project.
We have set all the incoming ports as 80, with it listening for the subdomain name to handle which project to route the user to. This worked yesterday without a hitch for around an hour on the server, before it suddenly stacked itself. For a time, the Wakanda server just stopped each time you attempted to access one of the subdomains. After a while longer it's not crashing each time, but just simply resolving to a '409 Conflict' screen.
My question is, can Wakanda reliably use its project Settings file to handle requests like this? Or is there a better way to handle this? I know there used to be a thread in the forums on this discussion.
Thanks, let me know if you need any more information.

Connect sockets directly after introduction through server

I'm looking for the name of a protocol and example code that permits handing off IP/port connections to establish unmediated P2P after introduction through a server.
Simple example:
You and I both start chat programs that connect to chatintroduce.com (fictional server). I send you a "Hi! Wanna chat?" message. It doesn't get sent. Instead my chat program tells chatintroduce to send your chat program a request for connection. You respond to a prompt and your chat program tells chatintroduce to broker the connection. Chatintroduce establishes an initial two-way connection between us. Now, this final step is important, chatintroduce releases control and our two chat programs now talk directly to each other without any traffic through chatintroduce.
In other words, I construct packets which have your IP address and you receive them without interference from firewalls, NATs or any other technologies. In other words, true peer-to-peer connection independent of intermediate server.
I need to know what search terms to use to find appropriate technology. An RFC name would suffice. I've been searching for days without success.
I think what you are looking for is TCP/UDP hole punching, which typically coordinates the P2P connection using a STUN server to determine the "capabilities" of the firewalls (e.g. is it a full cone NAT? symmetric?).
https://en.wikipedia.org/wiki/Hole_punching_(networking)
We employed this at a company I worked for to create a kind of BitTorrent that could circumvent firewalls for streaming video between two peers.
Note that sometimes it is NOT possible to establish a connection without the intermediary.
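The introduce-then-talk-directly exchange from the question and this answer, as an added example that is not code from the thread: a UDP rendezvous server on 127.0.0.1 records where each peer's datagram came from (the observed address a STUN server would report), hands each peer the other's, and then drops out; the peers exchange a message directly. Peer names, message formats and the loopback setup are assumptions, and on loopback there is no NAT, so this shows the signalling, not the traversal of a real NAT mapping.

```python
import socket
import threading
# Added example: the introduction step of hole punching on 127.0.0.1 (no NAT); the server never relays chat data.

def serve_rendezvous(srv):
    """Accept two 'REGISTER <name>' datagrams, then send each peer the other's observed address."""
    peers = {}
    while len(peers) < 2:
        data, addr = srv.recvfrom(1024)
        if data.startswith(b"REGISTER "):
            peers[data[9:].decode()] = addr  # addr is what a NATed peer looks like from outside
    (n1, a1), (n2, a2) = peers.items()
    srv.sendto(f"PEER {n2} {a2[0]} {a2[1]}".encode(), a1)
    srv.sendto(f"PEER {n1} {a1[0]} {a1[1]}".encode(), a2)

def run_peer(name, server_addr):
    """Register, get the introduction, then talk to the other peer directly on the same socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(3)
    s.bind(("127.0.0.1", 0))  # reusing this socket keeps the port the server observed valid
    s.sendto(f"REGISTER {name}".encode(), server_addr)
    early = []  # the other peer's direct HELLO may overtake our introduction
    while True:
        data, src = s.recvfrom(1024)
        if data.startswith(b"PEER "):
            _, other, ip, port = data.decode().split()
            other_addr = (ip, int(port))
            break
        early.append((data, src))
    s.sendto(f"HELLO from {name}".encode(), other_addr)
    data, src = early[0] if early else s.recvfrom(1024)
    s.close()
    return {"peer": other, "msg": data.decode(), "direct": src == other_addr}

def introduce(names=("alice", "bob")):
    """Run the peers in threads and the rendezvous server in this thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(3)
    srv.bind(("127.0.0.1", 0))
    results = {}
    def peer(n):
        results[n] = run_peer(n, srv.getsockname())
    workers = [threading.Thread(target=peer, args=(n,)) for n in names]
    for t in workers:
        t.start()
    serve_rendezvous(srv)  # returns once both peers have been introduced
    for t in workers:
        t.join()
    srv.close()
    return results
```

Each result's "direct" flag is True when the message came from the address the server handed out, i.e. without passing through the server.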
What you are looking for is the ICE protocol, RFC 5245. This protocol is used for connecting two peers through NAT traversal. There are some open source libraries and also some proprietary libraries for this. You can search Google for ICE implementations.
You will also need to read about some additional protocols. These are used with the ICE protocol. They are STUN and TURN.
In some cases you can't make a P2P call 100% of the time. You will have to use a relay server, like if the NAT combination of the two peers is Symmetric vs Symmetric/PRC. That relay server is called a TURN server.
Some techniques like port forwarding and TCP/UDP hole punching will help you increase P2P rates.
See this answer for more information about which combination of NAT will require a relay server and which don't.
Thank you. I will be looking further into ICE, STUN, TURN, and hole-punching.
I also found n2n which looks like almost exactly what I wanted.
https://github.com/meyerd/n2n
http://xmodulo.com/configure-peer-to-peer-vpn-linux.html
With n2n, one makes a VPN with a super node that all other edge nodes know.
But once the introductions are made, the super node can be absent.
This was exactly what I wanted. I hope it works across platforms (linux, MacOS, Windows).
Again, I am still researching before implementation, so your advice was very important to me.
Thank you.
Use PJNATH. It's open source.
http://www.pjsip.org/pjnath/docs/html/
There is not much open source on NAT traversal. As far as I know PJNATH is good.
For the server you can use Google's open source STUN and TURN server.

Multiple service connections vs internal routing in MMO

The server consists of several services with which a user interacts: profiles, game logics, physics.
I heard that it's a bad practice to have multiple client connections to the same server.
I'm not sure whether I will use UDP or TCP.
The services are realtime, they should reply as fast as possible so I don't want to include any additional rerouting if there are no really important reasons. So are there any reasons to reroute traffic through one external endpoint service to specific internal services in my case?
This seems to be multiple questions in one package. I will try to answer the ones I can identify as separate...
UDP vs TCP: You're saying "real-time", this usually means UDP is the right choice. However, that means having to deal with lost packets and possible re-ordering of packets. But, using UDP leaves a couple of possible delay-decreasing tricks open.
Multiple connections from a single client to a single server: This consumes resources (end-points, as it were) on both the client (probably ignorable) and on the server (possibly a problem, possibly ignorable). The advantage of using separate connections for separate concerns (profiles, physics, ...) is that when you need to separate these onto separate servers (or server farms), you don't need to update the clients, they just need to connect to other end-points, using code that's already tested.
"Re-router" (or "load balancer") needed: Probably not going to be an issue initially. However, it will probably become an issue later. Depending on your overall design and server OS, using UDP may actually become an asset here. UDP packet arrives at the load balancer, dispatched to the right backend and that could then in theory send back a reply with the source IP of the load balancer.
An alternative would be to have a "session broker". The client makes an initial connection to a well-known endpoint, says "I am a client, tell me where my profile, physics, what-have-you servers are", the broker considers the current load, possibly the location of the client and other things that may make sense, and the client then connects to the relevant backends on its own. The downside of this is that it's harder (not impossible, but harder) to silently migrate an ongoing session to a new backend; when there's a load-balancer in the way, this can be done essentially transparently.

Peer 2 Peer call using PJSIP and PJSUA

I am still learning about SIP and all its protocols, specifically trying to integrate PJSIP into an iPhone application to make p2p calls.
I have a question about a peer 2 peer connection using PJSUA. I am able to make calls perfectly to other clients on my local network by calling directly using the URI:
sip:192...*:5060
I am curious if this will work for making direct calls to other SIP URIs that are not on the local network without using server configuration. If not this way, is there another way of making p2p calls without server configuration?
Thanks in advance,
You can make calls without server configuration, as a general principle, but something needs configuring. As mattjgalloway points out in the comments below your question, the most robust solution is a can of worms involving ICE which provides a kind of "umbrella" protocol for things like STUN.
Last time I touched this issue, I had the requirement that I couldn't use internet-based SIP servers to help. I came up with the idea of a registry of sorts: your client can define a bunch of "address spaces" with particular routing requirements. For SIP URIs in your LAN, you define no routing; for URIs in your company's VPN-accessed network, you define a route passing through your VPN connection; for everything else you define a route through your internet router.
By "define a route", I mean that when you place a call to a URI in some particular address space, you store what IP will go into a Contact header, what Route headers you might need, and so on.
Thus, the process of making a call becomes:
Look up in the set of address spaces for a match.
Ask that address space for the suitable bits needed to make a workable INVITE (appropriate Contact header details, Route headers, etc.)
Construct a normal INVITE, mutating as necessary for the previous step.
Send the INVITE as normal.
This essentially reproduces half of what ICE would give you, in a manually administrated form. "Half", because this ensures that one SIP agent can make calls such that the SIP routing all works. The missing half is you still need some kind of registrar somewhere, and each agent in your contact list needs to have the necessary setup to receive incoming calls. (If an agent's behind a NATting internet router, the router would need to either run a SIP proxy, or forward ports 5060, 5061 to a particular machine (which might be an agent, or a proxy serving the LAN's agents).)
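The address-space lookup and INVITE construction described in the four steps above, as an added example rather than the answerer's code: the CIDR ranges, Contact IPs, Route header values and the minimal header layout are constructed, and only IP-literal hosts are matched (a hostname would have to be resolved first).

```python
import ipaddress
import re

# Added example, not the answerer's code. Each "address space" is a CIDR plus the
# bits the INVITE needs when the callee lives there: the local IP to put in Contact
# and any Route headers (e.g. the VPN's SIP proxy). Values below are constructed.
ADDRESS_SPACES = [
    ("192.168.1.0/24", {"contact_ip": "192.168.1.10", "routes": []}),  # LAN: no routing
    ("10.8.0.0/16", {"contact_ip": "10.8.0.5", "routes": ["<sip:10.8.0.1:5060;lr>"]}),  # VPN proxy
    ("0.0.0.0/0", {"contact_ip": "203.0.113.7", "routes": ["<sip:203.0.113.1:5060;lr>"]}),  # internet
]

# Host part of a SIP/SIPS URI; IPv6 literals are bracketed. Hostnames must be
# resolved before lookup; only IP literals are matched here.
URI_RE = re.compile(r"^sips?:(?:[^@]+@)?(?P<host>\[[^\]]+\]|[^:;?]+)")


def lookup_space(uri):
    """Step 1: longest-prefix match of the callee's host against ADDRESS_SPACES."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri}")
    addr = ipaddress.ip_address(m.group("host").strip("[]"))
    best = None
    for cidr, info in ADDRESS_SPACES:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    if best is None:
        raise LookupError(f"no address space for {addr}")
    return best[1]


def build_invite(uri, user, call_id, port=5060):
    """Steps 2-3: build a minimal INVITE, mutating Via/Contact/Route for the matched space."""
    sp = lookup_space(uri)
    me = f"{sp['contact_ip']}:{port}"
    lines = [f"INVITE {uri} SIP/2.0",
             f"Via: SIP/2.0/UDP {me};branch=z9hG4bK-{call_id}",
             "Max-Forwards: 70"]
    lines += [f"Route: {r}" for r in sp["routes"]]  # empty for the LAN space
    lines += [f"From: <sip:{user}@{sp['contact_ip']}>;tag={call_id}-1",
              f"To: <{uri}>", f"Call-ID: {call_id}", "CSeq: 1 INVITE",
              f"Contact: <sip:{user}@{me}>", "Content-Length: 0", ""]
    return "\r\n".join(lines) + "\r\n"  # step 4 would hand this to the transport
```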
It is, indeed, a large can of worms.
The basic issue is to solve the problem of getting transport ports anywhere on the internet for multimedia traffic.
Many companies/experts have tried to solve this situation. A possible way out is to buy a domain and set up a basic registrar using YATE or Asterisk on an address accessible from the internet and configure it to also use ICE as needed. Your iPhone application at both ends could register automatically to it upon start. Then make P2P calls.