Wednesday, August 21, 2013

RTPproxy Revisited [Kamailio 4.0]

Time and again I see people getting stuck on RTPproxy integration with Kamailio. I recently got another opportunity to put RTPproxy in between the User Phones and Kamailio setup as depicted in the following diagram.



That is similar to what I've posted earlier on this topic. In this post I will try be more verbose and write each and every step I did to have RTPs flowing.

I assume you've a Kamailio installed and working and configurations file from Asipto Knowledge Base by Daniel and that there are TWO NICs configured with Public IP and Private IP as shown in the diagram above.

The important thing which I'm looking for from the configuration is the WITH_NAT tag. follow the code and see how the NAT is handled. route[NATMANAGE] is called at almost all important routes.

The overall idea is;

1- Install RTPproxy
2- Start RTPproxy in Bridged mode
3- Make Kamailio aware of multiple NICs
4- Add Private IP asterisks in dispatcher
5- Create a new route RTPPROXY to engage RTP-proxy whenever needed
6- Call in the RTPPROXY route in the NATMANAGE route.
7- Important Things to take care of.

So lets start following the steps.

1- Installing RTPproxy

root@Kamailio:~# cd /usr/src/
root@Kamailio:~# wget http://b2bua.org/chrome/site/rtpproxy-1.2.1.tar.gz
root@Kamailio:~# tar zxvf rtpproxy-1.2.1.tar.gz
root@Kamailio:~# cd rtpproxy-1.2.1/
root@Kamailio:~# ./configure
root@Kamailio:~# make
root@Kamailio:~# make install

Setup LSB script for RTP-proxy
root@Kamailio:~# cp debian/rtpproxy-default.ex /etc/default/rtpproxy
edit the default file and put in the parameters.
root@Kamailio:~# vim /etc/default/rtpproxy

2- Start RTPproxy in Bridged mode


DAEMON_OPTS="-F -s udp:127.0.0.1:7722 -l 77.66.55.44/192.168.1.244 -d DBUG:LOG_LOCAL0 -u root"

Save and Exit

root@Kamailio:~# cp debian/rtpproxy.init /etc/init.d/rtpproxy
root@Kamailio:~# chmod a+x /etc/init.d/rtpproxy

Open up the file

root@Kamailio:~# vim /etc/init.d/rtpproxy

see that the DAEMON field points to the file in /usr/bin/rtpproxy

DAEMON=/usr/bin/rtpproxy

Lets copy the RTPproxy binary to that location.

root@Kamailio:~# cp rtpproxy /usr/bin/rtpproxy

Start up RTPproxy

root@Kamailio:~# /etc/init.d/rtpproxy start

verify that rtpproxy is running and listening on the specified 7722 

root@Kamailio:~# netstat -pln | grep rtpp
udp        0      0 127.0.0.1:7722          0.0.0.0:*                           6554/rtpproxy
Thats all.

3- Making Kamailio aware of multiple NICs


Lets move on to step 3 involving Kamailio configurations.

root@Kamailio:~# vim /usr/local/etc/kamailio/kamailio.cfg

Insert the following line in global parameters section, just under where we define "listen=" or "port=" 

mhomed=1

That will ensure that Kamailio uses its Private IP to communicate with Asterisks on Private subnet. Don't forget this.

We also need to put this line on the top definitions of kamailio.cfg file so kamailio use the NAT functions.

#!define WITH_NAT

4- Adding Asterisks to dispatcher


Now Add Private IP asterisks in dispatcher: Follow my post on adding dispatcher to the plain configurations from here: http://saevolgo.blogspot.com/2011/11/how-to-increasing-voip-services.html

5- Writing some Kamailio routing logic for RTPPROXY

That was easy, now the real thing the addition of RTPPROXY route which I modified a little bit from the last link mentioned.

To have the code working I have used the SQLOPS module configured to query kamailio.dispatcher table as the AVPOPS module was already busy.

NOTE: Using the DB query is a costly operation BUT it allows me to detect if Kamailio is sending call to Dispatcher listed IPs or not. I have a mix of Asterisks on Private Subnet and on Public Subnet and if the Asterisk dispatcher has chosen or the call is coming from is a Private IP then engage RTPproxy. This detection is handled by IPOPS module and its function is_ip_rfc1918()

loadmodule "ipops.so"
loadmodule "sqlops.so"
modparam("sqlops","sqlcon","ca=>mysql://openser:openserrw@localhost/kamailio")

Then declare the route:

# RTPProxy control
route[RTPPROXY] {
        if (is_method("INVITE")){
                sql_query("ca", "select destination from dispatcher where destination like '%$dd%'","ra");
                if($dbr(ra=>rows)>0){
                        $avp(duip)=$(du{s.select,-2,:});
                        if (is_ip_rfc1918("$avp(duip)")) {
                                xlog("L_INFO", "Call is going to private IPv4 Media Server Engage RTPProxy Now\n");
                                #rtpproxy_manage("crwie","192.168.1.244");
                                rtpproxy_manage("rwie");
                        }

                }
                else if(ds_is_from_list()){
                        if (is_ip_rfc1918("$si")) {
                                xlog("L_INFO", " Call is coming from a private IPv4 Media Server Engage RTPProxy Now\n");
                                #rtpproxy_manage("crwei","77.66.55.44");
                                rtpproxy_manage("rwei");

                        }
                }else if(!ds_is_from_list()){
                          rtpproxy_manage("rwie");

                }
      }
}

6- Using RTPPROXY route

Add the RTPPROXY route just where the FLT_NATS and FLB_NATB flags are tested.

        if (!(isflagset(FLT_NATS) || isbflagset(FLB_NATB))){
                return;
        }
                route(RTPPROXY);


Now Save and Exit the kamailio.cfg file.

Restart Kamailio.

root@Kamailio:~# /etc/init.d/kamailio stop
root@Kamailio:~# /etc/init.d/kamailio start

7- Helpful Things to know

Asterisk needs to have the peer declared for kamailio using its Private IP.

[Kamailio]
type=friend
host=192.168.1.244
port=5060
disallow=all
allow=gsm
allow=g729
allow=alaw
allow=ulaw
context=SBC-Incoming
canreinvite=no
insecure=port,invite
nat=force_rport,comedia
qualify=yes
directrtpsetup=no

See that I've used "directrtpsetup=no" so that Asterisk don't decide to go direct with the End caller.

Use xlog lines in kamailio.cfg file to follow the call.

The way I always setup my whole environment is that Kamailio handles the REGISTRATIONs and only INVITES are load-balanced to Asterisks or FreeSWITCHes where they receive the call from Kamailio peer and execute dialplan applications and IF call needs to dial out they dial the destination back to kamailio.
Kamailio needs to detect the call coming FROM the Media-Servers (ds_is_from_list() function)

So I know when a user calls in and when the call comes in from the media-servers.

Always try to first have an echo test working for calls. I use Asterisk application Echo() and when I dial in from user I get my own audio echoed back and I know that atleast my audio path is complete. This never tells you that your setup is 100% perfect but it is a good way to know if you're headed right direction.


Wireshark is a great Friend. Use it to examine everything in depth. No matter what I do I always need Wireshark to visually see what is going on with the SIP packets, that gives me everything I need to know to make things right.

root@Kamailio200:~# tcpdump -i any -s 0 -w rtp-calls.pcap -vvv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
1666 packets captured
Download this "rtp-calls.pcap" file and open it up in Wireshark. Click "Telephony"  from the menu bar and select "VoIP Calls"


Hit the Flow button and you'll see beautiful arrows showing the direction of SIP and RTP packets.


On the very Left Hand side is my Soft Phone's Public IP address, then 77.66.55.44 is kamailio's WAN side, and suddenly we see 192.168.1.244 which is Private IP of Kamailio communicating with an Asterisk on 192.168.1.36
The Bold arrows labeled RTP are flowing in both direction means all Perfect.

Thats all for one day. Hope to have some comments and questions on this soon.

Sunday, July 28, 2013

Linux IPSec VPN-2: Amazon Cloud Sever & Linksys Router

This is a post in response to a comment made earlier on my previous blog post on Linux IPSec Setup asking for assistance. So here's what I could possibly do to help the needy.

This is a setup which I assisted one of my friend in creating a VPN between a Static IP Linksys Router and an Amazon cloud based server. Since we all know that Amazon cloud servers don't actually have a static public IP assigned to them instead they've a One-to-One NAT mechanism at the best so this becomes a bit trickier for anyone new to the OpenSWAN or IPSec in Linuxes.

Regardless of the Operating System the openswan package needs to be installed on the server properly. Please refer to other blogs or Google in order to install ipsec service. See this references in this link:

The topology we'll be working on is defined in the diagram below.


Now get to the configurations.

The ipsec.conf file contains these:

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        protostack=netkey
        nat_traversal=yes
conn Linksys
        type=tunnel
        left=10.2.147.164
        leftnexthop=%defaultroute
        leftsubnet=10.2.147.164/26
        right=120.121.122.123
        rightnexthop=%defaultroute
        rightsubnet=192.168.4.0/24
        auth=esp
        keyexchange=ike
        authby=secret
        pfs=yes
        auto=start

And ipsec.secrets contains this:

10.2.147.164 120.121.122.123 : PSK  "y0ur_S3cret_PSK_k3y"

Lets quickly get to the Linksys router and adjust the router according to the following settings.

Move to the VPN tab after logging in to the Linksys router.




Save the settings and restart vpn on both ends. Your VPN should start rocking by now. Ping from the 192.168.4.0/24 LAN to the Amazon IPSec Server's Private IP and it should be replying.

Please always read logs on both the router and the linux server very carefully and figure out what they are trying to communicate. Without any logs I probably would never had created this VPN.

I hope it be of some help to someone. Have a great day.

Wednesday, July 24, 2013

NIC Bonding in CentOS 6.4,Ubuntu 12.04, and Vyatta 6.6

Its late night here and unexpectedly I'm high on motivation to do something except working hence just shifting my procrastination energy into writing this blog.

I've previously blogged a post on setting up an Active/Passive HA setup for Linux servers, so this on is one step further into one server. By one step further into the server I mean to have some form of High Availability on Network Interfaces.

Link Aggregation, NIC Bonding, NIC teaming, Interface Bonding are various names it is known as. Read some basics on it visit this wikipedia link.

My basic motivation for creating NIC Bonding on my servers was to create a self healing topology in which a single cable or interface failure do not impact any service at all. Since I've redundant powers, servers, switches, and routers setup from my very own hands so I know how this will add up in my setup. Removing one cable from the server keeps the server accessible and hence all services working perfectly fine.

The additional benefit which I can benefit from NIC bonding is link "Aggregation". The two 1Gbps interface will and can combine to give me an aggregated speed of 2Gbps. That is something I still need to test and probably post my findings on its reality sometime by transferring huge chunks of data.

WARNING: I had to reboot one of my server as I had an interface already configured so a service restart didn't work properly and the same IP remained configured on eth0 and bond0 and hence caused temporary access issue. Just to be sure have a KVM/ILOM remote access ready while doing this setup.

Lets move forward.

Creating NIC Bond interface on CentOS 6.4

[root@ASTERISK-A ~]# vim /etc/sysconfig/network-scripts/ifcfg-bond0

and insert the following fairly simple to understand lines.

DEVICE=bond0
IPADDR=192.168.15.10
NETMASK=255.255.255.0
GATEWAY=192.168.15.45
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
DNS1=192.168.15.45

Now remember, we need to have atleast two NIC present on the server to be part of the bond. This could be three Gig Interfaces if you've them available in order to achieve a 3Gbps link.

Edit the Interfaces going to be part of this bond.

[root@ASTERISK-A ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

[root@ASTERISK-A ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes

Now its time to setup some parameters for the 007-Bond Interface.

[root@ASTERISK-A ~]# vim /etc/modprobe.d/bonding.conf

Write the lines below in the file,save and exit.
alias bond0 bonding
options bond0 mode=1 miimon=100 arp_interval=100 arp_ip_target=192.168.15.45,192.168.15.5,192.168.15.20


The above configuration is used by the "bonding" Linux kernel module. The options are important here:

mode=1 : Set the bonding method to Active backup
miimon=100 : Set the MII link monitoring frequency to 100 milliseconds. This determines how often the link state of each slave is inspected for link failures.
arp_interval=100 : Set the ARP link monitoring frequency to 100 milliseconds (You can setup any keeping your network equipment in mind). This is important to be there.
arp_ip_target=192.168.15.45, 192.168.15.5 : Use the 192.168.15.5 (router ip) and 192.168.15.45 IP addresses to use as ARP monitoring peers when arp_interval is > 0. This is used determine the health of the link to the targets. Multiple IP addresses must be separated by a comma. At least one IP address must be given (usually I set it to router IP) for ARP monitoring to function. The maximum number of targets that can be specified is 16.

Thats all. Just restart the networking service and if you've any ethernet interface configured then you might need to shutdown that interface and start the network service again.

[root@ASTERISK-A ~]# /etc/init.d/network restart

Creating NIC Bond interface on Ubuntu 12.04

On Ubuntu Server the steps for configuring are 90% the same except that we need to install the package which gets the bonding kernel module.

root@OpenSIPS-A:~# apt-get install ifenslave

We just need to edit one file here.

root@OpenSIPS-A:~# vim /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
        bond-master bond0

auto eth1
iface eth1 inet manual
        bond-master bond0

auto bond0
iface bond0 inet static
mtu 9000
        address 192.168.15.30
        netmask 255.255.255.0
        network 192.168.15.0
        broadcast 192.168.15.255
        gateway 192.168.15.45
        dns-nameservers 192.168.15.45
        bond-miimon 100
        bond-downdelay 200
        bond-updelay 200
        bond-mode active-backup
        bond-slaves none

To make sure that the bonding kernel module is loaded on reboots edit the file /etc/modules
add the word "bonding" at the end save, and exit. To Load bonding module right away execute the following command:

root@OpenSIPS-A:~# modprobe bonding

Now restart the networking service and bond0 interface should be up and ready. 

root@OpenSIPS-A:~# /etc/init.d/networking restart

             Creating NIC Bond interface on Vyatta 6.6

Vyatta is one of my favorite subject, huge thanks to Mr. Asim Ansari who introduced me to it back in 2010 and I've been using it and loving it ever since. There are other cool stuff Vyatta is doing for me which I'll cover later on. Lets see how to create a Bond Interface on Vyatta.

vyatta@FW-A:~$ configure
vyatta@FW-A# set interfaces bonding bond0 address 192.168.15.45/24
vyatta@FW-A# set interfaces bonding bond0 arp-monitor interval 100
vyatta@FW-A# set interfaces bonding bond0 mode adaptive-load-balance
vyatta@FW-A# set interfaces bonding bond0 mtu 9000
vyatta@FW-A# set interfaces ethernet eth0 bond-group bond0
vyatta@FW-A# set interfaces ethernet eth1 bond-group bond0
vyatta@FW-A# commit
vyatta@FW-A# save


WARNING: Once again ensure that the eth0 and eth1 are not assigned with IP address already, if so please delete them before assigning that ethX interface to bond-group. 

Thats all for tonight, I'm sleepy now and should take rest while you guys enjoy having good time with your servers and setups.

Recommended Articles: