From: "François Delawarde" <fdelawarde@wirelessmundi.com>
To: lartc@vger.kernel.org
Subject: [LARTC] SIP, NAT, and load balancing problems
Date: Tue, 12 Dec 2006 14:44:23 +0000	[thread overview]
Message-ID: <457EC047.7090404@wirelessmundi.com> (raw)

Hello all,

I have a Linux machine with a SIP server (Asterisk) and 2 WAN interfaces 
(NATed) configured to do load balancing. I experienced problems with the 
SIP/RTP protocols and load balancing, because when initiating a call to 
an external SIP host, a new RTP flow starts from the server to the host, 
that sometimes uses another default route (due to the nexthop 
configuration). As I have two different public IPs, the external host 
gets confused while receiving flows from different IPs, and doesn't work 
(or sometimes we only have one-way communication).

            __________
           |          |-eth1---|Router ISP 1|---WAN 1
LAN---eth0-|SIP Server|
           |__________|-eth2---|Router ISP 2|---WAN 2


What I basically want is to force all traffic from my SIP server to pass 
by a unique WAN interface (eth2), or to find a solution that would force 
multiple sessions from the same IP to use the same WAN interface. 
Reading various forums and mailing lists, I decided to try to do "output 
re-routing" of all traffic sent to the wrong interface:

(5060 is SIP port and 10000-20000 are the possible RTP ports)

1. Using FWMARK and iproute2:

iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 5060 -j MARK --set-mark 0x101
iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 10000:20000 -j MARK --set-mark 0x101
ip rule add prio 101 fwmark 0x101 table 101
ip route add default via 192.168.2.1 dev eth2 src 192.168.2.2 table 101
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

The redirection is working, but the source port is changed by the 
MASQUERADE, and this doesn't work with SIP/RTP, which carry the reply 
information (IP/port) inside their packets.


2. Using the iptables ROUTE target:

iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 5060 -j ROUTE --oif eth2 --gw 192.168.2.1 --continue
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 10000:20000 -j ROUTE --oif eth2 --gw 192.168.2.1 --continue
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

Even with SNAT or MASQUERADE rules, the source IP of the packet is not 
changed when using these ROUTE targets, so the router connected to eth2 
then drops the packets.


Below you can find my network configuration (rules, routes and 
addresses). Does anyone have an idea of how I could resolve this problem?

Thanks,
François.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
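The failure mode described in the post, that SIP and SDP carry the reply address inside the payload while NAT and per-flow load balancing rewrite the outer headers, can be checked for on a capture. The following is an added example, not code from the post or from Asterisk; the INVITE and the observed addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed, and `nat_findings` is a hypothetical helper that reports why a call would end up one-way.

```python
import re

# Reply information a SIP INVITE embeds in its payload: the Via header for
# signalling replies, and the SDP c=/m=audio lines for where RTP should go.
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([\d.]+):(\d+)", re.M | re.I)
SDP_C_RE = re.compile(r"^c=IN IP4 ([\d.]+)", re.M)
SDP_M_RE = re.compile(r"^m=audio (\d+) ", re.M)


def embedded_endpoints(sip_msg):
    """Return ((via_ip, via_port), (media_ip, media_port)) advertised in the message."""
    via, conn, media = VIA_RE.search(sip_msg), SDP_C_RE.search(sip_msg), SDP_M_RE.search(sip_msg)
    if not (via and conn and media):
        raise ValueError("not a SIP INVITE with an SDP audio offer")
    return (via.group(1), int(via.group(2))), (conn.group(1), int(media.group(1)))


def nat_findings(sip_msg, observed_sig, observed_rtp):
    """observed_sig / observed_rtp: (ip, port) the far end actually sees after NAT.
    Returns a list of mismatches; an empty list means the call should work."""
    via, media = embedded_endpoints(sip_msg)
    findings = []
    if via != observed_sig:  # SIP replies go to the Via address, not the real source
        findings.append(f"signalling: Via says {via[0]}:{via[1]} but packet came from {observed_sig[0]}:{observed_sig[1]}")
    if media != observed_rtp:  # MASQUERADE rewrote the RTP port, or the IP is private
        findings.append(f"media: SDP says {media[0]}:{media[1]} but RTP came from {observed_rtp[0]}:{observed_rtp[1]}")
    if observed_sig[0] != observed_rtp[0]:  # nexthop load balancing split one call over two WANs
        findings.append(f"signalling and media left via different public IPs ({observed_sig[0]} vs {observed_rtp[0]})")
    return findings


# Constructed sample: the server's private address 192.168.2.2 is what the INVITE advertises.
SAMPLE_INVITE = (
    "INVITE sip:bob@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.2:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:asterisk@192.168.2.2:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.168.2.2\r\ns=-\r\nc=IN IP4 192.168.2.2\r\nt=0 0\r\n"
    "m=audio 10002 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    # Scenario from the post: signalling left via WAN 1, RTP via WAN 2 with a masqueraded port.
    for line in nat_findings(SAMPLE_INVITE, ("198.51.100.7", 5060), ("203.0.113.45", 1029)):
        print(line)
```

Run against the same INVITE with observed addresses equal to the embedded ones, the helper returns an empty list, which is the state the fwmark/table-101 setup in the post is trying to reach.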
