From: Grant Taylor <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Date: Wed, 13 Dec 2006 06:40:00 +0000
Message-ID: <457FA040.4050807@riverviewtech.net>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
On 12/12/06 08:44, François Delawarde wrote:
> I have a linux machine with a SIP server (Asterisk) and 2 WAN interfaces
> (NATed) configured to do load balancing. I experienced problems with the
> SIP/RTP protocols and load balancing, because when initiating a call to
> an external SIP Host, a new RTP flow starts from the server to the Host,
> that sometimes uses another default route (due to the nexthop
> configuration). As I have two different public IPs, the external host
> gets confused while receiving flows from different IPs, and doesn't work
> (or sometimes we only have one-way communication).
IMHO this is what I would expect SIP VoIP traffic to do in this scenario.
> What I basically want is to force all traffic from my SIP server to pass
> by a unique WAN interface (eth2), or to find a solution that would force
> multiple sessions from the same IP to use the same WAN interface.
> Reading various forums and mailing lists, I decided to try to do "output
> re-routing" to all traffic sent to the wrong interface:
>
> (5060 is SIP port and 10000-20000 are the possible RTP ports)
<snip>
> The redirection is working, but the source port is changed by the
> MASQUERADE, and this doesn't work with SIP/RTP, which contain reply
> information (ip/port) inside its packets.
If Asterisk is running directly on the firewall box, why are you even
MASQUERADEing or SNATing the packets? Why not have Asterisk bind
directly to the external IP? This way MASQUERADE will not get in your
way as far as changing the ports on you.
> Even with SNAT or MASQUERADE rules, the source IP of the packet is not
> changed when using these ROUTE targets, the router connected to eth2
> then drops the packets.
Sorry, I have not worked with the ROUTE target so I can not help.
> Below you can find my network configuration (rules, routes and
> addresses). Anyone has an idea of how I could resolve this problem?
I'm looking, but for some reason I can not find it. ;)
Some things to consider:
- Set up a routing table just for Asterisk.
- Identify Asterisk traffic via MARKed packets.
- MARK the packets based on the OWNER match extension. To do this
  Asterisk would need to run as its own user, which should not be a problem.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
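
The three suggestions in the reply above, written out as commands (an added example, not part of the original message or thread). Only `eth2` comes from the thread; the `asterisk` account name, table number, mark value and the 192.0.2.x addresses are constructed placeholders. The SNAT line is an addition: the source address is picked before the mark-triggered re-route, so it has to be pinned to the eth2 address.

```shell
#!/bin/sh
# Policy routing for one local daemon: mark by socket owner, route by mark.
# Everything below except WAN_IF is a constructed placeholder.
AST_USER="asterisk"   # assumed account that Asterisk runs as
WAN_IF="eth2"         # WAN interface named in the thread
WAN_IP="192.0.2.10"   # placeholder: address configured on eth2
WAN_GW="192.0.2.1"    # placeholder: next hop reachable through eth2
TABLE="100"           # arbitrary routing table number
MARK="0x1"            # arbitrary firewall mark

# Print the commands, one per line, so they can be reviewed before use.
asterisk_route_cmds() {
    # 1. A table of its own, whose only default route leaves via eth2.
    echo "ip route add default via $WAN_GW dev $WAN_IF table $TABLE"
    # 2. Marked packets consult that table instead of the multipath default.
    echo "ip rule add fwmark $MARK table $TABLE"
    # 3. Mark locally generated packets whose socket belongs to AST_USER.
    #    A mark set in mangle/OUTPUT makes the kernel redo the route lookup.
    echo "iptables -t mangle -A OUTPUT -m owner --uid-owner $AST_USER -j MARK --set-mark $MARK"
    # 4. Pin the source address for the re-routed packets. Unlike a port
    #    rewrite, SNAT keeps the original source port whenever it is free,
    #    which is what the SIP/RTP payload expects.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -m mark --mark $MARK -j SNAT --to-source $WAN_IP"
}

# Dry run: show what would be applied.
asterisk_route_cmds
```

After review, the printed lines can be applied as root with `asterisk_route_cmds | sh -e`. If Asterisk is bound directly to the eth2 address, as the reply also suggests, rule 4 becomes a no-op.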