From: Grant Taylor
Date: Wed, 13 Dec 2006 06:40:00 +0000
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Message-Id: <457FA040.4050807@riverviewtech.net>
References: <457EC047.7090404@wirelessmundi.com>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
To: lartc@vger.kernel.org

On 12/12/06 08:44, François Delawarde wrote:
> I have a linux machine with a SIP server (Asterisk) and 2 WAN interfaces
> (NATed) configured to do load balancing. I experienced problems with the
> SIP/RTP protocols and load balancing, because when initiating a call to
> an external SIP Host, a new RTP flow starts from the server to the Host,
> that sometimes uses another default route (due to the nexthop
> configuration). As I have two different public IPs, the external host
> gets confused while receiving flows from different IPs, and doesn't work
> (or sometimes we only have one-way communication).

IMHO this is what I would expect SIP VoIP traffic to do in this scenario.

> What I basically want is to force all traffic from my SIP server to pass
> by a unique WAN interface (eth2), or to find a solution that would force
> multiple sessions from the same IP to use the same WAN interface.
> Reading various forums and mailing lists, I decided to try to do "output
> re-routing" to all traffic sent to the wrong interface:
>
> (5060 is SIP port and 10000-20000 are the possible RTP ports)
> The redirection is working, but the source port is changed by the
> MASQUERADE, and this doesn't work with SIP/RTP, which contain reply
> information (ip/port) inside its packets.

If Asterisk is running directly on the firewall box, why are you even
MASQUERADEing or SNATing the packets?  Why not have Asterisk bind
directly to the external IP?
This way MASQUERADE will not get in your
way as far as changing the ports on you.

> Even with SNAT or MASQUERADE rules, the source IP of the packet is not
> changed when using these ROUTE targets, the router connected to eth2
> then drops the packets.

Sorry, I have not worked with the ROUTE target so I can not help.

> Below you can find my network configuration (rules, routes and
> addresses). Anyone has an idea of how I could resolve this problem?

I'm looking, but for some reason I can not find it.  ;)

Some things to consider:
 - Set up a routing table just for Asterisk.
 - Identify Asterisk traffic via MARKed packets.
 - MARK the packets based on the OWNER match extension.  To do this
   Asterisk would need to run as its own user, which should not be a
   problem.

Grant. . . .
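
The three suggestions that close the reply above, written out as an added example; it is not part of Grant's message or of the original poster's configuration. The user name `asterisk`, mark `0x1`, table id `100` and gateway `192.0.2.1` are assumed placeholders, `eth2` is the WAN interface named in the thread, and Asterisk is assumed to bind to the eth2 address as the reply suggests, so no NAT rule is involved.

```shell
#!/bin/sh
# Added example: route everything owned by the Asterisk user out one WAN link.
# Assumed placeholders (not from the thread): user, mark, table id, gateway.
AST_USER="${AST_USER:-asterisk}"
FWMARK="${FWMARK:-0x1}"
RT_TABLE="${RT_TABLE:-100}"
WAN_DEV="${WAN_DEV:-eth2}"        # WAN interface named in the thread
WAN_GW="${WAN_GW:-192.0.2.1}"     # documentation address, replace with real gateway
DRY_RUN="${DRY_RUN:-1}"           # 1 = print only, 0 = apply (needs root)

# Accept only plain tokens, since these values end up in commands run as root.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands, one per line, in the order they should be applied.
asterisk_route_cmds() {
    for v in "$AST_USER" "$FWMARK" "$RT_TABLE" "$WAN_DEV" "$WAN_GW"; do
        valid_token "$v" || { echo "invalid parameter: $v" >&2; return 1; }
    done
    # A routing table just for Asterisk: its only default route is via eth2.
    echo "ip route add default via $WAN_GW dev $WAN_DEV table $RT_TABLE"
    # MARK locally generated packets by owning user (owner match, OUTPUT only).
    echo "iptables -t mangle -A OUTPUT -m owner --uid-owner $AST_USER -j MARK --set-mark $FWMARK"
    # Send marked packets to the dedicated table instead of the multipath default.
    echo "ip rule add fwmark $FWMARK table $RT_TABLE"
    echo "ip route flush cache"
}

apply_asterisk_route() {
    cmds=$(asterisk_route_cmds) || return 1
    echo "$cmds" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "+ $cmd"
        else
            $cmd || exit 1   # stop at the first failing command
        fi
    done
}

apply_asterisk_route
```

Because the mark is set per owning user rather than per port, both the SIP signalling and the RTP streams sent by that user follow the same table and leave through the same interface.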