From: "François Delawarde" <fdelawarde@wirelessmundi.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Date: Wed, 13 Dec 2006 10:12:19 +0000 [thread overview]
Message-ID: <457FD203.9010402@wirelessmundi.com> (raw)
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
Thank you for the suggestions, below are my comments:
Grant Taylor wrote:
>> The redirection is working, but the source port is changed by the
>> MASQUERADE, and this doesn't work with SIP/RTP, which contain reply
>> information (ip/port) inside its packets.
>
> If Asterisk is running directly on the firewall box, why are you even
> MASQUERADEing or SNATing the packets? Why not have Asterisk bind
> directly to the external IP? This way MASQUERADE will not get in your
> way as far as changing the ports on you.
It's actually the first thing I tried, but I need to offer service to
both WAN and LAN, and Asterisk SIP cannot bind to multiple IPs. It
only offers to bind to a single IP or 0.0.0.0 (and from the feedback
I got, they don't intend to implement that any time soon). I could
probably run multiple instances or implement this myself, but I don't
have that much talent and time to do those complicated things. :-)
>> Below you can find my network configuration (rules, routes and
>> addresses). Does anyone have an idea of how I could resolve this problem?
>
> I'm looking, but for some reason I can not find it. ;)
>
> Some things to consider:
> - Set up a routing table just for Asterisk.
> - Identify Asterisk traffic via MARKed packets.
> - MARK the packets based on the OWNER match extension. To do this
> Asterisk would need to run as its own user, which should not be a
> problem.
I tried the owner match thing, maybe I did it wrong, but I end up with
the same type of problems. When Asterisk needs to send traffic to WAN,
it seems to bind to one of the two WAN IPs at random, and I end up with
the same NATing problems when it chooses the wrong interface/IP. I also
tried to invert that: MARK all packets that are not Asterisk, put a
special rule/table for that traffic and configure the "default" (from all)
routing table to only one WAN interface. I'm not 100% sure if I did it
correctly, but do you think it's worth trying again?
Maybe this could be the type of solution I'm looking for if only I knew
a little more about that. Do you know how a process chooses an IP when
binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I
could cheat in that case, and make Asterisk or the kernel or whichever
does the binding think that there is only one WAN interface.
Also do you think that I could use some help from the netfilter SIP
helper? I didn't try but I think it would probably do the same.
> Grant. . . .
Thanks a lot for your time,
François....
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Thread overview:
2006-12-12 14:44 [LARTC] SIP, NAT, and load balancing problems François Delawarde
2006-12-12 19:54 ` Andrew McGill
2006-12-13 6:40 ` Grant Taylor
2006-12-13 10:12 ` François Delawarde [this message]
2006-12-13 10:33 ` François Delawarde
2006-12-13 15:30 ` Taylor, Grant
2006-12-13 20:48 ` Grant Taylor
2006-12-13 21:57 ` Grant Taylor
2006-12-13 22:44 ` Grant Taylor
2006-12-13 22:57 ` Patrick McHardy
2006-12-14 11:44 ` François Delawarde
2006-12-14 11:59 ` François Delawarde