From mboxrd@z Thu Jan 1 00:00:00 1970
From: François Delawarde
Date: Wed, 13 Dec 2006 10:12:19 +0000
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Message-Id: <457FD203.9010402@wirelessmundi.com>
List-Id:
References: <457EC047.7090404@wirelessmundi.com>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Thank you for the suggestions, below are my comments:

Grant Taylor wrote:
>> The redirection is working, but the source port is changed by the
>> MASQUERADE, and this doesn't work with SIP/RTP, which contain reply
>> information (ip/port) inside its packets.
>
> If Asterisk is running directly on the firewall box, why are you even
> MASQUERADEing or SNATing the packets? Why not have Asterisk bind
> directly to the external IP? This way MASQUERADE will not get in your
> way as far as changing the ports on you.

It's actually the first thing I tried, but I need to offer service to
both WAN and LAN, and the Asterisk SIP cannot bind to multiple IPs. It
only offers to bind it to a unique IP or 0.0.0.0 (and from the feedback
I got, they don't intend to implement that any time soon). I could
probably run multiple instances or implement this myself, but I don't
have that much talent and time to do those complicated things. :-)

>> Below you can find my network configuration (rules, routes and
>> addresses). Does anyone have an idea of how I could resolve this problem?
>
> I'm looking, but for some reason I can not find it. ;)
>
> Some things to consider:
> - Set up a routing table just for Asterisk.
> - Identify Asterisk traffic via MARKed packets.
> - MARK the packets based on the OWNER match extension. To do this
> Asterisk would need to run as its own user, which should not be a
> problem.
I tried the owner match thing, maybe I did it wrong, but I end up with
the same type of problems. When Asterisk needs to send traffic to WAN,
it seems to bind to one of the two WAN IPs at random, and I end up with
the same NATing problems when it chooses the wrong interface/IP. I also
tried to invert that: MARK all packets that are not Asterisk, put a
special rule/table for that traffic and configure the "default" (from all)
routing table to only one WAN interface. I'm not 100% sure if I did it
correctly, but do you think it's worth trying again?

Maybe this could be the type of solution I'm looking for if only I knew
a little more about that. Do you know how a process chooses an IP when
binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I
could cheat in that case, and make Asterisk or the kernel or whichever
does the binding think that there is only one WAN interface.

Also, do you think that I could use some help from the netfilter SIP
helper? I didn't try but I think it would probably do the same.

> Grant. . . .
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Thanks a lot for your time,

François....
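The question above (who picks the source IP for a socket bound to 0.0.0.0, and when) can be observed directly; this is an added example, not part of the thread: on Linux, connect() on a UDP socket sends no packet but makes the kernel run the routing lookup for the destination and fix the local address from the selected route's preferred source, and getsockname() reads that choice back. The destination 192.0.2.1 and port 5060 are constructed sample values.

```python
import socket

SIP_PORT = 5060  # constructed sample destination port; nothing is sent


def chosen_source(dst_ip: str, dst_port: int = SIP_PORT):
    """Return the source IP the kernel selects for traffic to dst_ip.

    The socket is left unbound, which is the same as binding to 0.0.0.0.
    connect() on a UDP socket does not transmit; it only performs the
    route lookup for dst_ip and records the local address taken from the
    chosen route's preferred source ('src' in `ip route`). A policy rule
    matching a fwmark selects a different table, hence possibly a
    different source. Returns None when no route exists (offline box).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dst_ip, dst_port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def source_is_pinned(dst_ip: str, local_ip: str, dst_port: int = SIP_PORT) -> bool:
    """Contrast case: once bound to one concrete address, the socket keeps
    it for every destination, so the route lookup no longer decides the
    source. This is what binding to a single IP instead of 0.0.0.0 buys.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((local_ip, 0))
        s.connect((dst_ip, dst_port))
        return s.getsockname()[0] == local_ip
    except OSError:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    # The answer for 192.0.2.1 (a documentation address) depends on the
    # local routing table, which is exactly the point of the exercise.
    for dst in ("127.0.0.1", "192.0.2.1"):
        print(f"to {dst}: kernel-selected source {chosen_source(dst)}")
```

Running it on a multi-homed box before and after adding an `ip rule`/`ip route` entry for the marked traffic shows whether the new table actually changes the source the kernel hands to an unbound socket.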