From: François Delawarde
Date: Wed, 13 Dec 2006 10:33:30 +0000
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Message-Id: <457FD6FA.7090709@wirelessmundi.com>
References: <457EC047.7090404@wirelessmundi.com>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
To: lartc@vger.kernel.org

Andrew McGill wrote:
> On Tuesday Dec 12, 2006 around 3:44pm, François Delawarde wrote,
>
>> Hello all,
>>
>> I have a linux machine with a SIP server (Asterisk) and 2 WAN
>> interfaces (NATed) configured to do load balancing. I experienced
>> problems with the SIP/RTP protocols and load balancing, because when
>> initiating a call to an external SIP Host, a new RTP flow starts from
>> the server to the Host, that sometimes uses another default route
>> (due to the nexthop configuration). As I have two different public
>> IPs, the external host gets confused while receiving flows from
>> different IPs, and doesn't work (or sometimes we only have one-way
>> communication).
>
> There is a similar problem with openvpn which the --multihome patch in
> 2.1_rc* solves (SOL_IP / IP_PKTINFO option on the socket). Unless the
> application (asterisk in your case) chooses to bind a UDP socket to a
> particular IP address, the routing subsystem will assign the IP
> address. Since UDP is connectionless, there is no reason to use the
> same IP address as the incoming 'connection'. (ip_conntrack doesn't
> count.)

I cannot bind Asterisk to a particular IP address, as I need to use it
for both LAN and WAN, but if the routing subsystem assigns the IP, does
it take into account netfilter MARK and special rules, or do you know a
way to "force" this routing subsystem into assigning an IP address?

I'm trying to understand when and how this IP address is chosen, and see
if I can act at that level (doing NAT and ROUTE things doesn't seem to
work a lot, and it's probably too "late" to work the problem).

>
> *You* may be able to solve the problem with some creative use of the
> CONNMARK target (I didn't succeed). The best solution, in the absence
> of a kernel hack to treat UDP as a connection-oriented protocol, is to
> fix asterisk (IMHO, IANAKH).
>
> &:-)

I was thinking of trying that along with the netfilter SIP helper, but I
don't even understand how helpers work yet. If you have an idea of how I
could use those things, it would also be worth trying.

Thank you very much,

François.
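
The SOL_IP / IP_PKTINFO socket option named in the quoted reply, as an added example (not code from this thread, from OpenVPN or from Asterisk): a Linux UDP socket bound to 0.0.0.0 reads the local address each datagram arrived on and sends its reply from that same address instead of leaving the choice to the routing subsystem. The function names, the loopback address 127.0.0.2 and the demo are constructed for illustration.

```c
#define _GNU_SOURCE            /* exposes struct in_pktinfo on glibc */
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Echo one datagram from the local address it arrived on; returns that address, 0 on failure. */
in_addr_t echo_from_arrival_addr(int fd) {
    union { char b[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct cmsghdr align; } cb;
    char buf[512];
    struct sockaddr_in peer;
    struct in_pktinfo in = {0}, out = {0};
    struct iovec iov = { buf, sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = cb.b, .msg_controllen = sizeof cb.b };
    ssize_t n = recvmsg(fd, &m, 0);
    if (n < 0) return 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&m); c; c = CMSG_NXTHDR(&m, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            memcpy(&in, CMSG_DATA(c), sizeof in);  /* ipi_addr: address the peer sent to */
    if (in.ipi_addr.s_addr == 0) return 0;         /* IP_PKTINFO not enabled on fd */
    out.ipi_spec_dst = in.ipi_addr;                /* source address for the reply */
    iov.iov_len = (size_t)n; m.msg_controllen = sizeof cb.b;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO; c->cmsg_len = CMSG_LEN(sizeof out);
    memcpy(CMSG_DATA(c), &out, sizeof out);
    return sendmsg(fd, &m, 0) < 0 ? 0 : in.ipi_addr.s_addr;
}

/* Constructed loopback demo: returns 1 if a request sent to 127.0.0.2 is answered from 127.0.0.2. */
int reply_source_matches(void) {
    int on = 1, srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET }, from = {0};
    struct timeval tv = { 2, 0 };                  /* fail instead of hanging */
    socklen_t len = sizeof a;
    char buf[16];
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    bind(srv, (struct sockaddr *)&a, sizeof a);    /* 0.0.0.0, kernel-chosen port */
    getsockname(srv, (struct sockaddr *)&a, &len);
    a.sin_addr.s_addr = htonl(0x7f000002);         /* 127.0.0.2, not the default 127.0.0.1 */
    sendto(cli, "ping", 4, 0, (struct sockaddr *)&a, sizeof a);
    int ok = echo_from_arrival_addr(srv) == a.sin_addr.s_addr
          && recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &len) == 4
          && from.sin_addr.s_addr == a.sin_addr.s_addr;
    close(srv); close(cli);
    return ok;
}
int main(void) { return !reply_source_matches(); }
```

The process exits with status 0 when the reply's source address equals the address the request was sent to.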