From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Date: Wed, 13 Dec 2006 15:30:20 +0000
Message-ID: <45801C8C.5040804@riverviewtech.net>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>

François Delawarde wrote:
> Thank you for suggestions, below are my comments:

You are welcome.

> It's actually the first thing I tried, but as I need to offer service to
> both WAN and LAN, and the Asterisk SIP cannot bind to multiple IPs. It
> only offers to bind it to a unique IP or 0.0.0.0 (and from the feedback
> I got, they don't intend to implement that any time soon). I could
> probably run multiple instances or implement this myself, but I don't
> have that much talent and time to do those complicated things. :-)

Um, I'm going to have to disagree with you. I have run Asterisk in the
past (in production) where it would bind to multiple IPs. The only
caveat that I can think of is that it may only bind to one IP in a
subnet, or some other strangeness with this. .... I just logged in to
a colleague's system that is running Asterisk for about 4 different
subnets on one system. Asterisk is bound to 0.0.0.0 so that it can
serve any and all subnets. If you would like help configuring Asterisk
to bind to multiple subnets let me know (via direct email) and I'll be glad
to try to help.

> I tried the owner match thing, maybe I did it wrong, but I end up with
> the same type of problems. When Asterisk needs to send traffic to WAN,
> it seems to bind to one of the two WAN IPs at random, and I end up with
> the same NATing problems when it chooses the wrong interface/IP. I also
> tried to inverse that: MARK all packets that are not Asterisk, put a
> special rule/table for that traffic and configure "default" (from all)
> routing table to only one WAN interface. I'm not 100% sure if I did it
> correctly, but do you think it's worth trying again?

If Asterisk is only listening to one IP and you are routing to get to
your other network, you could end up with some really weird issues that
will be very difficult to overcome, probably MUCH harder than resolving
the issue with Asterisk only binding to one interface.

> Maybe this could be the type of solution I'm looking for if only I knew
> a little more about that. Do you know how a process chooses an IP when
> binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I
> could cheat in that case, and make Asterisk or the kernel or whichever
> does the binding think that there is only one WAN interface.

As I understand it, when processes let the system choose the proper IP
to use, the system will choose the IP that is associated with the closest
route to the destination. In short, if the target is on Subnet A, then
the IP for Subnet A will be used. If the target is on Subnet B, then
the IP for Subnet B will be used.

> Also do you think that I could use some help from the netfilter SIP
> helper? I didn't try but I think it would probably do the same.

I'm not familiar with the SIP connection tracking helper. However, I do
believe it would be worth your time to investigate it to see if it will
help you. If you do continue to SNAT / MASQUERADE your outbound SIP
traffic, there is a good chance that the SIP helper will indeed help.
This is of course presuming that the SIP helper is meant to help the
SNAT / MASQUERADE module correctly choose the information that gets put
into packets. Think about how the FTP connection tracking helper works
when dealing with active / passive data streams and ports.

Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
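
Added example, not part of the original message: the source-address choice discussed above for a socket bound to 0.0.0.0, shown as a simplified longest-prefix model over a constructed dual-WAN routing table and as a live query of the running kernel. The `ROUTES` table, its documentation-range addresses and the function names are assumptions for illustration; the real kernel also considers address scope and any preferred source set on the route.

```python
import ipaddress
import socket

# Constructed routing table for a dual-WAN host (documentation addresses).
# Each entry: (destination prefix, preferred source IP, metric).
ROUTES = [
    ("192.168.1.0/24", "192.168.1.1", 0),    # LAN
    ("198.51.100.0/24", "198.51.100.2", 0),  # WAN A subnet
    ("203.0.113.0/24", "203.0.113.2", 0),    # WAN B subnet
    ("0.0.0.0/0", "198.51.100.2", 100),      # default via WAN A
    ("0.0.0.0/0", "203.0.113.2", 200),       # default via WAN B (backup)
]

def select_source(dst, routes=ROUTES):
    """Simplified model: longest matching prefix wins, lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, src, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, src)
    return best[1] if best else None

def kernel_source_for(dst, port=5060):
    """Ask the running kernel which source IP a wildcard-bound UDP socket gets.

    connect() on a UDP socket sends no packet; it only performs the route
    lookup and fixes the local address, which getsockname() then reports.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("0.0.0.0", 0))       # wildcard bind, like the SIP listener
        s.connect((dst, port))
        return s.getsockname()[0]
    except OSError:
        return None                   # no route to that destination
    finally:
        s.close()

if __name__ == "__main__":
    for dst in ("192.168.1.50", "203.0.113.77", "192.0.2.10"):
        print(dst, "->", select_source(dst))
    print("live kernel, 127.0.0.1 ->", kernel_source_for("127.0.0.1"))
```

In the model, any destination outside the directly connected subnets falls through to the lowest-metric default route, so a host with two equal-cost WAN defaults has no stable answer for off-net SIP peers.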
Thread overview: 12+ messages
2006-12-12 14:44 [LARTC] SIP, NAT, and load balancing problems François Delawarde
2006-12-12 19:54 ` Andrew McGill
2006-12-13 6:40 ` Grant Taylor
2006-12-13 10:12 ` François Delawarde
2006-12-13 10:33 ` François Delawarde
2006-12-13 15:30 ` Taylor, Grant [this message]
2006-12-13 20:48 ` Grant Taylor
2006-12-13 21:57 ` Grant Taylor
2006-12-13 22:44 ` Grant Taylor
2006-12-13 22:57 ` Patrick McHardy
2006-12-14 11:44 ` François Delawarde
2006-12-14 11:59 ` François Delawarde