From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Taylor, Grant"
Date: Wed, 13 Dec 2006 15:30:20 +0000
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Message-Id: <45801C8C.5040804@riverviewtech.net>
List-Id:
References: <457EC047.7090404@wirelessmundi.com>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

François Delawarde wrote:
> Thank you for suggestions, below are my comments:

You are welcome.

> It's actually the first thing I tried, but as I need to offer service to
> both WAN and LAN, and the Asterisk SIP cannot bind to multiple IPs. It
> only offers to bind it to a unique IP or 0.0.0.0 (and from the feedback
> I got, they don't intend to implement that any time soon). I could
> probably run multiple instances or implement this myself, but I don't
> have that much talent and time to do those complicated things. :-)

Um, I'm going to have to disagree with you. I have run Asterisk in the
past (in production) where it would bind to multiple IPs. The only
caveat that I can think of is that it may only bind to one IP in a
subnet, or some other strangeness with this. .... I just logged in to
a colleague's system that is running Asterisk for about 4 different
subnets on one system. Asterisk is bound to 0.0.0.0 so that it can
serve any and all subnets. If you would like help configuring Asterisk
to bind to multiple subnets let me know (via direct email) and I'll be glad
to try to help.

> I tried the owner match thing, maybe I did it wrong, but I end up with
> the same type of problems. When Asterisk needs to send traffic to WAN,
> it seems to bind to one of the two WAN IPs at random, and I end up with
> the same NATing problems when it chooses the wrong interface/IP. I also
> tried to inverse that: MARK all packets that are not Asterisk, put a
> special rule/table for that traffic and configure "default" (from all)
> routing table to only one WAN interface. I'm not 100% sure if I did it
> correctly, but do you think it's worth trying again?

If Asterisk is only listening to one IP and you are routing to get to
your other network, you could end up with some really weird issues that
will be very difficult to overcome, probably MUCH harder than resolving
the issue with Asterisk only binding to one interface.

> Maybe this could be the type of solution I'm looking for if only I knew
> a little more about that. Do you know how a process chooses an IP when
> binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I
> could cheat in that case, and make Asterisk or the kernel or whichever
> does the binding think that there is only one WAN interface.

As I understand it, when processes let the system choose the proper IP
to use, the system will choose the IP that is associated with the closest
route to the destination. In short, if the target is on Subnet A, then
the IP for Subnet A will be used. If the target is on Subnet B, then
the IP for Subnet B will be used.

> Also do you think that I could use some help from the netfilter SIP
> helper? I didn't try but I think it would probably do the same.

I'm not familiar with the SIP connection tracking helper. However, I do
believe it would be worth your time to investigate it to see if it will
help you. If you do continue to SNAT / MASQUERADE your outbound SIP
traffic, there is a good chance that the SIP helper will indeed help.
This is of course presuming that the SIP helper is meant to help the
SNAT / MASQUERADE module correctly choose the information that gets put
into packets. Think about how the FTP connection tracking helper works
when dealing with active / passive data streams and ports.

Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
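
The source-address selection described in the message above, as an added example that is not part of the original post: a simplified longest-prefix model over a constructed routing table (the table and all addresses are assumptions, taken from documentation ranges), plus a query of the running kernel's actual choice for a UDP socket bound to 0.0.0.0. The real kernel also applies policy-routing rules and per-route preferred source addresses, which the model omits.

```python
import ipaddress
import socket

# Constructed routing table (assumption): one LAN, two WAN uplinks, and a
# default route through WAN1. Each entry: (destination prefix, local IP
# configured on the interface that route leaves through).
ROUTES = [
    ("192.168.1.0/24", "192.168.1.1"),     # LAN
    ("203.0.113.0/24", "203.0.113.10"),    # WAN1
    ("198.51.100.0/24", "198.51.100.10"),  # WAN2
    ("0.0.0.0/0", "203.0.113.10"),         # default route via WAN1
]

def model_source_ip(dest, routes=ROUTES):
    """Simplified model: the most specific matching route supplies the source IP."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, src in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    return best[1] if best else None       # None: no route to destination

def kernel_source_ip(dest, port=5060):
    """Ask the running kernel which source IP a wildcard-bound UDP socket gets.

    Returns (address before connect, address after connect). connect() on a
    UDP socket sends no packet; it only performs the route lookup and pins
    the local address, which makes the kernel's decision observable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))             # same wildcard bind as Asterisk
        before = s.getsockname()[0]
        try:
            s.connect((dest, port))
        except OSError:                    # e.g. no route to the destination
            return before, None
        return before, s.getsockname()[0]

if __name__ == "__main__":
    for d in ("192.168.1.50", "198.51.100.77", "192.0.2.99"):
        print(f"model:  {d:15} -> source {model_source_ip(d)}")
    print("kernel: 127.0.0.1       ->", kernel_source_ip("127.0.0.1"))
```

On a multi-homed host, calling `kernel_source_ip()` with a real peer address shows which local IP that host's routing table currently selects for it.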