From: "François Delawarde" <fdelawarde@wirelessmundi.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] SIP, NAT, and load balancing problems
Date: Thu, 14 Dec 2006 11:44:57 +0000
Message-ID: <45813939.7010604@wirelessmundi.com>
In-Reply-To: <457EC047.7090404@wirelessmundi.com>

I unfortunately think that I can't use that solution (if I understood it
well).

My box actually has two functions: it's an Asterisk box and a load
balancing router.

For LAN clients, as this box represents their default gateway, there
would be no problem in implementing a pure routing solution. I could
create a new subnet on a dummy interface, and reconfigure all LAN SIP
phones to point to that IP; the box itself would route packets to its
dummy interface.

For WAN clients, what I need is to have a unique interface (a unique
public IP) accepting SIP connections, and outgoing traffic always
passing by this interface. My current issue is with outgoing SIP/RTP
traffic that sometimes gets load-balanced and uses the other public IP,
which I have to force to the other interface, with lots of
NATing/Re-Routing problems, as a single call can have multiple UDP flows
(SIP and RTPs).

My main problem with the DummyNet solution on the WAN side is that I
cannot access the internet routers behind this box, so I can't add
routes to reach a new subnet. This means that I'm back with the same
type of problem trying to NAT, but this time not only the box's outgoing
traffic, but also the clients' incoming traffic, for them to reach the
dummy0 interface.

Tell me if I'm wrong, but that solution appears to me as more
complicated in my particular case. Ouch, that's much harder than I
thought it would be. :-(

François.

Grant Taylor wrote:
> François Delawarde wrote:
>> What I meant is that people (in #asterisk on freenode) told me that
>> Asterisk could be bound to a unique IP, or to all IPs (binding it to
>> 0.0.0.0). But if you know a way to bind it to only some IPs, then
>> yeah! I need your help :-) I guess we need to put something in the
>> bindaddr parameter of sip.conf. Right now I have:
>>
>> [general]
>> bindaddr=0.0.0.0
>>
>> I have 3 IPs in 3 interfaces:
>> eth0 (LAN): 192.168.10.1
>> eth1 (WAN): 192.168.1.2 (gw 192.168.1.1)
>> eth2 (WAN): 192.168.2.2 (gw 192.168.2.1)
>>
>> How can I bind Asterisk SIP to 192.168.10.1 and 192.168.2.2 only, to
>> work around my load balancing problem?
>
> I'll email you off the mailing list as this does not pertain to LARTC.
>
>>> If Asterisk is only listening to one IP and you are routing to get
>>> to your other network, you could end up with some really weird
>>> issues that will be very difficult to overcome, probably MUCH
>>> harder than resolving the issue with Asterisk only binding to one
>>> interface.
>>
>> I don't really understand what you mean, but that's right, I have
>> really weird issues.
>
> What I was saying is that if Asterisk is only bound to one IP address,
> be it loopback, eth0, eth1, or even a dummy0 interface, you will have to
> route traffic to that address.
>
> If you can indeed only bind Asterisk to only one IP address or all IP
> addresses on the system, I would recommend that you use DummyNet to bind
> Asterisk to. However this may be a problem down when NATing comes into
> play. (More on this later.)
>
> Supposing that you bind Asterisk to the dummy0 interface, either all
> equipment will need to itself know how, or the default router for the
> equipment will need to know how to reach the subnet on the dummy0
> interface. This usually means that you will have to have the default
> gateway for all client systems / phones know how to reach the subnet on
> the dummy0 interface. I.e. the default gateway will have to have a
> route to the subnet on the dummy0 interface via the interface on the
> Asterisk box facing the router(s).
>
> Consider:
>                    +----------------------+
>                    |     Asterisk Box     |
>                    |         [A.B.C.D/NM]-|---(INet)
> (192.168.0.0/24)---|-[192.168.0.254/24]   |
>                    |   [192.2.0.254/24]   |
>                    |          |           |
>                    +----------------------+
>                               |
>                            [dummy0]
>
> In this case, 192.168.0.254/24 is the LAN, the internet is its own
> IP, and 192.2.0.254/24 is assigned to the dummy0 interface. If you
> bind Asterisk to the 192.2.0.254 IP on the dummy0 interface, you will
> have to route all traffic that is to or from Asterisk into and out of
> the dummy0 network.
>
> Now that you can easily see that you would have to route traffic into
> and out of the dummy0 interface, I can probably better explain the
> weird routing issue that you have. You are binding Asterisk to an IP
> on your system. No matter what IP you bind Asterisk to, traffic from
> any other subnet will have to be routed to that subnet to reach Asterisk.
>
> With this in mind, now consider if you bind Asterisk to one WAN
> interface, traffic to / from your LAN or the other WAN interface will
> have to be routed to be able to reach Asterisk. If you bind Asterisk
> to the LAN interface, traffic to / from either WAN will have to be
> routed to be able to reach Asterisk.
>
> Usually routing traffic is not an issue. However, as you have pointed
> out, when you MASQUERADE traffic as it leaves either of your WAN
> interfaces, the port numbers are changed, thus breaking your SIP
> connection.
>
> So, you need to be able to not alter the SIP packet stream. So, what
> you need to really do is only alter traffic that is not originating /
> terminating on your firewall. You could do this a few different ways.
> Probably the easiest way would be to not MASQUERADE any traffic, save
> for traffic that originates on your LAN, not the firewall / Asterisk
> box itself.
>
> You will probably also need to do something to make sure that your SIP
> traffic is not subject to load balancing. If you set up some sort of
> identifier for your SIP traffic, say locally originated / terminated,
> you could use a custom routing table to not load balance the traffic
> via multiple next hops.
>
> One advantage of having Asterisk bind to a completely different IP,
> i.e. on the dummy0 interface is that you could set up a rule that
> looked for source or target IPs in the subnet on dummy0 as a VERY easy
> and clear identifier as the traffic would belong to Asterisk.
>
>> What happens in my case, where default subnet (0.0.0.0/0 subnet) has
>> two IPs (2 WAN with load balancing)? And do you know at what moment
>> this IP is chosen? Do you think I can trick the routing subsystem (or
>> whoever decides the IP) to force the decision?
>
> Sorry, I don't know what moment the decision is made. Nor do I think
> you could "Trick" the routing sub system once it has made a decision.
> Sure, you can do some things to override which interface is used to
> carry out the decision that was made. I think what would be better
> would be to influence / control the possibilities that the routing sub
> system has to choose from.
>
>> I'll try to check on that, if I can't resolve the issue with Asterisk
>> bindings.
>
> *nod*
>
>
>
> Grant. . . .
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
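
The two measures suggested in the quoted reply (a custom routing table selected by an identifier for Asterisk's traffic, and MASQUERADE only for packets that originate on the LAN) can be sketched as below. This is an added example, not part of the original message: it uses the interfaces and addresses listed in the thread and assumes /24 masks, routing table id 100, and Asterisk bound to 192.168.2.2.

```shell
#!/bin/sh
# Added example (not from the thread): pin Asterisk's traffic to one WAN and
# NAT only LAN clients. Interface names and addresses are the ones listed in
# the message; the /24 masks, table id 100, and Asterisk being bound to
# 192.168.2.2 are assumptions.
LAN_IF=eth0; LAN_NET=192.168.10.0/24
SIP_IF=eth2; SIP_IP=192.168.2.2; SIP_GW=192.168.2.1; SIP_NET=192.168.2.0/24
ALT_IF=eth1          # the other, load-balanced WAN
SIP_TABLE=100

# Dry run by default: print each command. APPLY=1 executes it (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Dedicated table with a single default route, so packets that match the rule
# below never reach the multipath default in the main table.
sip_policy_routing() {
    # Replies to LAN phones must still leave via eth0, not the WAN gateway.
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$SIP_TABLE"
    run ip route add "$SIP_NET" dev "$SIP_IF" src "$SIP_IP" table "$SIP_TABLE"
    run ip route add default via "$SIP_GW" dev "$SIP_IF" table "$SIP_TABLE"
    # Identifier for Asterisk's traffic: its source address.
    run ip rule add from "$SIP_IP" lookup "$SIP_TABLE" priority 100
}

# MASQUERADE only what originates on the LAN; SIP/RTP generated by the box
# itself keeps its source address and ports.
nat_lan_only() {
    for wan in "$ALT_IF" "$SIP_IF"; do
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$wan" -j MASQUERADE
    done
}

sip_policy_routing
nat_lan_only
```

Once applied, `ip route get 203.0.113.10 from 192.168.2.2` should report `dev eth2` (203.0.113.10 is a placeholder destination).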