Re: SIP, NAT, and load balancing problems

Linux Advanced Routing and Traffic Control

On Tuesday Dec 12, 2006 around 3:44pm, François Delawarde wrote,

Hello all,

I have a linux machine with a SIP server (Asterisk) and 2 WAN interfaces (NATed) configured to do load balancing. I experienced problems with the SIP/RTP protocols and load balancing, because when initiating a call to an external SIP Host, a new RTP flow starts from the server to the Host, that sometimes uses another default route (due to the nexthop configuration). As I have two different public IPs, the external host gets confused while receiving flows from different IPs, and doesn't work (or sometimes we only have one-way communication).

There is a similar problem with openvpn which the --multihome patch in 2.1_rc* solves (SOL_IP / IP_PKTINFO option on the socket). Unless the application (asterisk in your case) chooses to bind a UDP socket to a particular IP address, the routing subsystem will assign the IP address. Since UDP is connectionless, there is no reason to use the same IP address as the incoming 'connection'. (ip_conntrack doesn't count.)

*You* may be able to solve the problem with some creative use of the CONNMARK target (I didn't succeed). The best solution, in the absence of a kernel hack to treat UDP as a connection-oriented protocol, is to fix asterisk (IMHO, IANAKH).

&:-)




          __________
         |          |-eth1---|Router ISP 1|---WAN 1
LAN-eth0-|SIP Server|
         |__________|-eth2---|Router ISP 2|---WAN 2


What I basically want is to force all traffic from my SIP server to pass by a unique WAN interface (eth2), or to find a solution that would force multiple sessions from the same IP to use the same WAN interface. Reading various forums and mailing lists, I decided to try to do "output re-routing" to all traffic sent to the wrong interface:

(5060 is the SIP port and 10000-20000 are the possible RTP ports)

1. using FWMARK and iproute2:

iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 5060 -j MARK --set-mark 0x101
iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 10000:20000 -j MARK --set-mark 0x101
ip rule add prio 101 fwmark 0x101 table 101
ip route add default via 192.168.2.1 dev eth2 src 192.168.2.2 table 101
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

The redirection is working, but the source port is changed by the MASQUERADE, and this doesn't work with SIP/RTP, which carry reply information (IP/port) inside their packets.


2. iptables ROUTE target:

iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 5060 -j ROUTE --oif eth2 --gw 192.168.2.1 --continue
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 10000:20000 -j ROUTE --oif eth2 --gw 192.168.2.1 --continue
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

Even with SNAT or MASQUERADE rules, the source IP of the packet is not changed when using these ROUTE targets, so the router connected to eth2 then drops the packets.


Below you can find my network configuration (rules, routes and addresses). Does anyone have an idea of how I could resolve this problem?

Thanks,
François.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



--
Disclaimer: our lawyers will sue us if you copy this disclaimer
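The IP_PKTINFO approach the reply points to, as an added example (not code from the thread, OpenVPN or Asterisk): a UDP responder bound to the wildcard address reads the local destination of each incoming datagram from the ancillary data and pins its reply to that same address, so on a multihomed host the answer leaves from the IP the peer already talked to instead of whichever default route the lookup hits. The port, payloads and loopback addresses are constructed for the demo.

```python
import socket
import struct

# Linux numeric value of IP_PKTINFO; recent Pythons expose it, older ones do not.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "=I4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr


def parse_pktinfo(cmsg_data: bytes) -> dict:
    """Decode the in_pktinfo of a received datagram; 'addr' is the header
    destination, i.e. the local IP (WAN 1 or WAN 2 side) it arrived on."""
    ifindex, spec_dst, addr = struct.unpack(PKTINFO_FMT, cmsg_data[:12])
    return {"ifindex": ifindex,
            "spec_dst": socket.inet_ntoa(spec_dst),
            "addr": socket.inet_ntoa(addr)}


def build_pktinfo(src_ip: str, ifindex: int = 0) -> bytes:
    """Build in_pktinfo for sendmsg: a non-zero ipi_spec_dst makes the kernel
    use src_ip as the source address for the routing lookup and the packet."""
    return struct.pack(PKTINFO_FMT, ifindex, socket.inet_aton(src_ip), b"\0" * 4)


def pktinfo_socket(port: int) -> socket.socket:
    """Wildcard-bound UDP socket (as an app that does not bind per-IP would
    use) that asks the kernel for IP_PKTINFO on every received datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    sock.bind(("0.0.0.0", port))
    return sock


def reply_from_arrival_address(sock: socket.socket, payload: bytes) -> str:
    """Receive one datagram and answer it from the local IP it arrived on.
    Without the pktinfo on sendmsg the kernel would pick the source address
    from whichever default route the lookup hit. Returns the pinned address."""
    _data, ancdata, _flags, peer = sock.recvmsg(2048, socket.CMSG_SPACE(12))
    info = next(parse_pktinfo(d) for level, ctype, d in ancdata
                if level == socket.IPPROTO_IP and ctype == IP_PKTINFO)
    sock.sendmsg([payload],
                 [(socket.IPPROTO_IP, IP_PKTINFO, build_pktinfo(info["addr"]))],
                 0, peer)
    return info["addr"]


if __name__ == "__main__":
    # Loopback demo with constructed addresses; on a multihomed host the
    # returned address would be whichever WAN-side IP the peer reached.
    server = pktinfo_socket(0)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(b"INVITE", ("127.0.0.1", server.getsockname()[1]))
    print("replied from", reply_from_arrival_address(server, b"SIP/2.0 200 OK"))
    print("client received", client.recvfrom(64)[0])
```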
