Thank you for the suggestions; below are my comments:
Grant Taylor wrote:
The redirection is working, but the source port is changed by the
MASQUERADE, and this doesn't work with SIP/RTP, which carry reply
information (IP/port) inside their packets.
If Asterisk is running directly on the firewall box, why are you even
MASQUERADEing or SNATing the packets? Why not have Asterisk bind
directly to the external IP? This way MASQUERADE will not get in your
way as far as changing the ports on you.
It's actually the first thing I tried, but I need to offer service to
both WAN and LAN, and Asterisk SIP cannot bind to multiple IPs. It
only allows binding to a single IP or to 0.0.0.0 (and from the feedback
I got, they don't intend to implement that any time soon). I could
probably run multiple instances or implement this myself, but I don't
have that much talent and time to do those complicated things. :-)
Below you can find my network configuration (rules, routes and
addresses). Does anyone have an idea how I could resolve this problem?
I'm looking, but for some reason I cannot find it. ;)
Some things to consider:
- Set up a routing table just for Asterisk.
- Identify Asterisk traffic via MARKed packets.
- MARK the packets based on the OWNER match extension. To do this
Asterisk would need to run as its own user, which should not be a
problem.
I tried the owner match thing, maybe I did it wrong, but I end up with
the same type of problems. When Asterisk needs to send traffic to the WAN,
it seems to bind to one of the two WAN IPs at random, and I end up with
the same NATing problems when it chooses the wrong interface/IP. I also
tried to invert that: MARK all packets that are not Asterisk, put a
special rule/table for that traffic and configure the "default" (from all)
routing table to use only one WAN interface. I'm not 100% sure I did it
correctly, but do you think it's worth trying again?
Maybe this could be the type of solution I'm looking for, if only I knew
a little more about that. Do you know how a process chooses an IP when
binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I
could cheat in that case, and make Asterisk or the kernel or whichever
does the binding think that there is only one WAN interface.
Also do you think that I could use some help from the netfilter SIP
helper? I didn't try but I think it would probably do the same.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Thanks a lot for your time,
François....
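As an added illustration of the "inverted" approach discussed above (mark everything that is not Asterisk, leave the main table pointing at one WAN), here is a worked script. It is not from the thread or from the Asterisk project; the user name, interface names, gateways and addresses are placeholders (TEST-NET ranges), and the script only prints the commands unless APPLY=1 is set. The reasoning behind marking the non-Asterisk traffic rather than Asterisk's own: for locally generated packets the kernel chooses the source address during the route lookup, which happens before the mangle OUTPUT hook runs, so a MARK on Asterisk's packets re-routes them out another interface but leaves the address Asterisk already wrote into the SIP body. Keeping the main table's default route on the WAN you want Asterisk to use makes the kernel pick that WAN's address for its 0.0.0.0-bound sockets, and excluding that address from the NAT rules keeps the source ports untouched.

```sh
#!/bin/sh
# Dual-WAN policy routing for an Asterisk box that is also the firewall.
# Added example for the LARTC thread, not the original poster's config.
# All values below are hypothetical placeholders; adjust to your setup.
# Commands are printed unless APPLY=1 is exported.

AST_USER="${AST_USER:-asterisk}"          # Asterisk runs as its own user (assumed)
WAN1_IF="${WAN1_IF:-eth1}"                # WAN used for SIP/RTP
WAN1_IP="${WAN1_IP:-192.0.2.10}"          # constructed TEST-NET-1 address
WAN1_GW="${WAN1_GW:-192.0.2.1}"
WAN2_IF="${WAN2_IF:-eth2}"                # WAN used for everything else
WAN2_IP="${WAN2_IP:-198.51.100.10}"       # constructed TEST-NET-2 address
WAN2_GW="${WAN2_GW:-198.51.100.1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"         # LAN behind the firewall
MARK_OTHER="${MARK_OTHER:-0x2}"           # fwmark for non-Asterisk traffic
TABLE_OTHER="${TABLE_OTHER:-200}"         # routing table for that traffic

# Print or execute a command depending on APPLY.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Routing: main table -> WAN1 (so 0.0.0.0-bound Asterisk sockets get
# WAN1_IP as source); marked traffic and anything sourced from WAN2_IP
# -> WAN2 via a dedicated table.
routing_rules() {
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF"
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE_OTHER"
    run ip rule add fwmark "$MARK_OTHER" table "$TABLE_OTHER" priority 100
    run ip rule add from "$WAN2_IP" table "$TABLE_OTHER" priority 101
    run ip route flush cache
}

# Netfilter: mark locally generated packets that do NOT belong to the
# Asterisk user; SNAT only LAN-originated traffic, with a fixed address
# per WAN, so Asterisk's own packets (source WAN1_IP) never match a NAT
# rule and keep their source ports.
firewall_rules() {
    run iptables -t mangle -A OUTPUT -m owner ! --uid-owner "$AST_USER" \
        -j MARK --set-mark "$MARK_OTHER"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN1_IF" \
        -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2_IF" \
        -j SNAT --to-source "$WAN2_IP"
}

# Quick self-check of the intended split: returns 0 when the generated
# rule set marks non-Asterisk traffic and routes it to TABLE_OTHER.
check_rules() {
    routing_rules | grep -q "fwmark $MARK_OTHER table $TABLE_OTHER" || return 1
    firewall_rules | grep -q "! --uid-owner $AST_USER" || return 1
    return 0
}

routing_rules
firewall_rules
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root. Note the rules use -A and are not idempotent; flush the mangle and nat tables (or use -C to test for an existing rule) before re-running, and point WAN-side SIP peers at WAN1_IP, since all of Asterisk's own traffic now leaves through WAN1.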