This post summarizes what has been done for the reference of others. The initial goal was to load balance SIP traffic flowing from a single box to two different internet connections on two different interfaces. The traffic was generated from asterisk version 1.4 (debian lenny).

The attempted solution was as follows:

1. create two trunks for SIP calls
2. split peers between these two trunks
3. bind each trunk to a different interface
4. register asterisk on both trunks

AFAIK, 1, 2 and 3 were successful, but 4 failed because of SIP NAT problems and asterisk limitations (to my best knowledge).

Steps 1 and 2 were done in the asterisk configuration.

Step 3 was done with shorewall. A standard configuration was used as the base:

a. interfaces listed in the providers file;
b. traffic shaping in tcrules.

Additionally, an extension script was used to bind each SIP trunk to a different interface, using iptables -m string extensions. I ended up using the 'started' shorewall entry-point with the following configuration:

    run_iptables -t mangle -A OUTPUT -d 200.219.209.250 -p udp --dport 5060 -m string --string "<sip:[email protected]>" --algo bm -j MARK --set-mark 0x100
    run_iptables -t mangle -A OUTPUT -d 200.219.209.250 -p udp --dport 5060 -m string --string "<sip:[email protected]>" --algo bm -j MARK --set-mark 0x200
    run_iptables -t mangle -A OUTPUT -d 200.219.209.250 -p udp --dport 5060 -j CONNMARK --save-mark

I call this 'one ugly hack', but it worked :-P Traffic was correctly assigned to the determined interface. Shorewall rocks :-)

Step 4 failed, it seems, because asterisk binds to all interfaces but always uses the address of the first interface in the Via header, or the configured unique external ip. Without a configured external ip, traffic bound to the second interface contains a Via header with the address of the first interface, and is not replied to. With a configured external ip, the Via header always uses this address, which is appropriate for one of the interfaces but not the other.

I believe this could be made to work by patching asterisk to allow for different external ip for each trunk.

Comments and suggestions are welcome.

Pedro
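
Added example, not part of the original post and not Asterisk or Shorewall code: a Python check for the step 4 failure described above, comparing the topmost Via address of an outgoing SIP message with the address of the interface its trunk is routed through. The trunk identities, the addresses and the use of the From header to identify the trunk are constructed assumptions.

```python
import re

# Constructed sample data (not from the post): each trunk's SIP identity
# mapped to the public address of the interface its traffic is routed out of.
TRUNK_EGRESS = {
    "trunk1@sip.example.net": "192.0.2.10",     # first interface (mark 0x100)
    "trunk2@sip.example.net": "198.51.100.20",  # second interface (mark 0x200)
}

VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;,\s]+)", re.I | re.M)
FROM_RE = re.compile(r"^(?:From|f)\s*:.*?<sip:([^>;]+)", re.I | re.M)

def sent_by_host(message):
    """Return the host part of the topmost Via sent-by, or None."""
    m = VIA_RE.search(message)
    if not m:
        return None
    hostport = m.group(1)
    if hostport.startswith("["):  # IPv6 reference such as [2001:db8::1]:5060
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport

def check_via(message, egress=TRUNK_EGRESS):
    """Return (trunk, via_host, expected, ok) for one outgoing SIP message."""
    m = FROM_RE.search(message)
    trunk = m.group(1) if m else None
    expected = egress.get(trunk)
    via = sent_by_host(message)
    return trunk, via, expected, via is not None and via == expected

def make_register(trunk, via_addr):
    """Build a constructed REGISTER for `trunk` carrying `via_addr` in Via."""
    return "\r\n".join([
        "REGISTER sip:sip.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {via_addr}:5060;branch=z9hG4bK-constructed",
        f"From: <sip:{trunk}>;tag=constructed",
        f"To: <sip:{trunk}>",
        "CSeq: 1 REGISTER", "Content-Length: 0", "", "",
    ])

if __name__ == "__main__":
    # Case from the post: no external ip configured, so both trunks carry
    # the first interface's address in Via; the second trunk is flagged.
    for trunk in TRUNK_EGRESS:
        print(check_via(make_register(trunk, "192.0.2.10")))
```

Run against captured outgoing REGISTER messages, the second trunk is reported as a mismatch whenever the Via address belongs to the first interface.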
