[Firehol-support] one-way only sip, responses going back through the wrong interface

Spike spike at drba.org
Mon Mar 6 05:52:38 GMT 2017


Upon second thoughts, this may just be a problem with SIP trunking and
failover on the ITSP part. My PBX had already a connection open to the ITSP
on iface20 (selected randomly by weight when asterisk started up) when I
observed this problem, but because of a configuration on the ITSP side the
call was coming in iface7. At that point I'm guessing that despite the
connection having come in through 7, it was sent out over 20 because of the
existing connection to the ITSP. Therefore the problem is not really with
the fw, but with the connections to the ITSP. I guess I could add some
rules to prefer one route over the other and configure both ends to use
that route unless it fails at which point both would switch to the other.

Would that be a policy routing rule to add to link-balancer.conf?

thanks,

Spike

On Sun, Mar 5, 2017 at 9:37 PM Spike <spike at drba.org> wrote:

> Hi,
>
> Stuck here and was hoping someone on the list might have a suggestion for
> how to debug this problem.
>
> I had a working link-balancer/firehol configuration, but I think it worked
> by accident... either that or tonight I broke something I can't figure out.
>
> I have two uplinks and connections are working as far as I can tell,
> internet is up, I can browse fine, however when it comes to SIP something
> strange is happening: the INVITE is coming through one uplink, but the
> answers are going out of the other with the src ip of the internal iface
> they came in through.
>
> Setup is as follows:
> gw7:172.30.7.1/24
> gw20:172.30.20.1/24
> fw:
>  - iface7: 172.30.7.2/24
>  - iface20: 172.30.20.2/24
>
> firehol.conf has connmark 0x7 iface7 and connmark 0x20 iface20
> linkbalancer.conf has a policy section with connmark 0x7 table t7 and
> connmark 0x20 table t20
>
> Those should have been all the necessary steps, but clearly I'm doing
> something wrong. Any thoughts?
>
> thanks,
>
> Spike
>

