[Firehol-support] one-way only sip, responses going back through the wrong interface

Spike spike at drba.org
Mon Mar 6 17:03:17 GMT 2017


ok, came back this morning and it's working... my only explanation, which I
didn't think of last night, is that I had cached routes some place. I
should have probably issued an ip route flush cache and maybe that'd have made
it work.

thanks,

Spike

On Sun, Mar 5, 2017 at 10:31 PM Spike <spike at drba.org> wrote:

actually, bear with me, maybe I'm mistaken but there really seems to be a
problem as I'm seeing traffic with sourceip of iface7, 172.30.7.2, going
out of interface 20. So it really seems to me I'm doing something wrong
where traffic is sent out the wrong interface/the ip of the other. Even if
the ITSP has an established connection through iface20 I'm thinking the
routing etc should enforce the traffic to go back iface7. Is that not how
it works?

thanks,

Spike

On Sun, Mar 5, 2017 at 9:52 PM Spike <spike at drba.org> wrote:

upon second thoughts, this may just be a problem with sip trunking and
failover on the ITSP part. My PBX had already a connection open to the ITSP
on iface20 (selected randomly by weight when asterisk started up) when I
observed this problem, but because of a configuration on the ITSP side the
call was coming in iface7. At that point I'm guessing that despite the
connection having come in through 7, it was sent out over 20 because of the
existing connection to the ITSP. Therefore the problem is not really with
the fw, but with the connections to the ITSP. I guess I could add some
rules to prefer one route over the other and configure both ends to use
that route unless it fails at which point both would switch to the other.

would that be a policy routing rule to add to link-balancer.conf?

thanks,

Spike

On Sun, Mar 5, 2017 at 9:37 PM Spike <spike at drba.org> wrote:

Hi,

stuck here and was hoping someone on the list might have a suggestion for
how to debug this problem.

I had a working link-balancer/firehol configuration, but I think it worked
by accident... either that or tonight I broke something I can't figure out.

I have two uplinks and connections are working as far as I can tell, internet
is up, I can browse fine, however when it comes to SIP something strange is
happening: the INVITE is coming through one uplink, but the answers are
going out of the other with the src ip of the internal iface they came in
through.

Setup is as follows:
gw7:172.30.7.1/24
gw20:172.30.20.1/24
fw:
 - iface7: 172.30.7.2/24
 - iface20: 172.30.20.2/24

firehol.conf has connmark 0x7 iface7 and connmark 0x20 iface20
linkbalancer.conf has a policy section with connmark 0x7 table t7 and
connmark 0x20 table t20

those should have been all the necessary steps, but clearly I'm doing
something wrong. Any thoughts?

thanks,

Spike
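
Added example, not part of the thread and not FireHOL's own code: a consistency check for the setup described in the original message, comparing `ip rule show` and `ip route show table <name>` output against the connmark-to-table mapping. The sample outputs are constructed, and it is an assumption that each table should hold a default route via the matching gateway and that `iface7`/`iface20` are the real device names.

```python
import re

# Expected mapping taken from the thread: connmark -> (table, gateway, device).
# Assumption: each table carries a default route via its own uplink gateway.
EXPECTED = {0x7: ("t7", "172.30.7.1", "iface7"),
            0x20: ("t20", "172.30.20.1", "iface20")}

# Constructed sample of `ip rule show` output (not captured from the poster's box).
SAMPLE_RULES = """\
0:	from all lookup local
32764:	from all fwmark 0x20 lookup t20
32765:	from all fwmark 0x7 lookup t7
32766:	from all lookup main
32767:	from all lookup default
"""

# Constructed `ip route show table <name>` output per table; t7 is deliberately
# wrong here (default points at the other uplink) to show a detected fault.
SAMPLE_TABLES = {
    "t7": "default via 172.30.20.1 dev iface20\n",
    "t20": "default via 172.30.20.1 dev iface20\n",
}

RULE_RE = re.compile(r"fwmark (0x[0-9a-fA-F]+)(?:/0x[0-9a-fA-F]+)? lookup (\S+)")
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)", re.M)

def parse_rules(text):
    """Return {mark: table} for every fwmark rule in `ip rule show` output."""
    return {int(m.group(1), 16): m.group(2) for m in RULE_RE.finditer(text)}

def check(rules_text, tables, expected=EXPECTED):
    """Return a list of human-readable problems; empty list means consistent."""
    problems = []
    rules = parse_rules(rules_text)
    for mark, (table, gw, dev) in sorted(expected.items()):
        if rules.get(mark) != table:
            problems.append(f"mark {mark:#x}: no rule to table {table}")
            continue
        m = DEFAULT_RE.search(tables.get(table, ""))
        if m is None:
            problems.append(f"table {table}: no default route")
        elif m.groups() != (gw, dev):
            problems.append(f"table {table}: default via {m.group(1)} dev "
                            f"{m.group(2)}, expected {gw} dev {dev}")
    return problems

if __name__ == "__main__":
    for p in check(SAMPLE_RULES, SAMPLE_TABLES):
        print(p)
```

On a live box, feed `check()` the real command output instead of the samples; an empty result means the rules and tables agree with the intended mapping, which leaves the connmark restore step and stale cached routes as the remaining things to inspect.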


