Asterisk, two subinterfaces, source IP

Hi there!
I have some kind of misunderstanding of the basics of Asterisk, but I can’t find a clear answer googling.
So what I have: Centos 6, Asterisk 1.8.5

  • Local network: 192.168.40.0/24, Asterisk’s ip address is 192.168.40.10, client’s ip phones also belong to this network;
  • SIP provider, who gave me an extra cable for telephony purposes only. They told me to set up my PBX system’s ip address 192.168.77.3 and to use 192.168.77.5 as a trunk without registration. This trunk will be used for all out-of-office incoming and outgoing calls. Directmedia will be set to no.

I’m going to create 2 subinterfaces on my Centos eth0 interface - one with ip address 192.168.40.10 and the other 192.168.77.3. The default route will be 192.168.40.1 (towards my cisco router-on-a-stick). The source ip address of the packets, generated by asterisk will be set to one or another ip address depending on routing setup. But how will Asterisk guess what ip address should be set in SIP messages? For example SIP INVITE to local ip phones should contain 192.168.40.10 ip address, and SIP INVITE towards provider’s SIP trunk should have 192.168.77.3 as a source.

I might be wrong in terminology, but hope you can understand me.
Any help will be appreciated.

I am fairly sure that it will use the address on the first interface that it finds during the startup scan, on the assumption that the system is properly multi-homed.

A more careful Google will find several reports of people hitting this issue.

If there is no need to actually access public addresses, you may be able to set to treat the address (including NATting) as though it were public.

Thank you for your reply, david55.
Unfortunately when Googling I could only find topics related to configuring routing process or NAT.
As far as I understand, I’ll have to set the externip=192.168.77.3 and set nat=yes inside the provider’s trunk (as if my Asterisk server was behind NAT).
I’d appreciate it if anyone shares some links or other info concerning the process of choosing the source ip address for SIP messaging by Asterisk in a system with several IP addresses configured.

Thanks.

externip cannot be set within a single peer section.

nat=yes is for when the remote side is inside NAT. It is often misused and the “yes” is a deprecated setting. When I say NATted, I mean with NAT type rules in iptables.

For other examples of this issue, Google for ‘site:forums.digium.com “multi-homed”’ and maybe add in david55, if that produces too much noise.

Sorry guys. I’m confused again. I’ve been reading all over the internet but still can’t understand clearly.
Let’s say I have two subinterfaces on my CentOS server:
eth0.40 - 192.168.40.10/24, same subnet for ip phones
eth0.70 - 192.168.77.3/24
Let’s say that I have no default gateway, only two directly connected networks.
I have a sip trunk with ip 192.168.77.5
I’ve just restarted networking and started Asterisk process.
How can I configure which source ip address will Asterisk use for SIP messaging?
How can I control it?
Sorry, I’m really stuck

You don’t need to control it. Asterisk does that for you.

For all requests to 192.168.77.0/24, Asterisk will use eth0.70, for all requests to 192.168.40.0/24 and internet, Asterisk will use eth0.40. Source IP’s will be used according to the interface through which the IP packet will be sent. Don’t ask me how Asterisk can do it - it just does. I just set up the routing table on the Linux level, Asterisk takes care of the rest. No NAT settings are required for this to work, only properly configured Linux routing table. I see these sorts of setups a lot, so you should not have any problems with it.

The problem isn’t the level 3 routing, it is the Contact: header, etc., at the application layer.

Asterisk assumes a properly multi-homed system, i.e. that all its IP addresses are equally valid from anywhere that can reach it. It does not provide a mechanism for choosing between addresses at that layer, except in the context of at most one NATted address.

The actual choice of outgoing interface is made by the kernel, not by Asterisk.

What I am saying is also, that Asterisk uses a correct IP address in the SIP Headers (according to via which IP interface kernel will send the IP packet). So what I see in practice does not go well with your statement, that Asterisk has no mechanisms that handle multi-homed systems.

I suppose this could be a version thing, although it would mean allocating a new SIP socket for each session, or reading the kernel routing tables.

In any case, a wrong Via doesn’t matter, as the UAS will record the actual layer 3 source address.

However, in any case, Asterisk has no problem with multi-homed systems. What it has problems with is systems with two disjoint networks.

Since VoIP providers in my country don’t provide VoIP via Internet connection, but rather bring in a dedicated intranet link that is dedicated for VoIP, systems with two disjoint networks is more or less the only thing that is put on field. I have good experiences with multiple versions of 1.4, 1.6 and 1.8 and no issues whatsoever. So I doubt that this is “a version thing”.

If you are still sceptical, I can do a quick SIP trace and you will see that all the IP’s (L3 and SIP) are in order.

Make sure that you show traffic for both interfaces, as it will get it right for at least one interface, even if it doesn’t do anything clever. Also confirm that any externip, stunaddr, etc., relates to the real public network, as I suspect you can make this work by pretending the ITSP is the public network, which is probably a reasonable approach for a dedicated Asterisk box.

A surprising number of people seem to have problems with such configurations if Asterisk is clever enough to work out which interface will actually be used when it sends the request, before it actually does so.

Guys, first of all I’d like to thank you for paying attention to my post.
Today after two days of Googling, I’ve installed a virtual Asterisk server (Centos 6.3, Asterisk 1.8.5) and added two network cards to the system.
Eth0:192.168.40.10/24
Eth1:192.168.77.10/24
Then I created two sip trunks pointing to other Asterisk servers with destination addresses as follows:
Trunk1:192.168.40.20 - Asterisk server #2
Trunk2:192.168.77.20 - Asterisk server #3

Then I started making test calls from a phone registered at the Asterisk server with two networking cards, having enabled sip debugging on both sides.
And ip addresses in SIP messages were correct!
No extra configuration at all (NAT, localnet, extip).
I’ve also played with shutting down one of interfaces and then bringing it up and then restarting Asterisk - all addresses are correct.
Then I decided to share my experience in this thread and I found dejant’s posts, which confirmed the results of my experiment.
I have no idea how Asterisk does it but it does work without any extra configuration.
Thank you for not leaving me alone, guys :smile:

I stand corrected on this, although I still don’t understand why so many people report problems with such configurations.

Asterisk uses a routine called ast_ouraddrfor in main/acl.c to make a best effort to find the local IP address that will be seen by the peer. The fact that it uses the primary local address as a fall back, and the way it is commented, suggest that best efforts sometimes fail.

It does it by opening a temporary socket to the destination, reading the local address from that socket and then closing it, before using the shared socket for the actual SIP dialogue.

There is a wrapper around this, in chan_sip.c, which deals with NAT issues.

Great to hear that someone else confirms my test experiences. I hope we made David a believer now (we clashed about this in a couple other topics also :wink:) :smiley: :smiley:

Hello

I’ve been struggling with this issue and still no luck, as opposed to dejanst, unfortunately.

My setup isn’t optimal, but there isn’t much I can do at this time.

I have a 1.6.1.20 version. Two nics - 192.168.0.x and 192.168.1.x - then each interface is hooked to a modem/router, and goes to the internet with a different public address.

All clients are on the public internet (security is implemented). I would like to use both links at the same time - some client on one link, other on the second link. And obviously, use one link as the failover for the other (so I can’t just do IP based routing in linux)

asterisk is listening on both nics and receives correctly packets from both networks.
With externip set to nic0, nic0 being also listed as default in ip route, system works fine with Nic0 - audio and signalling - but packets received from nic 1 are answered on nic 0

Removing externip causes nic0 to no longer have sound…

dejanst/bichara: can you confirm that your NICs have different ip gateways - I made it work when both subnets could reach a unique Gateway

Any other help is welcomed…

Both NIC’s have different gateways, but a server has only ONE default route.

My setup totally different from yours, so this topic does not apply to your case.

Firstly, I don’t use NAT on both networks where my NIC’s are connected to. I think that only ONE externip= can be used at a time.

Secondly, I don’t use two NIC’s for making Asterisk some sort of “failover” or “distributed” system. One NIC is for all phone traffic and the second NIC is ONLY for connecting a single SIP Trunk to a VoIP provider. So I can easily have one static route for traffic to my VoIP provider and default route pointing on the network where I use IP Phones (or to the internet via NAT router).

I think that your setup is not possible to implement in Asterisk. I also think the design is very bad, but that’s just my opinion. Distributed and Failover systems are much more complex to set up than you think. I don’t have any experience with them, so sadly I can not be of assistance.

ok - I agree the setup is not great.

But it makes sense (to me at least) to have 2 connections to my asterisk- or even more - , that remote users will use as they please. I see that as load balancing the links, and failover - links do go down, so how do you mitigate this ?

So how can I have asterisk using 2 routes ? I may use one NIC and have a router later split the traffic, but I fail to see how the internal fields (contact,via, etc…) would be correct

thanks for any guidance !

Hi there,

I was wondering if you ever found a solution to your problem ?

I now have an asterisk box with 2 nics, both on separate private nets leading to separate ISPs with separate external ips. I can get a sip softphone register and use the asterisk box properly make calls, but I have to adjust the externaddr when switching isp to connect to.

No, no luck so far…

my understanding (may someone correct me if i’m wrong), is that asterisk matches the destination with the interfaces addresses (using localnet as a mask), and if it matches, no nating occurs and it is sent through the matching interface. If no match is found, it uses externip in the protocol elements as contact address, and sends it using the default route

I briefly thought of playing with the firewall to force an outgoing packet to go out by the same interface as the matching incoming, but a) this would not correct the @ in the contact fields, and b) wasn’t that easy to achieve. alternatively, using a sip proxy could probably do the job, but again, significant work to implement

J

Outgoing routing does not take account of localnets; it uses the standard OS routing, i.e. it uses the best route and gateway known to the OS for the given destination address (Linux routing can be cleverer than this, but very few people will be familiar with the details). The layer 3 (IP level) source address is also determined by the OS.

Localnets determines what goes in the Contact: header, and whether things like directmedia=nonat are effective.

I haven’t re-read the whole thread, but I may have made a mistake early on. The Contact address when not determined to be a NAT case is that which the OS reports it would use for a dedicated UDP socket bound to the destination address.

Generally, connecting multiple networks to a machine which are not mutually routable, is going outside the intended use of IP, and will cause problems, even though some ITSPs seem to like forcing this sort of situation. They need to be treated as NAT for directmedia, even though they are not really NAT.
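
Added example, not part of any post in this thread and not Asterisk's own source: a C version of the lookup described above for ast_ouraddrfor and again in the last reply (a temporary UDP socket connected to the peer, then getsockname() to read the address the kernel picked). The function names local_addr_for and contact_addr_for and the caller-supplied fallback address are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel which local IPv4 address it would use to reach peer_ip.
 * connect() on a UDP socket sends no packet: it runs the route lookup and
 * fixes the source address, which getsockname() then reports.
 * Returns 0 and fills out, or -1 if peer_ip is invalid or unroutable. */
int local_addr_for(const char *peer_ip, char *out, size_t outlen)
{
    struct sockaddr_in peer, local;
    socklen_t len = sizeof(local);
    int fd, rc = -1;
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(5060); /* SIP port; any non-zero port works */
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1)
        return -1;
    fd = socket(AF_INET, SOCK_DGRAM, 0); /* temporary socket, not the SIP one */
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&peer, sizeof(peer)) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, out, (socklen_t)outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}
/* Fallback as the thread describes: when the lookup fails, use a primary
 * address (here a caller-supplied string, an assumption of this example). */
const char *contact_addr_for(const char *peer_ip, const char *fallback,
                             char *buf, size_t buflen)
{
    return local_addr_for(peer_ip, buf, buflen) == 0 ? buf : fallback;
}

int main(void)
{
    /* Addresses from the thread plus loopback; output depends on this host's routes. */
    const char *peers[] = { "192.168.40.20", "192.168.77.5", "127.0.0.1" };
    char buf[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("%-15s -> %s\n", peers[i],
               contact_addr_for(peers[i], "192.168.40.10", buf, sizeof(buf)));
    return 0;
}
```

Run on the PBX host itself, this prints the address each peer would be given, which can be compared against the Contact: and Via: values seen in a SIP trace for that peer.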