Use a second internet connection for SIP

Situation: Asterisk is running on a box which is internet router for a LAN and has two internet connections. Assume that the default gateway sits on the first internet connection.

Goal: To use the first internet connection for all normal internet traffic and the second internet connection for all voip traffic. If reinvites are disabled, it would be enought just to route the SIP peer through the second internet connection. When using reinvites, this is not possible, because you never know which host the traffic is reinvited to.

It is currently not yet possible to use multiple addresses in the bindaddr parameter in sip.conf. To make sure that all voip traffic does use the second internet connection, you could use the following workaround.

In the following example, let's assume the following:
lan network: on eth0, server has
inet 1: on eth1, server has, gateway is
inet 2: on eth2, server has, gateway is
sip provider:
asterisk is running as user asterisk

1. Make sure you have a working setup with appropriate source routing for the IP of the second internet connection.

# Configure the nics
ifconfig eth0 netmask
ifconfig eth1 netmask
ifconfig eth2 netmask
# Create a separate route table for the 2nd nic
echo "100 line2" >> /etc/iproute2/rt_tables    (only once!)
# Add our default route
ip route add default via dev eth1
# Populate routing table for 2nd nic
ip route show table main | grep -v default | while read line ; do ip route add $line table line2 ; done
# Add a default route to table for 2nd nic
ip route add default via dev eth2 table line2
# Do appropriate source routing for IP address of 2nd nic
ip rule add from table line2

2. Add a route to your SIP peer (your provider) through the 2nd nic, but in the main routing table

ip route add via src table main

3. Set up appropriate firewalling:

iptables -t mangle -N asterisk-out
iptables -t mangle -A asterisk-out -j MARK --set-mark 2
iptables -t mangle -A asterisk-out -p udp --dport 5060 -j DSCP --set-dscp-class cs3
iptables -t mangle -A asterisk-out -p udp --dport 12500:12998 -j DSCP --set-dscp-class ef
iptables -t mangle -A asterisk-out -j RETURN
iptables -t mangle -A OUTPUT -m owner --uid-owner asterisk -j asterisk-out
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source

4. Route all marked traffic through the second nic:

ip rule add fwmark 0x2 table line2

The big trick here lies in fooling asterisk to register with the IP address of the second nic. Adding the route to the SIP peer to the main table causes asterisk to use the 2nd source address in the SIP packets themselves. (It might be possible to do something with SIP nat here, but I'm not sure about that.) All marked traffic is going out through the second nic, even when traffic is re-invited to other hosts. Because the asterisk registration at the provider carries the IP address of the 2nd nic, all incoming traffic will be sent to that nic as well.
Created by: rolek, Last modification: Wed 23 of Apr, 2008 (12:51 UTC)
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+