sergey-safarov
commented
1 year ago [Match]
Name=lan
[Network]
DHCP=no
Address=10.136.3.19/24
DNS=8.8.8.8
[Route]
Destination=0.0.0.0/0
Gateway=10.136.3.18
[Route]
Destination=10.122.235.0/24
Gateway=10.136.3.18
PreferredSource=158.51.225.1Where 158.51.225.1 IP address is configured on another interface. A similar config may be prepared using secondary IP.
And then check route command output
[root@wc-0 ~]# ip route show
default via 10.136.3.18 dev lan proto bird metric 32
10.122.235.0/24 via 10.136.3.18 dev lan proto static src 158.51.225.1
10.136.3.0/24 dev lan proto kernel scope link src 10.136.3.19That means new socket connections towards 10.122.235.0/24 will be initiated using a socket with a 158.51.225.1 IP address.
In IvozProvider, both on standalone and on distributed installations, at least one of the Kamailio processes listens on a non-primary IP address:
Standalone: if using two IPs, one of them is non-primary.
Distributed: both Kamailios bind to virtual IPs managed by a cluster.
When Kamailio initiates a TCP connection (for both TCP and TLS transports), instead of using the TCP/TLS IP:PORT defined in corresponding listen directive, it asks the OS for a port. The OS replies with a IP:PORT of the primary IP and Kamailio warns:
This causes TCP connections with a source address different from the IP assigned to the proxy (which can lead to firewall problems in the other side).
tcp_reuse_port may skip this logic, but requires that the system on which Kamailio is running on supports SO_REUSEPORT..
Configurations affected by this issue:
Consequences:
In all the cases, if Kamailio is listening on a primary address, the connection uses an incorrect port. If running on a non-primary, uses both an incorrect IP and port.