November 18, 2008 at 3:08 pm #41301
First I want to congratulate you on this great software. I’m using it mainly for load balancing between 2 ISPs and filtering traffic.
The load balancing I’m using is a fail-over, so when the 1st provider goes down it will use the 2nd provider, and that is working as expected. The problem is that I’m using some VoIP extensions, and I want the extensions to keep working even after the 1st provider goes down. Here is the test I did. Both providers were up; then I changed the net balancing policy for some devices (through IP address of origin) to the 2nd provider, but the extension didn’t come up. I believed that the problem was with the provider, but I added some other IP addresses to check and those devices worked OK (I tested those devices using a traceroute command and browsing some web pages). I made some traces with the iptraf tool and found that Zeroshell is trying to send the packets to the destination using the 2nd provider (the 2nd interface), but the NATed IP was from the 1st provider, so the 2nd provider is dropping the packets since the NATed origin IP address is other than the assigned one. Maybe you can reproduce the bug by doing this:
Use 2 different routes to the same destination with NAT enabled.
First access the destination with the first route; it is necessary that the origin device use the same origin port throughout the whole test.
Then try to change the route in the route policy option with the same destination and the same origin port; you will see that it uses the same NAT IP used with the first route. If you change the origin device port, it will correct the problem and start using the 2nd NAT IP, but if you set the origin port back as it was at first, the problem will return.
I think that there is a policy in the Zeroshell device which binds a NAT IP address once it has initiated a connection with some origin port and a particular destination IP address. I believe this is pretty useful when using a round-robin load balancing rule, because some applications (for security reasons) don’t support the origin IP address changing in the same session, but it is wrong to send a different NATed IP address to another interface. Please let me know if you need more information, some more tests, or whatever you need.
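The behaviour reported in the post, modelled as an added example written here (it is not Zeroshell or netfilter code): a toy connection-tracking table pins the SNAT address to the flow's first packet, a check flags a packet leaving an uplink with the other ISP's address, and a hardened variant re-evaluates SNAT when the egress interface changes. Interface names, addresses and the VoIP flow are constructed.

```python
"""Toy model of the reported behaviour: the connection-tracking table pins the
SNAT address chosen for a flow's first packet, so after a policy-route change
the flow leaves via the second ISP carrying the first ISP's address.
Constructed data; this is not Zeroshell or netfilter code."""

# Constructed example: two ISP uplinks, each with its own public address.
UPLINKS = {"eth1": "198.51.100.10", "eth2": "203.0.113.20"}


class NatBox:
    def __init__(self, route_policy, sticky=True):
        self.route_policy = route_policy  # source IP -> egress interface
        self.sticky = sticky              # True reproduces the reported bug
        self.conntrack = {}               # (src, sport, dst, dport) -> (iface, snat_ip)

    def forward(self, src, sport, dst, dport):
        """Forward one packet; return (egress iface, source address it carries)."""
        key = (src, sport, dst, dport)
        iface = self.route_policy[src]
        entry = self.conntrack.get(key)
        if entry is None or (not self.sticky and entry[0] != iface):
            # New flow, or (hardened variant) the egress changed: pick SNAT again.
            entry = (iface, UPLINKS[iface])
            self.conntrack[key] = entry
        # Sticky variant: the original SNAT address is kept even though the
        # packet now leaves through the other interface.
        return iface, entry[1]


def is_misrouted(iface, snat_ip):
    """Detection check: a packet whose source is not the egress uplink's own
    address will be dropped upstream, which is the symptom seen in iptraf."""
    return UPLINKS[iface] != snat_ip


def reproduce(sticky):
    """Run the poster's test: establish the flow via ISP 1, move the device's
    policy route to ISP 2, then send another packet with the same source port."""
    box = NatBox({"10.0.0.5": "eth1"}, sticky=sticky)
    phone = ("10.0.0.5", 5060, "192.0.2.50", 5060)  # constructed VoIP flow
    first = box.forward(*phone)
    box.route_policy["10.0.0.5"] = "eth2"
    second = box.forward(*phone)
    # Changing the source port starts a new flow, which the poster saw working.
    new_port = box.forward("10.0.0.5", 5061, "192.0.2.50", 5060)
    return first, second, new_port, is_misrouted(*second)


if __name__ == "__main__":
    print("sticky:", reproduce(True))
    print("hardened:", reproduce(False))
```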