Posted: Sat Nov 30, 2019 20:15 Post subject: Strange routing problem
I have two Netgear WNR3500L routers in different locations, one running V24-sp2 and the other running v3.0-r30471 big. A few months ago I set up OpenVPN to run bi-directionally between the two locations and eventually got it working so that I can see both networks from both locations.
So far so good.
For a long time I have also been running Asterisk systems in the two locations with both IAX and SIP connections using the remote address of the router with ports forwarded to the correct ones for Asterisk listeners. That has been running without issue as well.
A couple of weeks ago I thought it might be better if I changed the Asterisk systems to use the OpenVPN connection directly rather than going across the internet. Sure enough, changing the Asterisk client end to address the remote end directly worked. That is until I restarted the OpenVPN client, then it all goes wrong, but only with Asterisk - everything else works without any problem.
After looking carefully at the data flow, mainly with tcpdump, I discovered that after the OpenVPN client is restarted the source address going into the tunnel has become the WAN address of the router. But, it wasn't before the client restart and I can't find any way of making it change back. If I send an nc from the client to the server, using the same port, it routes correctly and the nc connects.
This is one of the strangest problems I've come across so if anyone can shed some light I would love to be able to understand why this is happening and if there is a way of correcting it.
Asterisk has a config entry that defines local networks. If the remote network is not in that config then asterisk assumes the SIP connection to that remote is going through a NAT and may rewrite the SIP packet. In some cases (with broken phone firmware, etc.) you want that even when the remote network is directly routable. But not when it's 2 asterisk systems talking to each other and NOT going through a translator.
I had noticed that about Asterisk and configured the localnetwork, including the local address of the VPN link. However, tcpdump shows that the data coming from Asterisk is still using the local address of the server when it gets to the router, it's when it appears on the tunnel that the address has changed.
I've now seen this with the IAX interface as well and I've tried using a number of different ports with the remote end pointing back to the correct port on the Asterisk server. All goes well for some time and then the local end reports Unreachable and inspecting with tcpdump once again the address going into the tunnel is the WAN address of the router. If I switch to another port it will immediately start working and the source address is the one for the tunnel.
That implies that the iptables are set up correctly but something happens which is causing the effect but only on the port currently in use.
I am somewhat stumped as to what to do next to see why this is happening.
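A small checker for the tcpdump observation described in this thread, added here as an example and not part of the poster's setup: it parses `tcpdump -n` lines captured on the tunnel interface and reports, per destination port, how many packets left with the tunnel address versus the router's WAN address. The addresses, ports and the sample capture are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i tun0` output (not taken from the post).
# Assumed addresses: 10.8.0.2 = local tunnel address, 203.0.113.10 = router
# WAN address, 10.8.0.1 = remote tunnel end. Ports 4569/5060 are IAX2/SIP.
SAMPLE_DUMP = """\
12:00:01.000001 IP 10.8.0.2.4569 > 10.8.0.1.4569: UDP, length 40
12:00:02.000001 IP 203.0.113.10.4569 > 10.8.0.1.4569: UDP, length 40
12:00:03.000001 IP 10.8.0.2.5060 > 10.8.0.1.5060: UDP, length 500
12:00:04.000001 IP 203.0.113.10.4569 > 10.8.0.1.4569: UDP, length 40
12:00:05.000001 IP 10.8.0.1.5060 > 10.8.0.2.5060: UDP, length 480
"""

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_dump(dump):
    """Yield (src, sport, dst, dport) for each parseable tcpdump line."""
    for line in dump.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def source_stats(dump, tunnel_addr, wan_addr):
    """Count outbound packets per destination port by the source they carry.

    Returns {dport: (with_tunnel_addr, with_wan_addr)}. Packets from other
    sources (e.g. replies from the remote end) are ignored.
    """
    stats = defaultdict(lambda: [0, 0])
    for src, _sport, _dst, dport in parse_dump(dump):
        if src == tunnel_addr:
            stats[dport][0] += 1
        elif src == wan_addr:
            stats[dport][1] += 1
    return {port: tuple(v) for port, v in stats.items()}


def rewritten_ports(dump, tunnel_addr, wan_addr):
    """Ports on which any packet entered the tunnel with the WAN address."""
    return sorted(p for p, (_ok, bad) in
                  source_stats(dump, tunnel_addr, wan_addr).items() if bad)


if __name__ == "__main__":
    print(source_stats(SAMPLE_DUMP, "10.8.0.2", "203.0.113.10"))
    print("ports with WAN source:",
          rewritten_ports(SAMPLE_DUMP, "10.8.0.2", "203.0.113.10"))
```

Feed it a real capture with `tcpdump -n -i tun0 udp | python3 check.py` style piping (reading stdin instead of `SAMPLE_DUMP`) to see which port's traffic is being rewritten before it enters the tunnel.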