Hi there!

I'm seeng a very strage behavior sometimes when I have my exernal IP changed by my ISP.

I have detected the problem in my SIP VoIP providers, but may occur to any other service, (my guess)

Normally, outgoing SIP packets viewed in the pppoe interface have the ISP assigned public IP in the source address IP header.
But, upon a WAN IP change, I have some packets (sometimes for all of my providers, sometimes only for one or two providers) getting the PRIVATE IP Address (192.168.200.3 in my case) in the source address IP header on the outgoing interface!!
Obviously packets exit the router to never come back, and thus the VoIP provider gets marked as unreachable by my Asterisk PBX.

I tried restarting the firewall, but no luck... Any idea on why this is happening or how can I avoid or ease this problem?

Thanks!

Maybe this could help: https://forum.openwrt.org/viewtopic.php?id=34811

thanks Adze,

I've been reading through these and found somethings I can try, although the problem there is tcp related, while mine is udp, so the underlying problem solved there may not apply.
Funny fact: I can ping an "unreachable" VoIP provider and everything seems OK for the ping. Only SIP UDP packets are not being MASQed before output for that host. Pretty weird, huh?
Performing a full reboot of the router makes it work again, but takes too much downtime for a phone system...

After some testing with Adze's link info I'm still suffering the problem (the solution proposed just drop invalid packets, but my router thinks they're OK, so keep on sending them packets).
I'll try to clarify what is happening, hoping someone have had some experience with this before:

- I'm happily connected to my VoIP provider at 1.2.3.4 (UDP SIP packets exiting the router on the WAN port with my WAN PPPoE assigned IP address).
- My ISP change my WAN IP address
- I can ping my VoIP provider at 1.2.3.4, (ICMP traffic with my new WAN IP address exiting the router correctly).
- BUT any UDP SIP traffic addressed to that VoIP provider is exiting the router UNMASQERADED!! They sport my internal LAN IP Address instead of the new WAN IP.

I'm struggling my head trying to find a way to solve this, but restarting the firewall is not enough, and rebooting the router is too much (though it solves the problem)...

So... any idea on how to reset the MASQ tables or force the router to MASQ those packets normally again would be more than welcome :-)

Thanks!

How do you manage wan, wan0 and wan2? Have you installed multi-wan or mwan2 packages?

no packages installed (other than quagga to cope with the RIPv2 packets coming through wan2, and it's not working yet either).

fyi, I get you're asking me this because you answered my other post about using different vlans on the WAN port of the router, don't you? (I mean, nothing in this topic suggests I have wan, wan0 and wan2 interfaces )

Back to the point, and because of your comment, you got me guessing I'll have to install a multi wan support package in order to get this problem solved, am I right?
(sh*t, every time I think I'm a bit closer to really know about something, a whole new unexpected aspect materializes and I have to start all over again... Don't you love/hate that feeling?)

Thanks again!

no improvements with the multi-wan package :-(

I've been trying with no better luck. I see what it does (policy based routing), but after considering it, I think I actually don't need it, because:

- I have all the "normal" Internet traffic going through the default pppoe-wan interface (WAN) (eth1.6 for the router).
- I just need to route a couple of nets through the DHCP interface (WAN2) (eth1.3 in the router). (I receive RIPv2 packets for that, but quagga not working yet for me, so added a static route meanwhile).

And my problem is that, sometimes, upon a IP change on my pppoe-wan interface (WAN), packets addressed to the destinations behind the WAN2 interface are not being masqueraded with the IP of the WAN2 interface. (I worte a script for restarting (ifup) the WAN2 interface after a IP change on the WAN interface, but even after that, it is unable to get its traffic properly masqeraded again)

Masquerading happens in the kernel, it will figure out a suitable source address for outgoing connections and use that. I doubt you can outsmart that with a script.

The only solution I can think of is to install an explicit SNAT rule, but that would need to be refreshed whenever the WAN IP changes.

Thanks jow, I'll try something like

iptables -t nat -I POSTROUTING -d destination.network/mask -j SNAT --to-source my.ip.on.wan2

funny how it works on first boot but doesn't stand a WAN IP change. Besides, it might be a problem to have those internal IPs showing off at the WAN side...

I'll keep the topic posted...

Well, things just got worse....

I've just learnt that after a IP renewal, some of the VoIP Providers on the WAN interface (PPPoE "default Internet") are also getting their packets exiting the router UNMASQed!!!...

Now this is a real problem. I can ping their IP and that traffic gets the correct IP, but UDP VoIP traffic does not!

I'm a bit out of ideas here, anything I could try? Please?

Hi, ivanxx, I've got same situation but inversed - SIP UDP packets at some point getting masquarading while they shouldnt'

I have
pppoe-wan outgoing interface
and ipip tunnel going throu the pppoe-wan to another OpenWRT router
where packets going to internet via pppoe-wan should and packets going to another local subnet via ipip tunnels should NOT be masquaraded

and yes, ICMP pings goes correctly throu ipip tunnel - parasiting masquarade hits only SIP UDP packets

look here http://asterisk-support.ru/question/194 … p-v-linuks for another proposed solution:

iptables -t nat -I POSTROUTING -m udp -p udp -dport 5060 -j ACCEPT
iptables -t nat -I POSTROUTING -m udp -p udp -sport 5060 -j ACCEPT