On 02/03/2023 22.13, [EXT] Tim Bowyer wrote:

I’m having the same issue but believe it’s related to my network topology.

I have multiple carrier-facing NIC’s and an internal NIC on each media proxy.

 

Is this configuration supported?

This should work fine as long as it's "just" normal IP routing and doesn't involve network namespaces or cgroups or things like that. (Source-based routing should work, but other policy routing options might not.)

[root@per01-mtp01.dev.xyz blah]# cat /proc/rtpengine/0/list

local inet4 203.x.x.x:40000

    stats:               350880 bytes,                 2040 packets,                    0 errors

        RTP payload type   0:                    0 bytes,                    0 packets

        RTP payload type   8:               350880 bytes,                 2040 packets

    SSRC in: 65aa31af

    output #0

       src inet4 10.y.y.y:40000

       dst inet4 203.x.x.x:39302

This looks like the kernel module is receiving packets just fine and is sending them out (or trying to). It should work as long as the kernel is able to route packets from the 10.x address to the 203.x address.

I was also looking to find some config to make this working using firewalld rules, fishing through the Sipwise repos I stumbled across some firewalld rules as part of their automated builds but didn’t have any luck with them

If somebody had some rules I could try would be much appreciated!

There's two things here. One is the necessary "-j RTPENGINE" iptables rule, which is needed to pass the packets to the kernel module to process. The bundled systemd startup scripts are in charge of adding and removing that. However, if you have separate firewall scripts which may override or remove this rule in some way, then this needs to be taken into account, so you don't lose this rule. But from your /proc output it's obvious that this rule is in place.

The other thing is that rtpengine is able to manage firewall rules for individual ports directly, opening and closing the firewall rules as individual ports are opened and closed. This is entirely optional, and needs to be enabled explicitly, and is in fact not recommended usage.

Cheers