Discussion:
recommendations for multiple phones behind nat
m***@mattkeys.net
2012-07-03 02:14:07 UTC
When requesting a static IP from Comcast they force you to use their CPE, a SMC modem/router combo, and then they provision the static with RIPv2. This leaves you with two usable IPs when you request one IP; one static that is bridged through, the other is the gateway IP in which clients behind the SMC NAT would go out. I've set up sipxecs on the static IP only (multihome attempt was a failure) and phones are behind the NAT like so:

WAN (gateway IP) -> SMC -> 10.1.10.0/24 -> Firewall -> 192.168.1.0/24 clients and phones
WAN (public static IP) -> SMC -> sipxecs w/public static ip

I initially tried using the SMC's 10.1.10.0/24 NAT address space/firewall for clients but discovered quickly that I need to be able to set clients to 192.168.1.0/24 because of hard-coded IPs inside their software/databases. For some reason the SMC just wouldn't let me set that address space and I can't change the hard-coded IPs without major surgery. Anyway, I'm seeing the two phones (Polycom 321's with 3.2.7 firmware and 4.2.1 bootrom) successfully register and then "freeze" right after loading sip.ld. They become completely unresponsive and the only thing I can do at that point is hard power cycle them. Do I need to set up another sipxecs behind the NAT as a branch, or should both phones be able to stay registered with this setup using TCPPreferred transport? The firewall is just a Linux box with iptables masquerading like so:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

I've also tried using netfilter/conntrack and setting it to watch TCP, UDP, and RDP.

Thanks,
Matt
m***@mattkeys.net
2012-07-03 04:36:51 UTC
Never mind, I just realized I haven't tried putting the phones on 10.1.10.0/24 yet.


Tony Graziano
2012-07-03 10:16:59 UTC
SMC's firewall will not allow static port NAT. Put the SMC in bridged mode.
Use any firewall that will allow you to use a firewall with both static
port NAT and the ability to disable any ALG (pfSense, iptables if correctly
configured, etc.). When you put the SMC in bridged mode it will hand out
DHCP to your WAN using the 10.x address but you can safely ignore it and
use the public IP you have been provisioned with your real firewall.
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013! <http://sipxcolab2013.eventbrite.com/?discount=tony2013%22>
--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
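
A way to check a Linux/iptables firewall for the two conditions in Tony Graziano's reply above, as an added example that is not part of the original thread. It assumes "static port NAT" means source ports are left unrewritten (as with pfSense's static-port option) and that "ALG" on Linux means the kernel's nf_conntrack_sip/nf_nat_sip helpers; the module list and ruleset are constructed samples, and the 192.168.2.0/24 rule is hypothetical.

```shell
#!/bin/sh
# Added example: audit a Linux NAT box for a loaded SIP ALG and for
# source-NAT rules that rewrite source ports. Inputs below are constructed.

# Constructed /proc/modules excerpt with the kernel SIP helper loaded.
SAMPLE_MODULES='nf_nat_sip 20480 0 - Live 0x0000000000000000
nf_conntrack_sip 36864 1 nf_nat_sip, Live 0x0000000000000000
nf_nat 49152 2 nf_nat_sip,iptable_nat, Live 0x0000000000000000'

# Constructed iptables-save excerpt: the thread's rule plus a hypothetical
# second rule that randomizes source ports.
SAMPLE_RULES='*nat
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE --random
COMMIT'

# Print the SIP ALG modules present in /proc/modules-style text ($1).
sip_alg_modules() {
    printf '%s\n' "$1" |
        awk '$1 == "nf_conntrack_sip" || $1 == "nf_nat_sip" { print $1 }' | sort
}

# Print source-NAT rules in iptables-save text ($1) that force a port rewrite.
# Plain MASQUERADE keeps the original source port whenever it is free.
port_rewriting_rules() {
    printf '%s\n' "$1" | awk '
        /-j (MASQUERADE|SNAT)/ && /--(random|to-ports)/ { print; next }
        /-j SNAT/ && /--to-source [0-9.-]+:[0-9]/     { print }'
}

# Report findings; return 0 only when no ALG is loaded and no rule rewrites ports.
audit_nat() {
    alg=$(sip_alg_modules "$1")
    rules=$(port_rewriting_rules "$2")
    [ -n "$alg" ] && printf 'SIP ALG loaded: %s\n' "$(echo $alg)"
    [ -n "$rules" ] && printf 'source port rewritten by: %s\n' "$rules"
    [ -z "$alg" ] && [ -z "$rules" ]
}

# On a live firewall (as root):
#   audit_nat "$(cat /proc/modules)" "$(iptables-save -t nat)"
audit_nat "$SAMPLE_MODULES" "$SAMPLE_RULES" || echo "findings above need attention"
```
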
Matt White
2012-07-03 12:35:32 UTC
A nice thing about the SMC gateway used by Comcast is they will "auto" switch to bridged mode if you put a firewall with the public static IP behind it.

You can also plug clients directly into the SMC and it will still NAT them separately from the bridged static IP. So just assign the one static IP to the firewall and you won't have to worry about the SMC getting in the way.

-M