[Discuss] Placing SIP Server in DMZ or use DNAT?

Derek Atkins derek at ihtfp.com
Wed May 22 09:45:30 EDT 2019


On Wed, May 22, 2019 9:34 am, Dan Ritter wrote:

> Option C: pretend NAT doesn't exist for the SIP server and:
>
>                .126   .121
>     ISP -- <Modem> -- <firewall> -- intranet
>                            \-- <sip> .122
>
> route packets to .122 without NATting them. This assumes that
> you have an interface available on the firewall. You may want to
> use an RFC1918 /30 subnet between them.

I had considered this approach as well, but there are several issues with
it. The firewall is an Edgerouter-Pro-8.  It doesn't like having the same
IP or even the same network on multiple ports.  And it does not have a
hardware switch, so bridging ports is expensive.

So imagine this:

eth0: .121/29 (connected to ISP/Modem)
eth1: .121/29 (connected to SIP)
eth2: 192.168/24
eth3: class-C

I would need specific rules to route the /29 between eth0 and eth1.  SIP
would need to be told that the default router is .121 instead of .126
(which I guess I can do).  But the firewall would need to proxy-arp for
.122 in order to get the modem to send it everything.  This is where the
demons lie.

I'm not sure where this /30 comes into play.  Could you be more explicit?

> Then you can firewall stuff without NAT funkiness. NAT never
> makes SIP better.

Yeah, I know, which is why I'm leaning towards just putting it outside the
firewall (option 1).

Thanks,

> -dsr-

-derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
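The routed, no-NAT placement sketched in this exchange (firewall holds .121 on the modem side, SIP server sits at .122 behind a second port, firewall proxy-ARPs for .122 so the modem hands it everything, and .121 becomes the SIP server's default router) rendered as a Linux iproute2/sysctl/nftables script. This is an added example, not EdgeOS configuration and not code from either poster; the /29 uses the constructed documentation prefix 203.0.113.0/29, the interface names eth0/eth1 and the RTP port range are assumed placeholders, and by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: Linux (iproute2/sysctl/nftables) rendering of the
# routed, no-NAT SIP placement discussed in the thread. NOT EdgeOS
# configuration and not code from the thread. The /29 uses the
# documentation prefix 203.0.113.0/29 (constructed); the RTP range is an
# assumed placeholder for whatever the SIP server actually uses.
PREFIX="203.0.113"
WAN_IF="eth0"             # .121/29, faces the ISP modem at .126
DMZ_IF="eth1"             # faces the SIP server at .122
FW_IP="$PREFIX.121"
SIP_IP="$PREFIX.122"
MODEM_IP="$PREFIX.126"
RTP_PORTS="10000-20000"   # assumed; match the server's configured range
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# run: print the command in dry-run mode, otherwise execute it (as root)
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# plan_routed_dmz: every step the firewall needs so .122 is reachable on
# the DMZ port without NAT, with only SIP signalling and media forwarded
plan_routed_dmz() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip link set dev "$DMZ_IF" up

    # WAN side: the firewall's own /29 address and the default route
    run ip addr add "$FW_IP/29" dev "$WAN_IF"
    run ip route add default via "$MODEM_IP" dev "$WAN_IF"

    # DMZ side: the same .121 as a /32, so the SIP server can use .121
    # as its default router; Linux permits one address on two interfaces
    run ip addr add "$FW_IP/32" dev "$DMZ_IF"

    # A host route for .122 is more specific than the /29 on the WAN
    # port, so traffic for the SIP server is forwarded out the DMZ port
    run ip route add "$SIP_IP/32" dev "$DMZ_IF"

    # Proxy ARP: answer the modem's ARP for .122 on the WAN port, and
    # answer the SIP server's ARP for the rest of the /29 (e.g. .126)
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"

    # Forwarding policy: drop by default, allow return traffic, allow the
    # SIP server outbound, and allow only SIP/RTP inbound to .122
    run nft add table inet fw
    run nft add chain inet fw forward \
        "{ type filter hook forward priority 0; policy drop; }"
    run nft add rule inet fw forward "ct state established,related accept"
    run nft add rule inet fw forward \
        "iifname $DMZ_IF ip saddr $SIP_IP accept"
    run nft add rule inet fw forward \
        "iifname $WAN_IF ip daddr $SIP_IP udp dport { 5060, $RTP_PORTS } accept"
}

plan_routed_dmz
```

Run it as-is to review the command list; `DRY_RUN=0 ./routed-dmz.sh` as root applies it. The forward chain is what makes this placement different from "outside the firewall": the SIP host keeps its public address and sees no NAT, but only the ports it needs are reachable and everything else it originates is still subject to the firewall's connection tracking.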
