[Discuss] Placing SIP Server in DMZ or use DNAT?
Dan Ritter
dsr at randomstring.org
Wed May 22 12:44:56 EDT 2019
Derek Atkins wrote:
>
> On Wed, May 22, 2019 9:34 am, Dan Ritter wrote:
>
> > Option C: pretend NAT doesn't exist for the SIP server and:
> >
> > .126 .121
> > ISP -- <Modem> -- <firewall> -- intranet
> > \-- <sip> .122
> >
> > route packets to .122 without NATting them. This assumes that
> > you have an interface available on the firewall. You may want to
> > use an RFC1918 /30 subnet between them.
>
> I had considered this approach as well, but there are several issues with
> it. The firewall is an Edgerouter-Pro-8. It doesn't like having the same
> IP or even the same network on multiple ports. And it does not have a
> hardware switch, so bridging ports is expensive.
>
> So imagine this:
>
> eth0: .121/29 (connected to ISP/Modem)
> eth1: .121/29 (connected to SIP)
> eth2: 192.168/24
> eth3: class-C
>
> I would need specific rules to route the /29 between eth0 and eth1. SIP
> would need to be told that the default router is .121 instead of .126
> (which I guess I can do). But the firewall would need to proxy-arp for
> .122 in order to get the modem to send it everything. This is where the
> demons lie.
>
> I'm not sure where this /30 comes into play? Could you be more explicit?
eth0: .121/29
eth1: 10.1.1.1/30
eth2: 192.168.0/24
eth4: ...
then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
router adds a static route for .122/32 with 10.1.1.2 as a
gateway. This avoids assigning competing subnets to different
NICs.
Yes, you need to turn on proxy arp on eth0:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
so it will answer for the .122 when the modem asks.
(If the modem spoke a routing protocol, you could advertise
reachability through that, but odds are good it does not.)
-dsr-
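An added example, not part of the thread, that models in Python the two pieces the plan above relies on: the firewall's longest-prefix route lookup (the /32 to .122 via 10.1.1.2 beating the on-link /29) and the Linux proxy_arp decision on eth0, which only answers for addresses routed out a different interface. The real /29 prefix is not given in the thread, so 198.51.100.120/29 (documentation range) stands in for it; 10.1.1.0/30 and 192.168.0.0/24 are the values from the reply.

```python
# Added example (not from the thread): a model of the Linux forwarding and
# proxy-ARP behaviour that the /30 + static-route plan relies on.
# 198.51.100.120/29 is a placeholder for the ISP /29, which the thread
# only gives by its last octets (.121, .122, .126).
from ipaddress import ip_address, ip_network

ISP_NET = ip_network("198.51.100.120/29")            # placeholder /29
FW_WAN = ip_address("198.51.100.121")                # firewall eth0 (.121)
MODEM = ip_address("198.51.100.126")                 # modem / upstream (.126)
SIP_PUBLIC = ip_address("198.51.100.122")            # SIP server (.122)

# Firewall routing table: (prefix, interface, gateway or None for on-link).
ROUTES = [
    (ISP_NET, "eth0", None),                                       # .121/29
    (ip_network("10.1.1.0/30"), "eth1", None),                     # /30 to SIP
    (ip_network("192.168.0.0/24"), "eth2", None),                  # intranet
    (ip_network("198.51.100.122/32"), "eth1", ip_address("10.1.1.2")),  # static
    (ip_network("0.0.0.0/0"), "eth0", MODEM),                      # default
]
# echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp, modelled per interface.
PROXY_ARP = {"eth0": True, "eth1": False, "eth2": False}

def lookup(dst):
    """Longest-prefix match: return (iface, gateway) for dst, or None."""
    dst = ip_address(dst)
    best = None
    for net, iface, gw in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])

def proxy_arp_replies(iface, target):
    """Would the firewall answer an ARP 'who has target?' heard on iface?
    Linux proxy_arp replies only when the target is reachable through a
    different interface than the one the request arrived on."""
    if not PROXY_ARP.get(iface, False):
        return False
    route = lookup(target)
    return route is not None and route[0] != iface

if __name__ == "__main__":
    print("modem -> .122 forwards via:", lookup(SIP_PUBLIC))
    print("ARP for .122 on eth0 answered:", proxy_arp_replies("eth0", SIP_PUBLIC))
    print("ARP for .123 on eth0 answered:",
          proxy_arp_replies("eth0", "198.51.100.123"))
```

The .123 case shows the limit of the trick: an address on the /29 with no route out another interface is not proxied, so only the SIP server's .122 is answered for on the modem side.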