[Discuss] Placing SIP Server in DMZ or use DNAT?
Derek Atkins
derek at ihtfp.com
Wed May 22 12:55:59 EDT 2019
Dan,
On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
>
> eth0: .121/29
> eth1: 10.1.1.1/30
> eth2: 192.168.0/24
> eth4: ...
>
> then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
> router adds a static route for .122/32 with 10.1.1.2 as a
> gateway. This avoids assigning competing subnets to different
> NICs.
Hmm. So how is the SIP server configured? Is it configured with eth0
having two IP addresses, .122/29 and 10.1.1.2/30? If not, then how does
the SIP server know it's supposed to be .122/29?
I'd also be worried that SIP would attempt to send out packets "from" its
.2/30 address? Don't you still need to NAT this, somehow?
> Yes, you need to turn on proxy arp on eth0:
>
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>
> so it will answer for the .122 when the modem asks.
>
> (If the modem spoke a routing protocol, you could advertise
> reachability through that, but odds are good it does not.)
I am fairly sure it does not. It's an Arris NVG599.
In my ACTUAL implementation I actually don't need proxyarp because I've
got one more box (which I didn't show earlier) which ensures that all of
the /29 traffic gets sent to the ERPro (except for .126/29, which gets
shunted over to the Modem). I could change that so that .122/29 gets sent
to the SIP box, and the rest to the ERPro. Or I could have it all sent to
the ERPro and then have the SIP box on another port -- but then I need to
figure out how to configure that port and how to configure the SIP server,
which I am still confused about as per above.
> -dsr-
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant