[Discuss] Placing SIP Server in DMZ or use DNAT?

Dan Ritter dsr at randomstring.org
Wed May 22 13:10:19 EDT 2019


Derek Atkins wrote: 
> Dan,
> 
> On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
> >
> > eth0:  .121/29
> > eth1:  10.1.1.1/30
> > eth2:  192.168.0/24
> > eth4: ...
> >
> > then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
> > router adds a static route for .122/32 with 10.1.1.2 as a
> > gateway. This avoids assigning competing subnets to different
> > NICs.
> 
> Hmm.  So how is the SIP server configured?  Is it configured with eth0
> having two IP addresses, .122/29 and 10.1.1.2/30?  If not, then how does
> the SIP server know it's supposed to be .122/29?
 
SIP server:

eth0     10.1.1.2/30
eth0:sip a.b.c.122/32

SIP server route:
default via 10.1.1.1  

Bind the SIP server only to the .122 address.

Incoming path: internet to modem looking for a.b.c.122. Modem
gets ARP from router, hands packet for .122 to the router.
Router hands it out via eth1 to 10.1.1.2, the SIP server, which
hands it to .122.

Return path: SIP server sends to x.y.c.d, only route is via
10.1.1.1, so it sends it that way.

> I'd also be worried that SIP would attempt to send out packets "from" its
> .2/30 address?  So don't you still need to NAT this, somehow?

I haven't set this up and tested it. I could be wrong.

> > Yes, you need to turn on proxy arp on eth0:
> >
> > echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> >
> > so it will answer for the .122 when the modem asks.
> >
> > (If the modem spoke a routing protocol, you could advertise
> > reachability through that, but odds are good it does not.)
> 
> I am fairly sure it does not.  It's an Arris NVG599.
> 
> In my ACTUAL implementation I actually don't need proxyarp because I've
> got one more box (which I didn't show earlier) which ensures that all of
> the /29 traffic gets sent to the ERPro (except for .126/29, which gets
> shunted over to the Modem).  I could change that so that .122/29 gets sent
> to the SIP box, and the rest to the ERPro. 

I think that last bit solves all the problems, doesn't it?

-dsr-
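As an added example (not from the thread or either poster), here is a shell script that reproduces the layout Dan describes in three Linux network namespaces, so the design can be tested offline before touching the real boxes. Assumptions: the RFC 5737 prefix 203.0.113.120/29 stands in for a.b.c, the modem sits at .126 as Derek mentions, and the interfaces are named modem0, rtr0/rtr1 (the router's eth0/eth1) and sip0 (the SIP server's eth0). The router answers the modem's ARP for .122 with a per-host proxy entry (`ip neigh add proxy`) rather than the blanket proxy_arp sysctl, which answers for every address the router routes out another interface. The `check` step also shows the point Derek raises: a socket on the SIP host that is not bound to .122 sources its packets from 10.1.1.2, and the `fix` step shows the `src` hint on the default route that makes .122 the preferred source regardless of what the application binds.

```shell
#!/bin/sh
# Lab for the thread's layout: three network namespaces stand in for the
# modem, the router (eth0 = rtr0, eth1 = rtr1) and the SIP server (eth0 = sip0).
# Assumptions: 203.0.113.120/29 replaces a.b.c.120/29; the modem is at .126.
# Run as root:  sh siplab.sh up && sh siplab.sh check && sh siplab.sh fix; sh siplab.sh down
set -eu

PUB=203.0.113
MODEM_IP=$PUB.126    # modem's address inside the /29
RTR_PUB=$PUB.121     # router eth0 (rtr0)
SIP_PUB=$PUB.122     # the SIP server's public address, carried as a /32 alias
RTR_XFER=10.1.1.1    # router eth1 (rtr1), transfer /30
SIP_XFER=10.1.1.2    # SIP server eth0 (sip0), transfer /30

# dotted quad -> 32-bit integer, pure shell
ip2int() {
    echo "$1" | { IFS=. read -r o1 o2 o3 o4; echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 )); }
}

# same_subnet A B PREFIXLEN: succeed when A and B share the /PREFIXLEN network.
# Used to sanity-check the address plan before any kernel state is touched.
same_subnet() {
    a=$(ip2int "$1"); b=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

up() {
    same_subnet "$RTR_XFER" "$SIP_XFER" 30 || { echo "transfer /30 mismatch" >&2; return 1; }
    same_subnet "$RTR_PUB" "$SIP_PUB" 29 || { echo ".122 is not inside the /29" >&2; return 1; }
    for ns in modem router sip; do ip netns add $ns; ip -n $ns link set lo up; done
    ip link add modem0 type veth peer name rtr0
    ip link add rtr1 type veth peer name sip0
    ip link set modem0 netns modem; ip link set rtr0 netns router
    ip link set rtr1 netns router;  ip link set sip0 netns sip
    ip -n modem addr add $MODEM_IP/29 dev modem0
    ip -n router addr add $RTR_PUB/29 dev rtr0
    ip -n router addr add $RTR_XFER/30 dev rtr1
    ip -n sip addr add $SIP_XFER/30 dev sip0
    ip -n sip addr add $SIP_PUB/32 dev sip0              # Dan's "eth0:sip a.b.c.122/32"
    ip -n modem link set modem0 up
    ip -n router link set rtr0 up; ip -n router link set rtr1 up
    ip -n sip link set sip0 up
    ip netns exec router sysctl -qw net.ipv4.ip_forward=1
    ip -n router route add $SIP_PUB/32 via $SIP_XFER      # the static host route
    ip -n sip route add default via $RTR_XFER             # the SIP box's only route
    # The modem ARPs for .122 on the /29 link. Dan's sysctl
    # (echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp) makes the router answer
    # for every address it routes out another interface; a per-host proxy entry
    # answers for .122 only, so the lab installs that instead.
    ip -n router neigh add proxy $SIP_PUB dev rtr0
}

check() {
    # Forward path: modem -> router (proxy ARP + host route) -> SIP box.
    ip netns exec modem ping -q -c1 -W1 $SIP_PUB
    # Return path with the socket bound to .122, as Dan recommends.
    ip netns exec sip ping -q -c1 -W1 -I $SIP_PUB $MODEM_IP
    # Derek's worry: an unbound socket gets the source address on sip0 that
    # matches the next hop, i.e. 10.1.1.2. Show it, then show the reply is lost
    # (the modem has no route back to 10.1.1.0/30 in this lab).
    ip -n sip route get $MODEM_IP | grep -q 'src 10.1.1.2'
    if ip netns exec sip ping -q -c1 -W1 $MODEM_IP; then
        echo "unexpected: unbound ping sourced from 10.1.1.2 was answered" >&2; return 1
    fi
}

# Fix for unbound sockets: make .122 the preferred source on the default route.
# Afterwards 'ip -n sip route get' reports src 203.0.113.122 and the unbound ping works.
fix() {
    ip -n sip route replace default via $RTR_XFER src $SIP_PUB
    ip -n sip route get $MODEM_IP | grep -q "src $SIP_PUB"
    ip netns exec sip ping -q -c1 -W1 $MODEM_IP
}

down() { for ns in modem router sip; do ip netns del $ns 2>/dev/null || true; done; }

case "${1:-}" in
    up) up ;; check) check ;; fix) fix ;; down) down ;;
    "") ;;                                  # no argument: only define the functions
    *) echo "usage: $0 up|check|fix|down" >&2; exit 2 ;;
esac
```

The lab deliberately leaves the modem without a default route, so the unanswered unbound ping in `check` is the observable form of Derek's concern; on a real link the reply would instead leave the modem toward the Internet with a private-range destination and be dropped upstream. Nothing in this setup requires NAT: the router only forwards, and the only thing that must be got right on the SIP host is which address its traffic is sourced from.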

