BLU Discuss list archive
[Discuss] Placing SIP Server in DMZ or use DNAT?
- Subject: [Discuss] Placing SIP Server in DMZ or use DNAT?
- From: derek at ihtfp.com (Derek Atkins)
- Date: Wed, 22 May 2019 09:45:30 -0400
- In-reply-to: <20190522133400.nwy7nrorauyl3vod@randomstring.org>
- References: <sjmimu239qd.fsf@securerf.ihtfp.org> <20190522133400.nwy7nrorauyl3vod@randomstring.org>
On Wed, May 22, 2019 9:34 am, Dan Ritter wrote:
> Option C: pretend NAT doesn't exist for the SIP server and:
>
>           .126         .121
> ISP -- <Modem> -- <firewall> -- intranet
>                         \-- <sip> .122
>
> route packets to .122 without NATting them. This assumes that
> you have an interface available on the firewall. You may want to
> use an RFC1918 /30 subnet between them.
I had considered this approach as well, but there are several issues with
it. The firewall is an Edgerouter-Pro-8. It doesn't like having the same
IP or even the same network on multiple ports. And it does not have a
hardware switch, so bridging ports is expensive.
So imagine this:
eth0: .121/29 (connected to ISP/Modem)
eth1: .121/29 (connected to SIP)
eth2: 192.168/24
eth3: class-C
I would need specific rules to route the /29 between eth0 and eth1. SIP
would need to be told that the default router is .121 instead of .126
(which I guess I can do). But the firewall would need to proxy-arp for
.122 in order to get the modem to send it everything. This is where the
demons lie.
I'm not sure where this /30 comes into play? Could you be more explicit?
> Then you can firewall stuff without NAT funkiness. NAT never
> makes SIP better.
Yeah, I know, which is why I'm leaning towards just putting it outside the
firewall (option 1).
Thanks,
> -dsr-
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
