BLU Discuss list archive
[Discuss] Placing SIP Server in DMZ or use DNAT?
- Subject: [Discuss] Placing SIP Server in DMZ or use DNAT?
- From: derek at ihtfp.com (Derek Atkins)
- Date: Wed, 22 May 2019 12:55:59 -0400
- In-reply-to: <20190522164456.mwuevpvfiptm65lc@randomstring.org>
- References: <sjmimu239qd.fsf@securerf.ihtfp.org> <20190522133400.nwy7nrorauyl3vod@randomstring.org> <45bafe943683a555a00c575d3cd92262.squirrel@mail2.ihtfp.org> <20190522164456.mwuevpvfiptm65lc@randomstring.org>
Dan,

On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
>
> eth0: .121/29
> eth1: 10.1.1.1/30
> eth2: 192.168.0/24
> eth4: ...
>
> then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
> router adds a static route for .122/32 with 10.1.1.2 as a
> gateway. This avoids assigning competing subnets to different
> NICs.

Hmm. So how is the SIP server configured? Is it configured with eth0 having two IP addresses, .122/29 and 10.1.1.2/30? If not, then how does the SIP server know it's supposed to be .122/29? I'd also be worried that SIP would attempt to send out packets "from" its .2/30 address? Don't you still need to NAT this, somehow?

> Yes, you need to turn on proxy arp on eth0:
>
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>
> so it will answer for the .122 when the modem asks.
>
> (If the modem spoke a routing protocol, you could advertise
> reachability through that, but odds are good it does not.)

I am fairly sure it does not. It's an Arris NVG599.

In my ACTUAL implementation I actually don't need proxyarp because I've got one more box (which I didn't show earlier) which ensures that all of the /29 traffic gets sent to the ERPro (except for .126/29, which gets shunted over to the Modem). I could change that so that .122/29 gets sent to the SIP box, and the rest to the ERPro. Or I could have it all sent to the ERPro and then have the SIP box on another port -- but then I need to figure out how to configure that port and how to configure the SIP server, which I am still confused about as per above.

> -dsr-

-derek

--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant