BLU Discuss list archive
[Discuss] Placing SIP Server in DMZ or use DNAT?
- Subject: [Discuss] Placing SIP Server in DMZ or use DNAT?
- From: derek at ihtfp.com (Derek Atkins)
- Date: Wed, 22 May 2019 13:14:29 -0400
- In-reply-to: <20190522171019.wfngbhoh4q4nh2wd@randomstring.org>
- References: <sjmimu239qd.fsf@securerf.ihtfp.org> <20190522133400.nwy7nrorauyl3vod@randomstring.org> <45bafe943683a555a00c575d3cd92262.squirrel@mail2.ihtfp.org> <20190522164456.mwuevpvfiptm65lc@randomstring.org> <5ae8650a761bf2ffc3bcfba69c87a208.squirrel@mail2.ihtfp.org> <20190522171019.wfngbhoh4q4nh2wd@randomstring.org>
Hi,

On Wed, May 22, 2019 1:10 pm, Dan Ritter wrote:
> Derek Atkins wrote:
>> Dan,
>>
>> On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
>> >
>> > eth0: .121/29
>> > eth1: 10.1.1.1/30
>> > eth2: 192.168.0/24
>> > eth4: ...
>> >
>> > then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
>> > router adds a static route for .122/32 with 10.1.1.2 as a
>> > gateway. This avoids assigning competing subnets to different
>> > NICs.
>>
>> Hmm. So how is the SIP server configured? Is it configured with eth0
>> having two IP addresses, .122/29 and 10.1.1.2/30? If not, then how does
>> the SIP server know it's supposed to be .122/29?
>
> SIP server:
>
> eth0 10.1.1.2/30
> eth0:sip a.b.c.122/32
>
> SIP server route:
> default via 10.1.1.1
>
> Bind the SIP server only to the .122 address.

I can bind SIP, but not necessarily other services.

> Incoming path: internet to modem looking for a.b.c.122. Modem
> gets ARP from router, hands packet for .122 to the router.
> Router hands it out via eth1 to 10.1.1.2, the SIP server, which
> hands it to .122.
>
> Return path: SIP server sends to x.y.c.d, only route is via
> 10.1.1.1, so it sends it that way.

The problem here is that any "unbound" service will choose the 10.1
address when going out the route to 10.1.1.1.

>> I'd also be worried that SIP would attempt to send out packets "from"
>> its .2/30 address? So don't you still need to NAT this, somehow?
>
> I haven't set this up and tested it. I could be wrong.

I've had issues with multi-homed (on the same port) servers in the past.
It can get confused about what the source IP should be, and that can
cause issues elsewhere/later. Of course this is where NAT comes into
play -- you could change 10.1.1.2 <-> a.b.c.122..

>> > Yes, you need to turn on proxy arp on eth0:
>> >
>> > echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>> >
>> > so it will answer for the .122 when the modem asks.
>> >
>> > (If the modem spoke a routing protocol, you could advertise
>> > reachability through that, but odds are good it does not.)
>>
>> I am fairly sure it does not. It's an Arris NVG599.
>>
>> In my ACTUAL implementation I actually don't need proxyarp because I've
>> got one more box (which I didn't show earlier) which ensures that all of
>> the /29 traffic gets sent to the ERPro (except for .126/29, which gets
>> shunted over to the Modem). I could change that so that .122/29 gets
>> sent to the SIP box, and the rest to the ERPro.
>
> I think that last bit solves all the problems, doesn't it?

No, this last bit is if I wanted the SIP server outside my gateway. This
was my original option 1.

> -dsr-

-derek

--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
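As an added illustration of the layout Dan sketches (not code from the thread), this script lays out the /30 transit link, the public /32 alias and proxy ARP as `ip` commands, and puts a `src` hint on the SIP host's default route, which is what covers Derek's concern about unbound services picking the 10.1 address. Addresses are placeholders (203.0.113.0/29 stands in for the thread's a.b.c.120/29) and interface names follow the thread; with DRY_RUN=1 (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example; placeholder addresses from the RFC 5737 documentation range.
set -eu

PUB_SIP="203.0.113.122"        # public address the SIP server answers on (thread: a.b.c.122)
ROUTER_PUB="203.0.113.121/29"  # router's public address on eth0 (thread: .121/29)
LINK_ROUTER="10.1.1.1"         # router side of the /30 transit link (eth1)
LINK_SIP="10.1.1.2"            # SIP host side of the /30 transit link
DRY_RUN="${DRY_RUN:-1}"        # 1 = print commands; 0 = apply them (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router: public /29 on eth0, transit /30 on eth1, forwarding, proxy ARP so the
# modem's ARP for .122 is answered on eth0, and a host route that sends .122 down
# the transit link instead of treating it as on-link in the /29.
configure_router() {
  run ip addr add "$ROUTER_PUB" dev eth0
  run ip addr add "$LINK_ROUTER/30" dev eth1
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w net.ipv4.conf.eth0.proxy_arp=1
  run ip route add "$PUB_SIP/32" via "$LINK_SIP" dev eth1
}

# SIP host: the /30 plus the public /32 as a second address on eth0. The 'src'
# hint on the default route makes every locally originated packet that has no
# explicit bind leave with the public address, so services that cannot be bound
# to .122 no longer go out as 10.1.1.2 and no 10.1.1.2 <-> .122 NAT is needed.
configure_sip_host() {
  run ip addr add "$LINK_SIP/30" dev eth0
  run ip addr add "$PUB_SIP/32" dev eth0
  run ip route add default via "$LINK_ROUTER" dev eth0 src "$PUB_SIP"
}

# After applying: ask the kernel which source it would pick for an outbound
# packet; the answer should be "src 203.0.113.122".
check_source_selection() {
  ip route get 192.0.2.1 2>/dev/null | grep -o 'src [0-9.]*'
}

configure_router
configure_sip_host
```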