Hello all,
I have a PBX with a CentOS OS with 2 NICs, with phones running off of 1 interface with no internet access and a 2nd interface that is connected to the local LAN with access to the internet.
Phones are on PBX NIC 1 on the 10.1.1.x/24 subnet with the PBX at 10.1.1.2. Phones do not have a gateway provisioned in their config.
The PBX NIC 2 is on the LAN, which is 192.168.1.2, with a gateway of 192.168.1.1.
Is it possible to add a route to the PBX on the 10.1.1.x network that will get the phones to use the gateway on the second NIC 192.168.1.2?
If a route can be added, I would expect I would set the gateway in the phones to be 10.1.1.2.
Thanks in advance, GW
Two NICs one Internet
Re: Two NICs one Internet
You have phone "A" with address 10.1.1.8 that wants to connect to forums.centos.org (that has address C).
The connecting program creates a packet with FROM=10.1.1.8,TO=C
In the current config C is not in 10.1.1.0/24 and A does not have additional routes: "no route to host".
If A is given 10.1.1.2 as gateway, as default route, i.e. "if you don't know a better route, then send to 10.1.1.2", then A will send the packet to 10.1.1.2.
What will the pbx do with that packet? C is not in 10.1.1.0/24 nor in 192.168.1.0/y, but the pbx has a default route;
The packet should be routed to 192.168.1.1.
The pbx will do this, if:
1. Routing, aka forwarding is enabled, and
2. Firewall in the pbx allows forwarding of new packets from 10.1.1.0/24 to 192.168.1.0/y
Let's say that happens. Then 192.168.1.1 gets the "FROM=10.1.1.8,TO=C" packet.
Let's further assume that the packet goes forward and a reply arrives back. Now 192.168.1.1 has a packet "FROM=C,TO=10.1.1.8".
How does 192.168.1.1 know where 10.1.1.8 is? If it is a typical edge router, then it knows only the 192.168.1.0/y and the "outside".
One option is to give that router an additional route: to 10.1.1.0/24 via 192.168.1.2.
The second option is to add an SNAT rule to the pbx. Rather than sending "FROM=10.1.1.8,TO=C" to 192.168.1.1 it can send "FROM=192.168.1.2,TO=C".
Then the reply will have "FROM=C,TO=192.168.1.2", which 192.168.1.1 knows to forward to the pbx.
Due to the SNAT state the pbx will then send "FROM=C,TO=10.1.1.8" to 10.1.1.8.
There is a "masquerade" option in FirewallD that is essentially SNAT.
Summary:
* set the gateway in the phones to be 10.1.1.2
* enable IP forwarding in pbx
* allow forwarding in firewall in pbx
* masquerade 10.1.1.0/24 to 192.168.1.0/y traffic in pbx
The things to do in pbx may be explained in https://access.redhat.com/documentation ... _firewalls
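The four summary steps above as a worked example, added here and not part of jlehtone's post or any CentOS documentation. It writes the pbx side with iptables, since that is the firewall the original poster has; step 1 (gateway 10.1.1.2) belongs in the phones' provisioning, not on the pbx. The interface names eth0 (holding 10.1.1.2) and eth1 (holding 192.168.1.2) and the sysctl drop-in file name are assumptions; override PHONE_IF and LAN_IF for your box. By default the script only prints each command; run it as root with APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): the pbx-side steps of the summary as
# iptables commands. Assumed names: PHONE_IF = NIC holding 10.1.1.2,
# LAN_IF = NIC holding 192.168.1.2, SYSCTL_FILE = drop-in for persistence.
# Dry run by default: commands are printed, not executed. APPLY=1 runs them.

PHONE_NET="10.1.1.0/24"
PHONE_IF="${PHONE_IF:-eth0}"                      # assumed interface name
LAN_IF="${LAN_IF:-eth1}"                          # assumed interface name
SYSCTL_FILE="/etc/sysctl.d/99-pbx-forward.conf"   # assumed file name

# run: print the command, and execute it only when APPLY=1
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# Step 2: enable IP forwarding now, and persist it across reboots
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "${APPLY:-0}" = "1" ]; then
        printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_FILE"
    else
        echo "# would write 'net.ipv4.ip_forward = 1' to $SYSCTL_FILE"
    fi
}

# Step 3: allow the pbx to forward phone -> LAN connections, and only the
# replies (conntrack ESTABLISHED/RELATED) back toward the phones. -I puts
# the rules ahead of any REJECT rule sitting at the end of FORWARD, as in
# the stock CentOS iptables ruleset.
forward_rules() {
    run iptables -I FORWARD -i "$PHONE_IF" -o "$LAN_IF" -s "$PHONE_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD -i "$LAN_IF" -o "$PHONE_IF" -d "$PHONE_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Step 4: masquerade (SNAT to the LAN NIC's address) so the edge router sees
# FROM=192.168.1.2 and never needs a route to 10.1.1.0/24.
masquerade_rule() {
    run iptables -t nat -A POSTROUTING -s "$PHONE_NET" -o "$LAN_IF" -j MASQUERADE
}

# Keep the rules across reboots (iptables-services)
save_rules() {
    run service iptables save
}

# Checks worth running after APPLY=1: forwarding flag and the live rule sets
verify() {
    run sysctl -n net.ipv4.ip_forward
    run iptables -S FORWARD
    run iptables -t nat -S POSTROUTING
}

enable_forwarding
forward_rules
masquerade_rule
save_rules
verify
```

Because the pbx has a fixed LAN address, `-j SNAT --to-source 192.168.1.2` would do the same job as MASQUERADE; MASQUERADE just picks the outgoing interface's address at run time. Fail2ban's iptables actions hook the INPUT chain, so they are not touched by these FORWARD and nat rules. The forwarding rules are deliberately one-directional: nothing on the LAN side can open a new connection to a phone through the pbx, only replies to what the phones started get back.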
Re: Two NICs one Internet
Thank you for the reply jlehtone! It looks like you have the scenario correct.
Your option #1 is a no go for me, as in these instances I typically don't have access to the routers, so adding routing to them is not an option.
Option 2 sounds promising, as it looks like I don't need to touch the router.
I will look through the docs at your link and see if I can figure out the SNAT and Masquerade. The system uses iptables for the firewall, as that's what's bundled in the system with Fail2ban.
Thanks again