2 interfaces (one local phones, one external voip trunk)?


Hey guys,
I just got a business sip-trunk from vodafone.
They are using a registrar-less connection.
So I have one dedicated external ip that is assigned to the voip-trunk.

On my opnsens-firewall I configured a 1:1 NAT for that particular IP and directed it to a dedicated interface on freepbx.

So freepbx has
a) eth0: -> opnsense -> internet public IP for voip-trunk
b) eth1: -> local voip-net

On eth1 I have all my local voip phones.
On eth0 I ONLY want to have my external trunk (no remote phones)

If I setup the trunk now, how can I specify which interface it should use?
Do I have to setup some iptables manually?
What about the freepbx-firewall. Do I need it at all, as I only allow port 5060 and 10000… ?


There are different ways of doing that. One is to specify the static route on the desired interface to reach the IP of your provider. Are both interfaces on FreePBX on the same subnet or different ones? If both interfaces are on the same subnet it might be a little trickier.



both interfaces are in different subnets.
Should I add this static route manually or is there a gui way?


Manually only. Take a look at CentOS manual on how to add static routes. Is just a matter of creating a text file in the correct directory with the correct file name, I just don’t remember exactly right now, but that is how I did it and it was quite straightforward.

(Dave Burgess) #5

Another way to approach this is to set up the machine so you ignore the “external” interface since you are using a NAT anyway.

  • Don’t use a 1:1 NAT. Instead, set up normal NAT rules in the firewall and add inbound ALLOW rules for your ITSP’s IP addresses, then add redirection rules for your ITSP’s SIP connections in the firewall. This way, you can set up the incoming in PJ-SIP and have a single trunk for your incoming traffic (from the IP address of your provider) and can route the calls to that same set of addresses. Additionally, you should redirect UDP ports 10000:20000 to your PBX.

One you have the NAT relationship set up, you can use the normal connections for your PBX through the default route at your Firewall and you don’t have to try to figure out which is NAT and which isn’t. You should set the NAT=YES in the extensions, but PJ-SIP is supposed to take care of the NAT issues for you. You can set it to YES as well.

I tried to set up a dual-interface system recently (one interface is connected directly to the Internet, the other is on the local interface) and had to do a lot of hand-work to get it all working the way I wanted it to.


It depends on the scenario. I have several dual-nic setups and it was just a matter of defining the static routes. In my case, I connect the public IP directly to FreePBX, not through a router, as that connection is only intended for the connection to the VoIP provider anyway.


Hi Dave,

I’m not sure if this will work out.
I need to make sure that all outgoing sip traffic (PBX->VF-SBC) uses one specific public IP (I have 10 public IPs). So a 1:1 NAT assures that this is happening. Maybe I can redirect outgoing traffic to a specific public IP by another rule but that’s what 1:1 NAT is normally made for…

I will try to add a static route now. As long as freepbx is not overriding those settings


The static route is OS based so FreePBX will not override it.

Take a look a the following link, where it says how to a add a permanent route.



I added a temporary route first. I can see now on my firewall that it uses the right interface.
Unfortunately I still cannot connect to vodafone but I think that’s another topic.
I don’t have any information how vodafone is expecting the connection…

I only received this:

Realm-SIP Domän: xxxxxx.ngn.vodafone.de
One Group (VPN) ID: xxxxxx
Kunden PBX: xx.xx.xx.xx Port: 5060 UDP
VF-SBC IP + Port: Port: 5060 UDP
Sprachkanäle: 4

(system) closed #10

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.