2 NICs - can't access Trixbox web interface from Internet

We have a Trixbox that is successfully set up with 2 NICs, with one issue remaining.

The LAN NIC (ETH0) serves our office, where people can successfully make phone calls via softphone through the Trixbox; these get routed through the second NIC (ETH1), which has a public IP and is connected to a dedicated line just for VOIP traffic (we cannot come in on this IP for web admin access).

Internally in the office we can reach the Trixbox web interface on the local IP 172.17.148.197, BUT when we try to access it from the Internet it does not work. Below are the settings from Network Parameters in the Trixbox web admin:

Default Gateway: ###.114.27.161
Ethernet 0 STATIC 172.17.148.197 255.255.255.0
Ethernet 1 STATIC ###.114.27.162 255.255.255.240

###.114.27.161 = the public internet address (### used just for security/anonymity)

Now the interesting thing is if we change the Default Gateway above on the Trixbox to 172.17.148.4 (which is the ASTARO Firewall/Gateway on our LAN) then we can access the web config from the Internet BUT VOIP calls no longer work. :frowning:

So it seems we can have VOIP calls via trunk OR remote access to web admin but not both.

We know our Astaro firewall is NATing OK, as when the gateway is set to its local IP 172.17.148.4 we have access OK. The puzzling thing is that even when the Default Gateway is set to the external IP on ETH1, ###.114.27.161, we can access the web admin from inside the office LAN but cannot via the Internet. I would have thought that, given we had tested that the firewall is NATing properly, the web-forwarded packets would just look like local packets to the Trixbox, and access would either work or not work for web packets that come from the firewall 172.17.148.4 exactly the same as for those from a typical LAN machine's browser at 172.17.148.5.

It 'feels' like somehow the web packets are being identified and treated differently.

There must be some setting somewhere I am missing; hope someone can help :slight_smile:

I set up systems with 2 NICs all the time. What device is ###.114.27.161?

Looking at the voice traffic route coming from the service provider:

###.114.5.126 is the input from Our Service Provider to our CISCO 1900 Router.

###.114.27.161 is the ip address output of our CISCO Router.

###.114.27.162 is the ip of the NIC card of the Trixbox - this is connected via Ethernet cable to CISCO Router.

The VOIP network is therefore very small: just a single Ethernet connection from the Trixbox NIC to the Cisco router, and then a second Ethernet cable from the Cisco router to a converter that converts the Ethernet signal to optical, as the traffic to/from the service provider is via optical cable.

VOIP works fine; it is just Internet access to the web admin interface (via the other NIC) that does not.

Do you know that the trixbox software has been abandoned? You should not be deploying trixbox; it is unsupported and full of bugs.

We, the genuine authors of FreePBX have an ISO distro you can download.

For no Internet access, can you ping the default gateway? What about 4.2.2.2? Is DNS set up? What is the output of the route command? Are you sure you don't have a gateway on the second interface by accident?

The Trixbox is a legacy install at a client's site. To persuade them to swap to FreePBX (which I would like to do!) I will need to show I can fix this issue, as their system is working fine otherwise and "Better the devil you know" is what they think ;-O

Below is the output of the route command on the machine.
I can confirm we can successfully ping 4.2.2.2, 172.17.148.4 (the Astaro firewall on the LAN) and 115.114.27.161 (the current default gateway set on the Trixbox).

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
115.114.27.160  *               255.255.255.240 U     0      0        0 eth1
172.17.148.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         115.114.27.161  0.0.0.0         UG    0      0        0 eth1
```

The contents of resolv.conf are:

```
nameserver 4.2.2.2
nameserver 121.242.190.211
```

Pinging google.com does not work, but I can't see how DNS can be the thing that blocks us from accessing the Trixbox web interface from the Internet (via the Astaro firewall on the LAN), as we are trying to do this via IP address only, not by a domain name.
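The route table posted above is enough to model where the Trixbox sends its replies. The following is an added example (not code from this thread, from Trixbox or from FreePBX): it transcribes the posted main table as data, performs the same longest-prefix-match lookup the kernel does per table, and then adds a source-based policy rule (the `ip rule` / `ip route ... table N` mechanism in iproute2) to show how replies sourced from 172.17.148.197 could be sent back through the Astaro at 172.17.148.4 while the default route, and therefore the VOIP traffic from the eth1 address, stays on the Cisco router. It assumes the Astaro forwards the browser's connection with the Internet client's source address preserved (a DNAT port forward). The client address 203.0.113.10 is a constructed documentation-range stand-in, and the table number 100 and the name "lanreturn" are arbitrary choices for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    iface: str
    gateway: Optional[IPv4Address] = None  # None = directly connected ('*' in route output)

    def describe(self) -> str:
        return f"{self.iface} on-link" if self.gateway is None else f"{self.iface} via {self.gateway}"


@dataclass(frozen=True)
class Rule:
    src: IPv4Network  # the 'from' selector of an ip rule
    table: str


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one routing table, as the kernel does per table."""
    best = None
    for r in table:
        if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def route_reply(tables: Dict[str, List[Route]], rules: List[Rule], src: str, dst: str) -> str:
    """Policy routing: walk the rules in order and consult the named table on a match;
    fall through to 'main' when no rule yields a route (the stock rule set does this)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src:
            hit = lookup(tables[rule.table], d)
            if hit is not None:
                return hit.describe()
    hit = lookup(tables["main"], d)
    return hit.describe() if hit is not None else "unreachable"


# The main table transcribed from the 'route' output posted in the thread.
MAIN = [
    Route(IPv4Network("115.114.27.160/28"), "eth1"),
    Route(IPv4Network("172.17.148.0/24"), "eth0"),
    Route(IPv4Network("169.254.0.0/16"), "eth1"),
    Route(IPv4Network("0.0.0.0/0"), "eth1", IPv4Address("115.114.27.161")),
]

# Assumed extra table for traffic sourced from the LAN address (table id/name are arbitrary).
LAN_RETURN = [
    Route(IPv4Network("172.17.148.0/24"), "eth0"),                              # LAN hosts stay direct
    Route(IPv4Network("0.0.0.0/0"), "eth0", IPv4Address("172.17.148.4")),       # everything else back via the Astaro
]

TABLES = {"main": MAIN, "lanreturn": LAN_RETURN}
RULES = [Rule(IPv4Network("172.17.148.197/32"), "lanreturn")]

# Constructed endpoints: 203.0.113.10 stands in for a browser somewhere on the Internet.
WEB_SERVER, LAN_PC, INTERNET_CLIENT = "172.17.148.197", "172.17.148.5", "203.0.113.10"
VOIP_NIC, PROVIDER = "115.114.27.162", "115.114.5.126"


def ip_commands(table_id: int = 100) -> List[str]:
    """The iproute2 commands that would install LAN_RETURN and RULES on the box."""
    cmds = []
    for r in LAN_RETURN:
        dest = "default" if r.dest.prefixlen == 0 else str(r.dest)
        via = f" via {r.gateway}" if r.gateway else ""
        cmds.append(f"ip route add {dest}{via} dev {r.iface} table {table_id}")
    for rule in RULES:
        cmds.append(f"ip rule add from {rule.src} table {table_id}")
    return cmds


if __name__ == "__main__":
    for label, rules in (("as posted", []), ("with policy rule", RULES)):
        print(f"[{label}]")
        print("  reply to LAN PC        ->", route_reply(TABLES, rules, WEB_SERVER, LAN_PC))
        print("  reply to Internet user ->", route_reply(TABLES, rules, WEB_SERVER, INTERNET_CLIENT))
        print("  SIP/RTP to provider    ->", route_reply(TABLES, rules, VOIP_NIC, PROVIDER))
    print("\n".join(ip_commands()))
```

With the table as posted, a reply to the LAN PC is on-link on eth0, but a reply to the Internet client matches only the default route and leaves eth1 towards the Cisco router with the private source 172.17.148.197; the Astaro, which holds the NAT state for that connection, never sees the return packet, which is the "works from the LAN, not from the Internet" pattern in the thread. The rule steers only packets sourced from the eth0 address into the second table, so the VOIP traffic sourced from 115.114.27.162 still goes via 115.114.27.161. Had the Astaro instead masqueraded the forwarded connection to 172.17.148.4, the reply would already return over the connected 172.17.148.0/24 route and no extra table would be needed.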

Well, if you want to retain the customer you might want to tell them not to expose the trixbox web interface to the Internet. It was not designed to do this and is full of security holes. You will be looking at a huge phone bill in no time.

Second, trixbox is a major liability. If someone hits update by accident the system will be trashed and basically unrecoverable.

Lastly, if that’s your real IP you should not post it, but in any case a traceroute to the IP dies at your carrier. If you trace out from the trixbox you see it hitting the 114,113.27.161 gateway. I can trace to your gateway just fine. Are you sure you don’t have the iptables firewall running on the trixbox?