2 NICs - can't access Trixbox web interface from Internet

We have a Trixbox that is successfully setup with 2 NICs, with one issue remaining

The LAN NIC (ETHO) serves our office where people can successfully make phone calls via Softphone through Trixbox and these get routed through the second NIC (ETH1) which has a public IP and is connected to a dedicated line just for VOIP traffic (we cannot come in on this IP for web admin access).

Internally in the office we can reach the Trixbox web interface on Local IP BUT when we try to access it from the internet it does not work. Below are the settings from Network Parameters on TRixbox web admin:

Default Gateway: ###.114.27.161
Ethernet 0 STATIC
Ethernet 1 STATIC ###.114.27.162

###.114.27.161 = the public internet address (### used just for security/anonymity)

Now the interesting thing is if we change the Default Gateway above on the Trixbox to (which is the ASTARO Firewall/Gateway on our LAN) then we can access the web config from the Internet BUT VOIP calls no longer work. :frowning:

So it seems we can have VOIP calls via trunk OR remote access to web admin but not both.

We know Our Astaro Firewall is NATing OK as when Gateway on Astaro is set to is localIP we have access OK. The puzzling thing is that even when Default Gateway is set as the External IP on ETH1 ###.114.27.161 that we can access the webadmin from inside the office LAN but cannot via Internet. I would have thought that given we had tested Firewall is NATing properly the web-forwarded packets would just look like local packets to Trixbox and access would either work or not work for web packets that come from Firewall exactly the same as from a typical LAN machine browser

It ‘feels’ like somehow the webpackets are being identified and treated differently

There must be some setting somewhere I am missing - hope someone can help :slight_smile:

I set up systems with 2 NICs all the time. What device is ###.114.27.161?

Looking the the Voice traffic route coming from the service provider>>>

###.114.5.126 is the input from Our Service Provider to our CISCO 1900 Router.

###.114.27.161 is the ip address output of our CISCO Router.

###.114.27.162 is the ip of the NIC card of the Trixbox - this is connected via Ethernet cable to CISCO Router.

The VOIP Network is therefore very small - just a single ethernet connection from Trixbox NIC to Cisco Router and then a second ethernet cable from Cisco Router to a Converter that converts the Ethernet signal to Optical as the traffic to/from the Service Provider is via Optical cable.

VOIP works fine is just internet access to the web admin interface (via the other NIC) that does not

Do you know that trixbox software has been abandoned? You should not be deploying trixbox it is unsupported and full of bugs.

We, the genuine authors of FreePBX have an ISO distro you can download.

For no internet access, can you ping default gateway? What about Is DNS setup? What is output of route command? You sure you don’t have a gateway on second interface by accident.

The Trixbox is a legacy install at a client’s site. To persuade them to swap to FreePBX (which I would like to do!) I will need to show I can fix this issue as their system is working fine otherwise and “Better the Devil you know” is what they think ;-O

Below is the output of the ROUTE command on the machine
I can confirm we can successfully Ping and (The ASTARO firewall on the LAN) and (current Default gateway set on Trixbox)

Destination Gateway Genmask Flags Metric Ref Use Iface * U 0 0 0 eth1 * U 0 0 0 eth0 * U 0 0 0 eth1
default UG 0 0 0 eth1

The output of resolv.conf is

Ping Google.com does not work - but I can’t see how DNS can be the thing that blocks us accessing the Trixbox web interface from internet (via Astaro firewall on LAN) as we are trying to do this via IP address only not by a domain name

Well if you want to retain the customer you might want to tell them to expose the trixbox web interface to the Internet. It was not resigned to do this and full of security holes. You will be looking at a huge phone bill in no time.

Second, trixbox is a major liability. If someone hits update by accident the system will be trashed and basically unrecoverable.

Lastly, if that’s your real IP you should not post it, but in any case a traceroute to the IP dies at your carrier. If you trace out from the trixbox you see it hitting the 114,113.27.161 gateway. I can trace to your gateway just fine. Are you sure you don’t have the iptables firewall running on the trixbox?