2 NICs, one for LAN, one for WAN. Recommended?

I keep reading how NAT is not recommended so I figured I'd use two NICs, one for the WAN with a dedicated public IP and one for the LAN. The FreePBX firewall is great, right? So no problem. But it’s acting weird; I can ping both NICs from the LAN but can’t ping the WAN IP from the WAN (Internet). Before I post my exact configuration, anyone got advice on whether or not this is a good idea, and if it is, general configuration? If it’s not a good idea, what would be a better configuration?

Post your exact configuration or we all have to guess :slight_smile:

Let me know if I missed anything.

Please expand.

If you can’t ping the WAN IP from the ‘internet’, then your router, presumably present at the ‘WAN IP’, would be responsible for replying to ICMP; is it set up to do that? If you are inside the LAN, then you need to ‘hairpin’ that service.

(SIP does not rely on ICMP; it needs the bind port forwarded and allowed to/from your server.)

You should have a single default gateway, the interface where you want all traffic to go by default.

But you can have other gateways that route specific traffic appropriately but not the default route; add a metric if you need to.

Good start:

ip route add 10.11.0.0/24 via 10.11.0.1

Pretty sure I’m missing the obvious. If NAT is never recommended, doesn’t that mean the server needs to be connected directly to the Internet? And if it is, connecting phones would have to be through that public IP, a 2nd NIC on the LAN, or VPN. Right?

  1. What is best practice? What is most common?

  2. If using 2 NICs is best practice, it seems that I’m overcomplicating things (a specialty of mine). Would I be better off to use a single NIC connected directly to the Internet and have phones use that public IP address for the server? Since the local phones are on the same public network (/29), they would only be 1 hop away via the ISP router.

If you have a choice, NAT is not the preferred configuration, but there are MANY systems behind a NAT router that successfully have trunks and remote endpoints working just fine. It’s not difficult to configure Asterisk to work with this setup, the problems (if there are any) are usually introduced by the NAT router.

A two-NIC setup should work fine. Configure the LAN NIC with an IP and subnet, but no default gateway. Configure the WAN NIC with the default gateway. If you are using LAN subnets that fall outside of the LAN /29 range, you will need to define static routes for each as Dicko noted.


I’m about to remove the LAN gateway but wanted to ask one point of clarification first: why LAN /29? The 2 LAN networks I’m using are both /24 (and the local router has routes between them). The WAN network is a /29 though.

Just my sloppy reading, you know your network better than I do :slight_smile:

No problem - I pretty much assume I’m missing something most of the time. Ha!

Here goes…


Still don’t have it quite right. After removing the gateway from the LAN interface and rebooting, I can now ping the public IP from the LAN and from the WAN. But I can no longer ping to/from the LAN interface. I’m guessing I simply don’t understand the routes/routing well enough. Suggestions?

An example (with 1 private network):

Interface eth0
IP: 192.168.0.2
SUBNET: 255.255.255.0
Gateway: 192.168.0.1 (your router’s IP)

Interface eth1
IP: 192.168.0.3
SUBNET: 255.255.255.0
no gateway leave blank

Set all phones to use the address of eth1 to provision and communicate with the PBX (the server IP).

Traffic for the phones will go to eth1; all traffic from the PBX to the SIP provider will use eth0.

Same example with 2 private networks (VLANs):

Interface eth0
IP: 192.168.0.2
SUBNET: 255.255.255.0
Gateway: 192.168.0.1 (your router’s IP)

Interface eth1
IP: 192.168.2.3
SUBNET: 255.255.255.0
no gateway leave blank

This would require a router and switch that can do VLANs so that you are putting the phones on a separate VLAN (network) from the one the PBX is communicating with your carrier or SIP provider on. This example keeps multicast, broadcast and other network chatter from interfering so much.
Although I don’t always use two NICs, I almost always put my PBX and phones on their own network or VLAN separate from computers etc.
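The routing behaviour described in the replies above (one default gateway, on the WAN NIC; static routes for any LAN subnet the PBX is not directly connected to) can be checked on paper before touching a live box. The following is an added example, not part of the original thread and not FreePBX or Asterisk code: a small Python model of the kernel's route selection (longest prefix match, then lowest metric) run against the three states the thread goes through: a gateway on both NICs, the LAN gateway removed, and the LAN gateway removed plus a static route for the second LAN. All addresses are constructed stand-ins: 203.0.113.0/29 for the public WAN /29, 192.168.1.0/24 for the LAN the PBX sits on, 192.168.2.0/24 for the second LAN /24 behind the local router at 192.168.1.1. The `ip_route_add` helper just renders a route in the same `ip route add ... via ...` form shown earlier in the thread.

```python
"""Model of the Linux route lookup for a two-NIC PBX (added example).

Longest prefix wins; among equal prefixes the lowest metric wins. That is
how two competing default routes get resolved, and it is why a reply can
leave on the "wrong" NIC even though the PBX itself is reachable.
All IPs below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # "0.0.0.0/0" is a default route
    dev: str                    # outgoing interface
    via: Optional[str] = None   # next hop; None means directly connected (on-link)
    metric: int = 0


def lookup(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (interface, next_hop) the kernel would choose for dst,
    roughly what `ip route get <dst>` prints."""
    addr = ip_address(dst)
    best_key, best = None, None
    for r in table:
        net = ip_network(r.prefix, strict=False)
        if addr not in net:
            continue
        key = (net.prefixlen, -r.metric)   # longer prefix, then lower metric
        if best_key is None or key > best_key:
            best_key, best = key, r
    if best is None:
        raise LookupError(f"no route to {dst}")
    # On an on-link route the packet goes straight to the destination.
    return best.dev, (best.via if best.via else dst)


def ip_route_add(r: Route) -> str:
    """Render a route as the `ip route add` command that installs it."""
    cmd = f"ip route add {r.prefix}"
    if r.via:
        cmd += f" via {r.via}"
    cmd += f" dev {r.dev}"
    if r.metric:
        cmd += f" metric {r.metric}"
    return cmd


WAN_IF, WAN_GW = "eth0", "203.0.113.1"   # constructed: ISP router on the /29
LAN_IF, LAN_GW = "eth1", "192.168.1.1"   # constructed: local LAN router

# Connected routes the kernel adds by itself once each NIC has an address.
CONNECTED = [Route("203.0.113.0/29", WAN_IF), Route("192.168.1.0/24", LAN_IF)]

# State 1 (as first posted): a gateway on both NICs, so two default routes.
# Whichever default has the lower metric carries everything not on-link.
TWO_DEFAULTS = CONNECTED + [
    Route("0.0.0.0/0", LAN_IF, LAN_GW, metric=100),
    Route("0.0.0.0/0", WAN_IF, WAN_GW, metric=101),
]

# State 2 (LAN gateway removed): a single default route via the WAN.
WAN_DEFAULT_ONLY = CONNECTED + [Route("0.0.0.0/0", WAN_IF, WAN_GW)]

# State 3: plus a static route for the second LAN via the local router.
SECOND_LAN = Route("192.168.2.0/24", LAN_IF, LAN_GW)
WITH_STATIC = WAN_DEFAULT_ONLY + [SECOND_LAN]

INTERNET_HOST = "198.51.100.7"     # constructed: a host pinging from the Internet
SECOND_LAN_PHONE = "192.168.2.20"  # constructed: a phone on the other LAN /24

if __name__ == "__main__":
    for name, table in (("two defaults", TWO_DEFAULTS),
                        ("WAN default only", WAN_DEFAULT_ONLY),
                        ("with static route", WITH_STATIC)):
        print(f"[{name}]")
        for dst in (INTERNET_HOST, SECOND_LAN_PHONE, "192.168.1.50"):
            dev, hop = lookup(table, dst)
            print(f"  reply to {dst:<15} leaves {dev} via {hop}")
    print(ip_route_add(SECOND_LAN))
```

With two default routes the reply to an Internet ping leaves on eth1 towards the LAN router, which matches the "can ping from the LAN but not from the WAN" symptom. Dropping the LAN gateway sends that reply out eth0, but now anything on 192.168.2.0/24 is also sent to the WAN gateway, which is the "lost the LAN interface" symptom; the static route puts the second LAN back behind the local router while keeping a single default gateway.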
