Double NAT Issue

Hi Guys,

I have a fresh FreePBX install in Australia that is behind a double NAT. The Telstra provided DSL router has its own subnet 192.168.15.x/24 and I have a Sophos XG Firewall behind that with a 192.168.4.x/24 subnet. All ports UDP/TCP are forwarded from the Telstra modem to the Sophos firewall. The PBX shows all green in the connectivity/Sipstation tab including the firewall check. I can make outbound and inbound calls but no audio either way. I can’t change the modem, I need my firewall and I can’t set up a VPN or IAX trunks between the two networks. Does anyone have any other solutions that might work? It appears some people have gotten double NATs to work with FreePBX and others say it is impossible. Any help would be appreciated. Thanks.

It’s difficult; to be honest, I never tried to use a double NAT, but can’t you use two NIC interfaces on your PBX?
External Interface connected to your 192.168.15.0/24 network
Internal Interface connected to your 192.168.4.0/24

That should solve everything.
It’s that, or configuring your second router as a bridge, but I guess that’s not what you want.

A properly working double NAT is indistinguishable from a single NAT and is normally not a problem.

That sounds like you used a DMZ or similar function, which will not preserve source port numbers correctly. Please confirm that you have forwarded UDP ports 10000-20000, the SIP ports, and any ports needed for non-PBX use, e.g. inbound VPN or management access.

Because it was provisioned by Telstra with authentication data they won’t tell you? If some other reason, please explain.

Sure, for other assets, but why can’t you put the PBX on the 192.168.15.x network? You don’t trust the FreePBX firewall?

Are your extensions local and on the 192.168.4.x network? If not, please explain.

Do calls between extensions have proper two-way audio and can stay connected for more than 30 seconds?

I know nothing about Sophos, but assume it has some sort of packet capture feature. Can you see whether RTP from a calling extension is being passed to the Telstra with correct addresses and port numbers?

Do you have any trunks other than SIPStation? If so, do they have the same issue?
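The reply above asks whether RTP leaves with correct addresses and port numbers. As an added example (not part of the thread), this Python check reads the SDP of a captured SIP message and flags an RFC 1918 media address or an RTP port outside the 10000-20000 range mentioned above; the sample messages, the host addresses and 203.0.113.5 are constructed.

```python
import ipaddress

# RFC 1918 ranges; both subnets from the thread (192.168.15.x, 192.168.4.x) fall here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: RTP range as quoted in the reply above (UDP 10000-20000).
RTP_PORTS = range(10000, 20001)


def check_sdp(sip_message, rtp_ports=RTP_PORTS):
    """Return a list of findings for the SDP body of one SIP message."""
    findings = []
    # The SDP body follows the blank line that ends the SIP headers.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            # c=IN IP4 <address>[/ttl] is where the far end is told to send media.
            addr = ipaddress.ip_address(line.split()[2].split("/")[0])
            if any(addr in net for net in RFC1918):
                findings.append(f"private media address {addr}")
        elif line.startswith("m=audio "):
            # m=audio <port>[/count] <proto> <formats>
            port = int(line.split()[1].split("/")[0])
            if port not in rtp_ports:
                findings.append(f"RTP port {port} outside forwarded range")
    return findings


def sample(addr, port):
    """Constructed SIP 200 OK carrying SDP (not a real capture)."""
    return ("SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
            f"v=0\r\no=- 1 1 IN IP4 {addr}\r\ns=-\r\nc=IN IP4 {addr}\r\n"
            f"t=0 0\r\nm=audio {port} RTP/AVP 0 8\r\n")


if __name__ == "__main__":
    cases = {
        "PBX LAN address advertised": sample("192.168.4.10", 14000),
        "middle-network address advertised": sample("192.168.15.2", 14000),
        "public address, unforwarded port": sample("203.0.113.5", 5004),
        "public address, forwarded port": sample("203.0.113.5", 14000),
    }
    for name, msg in cases.items():
        print(f"{name}: {check_sdp(msg) or 'ok'}")
```

A finding on the `c=` line of a message sent toward the provider means the far end is being told to send audio to an address it cannot reach, which matches calls that connect with no audio.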

Yes, all ports are forwarded (2-65534) from the modem to the firewall. The DMZ feature did not work.

Yes, Telstra won’t let us change the modem and won’t give us the auth data to do it.

I tried putting the PBX on the .15.x network and could not see the PBX or the modem with a device sitting on both networks.

Calls between extensions in the building work fine but we are all outside the building because of COVID.

I will look at the packet filter and post a log.

I am only using Sipstation right now to get it to work, then I will move it to an AUS SIP provider. I felt that Sipstation is much easier to work with and test.

I have not tried the dual NIC solution by Serigo but that may work. I don’t have anyone technical in the building down there to install one. I am in the USA.
