FreePBX with multiple network cards (vlans)

I would like to set up our FreePBX server on 3 vlans:

Admin VLAN: for access to the web and ssh interface.
Phone VLAN: non-routable subnet for phones. FreePBX provides DHCP and TFTP server.
DMZ VLAN: for trunk connection to our internet VOIP provider.

First of all I’d be interested in knowing if there would be any issues with this architecture?

I’m having a few challenges with setup. Can anyone help or point me to some docs? I have no problem getting the OS or network cards setup. I’m not seeing how set the IAX2 trunk to run on a particular interface.

Thanks!

Mark

But wouldn’t your IAX2 trunk use the same route as any other type of traffic to a particular IP address? In other words, if you can ping your IAX2 provider from the command line and it goes out the correct VLAN, then IAX2 traffic to that same IP should take the same route. And if the traffic isn’t going out the correct VLAN, you then have a Linux networking configuration question, not a FreePBX question.

I’m 99.9% sure there are ways to route traffic to particular IP ranges out through a particular network adapter, but it’s not something that most FreePBX users would know how to do. I’m just suggesting you may want to ask in a Linux forum or a Networking forum, and have it clear in your mind that what you really want to do is route traffic to certain IP addresses or ranges differently than traffic to other IP addresses or ranges.

You are right in that the IAX2 trunk interface could have the default route. It is the most likely interface that would need to talk to different servers on the internet.

But let’s assume I have a good handle on the routes and every interface can ping the endpoints and peers it needs to. I can tell my DHCP server to only service requests from my phone VLAN interface/ip. I can tell the web server to only listen on my admin VLAN interface/ip. Is there any way to do the same for the IAX2 trunk? I’m pretty sure you can change the port…

I think it depends on what is controlling the VLANs. What is your switching architecture? It could be done with one NIC controlled at the switch port.

If you bind IAX to the IP of the interface you want the traffic to egress it will select that interface.

This is exactly what I was trying to ask. So you can do it. My next question is how :)

If it were me, I’d use a managed switch and control the VLANs there.

If your next question is how do you do that with a switch… My answer depends on the switch… The only place I have ever used VLANs is the LAN and VPN.

So, set up some trunk ports for connecting the WAN(s) and then separate out Ethernet ports for:

Admin VLAN: for access to the web and ssh interface.
Phone VLAN: non-routable subnet for phones. FreePBX provides DHCP and TFTP server.
DMZ VLAN: for trunk connection to our internet VOIP provider.

Then another VLAN for the PBX and do some interVLAN routing.

Not exactly Networking 101, VLANs (I think) can be considered advanced. Especially when done right with ACLs.

You’re not saying anything about your available equipment to accomplish this? I wonder why you would want to go to the bother to begin with?

Mark,

While it seems that it’s simple, which for inbound it is, doing load balancing for outbound is NOT.

To get inbound working you just have it bind to all IPs. The problem with outbound is that when the server is located behind a firewall, each packet it sends out needs to have the external IP that the traffic should return on placed in it, and not the internal IP, as the remote side will not know how to get there. This is defined in the config files; the code reads that info at load time and then places it into each packet being sent externally.

So let’s make this simple:

ip1 1.1.1.1
ip2 1.1.1.2
ip3 1.1.1.13

Now in the config file you say use 1.1.1.2, so now all outgoing traffic will be told that it needs to return on 1.1.1.2. Well, that will work until that given connection starts to get more calls than the bandwidth can handle, then you’ll have problems. The issue is the server does not know that and will only hand out that one IP until it is changed and the config is reloaded.

I think people are overthinking this one. I have the vlans set up. I have cool expensive equipment. I just want to control what IP/interface IAX will listen on because my machine is multi-homed. It’s a security thing.

For example, I only want my DHCP server to give IPs to the VLAN with my phones, so I set up DHCPDARGS=eth0 in my /etc/sysconfig/dhcpd config file. So it will only answer DHCP requests from phones.

Is there an equivalent in FreePBX?

Mark,

Have you looked at the Deny= and Permit= statements?

deny=0.0.0.0/0.0.0.0 Deny all
permit=4.2.2.0/255.255.255.0 Permit the subnet

It does what I think you are asking…


First, let’s be clear on the physical topology … the asterisk/freepbx box has ONE lan card operating in a VLAN TRUNK mode (802.1q), correct? (Or is it three separate lan cards?)

Second, each VLAN is its own SUBNET – e.g. 10.10.1.0/255.255.255.0, 10.10.2.0/255.255.255.0, and 10.10.3.0/255.255.255.0; and NOT 10.10.1.1/24, 10.0.1.2/24, and 10.10.1.3/24, correct?

Assuming the IAX2 trunk’s local (near side) IP end point is 10.10.3.99 and its SUBNET gateway is 10.10.3.1 and the remote (far side) IP end point is, say, 1.2.3.4, then an O/S-level route statement is needed (exact syntax is O/S dependent), but something like (root or sudo privileges needed)…

route add -host 1.2.3.4/32 gw 10.10.3.1 [[dev] vlan_if_tagged]

where you may or may not need the [[dev] vlan_if_tagged].

alternatively

route add -net 1.2.3.0/24 gw 10.10.3.1 […]

if you want to talk to more than ONE target on the remote side.

/8

All he wants to do is split IAX and SIP traffic (if I understand).

So in:

sip_general_custom.conf add the bindaddr=interface1 IP address (dotted quad)

and in:

iax_general_custom.conf add the bindaddr=interface2 IP address
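An added example (not from this thread or from the FreePBX project) that ties together the bindaddr= advice above and the Deny=/Permit= suggestion earlier in the thread: it parses constructed iax_general_custom.conf and sip_general_custom.conf fragments, checks that each bindaddr sits inside the VLAN it is meant for rather than 0.0.0.0, and evaluates a peer's source IP against the deny/permit lines the way Asterisk does (rules in order, last match wins, no match means allow). The file contents, subnets and addresses are all constructed.

```python
import ipaddress

# Constructed config fragments, modelled on the thread's advice:
# IAX2 bound to the DMZ VLAN address, SIP bound to the phone VLAN address.
IAX_GENERAL_CUSTOM = """
bindaddr=10.10.3.99          ; DMZ VLAN interface (constructed)
bindport=4569
deny=0.0.0.0/0.0.0.0         ; deny everything first
permit=1.2.3.4/255.255.255.255 ; then allow only the provider (constructed IP)
"""

SIP_GENERAL_CUSTOM = """
bindaddr=10.10.2.1           ; phone VLAN interface (constructed)
deny=0.0.0.0/0.0.0.0
permit=10.10.2.0/255.255.255.0 ; only the phone subnet
"""


def parse_conf(text):
    """Parse key=value lines; deny/permit lines are kept in file order."""
    settings, acl = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip Asterisk-style comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("deny", "permit"):
            addr, mask = value.split("/", 1)  # dotted mask or prefix length
            acl.append((key, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
        else:
            settings[key] = value
    return settings, acl


def acl_allows(acl, src):
    """Asterisk semantics: evaluate rules in order, last match wins; no match -> allow."""
    ip = ipaddress.ip_address(src)
    verdict = True
    for action, net in acl:
        if ip in net:
            verdict = action == "permit"
    return verdict


def bindaddr_in_vlan(settings, vlan_subnet):
    """True only if bound to a specific address inside the intended VLAN (not 0.0.0.0)."""
    addr = ipaddress.ip_address(settings.get("bindaddr", "0.0.0.0"))
    return not addr.is_unspecified and addr in ipaddress.ip_network(vlan_subnet)
```

A deny=0.0.0.0/0.0.0.0 line with no permit after it would reject every peer, and a permit placed before the deny is overridden by it, which is why the order shown matters.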

That’s exactly what I was looking for! Thanks!