Jumping back into the pond, have questions

After a long (6 year) hiatus, I have once again been tasked with setting up a FreePBX based phone system at work. As I have been away for so long, I wanted to ask the community to look over my initial idea and let me know if it’s do-able, or if I’m drinking the funny kool-aid.

The SIP provider we are talking to installs a dedicated box with a network port.
The FreePBX box will have 2 NICs, one for the general internal LAN (with internet access).
ALL Phones will be connected to a dedicated switch, this switch will be connected to the SIP box and the 2nd NIC on the Free PBX.

Is this a decent setup, do I need to have a DHCP server somewhere on the isolated network, or do I need to re-think my setup.

hi, take it for what you paid for it, but in my opinion, you should add a 3rd nic (cheep) and make one net for management, one for your phones and one for your trunk provider. I think debugging and troubleshooting is easier this way.
As far as dhcp, i guess that depends on whether or not you want to auto provision. I don’t know how many phones you are working worth, but i would want to use EPM and build config files, so dhcp is part of that…

good luck

This is not a odd setup at all.

These companies usually have a small network for these SIP devices, which you will connect one of the NICs, the 2nd NIC you’ll use as you would regularly with any PBX, in other words, you’ll have a “additional NIC” which you’ll use to connect to that SIP device.

Just make sure, that you set the “regular NIC” as the default.

As far as DHCP, you can use the current server you have on the network.

IMO that’s a bad idea

how so?

Because there is no need for it. Honestly, there might not even be a need for two nics at all. But that would require a complete understand of the network infrastructure to offer alternatives.

1 Like

so, it sounds like your objection is that it might be overy complicated…I guess I disagree, but it is up to them in the end.


I said nothing about over complicated, I said it was unnecessary. There is a difference.

Tony, nothing against you. But there’s a huge misconception that when dividing traffic/services between separate NICs, your system will be more secure. there was someone not too long ago here, who wanted 3 NICs, 1 for local extensions, 1 for external extensions and third for the internet connectivity/SIP Trunk.

Yes, it might make things easier to troubleshoot, but it’s really unnecessary and doesn’t provide any more security.

The 2nd NIC that all the phones are on would be a different subnet than the first.

the main purpose for this is so all the phone traffic can be isolated. we have 17 end points, and even presently we get some congestion and slowdown with them on the same network as our normal internet traffic. As for the DHCP, worst case, I can always set up a Pi on the isolated net to nothing but DHCP if I need to, It will also somewhat depend on the phones the boss eventually decides on.

Hi, first, I never mentioned security. As it happens, I am a network engineer with many years experience…I understand layer2,3 and security pretty well.
It may be unnecessary by the strict definition, but I believe it is a good idea, it will provide a growth path for the pbx and allow them to avoid the issues of trying to QOS sip/rtp traffic when mixed with regular user traffic.
again, i never mentioned security.

While I may not be a full fledged network engineer, I am a voice engineer. Having 1, 2 or 3 NICs in a PBX has nothing to do with the PBX’s growth path. Not a single thing. Same for the QoS for SIP/RTP traffic. You do not need multiple NICs to make this happen.

Except for the fact that this is the ONLY way to properly QoS voice traffic. Anything less is not actually QoS on the voice traffic only.

Except for that, I’d say “rock on”. I’ve set up several customers with a setup just like you are describing without the dedicated box. You can even install/enable the DHCP server on FreePBX to only provide services in the “dedicated” network and let another DHCP server handle the other network.

There are so many ways to do this; most of which will work.

One NIC - assign addresses to everything and connect everything to the same network switch. This can get complicated, but once set up should provide a reasonably solid experience.

Two NICs - put the phone network on one NIC and the rest of your services (and the VOIP box) on the other. Set up a “static route” to the VOIP box so that your VOIP traffic gets routed out correctly. You may need to set up a second address on your “network” NIC to talk to the VOIP interface. Your installation engineer should be able to help you with that.

Three NICs - put the VOIP box on one, VOIP network on the second, and everything else (including the “default route”) on the third. The advantage here is that the network paths are clearly delineated and each port has it’s own specific configuration.

QoS is a routing protocol issue. If you have a separate physical network for your phones, you do not need to be concerned with QoS on that network - all of your phone assets will benefit/suffer from being on that network together with no real differentiation. The place where QoS will become important is in your mixed-mode network and in your external connection. Since you are using a dedicated VOIP interface, one could reasonably assume that, like the physical network, there’s no QoS risk/reward since the network is once again dedicated to voice traffic.

You can assign more than one IP address to a NIC. If you do this (or go with some even more exotic, like VLANs), you can have all of your traffic running on your basic network infrastructure, but it’s no longer dedicated. At this point, you run into spots where you may need to be able to tune your network to get the kind of support you need for voice.

If you have the resources, I’d recommend against this “shortcut”. Having a dedicated network for your phones and another dedicated network for the rest of your equipment is a solid approach and, with the prices of switches these days, a solid way to provide reasonable levels of support to your customer.

So, while there are lots of things that may need to be considered in the long-term, in the short term you can get started with whatever configuration you feel like working with. One, two, or three Network Interface Cards can be used to make this configuration work; analysis paralysis can set in if you try to solve a problem with too many variables.

1 Like

Thanks for the input Cynjut.

I love the joke about the install engineer

So if I am understanding this if I want to truly ensure the phones are isolated (physically and logically)

1 NIC - Connects from the FreePBX box to the SIP unit
2 NIC - Connects from FreePBX box to dedicated internal phne network
3 NIC - Connects FreePBX to general internal network (allows for admin, etc)
Route needs to be set (I am assuming within FreePBX) to allow traffic from NIC 2 to talk to NIC 1
DHCP can be setup on FreePBX to assign addresses to network on NIC2
All NICs will have static addresses within thier appropriate networks

Usually not. Asterisk normally receives all voice packets from extension and trunk endpoints and bridges (forwards) them to the appropriate destination. On very large systems, ‘direct media’ is used so endpoints can communicate directly, reducing the processor load. For a small system like yours, I would recommend against that, as it’s difficult to set up and makes troubleshooting more complex. Of course, if Asterisk is recording the call, listening for DTMF, transcoding or encrypting, it must remain in the audio path anyway.

You will likely need to set up DNS and NTP as well. Or, you could set up the PBX as a router and the phones would get those services from your main network or the public internet.

Also, consider admin access to the phone network, e.g. to view or modify settings in the phone’s GUI. If done rarely, SSH port forwarding may be adequate. Otherwise, consider a VPN server on the PBX, or setting up routing from the main network to the phones.

Yes, but not for that reason.

Each interface will have its own IP address and will need a route to get “out”. Since Asterisk is a “back to back” user agent, all of the traffic from and to the phones will happen through the Asterisk box. Because of the B2B nature of the communications, NIC2 will talk to the stuff on “Network 2”, stuff on NIC3 will talk to “the rest of the world”. There’s no time (unless you make it happen) where anything on Network2 will want or need to talk to Network3. (See below) Setting an IP address and mask on NIC2 that corresponds with the network setup for “network 2” will be enough for the comm to flow in and out. Setting the IP and Netmask on the interface will establish a route for that interface that talks to the entire network.

NIC1 will have a similar setup, but it will need to be set up with the VOIP Interface box in mind. Traffic to and from this interface will be based on the IP address of the VOIP box. In this case, though, anything outside the IP address and Netmask will need to have a static route.

So, logically, if your VOIP box is “”, your NIC1 address could be “”. That establishes a route that says “anything with an address of 10.0.0.x will go through this interface.” That’s cool until your provider says "the machine at the end of the network is “”. In order to hit this, you need to make sure the network can handle it. One way is to change the netmask to /22. Another is to establish a static route that says “Hey, is accessible through”. There are a couple of different choices for that, so get with your installation engineer.

NIC3 would be whatever local address you need to use. For example, if your “network3” (your computers and servers) is on 192.168.0.x/24, your NIC3 PBX IP address could be or …0.253/24 (for example). On this interface, you’d add a Default Route ( that points to your Firewall.

Now, with three balls in the air, you must make sure that your addresses and netmasks all make sense. Traffic destined for one place or another needs to get there through your netmasks.

Note (from above). Some phones need to “phone home” from time to time. These include some Polycom and Sangoma phones that look to the “big server in the sky” for firmware and configuration updates. If your phones are in this category, you will need to set up a way for traffic to flow from the telephone network to the outside world. You can use any one of a dozen methods, including things like adding a firewall between your two internal networks for “Internet” traffic. You can (even though it’s not really supported) configure your Asterisk/FreePBX box to route that traffic (highly not recommended). You could even connect the two networks and provide the “outside world’s” default address to your phones (even though your networks wouldn’t be isolated any more).

Network Engineering in a situation like this can be a challenge - you just need to think about how your traffic needs to flow and provide ways for that to happen.

The word from the SIP trunk people’s tech gusy is that I can use 2 NICs.

NIC 1 is internal lan so we can access admin and so forth.
NIC 2 will the entire isolated Phone network AND the SIP device.

I thank you all for your input and insight. Now it’s in thier hands (evil laugh)

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.