I have a question that is more network related than FreePBX related.
One of our clients has a router that is provided and managed by the “mothership”. They have no access to it and they cannot ask for any modifications (very tedious every time). However, the company policy allows them to have a second router with a second internet connection. They want to use this second connection for VPN access and to connect outside IP phones (the FreePBX is local).
I’m pretty sure I can set up something for them, but I have a question regarding the “gateway”.
Let’s say I have a second Internet connection with a fixed IP, configured in the second router. This router has a LAN interface connected to the LAN network. I know that all traffic originating from the devices on the LAN will go to their default gateway, which is the “locked down” main router. BUT, if I have traffic coming in on the second Internet connection, through the second router (like a VPN connection or a SIP phone registration, through port forwarding), once this traffic reaches its destination on the LAN, will the “replying” traffic go back the way it came, to the second router, or will it be directed to the default gateway (main router), thus breaking everything? I’m pretty sure that the traffic will go back the same way it came in, but I need to be sure and I cannot really test it for now.
Note: Adding a route to the main router to redirect some traffic to the second router is not possible.
Your PBX needs to have a network interface on both of the networks. You can do it with two physical network interfaces, or with a virtual interface on the main LAN interface of the PBX. Then add a static route in the PBX that will send the traffic for the IP phones to the main router.
I personally prefer to completely separate the VoIP network from the LAN. So all the IP phones would be connected to the VoIP router.
It will go out according to the network config of the PBX. If the default gateway of the PBX is set to your ‘main router’ and there are no defined static routes that override it, then packets to the internet will be routed to the main router. If you change the default gateway on the PBX to use your second connection, then internet traffic will use that one.
It is very possible traffic may come in from one public IP, but the reply go out the other public IP. If the reply is going to an off-LAN address, it will go out via the default gateway, unless you force it with routing rules.
In a more “general” way: if a connection is initiated outside the network (on the Internet) and comes in through the 2nd router via VPN to a PC on the network (like a remote desktop connection, for example), then in the routing table of the computer, all traffic related to this RDP session should be sent back to the LAN address of the 2nd router, correct?
In a similar way, if a phone registers from outside, via that 2nd internet connection, wouldn’t the same thing happen? Like, all traffic related to this registration would be directed to the LAN address of the 2nd router (as long as the SIP connection stays active).
Not unless the VPN router is NATing the VPN to a single LAN IP. Some VPN gateways do so as an option, but proper routing causes less headache in the long run.
No, again, unless the router is NATing all incoming traffic to a single LAN IP. I guess such a config could work, but it seems especially problematic for SIP traffic.
For routed traffic, most of the IP stack essentially has no idea what “LAN address” the packet came from.
The default is ALL traffic to an off-LAN address goes to the default gateway regardless of the source IP or interface it came in on.
It is not going to “just work”. It will require additional routing config on the PBX. Routes can be set up pretty easily to direct traffic out the interface it comes in on, but that is not the default.
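Worked example of the “additional routing config on the PBX” this reply talks about, combined with the earlier suggestion of giving the PBX a second (virtual) interface. This is an added example, not from the thread and not FreePBX’s own code; every address is an assumption: the PBX has 192.168.1.10/24 on eth0 with the main router 192.168.1.1 as default gateway, a secondary address 192.168.1.20 is added on eth0 and the 2nd router (LAN address 192.168.1.2) port-forwards SIP/RTP to it, and routing table 100 is used only for packets sourced from that secondary address. Without APPLY=1 the script only prints the ip commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing on a Linux PBX.
# Assumed layout:
#   eth0 192.168.1.10/24, default gateway 192.168.1.1 = locked-down main router
#   192.168.1.20 = secondary address on eth0; the 2nd router DNATs SIP/RTP to it
#   192.168.1.2  = LAN address of the 2nd router (VPN / SIP connection)
#   table 100    = routing table consulted only for packets sourced from 192.168.1.20
# Default kernel behaviour: a reply to any off-LAN address follows the main table,
# i.e. goes to 192.168.1.1 no matter which router delivered the request. The ip rule
# below overrides that for packets whose source address is the secondary one.
set -eu

# Execute the command when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# pbr_setup IFACE LAN_NET VOIP_IP PREFIX VOIP_GW TABLE
pbr_setup() {
    iface=$1 lan_net=$2 voip_ip=$3 prefix=$4 voip_gw=$5 table=$6
    # 1. Secondary address the 2nd router forwards to (virtual interface on the LAN NIC).
    run ip addr add "$voip_ip/$prefix" dev "$iface" label "$iface:voip"
    # 2. Dedicated table: LAN stays directly reachable, everything else goes to the 2nd router.
    #    The LAN route must be copied here because this table is consulted before "main".
    run ip route add "$lan_net" dev "$iface" src "$voip_ip" table "$table"
    run ip route add default via "$voip_gw" dev "$iface" table "$table"
    # 3. Policy rule: packets sourced from the secondary address use that table.
    run ip rule add from "$voip_ip" lookup "$table" priority 100
}

# pbr_teardown IFACE LAN_NET VOIP_IP PREFIX VOIP_GW TABLE  (reverse of pbr_setup)
pbr_teardown() {
    iface=$1 lan_net=$2 voip_ip=$3 prefix=$4 voip_gw=$5 table=$6
    run ip rule del from "$voip_ip" lookup "$table" priority 100
    run ip route flush table "$table"
    run ip addr del "$voip_ip/$prefix" dev "$iface"
}

# pbr_check REMOTE MAIN_IP VOIP_IP
# Ask the kernel which gateway a reply to REMOTE would use from each local address.
# After pbr_setup the first line still says "via 192.168.1.1", the second "via 192.168.1.2".
pbr_check() {
    remote=$1 main_ip=$2 voip_ip=$3
    ip route get "$remote" from "$main_ip"
    ip route get "$remote" from "$voip_ip"
}

# Usage: ./pbr.sh setup | teardown | check   (prefix with APPLY=1 to really apply)
case "${1:-}" in
    setup)    pbr_setup    eth0 192.168.1.0/24 192.168.1.20 24 192.168.1.2 100 ;;
    teardown) pbr_teardown eth0 192.168.1.0/24 192.168.1.20 24 192.168.1.2 100 ;;
    check)    pbr_check    203.0.113.5 192.168.1.10 192.168.1.20 ;;
esac
```

The rule only helps if the reply really leaves with 192.168.1.20 as its source address. A SIP socket bound to 0.0.0.0 lets the kernel pick the source address by route lookup, which lands in the main table and produces 192.168.1.10, so the SIP transport that serves the outside phones has to be bound to the secondary address (a PJSIP transport with `bind=192.168.1.20:5060`, with the 2nd connection’s public IP as its external address). The alternative mentioned in the reply, the 2nd router NATting everything to a single LAN IP, needs no routing change on the PBX at all, at the cost of losing the real source addresses in the SIP logs.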
I could set the default gateway for all network devices to the 2nd router. Then, in that 2nd router, I create routes that redirect the traffic that has to get to the “mothership” via the first router. This way, I control everything I need to control and traffic that needs to go to the main office via the site to site VPN can still get there.
Note: I forgot to mention that there is a site to site VPN, configured on the main router, that links the branch office to the main office.