Dual Homed (2xNICS) Config - How to route/nat

Discussion in 'General' started by perezil, Apr 7, 2009.

  1. perezil

    Joined:
    Feb 4, 2009
    Messages:
    20
    Likes Received:
    0
    My question is in several parts. Please feel free to answer some or all.

    I have set up Elastix 1.5.2 (Stable) on a Dell OptiPlex GX270, 1GB RAM, 160GB IDE HDD. I have added a PCI Network Interface Controller (NIC). The PCI card is detected and identified as ETH1 and is connected to the local network (phones, users, computers, etc.). The onboard NIC is identified as ETH0 and is facing the Internet. I have enabled DHCP Server and (I hope) it is serving devices connected to the ETH0 interface.

    I am hoping to perform the following:

    1. Route data from the Local network to the Internet.
    2. Control data from the Internet into the Local network (firewall).
    3. Control data traffic and prioritize VOICE traffic (QoS).
    4. Any other ideas that sound good (recommendations?)

    Of course, this leads to the following questions:
    1. How do I get the traffic from ETH0 to pass through to ETH1?
    2. How do I protect the Internal Network?
    3. Should one use NAT or Routing?
    4. How is performance affected?
    5. Suggestions? Pros/Cons?

    Thank you very much for reviewing my question, and I hope that you will take the time to respond and help me (and the community) on this topic.

    B) Luis Perez
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    perezil:

    You ask a question that comes up more than occasionally.

    The fact that you are asking these questions (the right questions, I might add) leads me to suggest that you are not quite ready to do this yet. Whilst Elastix is an effective VOIP appliance, it does not (and should not, IMHO) pretend to be a router/QOS shaper/IDS. There are many solutions "out there" and your hardware is certainly capable of supporting this sort of deployment, but routing and security require a depth of knowledge you need to "hone", as an un-informed deployment of all that is needed will, I believe, lead you to much frustration and, further, expose your system to possible security holes that might well hurt your pocket/system/internal hosts.
    I'm certainly not saying it can't be done, but only that there is no simple recipe apart from gathering knowledge and tools and doing what makes sense for your particular deployment. Unfortunately all these are learned skills and you really don't want to cheat here.

    Google words to get you going in the right direction:

    iptables (if done right, will eventually give you mostly all you ask)
    masquerade (to route the LAN to the WAN)
    wondershaper (a nice QOS script for iptables)
    "Intrusion detection and prevention" (so you can sleep at night)
    Webmin (a bit of a cheat, but it helps check your syntax)

    In the interim get a cheap firewall/router and look forward to replacing it when you can comfortably answer all your own questions.

    Good luck and let us know how you progress.

    Dicko
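
The pieces dicko lists above (IP forwarding, iptables, masquerade) put together for the original poster's layout, as an added example that is not code from the thread or from Elastix. It assumes eth0 faces the Internet and eth1 the LAN as described in the first post; the LAN range 192.168.10.0/24, the SIP trunk provider address 203.0.113.10 and the 10000-20000 RTP range are assumptions (the last is Asterisk's default rtp.conf range). With no argument the script only prints the rules so they can be read before anything is changed; `apply` runs them as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastix: IP forwarding,
# a default-deny iptables policy and MASQUERADE for a dual-homed box with
# eth0 facing the Internet and eth1 facing the LAN.  LAN range, SIP provider
# address and RTP port range are assumptions.  No argument = print only;
# "apply" = run the commands (as root).

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"          # assumed LAN served by the box's DHCP
SIP_PROVIDER="${SIP_PROVIDER:-203.0.113.10}"   # assumed trunk provider (documentation address)
RTP_PORTS="${RTP_PORTS:-10000:20000}"          # Asterisk's default rtp.conf range

gen_rules() {
  cat <<EOF
# 1. let the kernel forward between the two NICs (persist with net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
# 2. clean slate and default-deny; OUTPUT stays open so the PBX itself can reach its trunk
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# 3. loopback, and return traffic for flows the PBX or the LAN started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. anti-spoofing: nothing arriving on the WAN may carry a LAN source address
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# 5. the LAN may reach the PBX (SIP, RTP, DHCP, web UI, SSH) and be routed out to the Internet
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# 6. from the Internet only the trunk provider may open SIP/RTP to the PBX;
#    the Elastix web UI and SSH are deliberately not reachable on eth0
iptables -A INPUT -i $WAN_IF -p udp -s $SIP_PROVIDER --dport 5060 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp -s $SIP_PROVIDER --dport $RTP_PORTS -j ACCEPT
# 7. hide the LAN behind whatever address eth0 currently has
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

apply_rules() {
  gen_rules | sh -e     # stop at the first command that fails
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  gen_rules
fi
```

On the "NAT or routing" question in the first post: between the box and its own LAN this is plain routing (rule 1 and the FORWARD rules); NAT only comes in at rule 7 because the LAN's private addresses cannot be announced to the ISP. MASQUERADE rather than SNAT is used because a DSL-style eth0 address may change. Rule 6 is the one to keep tight: anything on port 5060 that is open to the whole Internet will be found and hammered with registration attempts.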
     
  3. perezil

    Joined:
    Feb 4, 2009
    Messages:
    20
    Likes Received:
    0
    Dicko, you never seem to amaze me.

    I've been working in Technology in one way or another since the age of 4 (about 35 years now). Your response was great because it allows me to learn, which is the KEY to "honing" those skills that allow one to come up with better solutions and answers. Thank you.

    I can tell you this much from what I have done so far:
    The performance and stability of all calls have significantly increased by setting it up this way. Although the computers connected to the telephones (using Polycom 330s, 550s, Aastra 480i CT) do not connect to the Internet, the phones work just fine. My next goal is to find out how, and implement a way, to get the computers to route through the system and reach the Internet. Then I can test that performance and tweak things as I learn.

    This is quite a lot of fun learning (when bugs don't get in the way). Thank you so much for your contributions.
    :silly: Luis
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Good choice of hardware: both Polycom and Aastra phones support tagged VLANs for the phone and the pass-through port.

    It makes the QOS and NAT/masquerade/routing easier, and you can treat the phones and the hosts behind the phones as different LANs with all the advantages of QOS etc.
    True, you have to figure out even more, but the solution is much more solid.
    (oh, and thank you for your kind words!)

    p.s. when I was four (oh, alright 8), I discovered the "potential" of the final anode on an unplugged tv's crt I was "taking to pieces", that's where I first learned that we learn from our mistakes.
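
The layout dicko describes, as an added example that is not code from the thread or from Elastix: the phones tag their own traffic onto a voice VLAN, the PCs behind the phones' pass-through ports stay on the untagged LAN, and because voice now has its own subnet the QoS from item 3 of the original question becomes a short `tc` script on the Internet NIC. eth1 is the LAN NIC and eth0 the Internet NIC as in the first post. The VLAN id 10, the two subnets, the DSL upstream rate, and a default-deny INPUT/FORWARD policy already being in place are assumptions. With no argument the script prints the commands; `apply` runs them as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastix: tagged voice VLAN
# on eth1, separate firewall policy per VLAN, and HTB egress shaping on eth0
# that gives voice first call on the DSL upstream.  VLAN id, subnets, rates
# and an existing default-deny INPUT/FORWARD policy are assumptions.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
VOICE_VLAN="${VOICE_VLAN:-10}"
VOICE_ADDR="${VOICE_ADDR:-10.10.0.1/24}"       # PBX address on the voice VLAN (assumed)
VOICE_NET="${VOICE_NET:-10.10.0.0/24}"         # phones; the phone itself tags frames with VLAN 10
DATA_NET="${DATA_NET:-192.168.10.0/24}"        # PCs; untagged through the phone's PC port
UPLINK_KBIT="${UPLINK_KBIT:-800}"              # ~90% of the measured DSL upstream, so the queue forms here, not in the modem
VOICE_KBIT="${VOICE_KBIT:-400}"                # guaranteed voice share (G.711 needs roughly 90 kbit/s per call)

# Tagged sub-interface for voice; data stays on the untagged parent.  On newer kernels
# the first line is: ip link add link $LAN_IF name $LAN_IF.$VOICE_VLAN type vlan id $VOICE_VLAN
gen_vlan() {
  cat <<EOF
vconfig add $LAN_IF $VOICE_VLAN
ip addr add $VOICE_ADDR dev $LAN_IF.$VOICE_VLAN
ip link set $LAN_IF.$VOICE_VLAN up
EOF
}

# Two LANs, two policies: phones only ever talk to the PBX (SIP, RTP, DHCP, TFTP
# provisioning); PCs get the web UI and the Internet; nothing crosses between them.
gen_segmentation() {
  cat <<EOF
iptables -A INPUT -i $LAN_IF.$VOICE_VLAN -s $VOICE_NET -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $LAN_IF.$VOICE_VLAN -s $VOICE_NET -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -i $LAN_IF.$VOICE_VLAN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF.$VOICE_VLAN -s $VOICE_NET -p udp --dport 69 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $DATA_NET -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $DATA_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF.$VOICE_VLAN -j DROP
iptables -A FORWARD -i $LAN_IF.$VOICE_VLAN -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $DATA_NET -j MASQUERADE
EOF
}

# Egress shaping on the Internet NIC: an HTB tree whose total stays under the real
# upstream rate, a prio-0 class for voice, SFQ fairness for everything else.  The
# first filter matches DSCP EF (TOS byte 0xb8, which Asterisk sets with
# tos_audio=ef in sip.conf); the second catches SIP signalling to the trunk.
gen_qos() {
  cat <<EOF
tc qdisc del dev $WAN_IF root 2>/dev/null || true
tc qdisc add dev $WAN_IF root handle 1: htb default 20
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate ${VOICE_KBIT}kbit ceil ${UPLINK_KBIT}kbit prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate $((UPLINK_KBIT - VOICE_KBIT))kbit ceil ${UPLINK_KBIT}kbit prio 1
tc qdisc add dev $WAN_IF parent 1:20 handle 20: sfq perturb 10
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10
tc filter add dev $WAN_IF parent 1: protocol ip prio 2 u32 match ip protocol 17 0xff match ip dport 5060 0xffff flowid 1:10
EOF
}

gen_all() { gen_vlan; gen_segmentation; gen_qos; }

if [ "${1:-}" = "apply" ]; then
  gen_all | sh -e
else
  gen_all
fi
```

Two caveats a first deployment usually trips over: shaping only works on what this box sends, so the rate in class 1:1 must be a little below the DSL upstream or the queue builds in the modem where `tc` cannot see it, and nothing here prioritises downstream traffic from the Internet. The switch port the phone hangs off must carry VLAN 10 tagged and the data VLAN untagged for the pass-through port to keep working.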
     
  5. perezil

    Joined:
    Feb 4, 2009
    Messages:
    20
    Likes Received:
    0
    LOL! Yes. I bet the experience was quite shocking <grin>! Somewhat of a common bond there...
     
  6. perezil

    Joined:
    Feb 4, 2009
    Messages:
    20
    Likes Received:
    0
    Webmin, yes. I stumbled into that app/gui when I installed and tested Thirdlane PBX a few days ago. It was then that I was just going through digital puberty in the NIX world.

    I've got some catching up to do. Not enough books and videos out there, it seems. Maybe I should work for someone that does this stuff, even in their sleep.

    Suggestions encouraged. (while I keep Googling..)
     
  7. ronaldlw

    Joined:
    May 7, 2009
    Messages:
    81
    Likes Received:
    0
    I have a similar question, so I thought I should post it here. I don't want to do any of the routing, QoS or anything like that, but I do have a server with two NICs in it that I would like to use.

    One NIC I would like to connect to a dedicated DSL connection (say eth0), and the other I would like to connect to our regular network (eth1), which has phones and computers and another DSL router on it (only 7 phones and about the same number of computers). I'd like all voice Internet traffic to travel out of the Elastix box through eth0.

    Are there settings in Elastix and/or Asterisk that will accomplish this? Or is it enough to just set the default gateway to be the IP of the dedicated voice DSL router?

    thanks,
    Ron
     
  8. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Sorry to bust your bubble, but you WILL need to use routing here; that's just how we send packets to different places (routes)! :) :)

    True, Webmin makes it relatively easy (set up routing in Network Configuration (IP forwarding) and masquerading in the firewall (NAT), and that's basically it), but only you can engineer your network and only you are responsible for its security. I don't think Webmin can do that for you yet. (But please, go fishing B) )
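
The routing dicko is pointing ronaldlw at, as an added example that is not code from the thread or from Elastix. The box is not the office gateway here: eth0 goes to the dedicated voice DSL router, eth1 to the office LAN that has its own DSL router. Ron's "default gateway = voice DSL router" is the first `ip route` line; the rest keeps traffic that arrived via the office side (a remote admin coming through the office router's port forward, for instance) from being answered out of the voice link. All addresses are assumptions. The `egress` function is a pure-shell model of the lookup the kernel performs with those rules, so the behaviour can be checked without root and without a live box.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastix: two-NIC box that is
# not the LAN gateway.  Main table defaults to the voice DSL; a second table
# answers anything sourced from the office-side address via the office DSL.
# Addresses are assumptions.  No argument = print; "apply" = run as root.

VOICE_IF=eth0; VOICE_ADDR=192.168.2.10; VOICE_NET=192.168.2.0/24; VOICE_GW=192.168.2.1
LAN_IF=eth1;   LAN_ADDR=192.168.1.10;   LAN_NET=192.168.1.0/24;   LAN_GW=192.168.1.1

# Main table: default via the voice DSL, so SIP/RTP to the provider (which the
# kernel sources from VOICE_ADDR) leaves on eth0 with no Asterisk setting at all.
# Table 100: consulted only for packets sourced from LAN_ADDR.  The connected LAN
# route MUST be copied into it; with only a default route, replies to phones on
# the LAN would be sent to the office router instead of straight onto eth1.
gen_routes() {
  cat <<EOF
ip route replace default via $VOICE_GW dev $VOICE_IF
ip route replace $LAN_NET dev $LAN_IF src $LAN_ADDR table 100
ip route replace default via $LAN_GW dev $LAN_IF table 100
ip rule del from $LAN_ADDR lookup 100 priority 100 2>/dev/null || true
ip rule add from $LAN_ADDR lookup 100 priority 100
EOF
}

# dotted quad -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/BITS -> true when ADDR lies inside the prefix
in_net() {
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# egress SRC DST -> "IFACE direct" or "IFACE via GATEWAY": what the kernel picks
# with the rules above.  Rules are tried by priority; within a table the most
# specific (connected) route beats the default.
egress() {
  src=$1; dst=$2
  if [ "$src" = "$LAN_ADDR" ]; then
    # ip rule priority 100 -> table 100
    if in_net "$dst" "$LAN_NET"; then echo "$LAN_IF direct"; else echo "$LAN_IF via $LAN_GW"; fi
  else
    # main table (priority 32766)
    if in_net "$dst" "$LAN_NET"; then echo "$LAN_IF direct"
    elif in_net "$dst" "$VOICE_NET"; then echo "$VOICE_IF direct"
    else echo "$VOICE_IF via $VOICE_GW"; fi
  fi
}

if [ "${1:-}" = "apply" ]; then
  gen_routes | sh -e
else
  gen_routes
fi
```

These `ip` commands are runtime only; on the CentOS base Elastix is built on, the persistent equivalents normally go in the `route-eth1` and `rule-eth1` files under `/etc/sysconfig/network-scripts`. Nothing in Asterisk chooses the interface: the kernel's route lookup does, which is the point dicko is making.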
     
  9. ronaldlw

    Joined:
    May 7, 2009
    Messages:
    81
    Likes Received:
    0
    :blush: Lol, true. I guess what I meant is I don't need the Elastix box to be my primary router. At least I don't think so. B)

    So the solution to this would be purely routing, then? I wasn't sure if there were settings in Asterisk that would accomplish this.

    I used webmin years ago when I had an opportunity to mess around with linux for a short time, I'll check it out again. I would imagine it's changed quite a bit since then!

    Thanks dicko,
    Ron
     
