SOLVED Server and Multiple Local Subnets Behind Same NAT Firewall

Status
Not open for further replies.

Caleb

Member
Sep 12, 2017
WA, USA
We have a FusionPBX behind a NATing firewall, with multiple internal subnets connected to that firewall. Initially, when we had endpoints in subnets where the PBX was not located (e.g. FusionPBX on the LAN and the endpoint on the DMZ), FreeSWITCH was sending the public IP address in the SDPs to those endpoints.

To fix this issue, I set external_sip_ip and external_rtp_ip to autonat:<public IP>, and then created a default deny ACL that 'allowed' all of our internal subnets where endpoints could be located, and referenced that ACL in the local-network-acl setting in the internal SIP profile. This caused FreeSWITCH to send its private IP in the SDPs to endpoints on other internal subnets. Hope this helps someone else trying to do the same thing!
 

davemc

New Member
Aug 17, 2018
Auckland, New Zealand
Helpful, Caleb. We had the same issue, and used the same solution for localnet and a similar one for ext-*-ip.

This applies where you have 1 or more local LAN subnets for phones or softclients, accessible via routing (not NATing), that are in a different subnet to the FusionPBX server, e.g. via internal VPNs, DMZs & routers. The whole lot might be behind a NAT firewall to the outside internet.

In full...

https://<your fusionpbx server>

Advanced..Access Controls...
  Name: localnet (add entry if not present)
  Default: deny
  Nodes table:
    type: allow   cidr: 10.0.0.0/8 (adapt range to your network. example covers entire 10.x space)
    type: allow   cidr: 192.168.0.0/16

Advanced..SIP Profiles..
  internal..
  Settings..
    ext-rtp-ip $${internal_rtp_ip} enabled:true (note default was external_rtp_ip)
    ext-sip-ip $${internal_sip_ip} enabled:true (note default was external_sip_ip)
    local-network-acl localnet enabled:true
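
The following is an added example, not part of either post and not FusionPBX or FreeSWITCH code. It models the behaviour described in the thread (endpoints matched by the local-network-acl list see the private IP in the SDP, everything else sees the public IP) and reports routed endpoint subnets that the ACL does not cover. The PBX addresses, the endpoint subnets and the rule that the most specific matching node wins are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the ACL mirrors the "localnet" entries from the post;
# the PBX addresses are private/documentation ranges chosen for illustration.
LOCALNET = {"default": "deny",
            "nodes": [("allow", "10.0.0.0/8"), ("allow", "192.168.0.0/16")]}
PBX_PRIVATE_IP = "10.0.1.10"
PBX_PUBLIC_IP = "203.0.113.10"

def acl_allows(acl, ip):
    """Assumed model: the most specific matching node decides, else the default."""
    addr = ipaddress.ip_address(ip)
    verdict, best = acl["default"], -1
    for node_type, cidr in acl["nodes"]:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net and net.prefixlen > best:
            verdict, best = node_type, net.prefixlen
    return verdict == "allow"

def advertised_ip(acl, endpoint_ip):
    """Address the endpoint would see in the SDP, per the behaviour in the thread."""
    return PBX_PRIVATE_IP if acl_allows(acl, endpoint_ip) else PBX_PUBLIC_IP

def uncovered_subnets(acl, endpoint_subnets):
    """Endpoint subnets not fully inside any allow node (they would get the public IP)."""
    allows = [ipaddress.ip_network(c) for t, c in acl["nodes"] if t == "allow"]
    missing = []
    for cidr in endpoint_subnets:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == a.version and net.subnet_of(a) for a in allows):
            missing.append(cidr)
    return missing

if __name__ == "__main__":
    # Constructed endpoints: LAN phone, DMZ phone, routed VPN subnet, internet client.
    for ip in ("10.0.1.50", "192.168.50.20", "172.16.5.9", "198.51.100.7"):
        print(f"{ip:15} -> SDP advertises {advertised_ip(LOCALNET, ip)}")
    print("not covered:",
          uncovered_subnets(LOCALNET, ["10.0.1.0/24", "192.168.50.0/24", "172.16.5.0/24"]))
```

Listing only the subnets where endpoints actually live, rather than whole private ranges, keeps the set of addresses treated as local as small as the network allows.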
 