VoIP Telefone-System behind dual-WAN-Control [message #145282] Sat, 16 March 2019 18:07
T.Pajtler
Hi!

We have the following setup:

+ GW is a Kerio Control, latest FW, two WAN-lines
+ WAN1 is an FTTB, our main internet connection
+ WAN2 is "Deutsche Telekom" (provider), VDSL100
+ LAN is 192.168.0.0/24

Our provider will soon deliver our telephone numbers via SIP-Trunk on our WAN2-line.
Our IP telephone system is an "Innovaphone 1060", and is just an IP client in the LAN.

Following questions:
+ We have to make sure that the Innovaphone connects to our SIP-Provider only on the WAN2-interface.
How can that be done? Do you have some practical tips?

+ Since the Innovaphone is in the LAN, behind the Control, we have to know
what traffic-rules we have to configure.
I found a lot of information about it, but some of it seems to contradict the rest.
We read that we need to forward (MAP) SIP ports to the internal Innovaphone. Is that right?
We also found that we should then change the protocol inspector of the default SIP service object.
Why, and is that true?

Thanks for any tips/thoughts/hints!
(And sorry for my bad English, I hate myself for writing so dilettantishly..)

[Updated on: Mon, 18 March 2019 08:22]


Re: VoIP Telefone-System behind dual-WAN-Control [message #145738 is a reply to message #145282] Wed, 08 May 2019 15:18
T.Pajtler
Push...?

Re: VoIP Telefone-System behind dual-WAN-Control [message #145740 is a reply to message #145282] Thu, 09 May 2019 06:58
mwgbr
Hi,

Quote:
We have to make sure that the Innovaphone connects to our SIP-Provider only on the WAN2-interface.
How can that be done? Do you have some practical tips?

To bind an internal host to a specific WAN interface for outgoing connections you need a traffic rule:
Source: IP from host (VoIP System)
Destination: Internet Interfaces
Service: Any or SIP / SIP TCP
Translation: Enable source NAT -> Use specific outgoing interface -> Interface: WAN2

Quote:
Since the Innovaphone is in the LAN, behind the Control, we have to know
what traffic-rules we have to configure.

Under Services, create a new one:
Name: VoIP RTP
Protocol: UDP
Source: Any
Destination: In range -> 10000-20000

Then create a traffic rule:
Source: Any or Internet interfaces
Destination: Firewall
Service: SIP, SIP TCP, SIP TLS, VoIP RTP
Translation: Enable Destination NAT -> IP from VoIP System (do not activate "Translate port as well").

Normally in the last rule, I would suggest to limit the "Source" to IP addresses from the VoIP provider. Unfortunately, Deutsche Telekom does not provide static IP ranges for their services, so you have to leave that to "Any". Make sure you have a VoIP system which can dynamically block IPs which try to authenticate to your system. Because of the open ports, that will be many.

Do not change the protocol inspector, because Kerio Control "speaks" SIP and can handle these connections properly.
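
The dynamic blocking recommended in the reply above, sketched as an added example that is not part of the thread and not Kerio or Innovaphone code: it counts failed SIP registrations per source address in a sliding window and reports the sources to block. The log line format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not real Innovaphone or Kerio output):
#   <ISO time> REGISTER src=<ip> user=<name> result=<OK|AUTH_FAILED>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"user=\S+ result=(?P<result>OK|AUTH_FAILED)$"
)

def find_offenders(lines, max_failures=3, window=timedelta(seconds=60),
                   allowlist=frozenset()):
    """Return {ip: time the threshold was hit}; lines must be in time order."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "AUTH_FAILED":
            continue
        ip = m["ip"]
        if ip in allowlist or ip in offenders:
            continue  # never block trusted hosts; report each source once
        ts = datetime.fromisoformat(m["ts"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip] = ts
    return offenders

# Constructed sample (documentation-range addresses, not real traffic).
SAMPLE = """
2019-05-09T07:00:00 REGISTER src=203.0.113.7 user=100 result=AUTH_FAILED
2019-05-09T07:00:05 REGISTER src=203.0.113.7 user=101 result=AUTH_FAILED
2019-05-09T07:00:09 REGISTER src=198.51.100.20 user=trunk result=OK
2019-05-09T07:00:12 REGISTER src=203.0.113.7 user=102 result=AUTH_FAILED
2019-05-09T07:00:30 REGISTER src=192.0.2.44 user=100 result=AUTH_FAILED
2019-05-09T07:05:00 REGISTER src=192.0.2.44 user=100 result=AUTH_FAILED
2019-05-09T07:10:00 REGISTER src=192.0.2.44 user=100 result=AUTH_FAILED
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE.splitlines()).items():
        print(f"block {ip} (threshold reached {when.isoformat()})")
```

The slow retries from 192.0.2.44 stay under the threshold because they never fall inside one 60-second window, which is why a window that is too short misses patient guessing.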

Re: VoIP Telefone-System behind dual-WAN-Control [message #146871 is a reply to message #145740] Tue, 22 October 2019 13:20
victorjohn9211
This is a great conversation on VOIP telephone systems.
Thanks to all