
MBG in DMZ - one-way audio issue


mitelbr

Technical User
Apr 28, 2011
35
BR
Hello, everybody.

Today at our customer site we have the MBG working as server-gateway with no problems, but the customer needs the MBG to work with a redundant Internet link, and for that we need to put it in the DMZ.

We tried the DMZ mode for the first time when we installed the demo for the customer. Since that first time, we have not been able to make the MBG work in the DMZ without the one-way audio problem.

I'm trying to make the MBG work in the DMZ, but we still experience the one-way audio issue.

The teleworker can receive audio from the phone on the LAN, but this phone cannot receive audio from the teleworker.

The MBG is configured as server-only using one interface with a private IP address (x.x.x.x).

The firewall is configured to NAT a public IP address (x.x.x.x) to the MBG in the DMZ (x.x.x.x).

He is also doing NAT for the DMZ address to the public address.

The DMZ interface of the firewall has the address x.x.x.x.

The LAN interface of the firewall has the address x.x.x.x.

The WAN interface of the firewall has the address x.x.x.x. The gateway is x.x.x.x.

The LAN address of the ICP is x.x.x.x.

I tried to activate the DMZ by the Configuration tab but the MBG could not automatically configure the addresses.

Which addresses do we need to put in set-side streaming and ICP-side streaming?

We rolled back to the server-gateway mode configuration of the MBG, which is working perfectly.

Does anyone have any idea how I can make it work?

We need to close this project with the customer, but this detail is holding us back.

Thank you in advance for any help you can provide.
 
Mmmmm..... It will eventually work, we'll help you. Let's start with the basics: what kind of firewall are you using? Make sure your firewall has a physical DMZ interface and it is not one of those firewalls that emulates the DMZ.

Also, get yourself a copy of the MBG engineering guidelines and follow the port forward recommendations. You must make sure that all policies are correct between the WAN and the DMZ, between the DMZ and the LAN, between the LAN and the DMZ, and between the LAN and the WAN.

Make sure UDP ports 20000 to 31000 are forwarded correctly from the WAN public IP address to the MBG IP address on the DMZ.

Also, to make things easier, make sure the gateway of all phones and the PBX is the LAN IP address on the firewall, and that the gateway of your MBG is the DMZ IP on the firewall.

Let us know how it goes; I will send you a document with the way I programmed our firewall when having an MBG on the DMZ.



 
danramirez,

Our customer uses the Endian Firewall installed on a Dell server with 3 physical interfaces.

The first time we tried to make this work was with his firewall.

This last time I brought my SonicWall TZ 210. It has more than 3 physical ports.

We configured it with 2 WAN, 1 LAN and 1 DMZ ports (2 WAN ports for a redundant connection to the Internet).

For the test we permitted all traffic from and to all ports.

MBG used x.x.x.x IP address with gateway x.x.x.x (firewall DMZ port).

ICP used x.x.x.x IP address with gateway x.x.x.x (firewall LAN port).

Firewall used x.x.x.x IP address for the ISP1 WAN port and x.x.x.x for the ISP2 WAN port (the 2 firewall WAN ports).

We created NAT for x.x.x.x and x.x.x.x IP addresses to the MBG x.x.x.x (WAN->DMZ) and NAT for the MBG to IP addresses x.x.x.x and x.x.x.x (DMZ->WAN).

The teleworkers are set with the x.x.x.x teleworker IP address.

I programmed resiliency (sub tab Resiliency) in the MBG using the x.x.x.x and x.x.x.x IP addresses.

I already have the MBG EGL document.

Did you send me the doc with your way of configuring the firewall? Can you send me your MBG configuration too?

Thanks a lot for your help. I really appreciate it.

Best regards.

Rogério.
 
Thank you, Daniel.

We will compare your firewall configuration with ours.

Do you have the configuration of the MBG to send me?

Thanks again for your help.
 
Rogerio,

As soon as I get back to the office I'll send a couple of screen shots of our MBG configuration.

For testing purposes, can you stick with one WAN interface only? I would assume that both the MBG and the phones inside the LAN must be surfing the web over the same WAN connection. I don't want the phones going to the Internet over a different link than the MBG.

Talk to you later,

Daniel

 
The default WAN connection is the 187.X.X.3.

The secondary is a backup WAN and it is used only when the default is down.

We have only the weekends to test the MBG because of the impact on customer operations. So when we go to test the MBG again, we're going to remove the 2nd WAN connection.

Thanks again.
 
mitelbr,

Not to worry, try to gather as much information as you can and then get ready for your next round of tests over the weekend.

I always check Tek-Tips over the weekends as well.

Here are a couple of screenshots; the programming on the MBG is simple, keep it simple!!

This MBG is not from the same customer where the firewall screenshots were taken, but this customer is also in DMZ mode using a Fortigate firewall.

good luck,

Daniel

 
I'm writing the addresses here again because the moderator edited the post I asked about, but he suppressed all the numbers, not just the numbers in the middle.


MBG used 192.168.26.207 IP address with gateway 192.168.26.254 (firewall DMZ port).

ICP used 192.168.25.204 IP address with gateway 192.168.25.203 (firewall LAN port).

Firewall used 187.x.x.3 IP address for the ISP1 WAN port and 200.x.x.99 for the ISP2 WAN port (the 2 firewall WAN ports).

We created NAT for 187.x.x.6 and 200.x.x.99 IP addresses to the MBG 192.168.26.207 (WAN->DMZ) and NAT for the MBG to IP addresses 187.x.x.3 and 200.x.x.99 (DMZ->WAN).

The teleworkers are set with the 187.x.x.6 teleworker IP address.

I programmed resiliency (sub tab Resiliency) in the MBG using the 187.x.x.6 and 200.x.x.99 IP addresses.


danramirez,

Thanks for the screens.

I saw that the address in set-side and ICP-side is the same. Is that address the firewall WAN port?

I am going to check the addresses we used to be sure that what I put here is correct.

Thanks for the help.

Rogerio.
 
Yes Rogerio,

Both IPs are to be the same, and are indeed the WAN port IP address through which the MBG is accessing the Internet.

If you select the DMZ mode on the MBG, this should automatically set both IPs as the same.

I would suggest that for the time being you do not mess with resiliency yet, remember to keep it simple until you make it to work, then you could be more creative...

I have always had discussions with people about the use of the term NAT... so... What the firewall needs to do is to forward the WAN IP address (187.x.x.3), ports TCP 3998, TCP 6801, TCP 6802, TCP 6880, TCP 22, UDP 20000-31000 to your MBG local IP address (192.168.26.207). Whether you call it NAT or not.

Then, you will need policies (Permissions) so the WAN (all IP "0.0.0.0/0.0.0.0") can access the MBG IP address by NOT doing NAT, for the ports mentioned above. Note that this is from the outside world to your DMZ interface.

Also, you will need another policy so that the MBG can surf the web. This policy will allow the MBG subnet (192.168.26.0/24) to access all IPs on the Internet (0.0.0.0/0) by doing Network Access Translation "NAT". This is from the inside (your MBG) to the outside world; this is where you need to NAT.

Also... you will need policies (Permissions) so that the DMZ interface and the LAN interface can access each other (both ways).

Last, you will need another policy so that the LAN (Where your PBX is at) can surf the web, again doing NAT.

Some firewalls do, some others don't allow you to specify when you want to NAT, 'cause you don't always need NAT when routing across different subnets, be very careful. Again, from my point of view you don't need to NAT from WAN to DMZ; again, what I think you need is to port forward.

Have a look again at the first document I sent, where I specify where NAT is needed, which is not always the case.

Again, don't forget the phones (within your LAN) also have 192.168.25.203 as their gateway and that your firewall policies allow them to go to the outside world. Remember that audio traffic will go out through the firewall, not through the MBG. They need a direct path to go to the Internet.

Your IPs and gateways are fine, what worries me are the policies in your firewall.

Have a look and please post back. Regards,

Daniel
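
As an added example, not part of this thread or of any Mitel or firewall vendor document: a small Python model of the rule set Daniel lays out above, so the required flows (port forward to the MBG without NAT, NAT only for the outbound DMZ and LAN traffic, DMZ and LAN open to each other) can be checked against a candidate rule table before the next weekend test. Zone names, the LAN /24 mask and the rule format are assumptions made for the example.

```python
"""Constructed model of the firewall policy Daniel describes for an MBG in the DMZ. Not a real
firewall config or Mitel documentation; zone names, LAN mask and rule format are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
MBG_IP, MBG_NET = "192.168.26.207", "192.168.26.0/24"
LAN_NET = "192.168.25.0/24"  # assumption: the ICP side is a /24

@dataclass(frozen=True)
class Rule:
    zones: Tuple[str, str]            # (source zone, destination zone)
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive port range, None = all ports
    nat: bool                         # in a rule: source NAT applied; in a requirement: NAT needed
    label: str = ""

# Ports Daniel lists for the WAN -> MBG forward (TCP 22, 3998, 6801, 6802, 6880; UDP 20000-31000).
MBG_PORTS = [("tcp", 22, 22), ("tcp", 3998, 3998), ("tcp", 6801, 6802),
             ("tcp", 6880, 6880), ("udp", 20000, 31000)]
# The flows from the post: forward without NAT, MBG and LAN reach the Internet with NAT, DMZ<->LAN open.
REQUIRED = [Rule(("wan", "dmz"), ANY, MBG_IP, p, (lo, hi), False, f"WAN->MBG {p} {lo}-{hi}")
            for p, lo, hi in MBG_PORTS] + [
    Rule(("dmz", "wan"), MBG_NET, ANY, "any", None, True, "MBG to Internet"),
    Rule(("dmz", "lan"), MBG_NET, LAN_NET, "any", None, False, "DMZ to LAN"),
    Rule(("lan", "dmz"), LAN_NET, MBG_NET, "any", None, False, "LAN to DMZ"),
    Rule(("lan", "wan"), LAN_NET, ANY, "any", None, True, "LAN to Internet"),
]

def covers(rule: Rule, need: Rule) -> bool:
    """True when the rule matches the whole required flow, including its full port range."""
    if rule.zones != need.zones or rule.src not in (need.src, ANY) or rule.dst not in (need.dst, ANY):
        return False
    if rule.proto not in (need.proto, "any"):
        return False
    return rule.ports is None or (need.ports is not None and
                                  rule.ports[0] <= need.ports[0] <= need.ports[1] <= rule.ports[1])

def check_policy(rules: List[Rule]) -> List[str]:
    """List each required flow that no rule permits, or that a matching rule NATs the wrong way."""
    problems = []
    for need in REQUIRED:
        matches = [r for r in rules if covers(r, need)]
        if not matches:
            problems.append(f"missing permit: {need.label}")
        elif any(r.nat != need.nat for r in matches):
            problems.append(f"wrong NAT setting: {need.label}")
    return problems
```

A UDP forward that stops short of 31000, or a WAN-to-DMZ rule with source NAT switched on, both show up as findings; an empty list means every flow Daniel names is covered the way he describes.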

 
Thanks again for your help, danramirez.

The DMZ mode is not automatically setting the streaming addresses.

I will try following your tips here.

Best regards. I'll post back with the results.

Rogerio.
 
Do I need to change something on AMC if I want to change WAN IP address in MBG setting?

I don't remember if I saw something like that in the manual.
 
I am going to visit the customer on 08/17.

I will give you feedback.

Thanks.
 
I didn't make it work with your info, Dan.

It worked in the DMZ when we used the 3300 IP address in the ICP-side stream field and the public IP in the set-side stream field.

Anyway, we needed to put the MBG to work with redundant Internet links through NAT, but how do we do it when we already defined one of the public IP addresses in the set-side field?

I don't have much experience with MBG and I am not yet a network expert.

Can we make it work (with audio at both sides) with redundant links without using a public IP address at set-side field?

At this moment the customer will use the MBG in server-gateway mode, manually changing the public IP address in the MBG and the remote phones.

I just want to know if the MBG works in DMZ with resiliency using NAT for 2 public IPs from 2 different ISPs.

Thanks for your help.
 