iPECS Remote Phones / Gateways / VPN's

Status
Not open for further replies.

Paulburton26

IS-IT--Management
May 16, 2018
34
GB
Hi all,

Having already had some great support on other problems from you guys, thought I would try this

We have a 100 at our head office

System IP 192.168.1.150

Lots of phones on the same LAN, all good

We have lots of remote phones too, all connected via our VPN to the 100 here

Remote sites IP's

192.168.21.0

192.168.23.0

These are just examples, our range is different, and we have 25 sites (not all have phones)

Problems come when people try and call between sites (calls to head office to sites are perfect)

Between sites, we get one way, or short audio

So after reading on here, that the system only sets up the call, then the handsets will talk direct

I then started webbing the VPN, so each site had a VPN between each other, not just head office, this was taking so long to set up each individual VPN

Is there no other way to do this, as for some reason it doesn't affect all sites,

It then gets more complicated, as some large remote sites have their own iPECS 50B (with networking licence) - I know that between these we will need VPN's

Thought I would ask you guys before I made the rest of the VPN's for the sites with only remote phones and no system


Paul


 
you don't need vpns to get remote phones to work,

you can have them truly as remote phones and just put them in remote mode with dhcp turned on and use the wan address of the 100 to get to the system

you will need all the correct port forwarding to the system at the 100 site to do this.

you don't technically need vpns to network ipecs together as you can just use each site's wan address and as long as the port forwarding is there it will work fine. and you can dictate how many networking trunks are in use between each mfim. then just tie the firewall down to each site wan etc

the only advantage of vpns is that the phones can then technically stay as local handsets and they won't use a voim channel when they are in use.

in true full remote mode every time you pick up a remote handset it will use a voim channel.

so if you only have 10 voim channels only ten remote handsets will be able to be in use at one time. depends how busy your sites are and the remote sites etc.

it's all a balance really, there are several different ways of setting up things.

I'd be tempted to set up a phone at each site that has the speech issue into true remote mode using the wan address. and see if that cures your issue. as the only reason you're losing speech is down to a firewall blocking ports.

if you look on the device overview you will see what phones are in remote mode as it will have unicast on not multicast and it will say RNAT as well against the phone. I wouldn't be surprised if the phones that didn't have issues are in full remote mode and the phones that do have issues are still technically local phones

I'd also be looking at zoning as well. are they all in the same zone under zone data on the system?
 
Sorry for the slow reply

We don't want to shoot holes in our firewall with port forwarding, the Draytek 2860's we run - you cannot bound the sending IP, so it becomes open to the world

So I think you are saying we will need VPN's between each site, which is a pain

Found this article previously, not sure if it's relevant



Thanks, Paul
 
yes does look relevant, sounds like a very similar problem to what you have. have you tried putting in the router ip in pgm 132 for the phones not on the same lan?
 
With the Draytek range, you cannot bound an inbound port forward to only be allowed from a certain IP address, therefore if I add a firewall rule, it would be available to anyone on the internet, not just our IP addresses,

 
the draytek does have that feature paul .

i set it up all the time to only allow 5060 requests from the sip carrier we use and only

in the filter page of the firewall .

just set all your ports to deny and then allow only from a single or a range of ip addresses .

eg:

Untitled_wljelo.png
 
Thanks for that, I didn't know the 2860 supports this

Really thought there would be an easier way to do it when they all have a VPN to our head office, without having to web all the sites together


Thanks everyone,


Paul
 
On another note Martin - make sure you flash your 2860's with the latest firmware, 3.8.8 released over the weekend 19-5-18

They found a security bug, and when I checked mine 3 or 4 of our 25 had been hacked,


Paul
 
yeah I have over 500 out there this will be fun. I've found a few, not too many lol

did you get anywhere with your problem?
 
Hi Martin,

Yes, we have done all our 2860's, and they have now released the new firmware for the 2830's, so we have had to do all them too

We had DNS settings changed and DHCP enabled on WAN1 (where we would always disable it)

Didn't really get anywhere, so finished webbing the VPN's (which was very time consuming) but is working

Next time we add a new site though, I will have another go, as I am sure you can do it without doing what I did


Thanks for your help,


Paul
 