NAT 1:1 to PBX



  • I may be doing this quite wrong and there may be a better approach. I have a PFSense box with three virtual network cards set up.

    Card 1 -> LAN
    Card 2 -> WAN
    Card 3 -> OPT1

    LAN is on 192.168.104.0
    WAN PPPoE
    OPT1 is on 192.168.0.0

    Idea is to have a server with a virtual PBX sitting on 192.168.104.0, phones also on 192.168.104.0. I have PFSense dialling for the SIP trunks over WAN. Then the customer provides one IP from their network (192.168.0.x) for this example. I decided to put 1:1 NAT on OPT1 with their provided IP and configure the following:

    PBX on 192.168.104.10
    PFSense as local gateway on 192.168.104.1 on LAN
    Customer gives me address 192.168.0.210 and I put this in as an alias on interface OPT1.
    I then add in a 1:1 NAT with external address being 192.168.0.210 and internal being 192.168.104.10.
    Lastly I add in the rule to allow 0.210 to 104.10.

    When testing I can access SSH, web and pretty much any server, which proves that my 1:1 configuration works. However, one application running on a test computer on the network 192.168.0.0 fails to return that it is connected. I have run a Wireshark trace and get responses until it negotiates a TLS certificate. It then fails with a TLS error, which is encrypted. I was suspecting the application until I connected the same PC onto the network 192.168.104.0 and it connected without problem.

    Is there any other way to trace why it is failing on the one application attempting a TLS connection? Does TLS become affected by 1:1 NAT?

    Is there a better way to separate the two networks? I only need the customer to reach the PBX, for example web access to change the address book, etc.

    Thanks
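    Added diagnostic for the question of where the TLS connection dies, not code from the thread: it runs the same TLS handshake against the PBX through the 1:1 NAT address and directly on the LAN address, once without certificate checks (does the handshake itself survive NAT?) and once with full verification (does the client reject the certificate when it dials the NAT address?). The two addresses are taken from the post; the port is an assumption, since the post does not say which port the failing application uses.

```python
# Added example, not from the original post. Differential TLS probe through the
# 1:1 NAT (192.168.0.210 -> 192.168.104.10) described in the thread.
import hashlib
import socket
import ssl

NAT_ADDR = "192.168.0.210"    # 1:1 NAT address supplied by the customer (from the post)
LAN_ADDR = "192.168.104.10"   # PBX address on the LAN (from the post)
PORT = 443                    # assumed; use the port the failing application dials

def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def classify(exc):
    """Map a probe exception to the stage at which the connection died."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate rejected"      # handshake completed, client distrusts the cert
    if isinstance(exc, ssl.SSLError):
        return "tls handshake failed"      # alert or reset during the handshake itself
    if isinstance(exc, OSError):
        return "tcp connect failed"        # firewall/NAT rule problem, not TLS
    return "unknown"

def probe(addr, port, verify, timeout=5.0):
    """Return ('ok', fingerprint) or (stage, error text) for one TLS attempt."""
    ctx = ssl.create_default_context()
    if not verify:                         # diagnostic only: accept any certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=addr) as tls:
                return "ok", fingerprint(tls.getpeercert(binary_form=True))
    except Exception as exc:               # report everything; this is a diagnostic
        return classify(exc), f"{type(exc).__name__}: {exc}"

def run_matrix(port=PORT):
    """Probe both paths with and without verification. Identical fingerprints on the
    no-verify rows show the NAT path delivers the same certificate as the LAN path;
    'certificate rejected' only on the NAT row points at the certificate's names."""
    rows = []
    for label, addr in (("via 1:1 NAT", NAT_ADDR), ("direct LAN", LAN_ADDR)):
        for verify in (False, True):
            stage, detail = probe(addr, port, verify)
            rows.append((label, "verify" if verify else "no-verify", stage, detail))
    return rows

if __name__ == "__main__":
    for row in run_matrix():
        print("{:<12} {:<10} {:<24} {}".format(*row))
```

Run it from the test computer on the 192.168.0.0 network while the Wireshark capture is running; the stage column tells you whether the failure is a firewall/NAT rule, the handshake itself, or the client refusing the certificate.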


  • Banned

    What PBX software are you using? They are not all the same.