Netgate Discussion Forum

    Remote openVPN phone setup that need to exit on a different firewall

    Routing and Multi WAN
    voip vpn
      stephenw10 Netgate Administrator

      When you say Phase 1 and 2 you mean of the VoIP connection, not IPSec?

      Are you seeing the traffic from the phone leaving the pfSense WAN directly rather than the interface to reach the Sonicwall? The states look correct?

      Yes so we are clear the path here is:

      Yealink Phone --<openvpn tun>-- [WAN] pfSense [LAN]------- Sonicwall---Cloud VoIP provider

      And the phone(s) are at some remote location.

      Steve

        gpeting @stephenw10

        @stephenw10 Phase 1 and 2 for VoIP via OpenVPN. Doesn’t appear to be exiting out PFSense, but not seeing exit out SW either

          gpeting @stephenw10

          @stephenw10 Stephen,

          What we need to happen is that the VoIP Phones come into PFSense (PF) on their VLAN, which is then routed to the VoIP VLAN and exit out a SonicWALL (SW) to the Cloud to register. Once registered the phone traffic needs to use this routing for the entire call session on outbound calls and inbound calls. This is needed because our call recorder Server is internal and is required for compliance. The actual calls shouldn't go out the PF WAN interface to the CM.

            gpeting @stephenw10

            @stephenw10 You indicated the OpenVPN is using the default gateway (WAN) and that we need to change that to point to the gateway for the LAN which is the address on the SW. Where do we go to make that change?

            Thanks,

              stephenw10 Netgate Administrator @gpeting

              @gpeting said in Remote openVPN phone setup that need to exit on a different firewall:

              VoIP Phones come into PFSense (PF) on their VLAN, which is then routed to the VoIP VLAN and exit out a SonicWALL (SW) to the Cloud to register

              Where is the OpenVPN in that?
              I assumed it was using the OpenVPN client in the Yealink phone connecting to an OpenVPN server running in pfSense? If so there's no VLAN involved there.

              Steve

                gpeting @stephenw10

                @stephenw10 You are correct the client is on the Yealink Phones and the OpenVPN server is configured on the PF. The phones are getting a different IP Address from the LAN side of the PF. The phones are routing from their network into the VoIP network (PF LAN) and need to exit out the SW Gateway on the VoIP LAN. The SW is .1 and the PF is .2 on their respective LAN interface.

                  stephenw10 Netgate Administrator

                  Ok. So I assume the phones are connecting to the OpenVPN server as expected and getting an IP in the OpenVPN tunnel network? The OpenVPN status page shows the phones connected?

                  What I expect then is to see a policy routing rule on the assigned OpenVPN server interface to send all traffic arriving from the phones via the LAN side gateway, which I expect to be the Sonicwall.

                  The default route for pfSense would still be via its WAN so encrypted traffic to the phones goes that way. Is that a separate connection? A different public IP than the Sonicwall uses?

                  So look at the state table. You should see VoIP traffic (SIP and RTP) arriving from the phones on the assigned openvpn interface and then leaving on the LAN interface and no NAT happening. You should not see any VoIP states on the WAN.

                  Steve
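
The state-table check described in the post above can be run over saved `pfctl -ss` output. This is an added example, not part of the original post and not Netgate code; it assumes the `IFACE PROTO ADDR [(ADDR)] DIR ADDR STATE` line layout, and the interface name, tunnel network and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Assumed values for illustration; none of them come from the thread.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")  # OpenVPN tunnel network
WAN_IF = "em0"                                    # pfSense WAN interface

# Constructed samples in the layout printed by `pfctl -ss`.
SAMPLE_GOOD = """\
em0 udp 198.51.100.2:1194 <- 192.0.2.77:50123       MULTIPLE:MULTIPLE
ovpns1 udp 203.0.113.50:5060 <- 10.8.0.6:5060       MULTIPLE:MULTIPLE
em1 udp 10.8.0.6:5060 -> 203.0.113.50:5060       MULTIPLE:MULTIPLE
"""
SAMPLE_BAD = """\
ovpns1 udp 203.0.113.50:5060 <- 10.8.0.6:5060       MULTIPLE:MULTIPLE
em0 udp 198.51.100.2:41234 (10.8.0.6:5060) -> 203.0.113.50:5060       MULTIPLE:MULTIPLE
"""

# The optional parenthesised address is the pre-NAT source of a translated state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)"
    r"(?:\s+\((?P<nat>\S+)\))?\s+(?P<dir><-|->)\s+(?P<b>\S+)")


def _host(addr):
    """Return the IP part of an IPv4 'ip:port' token, or None if unparsable."""
    try:
        return ipaddress.ip_address(addr.rsplit(":", 1)[0])
    except ValueError:
        return None


def check_states(text):
    """Return (finding, line) pairs for phone traffic that is off the intended path."""
    findings = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        addrs = [_host(m[k]) for k in ("a", "nat", "b") if m[k]]
        if not any(a is not None and a in TUNNEL_NET for a in addrs):
            continue  # not phone traffic, e.g. the encrypted OpenVPN transport on WAN
        if m["iface"] == WAN_IF:
            findings.append(("phone-traffic-on-wan", line.strip()))
        if m["nat"]:
            findings.append(("phone-traffic-natted", line.strip()))
    return findings
```

An empty result for the captured table means every state involving a tunnel address stayed off the WAN and was not translated, which is the condition the call-recording path depends on.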

                    gpeting @stephenw10

                    @stephenw10 Stephen, your assessment is correct. I looked at gateways and the OpenVPN is showing Dynamic; I don't see where I can edit it to point to the SW. Is this done in another menu?

                      stephenw10 Netgate Administrator

                      The gateway you are looking for is in the firewall rule that passes traffic coming into the OpenVPN server. That must be set to the Sonicwall in order to policy route it.

                      Check the state table and see what voip traffic from the phones is doing now.

                      Steve

                        gpeting @stephenw10

                        @stephenw10 That worked, thank you very much for your help.

                        Best Regards

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.