2 WAN split phone and data traffic



  • The Setup:

    Maybe this is simple and I just can't see it, but is there a way to set up rules that say if I have a phone at 10.1.1.70 then I want all traffic from that source to go out over OPT1?
    The problem is, while my phone can see and communicate freely with my IP PBX, all of the actual call traffic goes out over my WAN port which makes for some terrible call quality if someone's downloading something large.
    I could do QoS on the 1st connection, but there's no need if I can direct the traffic through the 2nd.

    I've thought about setting up a VIP on the LAN interface and then setting the phone's gateway to that, but then I don't know if there's a way to forward all the traffic that's going to the VIP to OPT1.

    Thanks!



  • Why even have the DDWRT? Having that subnet between is going to cause routing complications regardless of what you have connected on both ends. I'd get rid of the DDWRT and set up dual WAN.



  • The reason for the DMZ type setup is to allow for remote extensions and automatic provisioning remotely without worrying too much about the security of my LAN computers.
    I can keep the pfSense firewall tight and the DD-WRT somewhat loose.

    I know it would be easier to just drop my PBX into my LAN and run dual WAN but I don't want the security risks that would bring.

    Also it gives me more flexibility for my other public servers, I can stick them in there and tell them to use my primary internet connection.



  • If you want to send SIP traffic to OPT1, do packet based routing. In the rules for LAN, send from LAN net all 5060 traffic to OPT1. Also send all the RTP traffic. I assume you are using Asterisk, so the range is either 10000–20000 or whatever you changed the rtp.conf to. I set up pfSense with dual WAN and haven't had any issues with security. The only issue that ever arose from security is users creating extensions with lame passwords... ext 101 with password 101, etc.



  • Forwarding the packets based on port from LAN to OPT1 would work but I'm unsure how to do that with pfSense.

    I investigated that earlier but couldn't find anything on it (maybe wasn't using the right terms?), could you point me in the right direction?



  • @FirebornX:

    The reason for the DMZ type setup is to allow for remote extensions and automatic provisioning remotely without worrying too much about the security of my LAN computers.
    I can keep the pfSense firewall tight and the DD-WRT somewhat loose.

    I know it would be easier to just drop my PBX into my LAN and run dual WAN but I don't want the security risks that would bring.

    There's no reason to do that, add a 4th NIC and you have what you need in a single box.

    You can policy route the traffic, but only to gateways, and that likely wouldn't accomplish what you're looking to do here.





  • @handanril:

    http://www.pfsense.org/mirror.php?section=tutorials/policybased_multiwan/policybased_multiwan.pdf

    Don't use that, it's outdated and partially wrong. I just overwrote it with a pointer to the current documentation here:
    http://doc.pfsense.org/index.php/MultiWanVersion1.2
    though it'll take a bit for the mirrors to sync.

    And that's not really thorough; the best source of info is in the book: http://pfsense.org/book
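
The port-based policy routing discussed in the thread, written as raw pf rules; this is an added example, not code from any poster or from pfSense itself. The interface names, the gateway address and the local subnets are constructed placeholders, and the ports are the SIP and RTP values mentioned above.

```pf
# Added example. Interface names, gateway and subnets are assumptions;
# substitute the values from your own firewall.
lan_if  = "em0"            # LAN interface (assumed name)
opt1_if = "em2"            # OPT1 interface (assumed name)
opt1_gw = "203.0.113.1"    # OPT1 upstream gateway (documentation address)
phone   = "10.1.1.70"      # phone address from the original question

# Directly reachable networks (constructed). Traffic to these must not be
# policy routed, or the phone loses its path to a locally attached PBX.
table <local_nets> const { 10.1.1.0/24, 192.168.1.0/24 }

# 1. Local destinations: normal routing. "quick" stops evaluation here.
pass in quick on $lan_if inet from $phone to <local_nets> keep state

# 2. SIP signalling from the phone goes to the OPT1 gateway.
pass in quick on $lan_if route-to ($opt1_if $opt1_gw) inet proto udp \
    from $phone to any port 5060 keep state

# 3. RTP media, using the Asterisk rtp.conf range quoted in the thread.
pass in quick on $lan_if route-to ($opt1_if $opt1_gw) inet proto udp \
    from $phone to any port 10000:20000 keep state

# 4. All other LAN traffic follows the default route out the WAN.
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

Matching on the single source address rather than the whole LAN net keeps the OPT1 path limited to the phone; dropping the `proto` and `port` clauses from rule 2 would send all of the phone's non-local traffic out OPT1 instead.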

