Two routers, one firewall



  • I know this is talked about all over the site but after reading a lot of stuff, I'm still at a loss.

    I have a cisco 2600 with two T1's on it.

    WAN1 is all data, everything passes, no blocking, on to firewall #1.

    WAN2 is for SIP/RTP only. It allows SIP/RTP traffic to a trixbox,
    everything else is blocked, nothing else passes on it.

    It's a terrible setup and it's not using the resources very well. I would prefer that SIP/RTP traffic be allowed on both T1's, along with DATA and of course, that it all be QoS.

    I would prefer that both T1's terminate onto a single firewall so that it is a world easier to manage machines and resources while not having to jump through loops.

    I have pfsense installed and am looking at it, and even tried to get this going but just can't seem to get it right. There are so many posts from people doing a variety of things that I have nothing I can really follow other than a mix of things which just trash my traffic when I try it. Of course, I have this stuff in production so need to get this done in a way that does not totally disrupt my traffic.

    I figure I need to dumb down the 2600's config so that ALL traffic from both T1's will now go to pfsense.
    I figure I need to configure pfsense to accomplish my needs.

    I don't even really know if pfsense is my answer.

    Um, HELP! Please, community.. help! :).

    I'll be happy to provide more information which I'm sure I've left out, just ask. And, it goes without saying, THANK YOU for any help you can offer!

    Mike



  • There are two tricky things about this:

    • trafficshaping is not really supported on multiple interfaces yet (speaking of 1.2 release, it's on the way and almost done for the upcoming version 1.3 but it will take some more time until this release will be available/stable)

    • loadbalancing voip is not really doable due to the nature of the sip protocol (multiple ports for audiostreams and signalling, some of them randomly chosen from a pool) and because the asterisk probably will have issues if its public IP is hopping between 2 IPs

    What you could do when 1.3 hits the daylight (some months from now):

    • use policybased routing to make the asterisk only use 1 of the links, preferably the better one (not only looking at downloadbandwidth but uploadbandwidth as voipstreams always cause symmetrical load up/down)

    • have everything else balanced besides some protocols like https that won't work with balancing (use a failoverpool for these unless the sticky connections feature gets fixed by then)

    • use the trafficshaper to keep the voip running smoothly with the additional loadbalancing load



  • > trafficshaping is not really supported on multiple interfaces yet (speaking of 1.2 release, it's on the way and almost done for the upcoming version 1.3 but it will take some more time until this release will be available/stable)

    I would not mind installing and being ready for that in the future if it's just going to be an upgrade. I don't really need traffic shaping just yet, more importantly, I need to be able to simplify this mess I have with two firewalls and two WANs.

    When you say traffic shaping, do you mean load balancing, fail over, things like that? Those are the things I would be happy with for now at least. If I can't use both T1's for asterisk for now, I could still benefit on the data side no?

    > loadbalancing voip is not really doable due to the nature of the sip protocol (multiple ports for audiostreams and signalling, some of them randomly chosen from a pool) and because the asterisk probably will have issues if its public IP is hopping between 2 IPs

    That's too bad. How could someone put multiple WANs to better use with asterisk then? I was hoping to gain a little of being able to have SIP/RTP traffic over both. Perhaps even a round robin method?

    I would guess I could still receive calls on one WAN, make them on another or have different providers/services on either WAN?
    If not, I would be happy if I would be able to gain benefits even on the data side only for now.

    > What you could do when 1.3 hits the daylight (some months from now):

    > • use policybased routing to make the asterisk only use 1 of the links, preferably the better one (not only looking at downloadbandwidth but uploadbandwidth as voipstreams always cause symmetrical load up/down)

    Doable, assuming that pfsense could be a long term solution so that I don't have to change everything over again in a few months time. When new features/functions come out, I'd already be set up and running which would be good.

    > • have everything else balanced besides some protocols like https that won't work with balancing (use a failoverpool for these unless the sticky connections feature gets fixed by then)

    Ok, so you are saying that I could balance on data then. What about fail over? Could I still benefit from that on either side, asterisk, data?

    > • use the trafficshaper to keep the voip running smoothly with the additional loadbalancing load

    This is later or because I would be balancing data on both WANs now? I'm guessing you mean because I would now be able to use the WAN which is being used for voice only right now, for voice and data.

    I think that would be very cool so far. It would allow me to simplify things.

    Question: Can I still have the function of being able to go out of one WAN and back in on another? Guessing I can by using DMZ or something. This allows me to test things from a 'real world' perspective at times.

    Is a 1.7Ghz machine with 256RAM enough for this? I can add to the machine but it's what I scrounged up to try this software out.

    Thanks so much.

    Mike



    > loadbalancing voip is not really doable due to the nature of the sip protocol (multiple ports for audiostreams and signalling, some of them randomly chosen from a pool) and because the asterisk probably will have issues if its public IP is hopping between 2 IPs

    In re-reading this, do you mean that if I was using a public IP on the asterisk? The reason I'm looking at pfSense is because it can handle the asterisk ports. My older watchguard firewalls don't.

    So basically, it seems better if the PBX was on a private IP so would that then make a difference?



  • Without trafficshaping you already can do everything like I suggested. Use the asterisk at one of the wans, have everything else loadbalanced and failover for special services like https.



  • @hoba:

    Without trafficshaping you already can do everything like I suggested. Use the asterisk at one of the wans, have everything else loadbalanced and failover for special services like https.

    So, we might be able to use pfSense after all then. Is there a guide anywhere which clearly shows how to configure for asterisk? I just need to get that going before anything else so that we can switch over to pfSense.

    Mike



  • Search the forum. I don't have an asterisk but there is a lot of info in the forum already.



  • One other question as I think about this.

    What I have now are two firewalls, one for WAN1 and one for WAN2.
    I am going to leave WAN1 and firewall #1 in place as things are now but here's my problem.

    WAN1 and 2 are going to be combined onto pfSense. For now, I need to take WAN2 SIP/RTP traffic and pass it all over to pfSense.

    In order to reach pfSense, I had to give it a LAN IP of 192.168.1.3. Firewall #1 NATs for 192.168.1.0. On the WAN side of pfSense, I have WAN2's router gateway for IP and a public IP for pfSense from that network.

    So, my catch is, at some point, pfSense will be taking care of the 192.168.1.0 network and all of my other private LAN segments. But in the meantime, I need to find a way to allow SIP/RTP traffic to flow into pfSense from the WAN2 network and over to an IP on firewall #1. The PBX is at 192.168.1.102 and needs to remain there.

    So, is there a way in which I can do this while taking into account that firewall #1 is currently handling the 192.168.1.0 network?

    Mike



  • @hoba:

    Search the forum. I don't have an asterisk but there is a lot of info in the forum already.

    I have, that's why I'm asking. It's all bits and such but nothing from scratch clearly showing a configuration just for the asterisk.

    Mike



  • we will be putting in an Asterisk VoIP system in the office in the next month or so. and we have been running pfsense for over a year now and it is kinda tricky to get all the settings "just right" but when you do…. just keep clean power going to the pfsense unit and life is real easy. ;D ;D

    i



  • @chazers18:

    we will be putting in an Asterisk VoIP system in the office in the next month or so. and we have been running pfsense for over a year now and it is kinda tricky to get all the settings "just right" but when you do…. just keep clean power going to the pfsense unit and life is real easy. ;D ;D

    i

    Oh oh… tricky? That's why I'm hoping for a clear document. I've got it set up in a temp manner but don't dare flow sip/rtp through it just yet.

    Mike



  • not to be the dick but make one as you go and post it in the wiki.

    be the Hero and Rise up!



  • @chazers18:

    not to be the dick but make one as you go and post it in the wiki.

    be the Hero and Rise up!

    Don't be a dick then, help a new guy :). I'm not sure my document will be of much use, I'm a newbie and that's perhaps the problem. If newbies write the documents, oh my god, it's a mess waiting to happen, isn't it?



  • It's not much work to set it up for Asterisk:
    1. Set up load balancer and failover.
    http://doc.pfsense.org/index.php/Tutorials
    http://doc.pfsense.org/index.php/MultiWanVersion1.2
    Seems pool order is still not fixed in the second guide:

    WAN1FailsToWAN2 pool order should be WAN then WAN1/OPT1
    WAN2FailsToWAN1 pool order should be WAN1/OPT1 then WAN.

    Another one:
    http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

    2. Make sure you enable the static-port option in Outbound NAT and forward the appropriate ports to Asterisk/Trixbox (UDP 5060 and 10000-20000 are defaults) in Firewall: NAT: Port Forward.
    3. Do not use sticky connections; you may try to enable it later, once you get everything working.
    4. Use WAN1FailsToWAN2 or WAN2FailsToWAN1 as a gateway depending on your setup for the Asterisk/Trixbox IP in Firewall rules-LAN.
    You may create an alias for those ports and include HTTPS and other protocols which don't like load balancing. Use this alias instead of the Trixbox IP.
    5. Use the workaround for the dead states in this topic, until the team resolves the issue in a better way:
    http://forum.pfsense.org/index.php/topic,7808.0.html

    That's pretty much all about Asterisk/Trixbox setup. Does it help you?
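    To make the numbered steps above concrete, here is what the same policy looks like in the pf(4) rule syntax that pfSense generates underneath its GUI (the 1.2-era FreeBSD pf dialect with nat/rdr). This is an added illustration written for this thread, not a ruleset from any of the posts or from pfSense itself; the interface names (em0/em1/em2), the gateway addresses and the <pinned> table name are placeholders I chose, and the PBX address, ports and "static port" idea come from the steps above. The failover pools (WAN1FailsToWAN2 etc.) and the dead-state workaround are not shown: pfSense implements those by monitoring the gateways and regenerating the route-to targets, which a static pf.conf cannot express, so this is the steady-state ruleset with the PBX pinned to the first T1.

```pf
# Assumed interface names and placeholder addresses; substitute the real
# ones. WAN = first T1, OPT1 = second T1, matching the multi-WAN guide.
lan     = "em1"
wan     = "em0"            # "WAN" in the pfSense GUI (T1 #1)
opt1    = "em2"            # "OPT1" in the pfSense GUI (T1 #2)
wan_gw  = "203.0.113.1"    # placeholder: WAN's upstream router
opt1_gw = "198.51.100.1"   # placeholder: OPT1's upstream router
lan_net = "192.168.1.0/24"
pbx     = "192.168.1.102"  # the Trixbox address from the thread

sip_port  = "5060"
rtp_ports = "10000:20000"  # default RTP range named in step 2

# Hosts that must always leave via one fixed link: the PBX, plus anything
# else that breaks when its public IP changes between connections.
table <pinned> { $pbx }

# Step 2, outbound NAT with static-port: do not rewrite the source port.
# Without it the port the provider sees differs from the one the PBX put
# in its SIP headers, and registrations / inbound INVITEs go astray.
nat on $wan  from $lan_net to any -> ($wan)  static-port
nat on $opt1 from $lan_net to any -> ($opt1) static-port

# Step 2, port forwards: SIP signalling and the RTP range to the PBX on
# both links, so calls can arrive on whichever address is registered.
rdr on $wan  proto udp from any to ($wan)  port $sip_port  -> $pbx
rdr on $wan  proto udp from any to ($wan)  port $rtp_ports -> $pbx
rdr on $opt1 proto udp from any to ($opt1) port $sip_port  -> $pbx
rdr on $opt1 proto udp from any to ($opt1) port $rtp_ports -> $pbx

# Default deny; only the rules below pass traffic.
block all

# Inbound from the T1s: only the forwarded SIP/RTP traffic reaches the PBX.
pass in quick on $wan  proto udp from any to $pbx port { $sip_port, $rtp_ports } keep state
pass in quick on $opt1 proto udp from any to $pbx port { $sip_port, $rtp_ports } keep state

# Step 4, LAN policy routing. "quick" makes the first match win:
#   a) pinned hosts (the PBX) always go out the WAN link
#   b) HTTPS stays on one link too, since the far end ties the session to
#      the client's public IP (the "alias" of step 4, done by port here)
#   c) everything else is balanced round-robin across both links
pass in quick on $lan route-to ($wan $wan_gw) from <pinned> to ! $lan_net keep state
pass in quick on $lan route-to ($wan $wan_gw) proto tcp from $lan_net to ! $lan_net port 443 keep state
pass in quick on $lan route-to { ($wan $wan_gw), ($opt1 $opt1_gw) } round-robin from $lan_net to ! $lan_net keep state

# LAN-to-LAN traffic and everything leaving the box: plain pass
pass in  quick on $lan from $lan_net to $lan_net keep state
pass out quick keep state
```

    The ordering matters in two places: nat/rdr rules must precede the filter rules in this pf dialect, and the three route-to rules must stay in that order because the round-robin rule would otherwise catch the PBX and HTTPS traffic too. To check what pfSense actually generated on your box, compare against `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) rather than trusting the GUI alone.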



  • Thank you very much for the help. I'll start on this tomorrow and see how far I can get. I can test over the weekend and at night since no one is on the phones.

    Looks very in-depth so am hoping I'll at least get some basics going.

    Thanks again.

    Mike

