
Configure Routing for VoIP and DATA over 2 WAN IPs

I am hoping for some assistance in configuring an XG125 for use with 2 WAN IPs, one for data and one for VoIP.

 

Currently, traffic is flowing correctly for the DATA network, through WAN 1 (port 2 on XG)

 

I have another WAN interface (WAN 2 - Port4) for VoIP traffic, using a separate ISP from the DATA network, which I have taken from the initial br0 bridge pair.

My phone system comes from a device on the LAN with the IP 172.20.164.190, and I need all traffic from that IP to be routed through WAN2.

I then need the incoming traffic from WAN2 port to be accepted, and forwarded to that device on my LAN using a set of TCP and UDP ports.

 

Do I need to create a new LAN zone for the device in question?

Which firewall rules are needed to route the correct traffic through the correct gateway? User/Network rule or Full NAT?

Do I need to create Policy Routes?

 

VoIP is currently working through a Draytek, but I need to move it over to the XG.



  • Hello Alex,

    If you have 2 WAN links configured on your firewall, you could create a network/user rule to allow the traffic to your VOIP server. I believe your VOIP server has an IP address or URL it connects to. You may create a destination-based rule using an IP address, or an FQDN rule using a URL. Apply NAT MASQ and configure your primary gateway on that firewall rule as the link on WAN2 and backup as WAN1.

  • Thanks Aditya

    So, if I enable rule 8 in the above screenshot, this should take care of the incoming connection (WAN2 -> LAN) using the required ports. The rule is configured as below:

    Summary

    VoIP Incoming

    Allow

    Rule

    Accept "VoIP Services" service going to "LAN" zone, when in "WAN" zone, and coming from "#Port4" network

    Source & schedule

    WAN

    Source networks and devices : #Port4
    During scheduled time : All the time

    Destination & services

    LAN

    Destination networks : VoIP Server
    Services : VoIP Services

    Advanced

    Synchronized security

    Source : Minimum heartbeat is No restriction, Clients with no heartbeat allowed
    Destination : Minimum heartbeat is No restriction, Request to destination with no heartbeat allowed

    Masquerading is ON

     

    For the outgoing, do I then configure an IPv4 Policy route?

  • Hi,

    Outgoing is a straight firewall rule with MASQ and the second WAN port selected as primary gateway.

    For incoming traffic that would be going to an internal PABX, the PABX would have to set up connections to the source of your VoIP traffic, so in reality you do not need an incoming rule.

    Ian

  • Thanks Ian

     

    I will need to schedule some testing to check the suggestions. This will only be in around two weeks' time, unfortunately.

  • Hi All

     

    Had time over the weekend to finalise the config.

    The first change that was made was to disable SIP ALG on the XG.

    Second, with the assistance of Riley at Sophos, new rules were created as follows:

     

    Inbound: Business Application Rule

    Source: WAN

    Allowed Networks: ANY

    Destination host/network: #Port4 (my WAN 2 port)

    Services: VoIP Services group with the required ports

    Forward to: My VoIP server in LAN

     

    Had to disable Masquerading (the initial rule was with Masquerading; however, incoming calls stopped working after about 20 mins), and unchecking masquerading has since helped.

     

    Outbound: User/Network Rule

    Source: LAN

    Source networks/devices: VoIP Server

    Destination Zone: WAN

    Destination Networks and Services: ANY

     

    NAT & Routing: checked rewrite Source Address

    Outbound Address MASQ

    Primary Gateway: WAN2 port

     

    Updated the default network firewall rule to use WAN1 as the primary gateway, as the default was set to WAN link load balance.