I have a few questions about proper DMZ configurations, but I figure I should start with some basic configuration info. All IPs here will be fake, but I will be consistent across the explanation of the configuration. Apologies in advance for the wall of text.
Configuration:
- ISP Fiber Provider issued me a Layer 3 IP block and a Layer 2 block
- Layer 3 block and address is assigned to my WAN Interface Port [Address: 50.X.X.118/28]
- Layer 2 block is assigned to devices sitting in the DMZ interface [Address of DMZ: 50.Y.Y.1; allowed through .14]
- VOIP Edgemarc device is configured at [50.Y.Y.14] providing VOIP connection to phone VLAN
- Firewall rules are created to allow any traffic to or from the DMZ to transit unhindered
- Masquerading rules created from DMZ Network -> WAN
- No NAT Rules Configured for DMZ
Things seem to work, as they have been running for about a year now in this config. You can get to the Edgemarc at its defined public IP address, as I had hoped.
But... there's always a but. I ran into an issue today: I had requested information from our VOIP provider about voicemail delivery being delayed. After profiling the traffic, they returned something that I hadn't anticipated. They said that the delay is because the packets coming back to the voicemail repository are showing as the Layer 3 address assigned to the WAN port and not the Layer 2 address assigned to the Edgemarc device, so they're being delayed.
So, to my questions:
- What did I do wrong with my general DMZ setup?
- How can traffic coming from those addresses in the DMZ show as their actual public IP and not the IP of the UTM's WAN address itself?
- Is this a Masquerading/NAT issue? If so, what's the best path to fix this?
Thanks in advance for your help.
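The symptom in the post (the provider seeing the UTM's WAN address instead of the Edgemarc's own public address) is exactly what a masquerade rule covering DMZ -> WAN produces: masquerade rewrites the source of every matching packet to the address of the egress interface. The following is an added example, not part of the original post or any vendor's configuration: a small Python model of a Linux NAT postrouting chain (first matching rule wins, `masquerade` rewrites the source, `accept` ends NAT processing), run over a ruleset like the one described and over a corrected one that exempts the routed public DMZ block before masquerading the private LAN. The interface names eth0/eth1/eth2, the 198.51.100.0/28 and 203.0.113.0/28 stand-ins for the 50.X.X and 50.Y.Y blocks, and the 10.0.0.0/24 LAN are constructed assumptions.

```python
"""Model of a Linux NAT postrouting chain, used to show why a masquerade rule
on DMZ -> WAN hides a DMZ host's public address.

Added example, not from the original post. Addresses are constructed stand-ins
(RFC 5737 test ranges) for the poster's 50.X.X.118/28 WAN block and 50.Y.Y.0/28
DMZ block; rule semantics follow nftables/iptables but are evaluated in pure
Python so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

WAN_IF, DMZ_IF, LAN_IF = "eth0", "eth1", "eth2"          # assumed interface names
WAN_ADDR = ipaddress.ip_address("198.51.100.118")       # stand-in for 50.X.X.118
DMZ_NET = ipaddress.ip_network("203.0.113.0/28")        # stand-in for 50.Y.Y.0/28
LAN_NET = ipaddress.ip_network("10.0.0.0/24")           # assumed private phone/office VLAN
EDGEMARC = ipaddress.ip_address("203.0.113.14")         # stand-in for 50.Y.Y.14

# Address that masquerade picks for each egress interface (assumed values).
IF_ADDR = {
    WAN_IF: WAN_ADDR,
    DMZ_IF: ipaddress.ip_address("203.0.113.1"),
    LAN_IF: ipaddress.ip_address("10.0.0.1"),
}


@dataclass(frozen=True)
class Rule:
    """One postrouting NAT rule: optional output-interface and source-prefix match."""
    oif: Optional[str]                       # None matches any interface
    src: Optional[ipaddress.IPv4Network]     # None matches any source
    action: str                              # "masquerade" or "accept"

    def matches(self, oif: str, src: ipaddress.IPv4Address) -> bool:
        return (self.oif is None or self.oif == oif) and (self.src is None or src in self.src)


def egress_source(rules: List[Rule], out_if: str, src: str) -> ipaddress.IPv4Address:
    """Return the source address a remote peer sees after the postrouting chain.

    First matching rule wins: 'masquerade' rewrites the source to the egress
    interface's address, 'accept' terminates NAT processing and leaves the
    packet as-is. No match also leaves the source untouched.
    """
    src_addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(out_if, src_addr):
            if rule.action == "masquerade":
                return IF_ADDR[out_if]
            if rule.action == "accept":
                return src_addr
            raise ValueError(f"unknown action {rule.action!r}")
    return src_addr


# Ruleset as the post describes it: the DMZ block is masqueraded on its way
# out of the WAN interface, so the provider sees the WAN address.
POSTED_RULES = [
    Rule(oif=WAN_IF, src=DMZ_NET, action="masquerade"),
    Rule(oif=WAN_IF, src=LAN_NET, action="masquerade"),
]

# Corrected ruleset: exempt the routed public DMZ block from NAT *before* any
# masquerade rule can match it; masquerade only the private LAN.
FIXED_RULES = [
    Rule(oif=WAN_IF, src=DMZ_NET, action="accept"),
    Rule(oif=WAN_IF, src=LAN_NET, action="masquerade"),
]


def nft_text(rules: List[Rule]) -> List[str]:
    """Render rules as nftables statements for a 'type nat hook postrouting' chain."""
    lines = []
    for rule in rules:
        parts = []
        if rule.oif:
            parts.append(f'oifname "{rule.oif}"')
        if rule.src:
            parts.append(f"ip saddr {rule.src}")
        parts.append(rule.action)
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        seen = egress_source(rules, WAN_IF, str(EDGEMARC))
        print(f"{name:6}: Edgemarc {EDGEMARC} -> provider sees {seen}")
        for line in nft_text(rules):
            print("        ", line)
```

The order matters: the `accept` for the DMZ prefix has to sit above any masquerade rule that could also match it. The iptables equivalent of that exemption is `iptables -t nat -I POSTROUTING -o eth0 -s 203.0.113.0/28 -j ACCEPT`. After changing the rules, existing conntrack entries for the Edgemarc's flows still carry the old translation until they expire or are flushed, so re-test from a fresh connection.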