On 12/23/18 8:21 PM, Grant Taylor wrote:

> Can the phone server in A talk to a system in B? Or does the magic need
> to happen on a multi-homed host that is in both the Voice VLAN (A) and
> data VLAN (B)?

Yes, I control the router; poking a hole allowing port 25 from the phone
server IP to the mail relay IP is trivial. This would lessen the need
for a multi-homed server - although that is possible too, as the
infrastructure is virtualized.

>
>> I've never had to deal with a server in this manner before... needing
>> to go through a different vlan/vpn. Hence my thought of a mail relay.
>
> I believe the mail relay, particularly if it's multi-homed in both voice
> and data VLANs, is a viable option.
>
>> I was messing with source and destination nat but because of the site
>> vpn addressing, and the phone server not being in that address
>> range... I'm pretty sure that's why it wasn't working.
>
> Depending where you do it, I would expect that the NAT would work.
>
> Hypothetical scenario:
>
> Voice VLAN = 192.0.2.0/24
> Local Data VLAN = 198.51.100.0/24
> Remote Data VLAN = 203.0.113.0/24
>
> I'm guessing that you need to get voice messages as attachments from the
> VoIP PBX, 192.0.2.123, to the corporate email server, 203.0.113.234. The
> problem is the site-to-site VPN only allows 198.51.100.0/24 and
> 203.0.113.0/24 to communicate. Meaning that the site-to-site VPN won't
> pass traffic from the VoIP PBX.
>
> Here's an important question: Does the VoIP PBX have a default gateway
> configured? Or does it /only/ know about the voice VLAN, 192.0.2.0/24?
> Because if it doesn't have a default gateway, then (what it knows as)
> the mail server will have to be local to the voice subnet.
>
> We already know that the local side of the email solution will have to
> be in the 198.51.100.0/24 subnet to be able to use the VPN.
>
> You could probably fairly easily have a multi-homed host that is in both
> the Voice VLAN, 192.0.2.252, and the Local Data VLAN, 198.51.100.252.
>
> That would allow you to run an MTA on the multi-homed host and forward
> email at the SMTP application layer.
>
> That would also allow you to use NAT to translate the SMTP traffic as it
> passes between the VoIP PBX and the corporate email server.
>
> Let's say that eth0 is in the Voice VLAN, 192.0.2.252, and that eth1 is
> in the Local Data VLAN, 198.51.100.252.
>
> # Traffic from the VoIP PBX to the corporate email server.
> iptables -t nat -A PREROUTING -i eth0 -s $PBXIP -d 192.0.2.252 -p tcp
> --dport 25 -j DNAT --to-destination 203.0.113.234
> iptables -t nat -A POSTROUTING -o eth1 -s $PBXIP -d 203.0.113.234 -p tcp
> --dport 25 -j SNAT --to-source 198.51.100.252
>
> # Traffic from the corporate email server to the VoIP PBX.
> iptables -t nat -A PREROUTING -i eth1 -s 203.0.113.234 -d 198.51.100.252
> -p tcp --sport 25 -j DNAT --to-destination $PBXIP
> iptables -t nat -A POSTROUTING -o eth0 -s 203.0.113.234 -d $PBXIP -p tcp
> --sport 25 -j SNAT --to-source 192.0.2.252
>
> That should get quite close to what you need. That alters both the
> source and destination IP addresses as the traffic passes through the
> multi-homed host, in each direction.
>
> Aside: I call that "Double NAT" because it NATs two different addresses
> on one device (as two distinct operations). But the rest of the world
> thinks "Double NAT" is something else. :-/
>

So it basically comes down to picking a package and then locking it down
so it only forwards mail to that specific IP, and only allows mail to be
received from the phone server.

It would be easier to use the public IP but due to regulations it has to
go over the VPN.

Dan
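The double-NAT approach from Grant's scenario, written out as an added example (not code from either poster) for the multi-homed host, with the forwarder locked down to SMTP from the PBX to the one mail server as Dan describes. It assumes the PBX is 192.0.2.123, eth0 sits in the voice VLAN and eth1 in the local data VLAN; note that conntrack reverses the translation for reply packets, so only the PBX-to-mail-server direction needs NAT rules.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the commands by default;
# set APPLY=1 to execute them on the multi-homed host.
# Assumed addresses (from the scenario in the thread; PBX IP assumed):
PBXIP=${PBXIP:-192.0.2.123}
VOICE_IP=192.0.2.252      # this host on the voice VLAN (eth0)
DATA_IP=198.51.100.252    # this host on the local data VLAN (eth1)
MAILIP=203.0.113.234      # corporate mail server reached over the VPN

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

nat_rules() {
    # Only the PBX -> mail server direction needs NAT entries: conntrack
    # undoes both translations for the reply packets of the same flow.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -s "$PBXIP" -d "$VOICE_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$MAILIP"
    run iptables -t nat -A POSTROUTING -o eth1 -s "$PBXIP" -d "$MAILIP" \
        -p tcp --dport 25 -j SNAT --to-source "$DATA_IP"
}

filter_rules() {
    # Lock the forwarder down: forward nothing except SMTP from the PBX to
    # the mail server and the replies of those connections. FORWARD sees
    # the packet after PREROUTING DNAT, so the destination is already MAILIP.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i eth0 -o eth1 -s "$PBXIP" -d "$MAILIP" \
        -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -s "$MAILIP" -d "$PBXIP" \
        -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

all_rules() { nat_rules; filter_rules; }

all_rules
```

Run it once without APPLY to review the generated rule set, then with APPLY=1 as root; the PBX must point its SMTP host at 192.0.2.252.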