| 1 |
On 12/23/18 7:03 PM, Daniel Frey wrote: |
| 2 |
> This is correct. A is the voice vlan, the black box is the phone server |
| 3 |
> (which I am unable to add custom routes or new software packages to), B |
| 4 |
> is another vlan that has access through site-to-site vpn to C. |
| 5 |
|
| 6 |
That makes perfect sense. There is functionally zero hope of modifying |
| 7 |
the phone system. Even if you could, it would likely compromise |
| 8 |
warranty, other complications ensue. Let's just consider this a no-fly |
| 9 |
zone. |
| 10 |
|
| 11 |
> A needs to send to a mail server on C but it isn't a part of the |
| 12 |
> addressing required to traverse through the vpn. |
| 13 |
|
| 14 |
Yep. A LOT of VPNs decide what traffic is interesting and / or allow |
| 15 |
traffic based on source and / or destination subnet. |
| 16 |
|
| 17 |
> Hence my thought of a mail forwarder. |
| 18 |
|
| 19 |
Can the phone server in A talk to a system in B? Or does the magic need |
| 20 |
to happen on a multi-homed host that is in both the Voice VLAN (A) and |
| 21 |
data VLAN (B)? |
| 22 |
|
| 23 |
> I've never had to deal with a server in this manner before... needing to |
| 24 |
> go through a different vlan/vpn. Hence my thought of a mail relay. |
| 25 |
|
| 26 |
I believe the mail relay, particularly if it's multi-homed in both voice |
| 27 |
and data VLANs, is a viable option. |
| 28 |
|
| 29 |
> I was messing with source and destination nat but because of the site |
| 30 |
> vpn addressing, and the phone server not being in that address range... |
| 31 |
> I'm pretty sure that's why it wasn't working. |
| 32 |
|
| 33 |
Depending where you do it, I would expect that the NAT would work. |
| 34 |
|
| 35 |
Hypothetical scenario: |
| 36 |
|
| 37 |
Voice VLAN = 192.0.2.0/24 |
| 38 |
Local Data VLAN = 198.51.100.0/24 |
| 39 |
Remote Data VLAN = 203.0.113.0/24 |
| 40 |
|
| 41 |
I'm guessing that you need to get voice messages as attachments from the |
| 42 |
VoIP PBX, 192.0.2.123, to the corporate email server, 203.0.113.234. |
| 43 |
The problem is the site-to-site VPN only allows 198.51.100.0/24 and |
| 44 |
203.0.113.0/24 to communicate. Meaning that the site-to-site VPN won't |
| 45 |
pass traffic from the VoIP PBX. |
| 46 |
|
| 47 |
Here's an important question: Does the VoIP PBX have a default gateway |
| 48 |
configured? Or does it /only/ know about the voice VLAN, 192.0.2.0/24? |
| 49 |
Because if it doesn't have a default gateway, then (what it knows as) |
| 50 |
the mail server will have to be local to the voice subnet. |
| 51 |
|
| 52 |
We already know that the local side of the email solution will have to |
| 53 |
be in the 198.51.100.0/24 subnet to bee able to use the VPN. |
| 54 |
|
| 55 |
You could probably fairly easily have a multi-homed host that is in both |
| 56 |
the Voice VLAN, 192.0.2.252, and the Local Data VLAN, 198.51.100.252. |
| 57 |
|
| 58 |
That would allow you to run an MTA on the multi-homed host and forward |
| 59 |
email at the SMTP application layer. |
| 60 |
|
| 61 |
That would also allow you to use NAT to translate the SMTP traffic as it |
| 62 |
passes between the VoIP PBX and the corporate email server. |
| 63 |
|
| 64 |
Let's say that eth0 is in the Voice VLAN, 192.0.2.252, and that eth1 is |
| 65 |
in the Local Data VLAN, 198.51.100.252. |
| 66 |
|
| 67 |
# Traffic from the VoIP PBX to the corporate email server. |
| 68 |
iptables -t nat -A PREROUTING -i eth0 -s $PBXIP -d 192.0.2.252 -p tcp |
| 69 |
--dport 25 -j DNAT 203.0.113.234 |
| 70 |
iptables -t nat -A POSTROUTING -o eth1 -s $PBXIP -d 203.0.113.234 -p tcp |
| 71 |
--dport 25 -j SNAT 198.51.100.252 |
| 72 |
|
| 73 |
# Traffic from the corporate email server to the VoIP PBX. |
| 74 |
iptables -t nat -A PREROUTING -i eth1 -s 203.0.113.234 -d 198.51.100.252 |
| 75 |
-p tcp --sport 25 -j DNAT $PBXIP |
| 76 |
iptables -t nat -A POSTROUTING -o eth0 -s 203.0.113.234 -d $PBXIP -p tcp |
| 77 |
--sport 25 -j SNAT 192.0.2.252 |
| 78 |
|
| 79 |
That should get quite close to what you need. That alters both the |
| 80 |
source and destination IP addresses as the traffic passes through the |
| 81 |
multi-homed host, in each direction. |
| 82 |
|
| 83 |
Aside: I call that "Double NAT" because it NATs two different addresses |
| 84 |
on one device (as two distinct operations). But the rest of the world |
| 85 |
thinks "Double NAT" is something else. :-/ |
Archives