On 12/23/18 7:03 PM, Daniel Frey wrote:
> This is correct. A is the voice vlan, the black box is the phone server
> (which I am unable to add custom routes or new software packages to), B
> is another vlan that has access through site-to-site vpn to C.

That makes perfect sense. There is functionally zero hope of modifying
the phone system. Even if you could, it would likely compromise the
warranty, and other complications would ensue. Let's just consider this a
no-fly zone.

> A needs to send to a mail server on C but it isn't a part of the
> addressing required to traverse through the vpn.

Yep. A LOT of VPNs decide what traffic is interesting and / or allow
traffic based on source and / or destination subnet.

> Hence my thought of a mail forwarder.

Can the phone server in A talk to a system in B? Or does the magic need
to happen on a multi-homed host that is in both the Voice VLAN (A) and
data VLAN (B)?

> I've never had to deal with a server in this manner before... needing to
> go through a different vlan/vpn. Hence my thought of a mail relay.

I believe the mail relay, particularly if it's multi-homed in both voice
and data VLANs, is a viable option.

> I was messing with source and destination nat but because of the site
> vpn addressing, and the phone server not being in that address range...
> I'm pretty sure that's why it wasn't working.

Depending where you do it, I would expect that the NAT would work.

Hypothetical scenario:

Voice VLAN = 192.0.2.0/24
Local Data VLAN = 198.51.100.0/24
Remote Data VLAN = 203.0.113.0/24

I'm guessing that you need to get voice messages as attachments from the
VoIP PBX, 192.0.2.123, to the corporate email server, 203.0.113.234.
The problem is the site-to-site VPN only allows 198.51.100.0/24 and
203.0.113.0/24 to communicate. Meaning that the site-to-site VPN won't
pass traffic from the VoIP PBX.

Here's an important question: Does the VoIP PBX have a default gateway
configured? Or does it /only/ know about the voice VLAN, 192.0.2.0/24?
Because if it doesn't have a default gateway, then (what it knows as)
the mail server will have to be local to the voice subnet.

We already know that the local side of the email solution will have to
be in the 198.51.100.0/24 subnet to be able to use the VPN.

You could probably fairly easily have a multi-homed host that is in both
the Voice VLAN, 192.0.2.252, and the Local Data VLAN, 198.51.100.252.

That would allow you to run an MTA on the multi-homed host and forward
email at the SMTP application layer.

That would also allow you to use NAT to translate the SMTP traffic as it
passes between the VoIP PBX and the corporate email server.

Let's say that eth0 is in the Voice VLAN, 192.0.2.252, and that eth1 is
in the Local Data VLAN, 198.51.100.252.

# Traffic from the VoIP PBX to the corporate email server.
# The PBX is pointed at 192.0.2.252 as its "mail server"; DNAT rewrites the
# destination to the real server, SNAT rewrites the source to the relay's
# data-VLAN address so the VPN will carry it.
iptables -t nat -A PREROUTING -i eth0 -s $PBXIP -d 192.0.2.252 -p tcp \
    --dport 25 -j DNAT --to-destination 203.0.113.234
iptables -t nat -A POSTROUTING -o eth1 -s $PBXIP -d 203.0.113.234 -p tcp \
    --dport 25 -j SNAT --to-source 198.51.100.252

# Traffic from the corporate email server to the VoIP PBX.
# Note: the nat table only sees the first packet of a connection, and
# conntrack un-translates the replies of the connection above by itself, so
# these rules only ever apply to connections the email server opens itself.
iptables -t nat -A PREROUTING -i eth1 -s 203.0.113.234 -d 198.51.100.252 \
    -p tcp --sport 25 -j DNAT --to-destination $PBXIP
iptables -t nat -A POSTROUTING -o eth0 -s 203.0.113.234 -d $PBXIP -p tcp \
    --sport 25 -j SNAT --to-source 192.0.2.252

That should get quite close to what you need. That alters both the
source and destination IP addresses as the traffic passes through the
multi-homed host, in each direction.

Aside: I call that "Double NAT" because it NATs two different addresses
on one device (as two distinct operations). But the rest of the world
thinks "Double NAT" is something else. :-/
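As an added example (not part of the original mail), the same double-NAT relay host written up as a script: the rule syntax iptables actually accepts, IP forwarding switched on, and the FORWARD chain restricted so the relay passes only the PBX-to-mail-server SMTP flow and its replies. Interface names and addresses are the ones from the hypothetical scenario above; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread: double-NAT SMTP relay host.
PBXIP=192.0.2.123            # VoIP PBX in the voice VLAN
VOICE_IF=eth0
VOICE_IP=192.0.2.252         # relay address the PBX uses as its "mail server"
DATA_IF=eth1
DATA_IP=198.51.100.252       # relay address inside the VPN-permitted subnet
MAILIP=203.0.113.234         # corporate mail server behind the site-to-site VPN

# IPT=echo prints the rules instead of applying them (handy for review).
IPT=${IPT:-iptables}

relay_rules() {
    # Only the first packet of a connection is seen by the nat table;
    # conntrack reverses both translations on the replies, so a single
    # PBX-to-mail direction is all that needs to be written.
    $IPT -t nat -A PREROUTING -i "$VOICE_IF" -s "$PBXIP" -d "$VOICE_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$MAILIP"
    $IPT -t nat -A POSTROUTING -o "$DATA_IF" -s "$PBXIP" -d "$MAILIP" \
        -p tcp --dport 25 -j SNAT --to-source "$DATA_IP"
    # FORWARD sees packets after DNAT but before SNAT: src PBX, dst mail.
    # Accept only this flow and its established replies; drop the rest so
    # the relay cannot be used as a general path between the two VLANs.
    $IPT -A FORWARD -i "$VOICE_IF" -o "$DATA_IF" -s "$PBXIP" -d "$MAILIP" \
        -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$DATA_IF" -o "$VOICE_IF" -s "$MAILIP" -d "$PBXIP" \
        -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -P FORWARD DROP
}

# The relay must route between its two interfaces for any of this to work.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}
```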