[ale] Placing SIP Server in DMZ or use DNAT?

DJ-Pfulio DJPfulio at jdpfu.com
Wed May 22 10:00:22 EDT 2019

Don't know if this will help, but here's what I do.  It certainly isn't

My VoIP service has been perfect for over a decade. Prior to that, I had
different providers and each had different issues. $5/month is a bargain
to me for SIP.

I wanted MY router in the setup for security control, so pass the public
/29 IPs to it using the ISP's bridge mode. The ISP's router is both a
router and switch, so I connect my ATA (I pay for a SIP service) to it
directly on their 10.1.10.x/24 subnet. I put all wifi devices onto this
subnet too - outside my real network - basically on the internet since
the ISP controls that box. Some IoT devices are there as well. That can
prevent internal access to media, but I was willing NOT to allow roku
access to the plex server. WiFi devices need to run a VPN to access the
internal network. I don't trust wifi-anything.

My ATA keeps an active connection to the SIP service. My SIP service
just started providing STUN capabilities, which I haven't enabled. Need
to. All SIP connections come from that service provider, so the ATA only
needs to allow SIP from the 3 servers I use in their ATL PoP.

My router gets all the public IPs, except the ISP "gateway" IP. The
lowest one is the default. For the others, I have in/out forwarding
rules to specific IPs on the server LAN.  This configuration avoids
double-NAT.  My router controls the different internal LANs and which
subnets are allowed to talk on which ports. I use separate physical
switches inside the each LAN to add more ports to each.

If the ISP device truly is just modem, with 1 port, then you'll want a
5-port GigE switch there. Those are cheap.

The last few months, I've been reconfiguring the public services to go
through a single IP using a reverse proxy and have email services going
through an email gateway. The plan is to move to a cheaper, faster, ISP
connection, GigE symmetric, and have 1-2 $5/month VPS systems doing the
gateway/rev-proxy work. If I insisted on running my own SIP server, that
would move out too, but with just an ATA connected to a 6-node phone
system, that isn't needed.

On 5/22/19 9:20 AM, Derek Atkins via Ale wrote:
> HI,
> I've got a network with the following configuration.  I am being routed
> IP range a.b.c.120/29.  The modem takes .126.  I've configured my
> firewall for .121.  I can add a switch between the modem and firewall to
> add additional machines there:
>               .126           .121
>    ISP -- <Modem> --<switch>-- <firewall> -- intranet
> I want to add a SIP server as .122.  I have two ways to do this.
> I could put it outside the firewall and just have it be natively on
> .122:
>               .126           .121
>    ISP -- <Modem> --<switch>-- <firewall> -- intranet
>                             \--<sip> (.122)
> Or I have it inside the intranet and configure the firewall to
> forward and rewrite packets via a set of (D)NAT rules:
>               .126   .121/.122
>    ISP -- <Modem> -- <firewall> -- intranet
>                                  \-- <sip>
> What do you all feel is the best approach?  I feel like the former is a
> simpler configuration, even though it requires one more piece of
> hardware.  On the other hand, the latter approach lets me have more
> visibility into the packets hitting the SIP server.
> I should add that I do have at least 2 phones/ATAs sitting in the
> intranet network that need to connect to the SIP server, but standard
> NAT should work for that.
> Currently the SIP server is sitting behind the firewall but living on a
> tunneled class-C network.  My IP phones are able to talk to it directly,
> and because it's got a public IP on the class-C it is reachable from
> devices outside the intranet.  Part of this project is to remove that
> extra level of latency caused by the tunnel, with the hope that removing
> that extra point of failure will improve my VOIP service.
> What do you all think? 

More information about the Ale mailing list