Mitel Phones behind a Linux Firewall
My company recently moved from a business DSL line to a T1 w/ VOIP package from Broadview. In our old setup the DSL came into our firewall (a RedHat 9 box) on eth0 and our local network was attached to a switch behind eth1. With the new setup, however, Broadview wants us to put the Cisco2431-8FXS router they've provided us on the same switch that the firewall and local network machines are attached to. Obviously this isn't a terribly secure setup. Since they haven't been much help with alternative setups, I've tried a few of my own and getting the computers behind the firewall isn't a problem, but the Mitel phones are a bit more complicated.
First I tried to use proxy ARP on our firewall to respond for the Broadview router IP the phones use as a gateway. With this setup, if I configure my computer with an IP within the phones' subnet I can ping the Broadview router, and I can ping the server the phones seem to be registering with (let's call it the phone server), but I can only ping the phone server; no ports seem to be open on it, including the TFTP service that the phones use once they get an IP. I think this might be solvable if I could retrieve an address for the phones via DHCP; however, I installed dhcrelay on the firewall and although it relays the phones' DHCP discover request, neither the Broadview router nor the phone server will reply. What I'd like to do is configure our firewall to simply rebroadcast DHCP traffic between eth0 and eth1 unchanged, but if that's possible, I haven't been able to find a way.
My second attempt was to assign the phones addresses within our local subnet and then masquerade them as addresses within the phone subnet. After some packet sniffing I worked out the proper DHCP options to get the phones to accept a DHCP offer, but once again, no ability to contact the phone server for TFTP.
My guess is that the "phone server" will not respond to any IP it hasn't assigned via DHCP, but it also will not respond to relayed DHCP requests, most likely because they are non-broadcast traffic with a source address outside of its acceptable range. At this point I can't even think of what the next thing to try is. As a last resort I might add two additional NICs to the firewall, bridge them, and filter traffic using ebtables, but I would also like to be able to move some of these phones offsite and use them over a VPN tunnel, and a bridge will make that more complicated (I'd need separate tunnels at each offsite location for phone and data, I think). Any suggestions would be greatly appreciated, and thanks for taking the time to look this over.
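The post's suspicion turns on what a DHCP relay changes in a DISCOVER before forwarding it, and how a server decides which scope (if any) a relayed request belongs to. The following is an added example, not code from the poster, Broadview or Mitel: it builds a client-side DHCPDISCOVER as a phone would broadcast it (RFC 2131 fixed header plus the message-type option), applies the two edits a relay agent makes (increments hops, stamps its own interface address into giaddr, and the server then receives it as unicast rather than broadcast), and mimics the standard server rule that a relayed request is answered only from a scope containing giaddr. The MAC address, the relay addresses and the scope prefixes are constructed sample values from the TEST-NET ranges, not anything from the post; the scope-selection logic is the general RFC 2131 behaviour, not a description of the Mitel server's configuration.

```python
import ipaddress
import socket
import struct

# Constructed sample values (not from the original post).
PHONE_MAC = bytes.fromhex("001122334455")     # hypothetical phone MAC
RELAY_OUTSIDE = "192.0.2.1"                   # relay address outside the phone scope
RELAY_INSIDE = "198.51.100.2"                 # relay address inside the phone scope
PHONE_SCOPE = "198.51.100.0/24"               # hypothetical scope the phone server serves

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # 236-byte fixed BOOTP/DHCP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_END = 255
DHCPDISCOVER = 1


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a DHCPDISCOVER the way a client broadcasts it: hops=0, giaddr=0.0.0.0,
    BROADCAST flag set so the server's reply is broadcast back to an unconfigured host."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,             # transaction id, secs=0, flags: BROADCAST bit
        b"\0" * 4, b"\0" * 4,       # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,       # siaddr, giaddr (0.0.0.0: not relayed)
        mac.ljust(16, b"\0"),       # chaddr (client hardware address, padded)
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    options = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + options


def relay(packet: bytes, relay_ip: str) -> bytes:
    """Apply what a relay agent does before unicasting the request to the server
    (RFC 1542 / RFC 2131): hops += 1 and giaddr = the relay's interface address.
    Everything else, including chaddr and the options, is forwarded unchanged."""
    hops = packet[3] + 1
    giaddr = socket.inet_aton(relay_ip)
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]


def parse(packet: bytes) -> dict:
    """Decode the fields a server looks at first, plus the DHCP message type option."""
    fields = struct.unpack(BOOTP_FMT, packet[:236])
    options = {}
    i = 236 + len(MAGIC_COOKIE)
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    hlen = fields[2]
    return {
        "hops": fields[3],
        "xid": fields[4],
        "broadcast_flag": bool(fields[6] & 0x8000),
        "giaddr": socket.inet_ntoa(fields[10]),
        "chaddr": fields[11][:hlen].hex(":"),
        "msg_type": options.get(OPT_MSG_TYPE, b"\0")[0],
    }


def select_scope(info: dict, scopes: list, receiving_net: str):
    """Mimic RFC 2131 section 4.3.1 scope selection on the server side:
    giaddr == 0.0.0.0 means the request arrived directly, so the subnet of the
    receiving interface is used; otherwise the scope that contains giaddr.
    None means no scope matches, which is one reason a relayed DISCOVER is
    silently dropped rather than answered."""
    if info["giaddr"] == "0.0.0.0":
        return receiving_net if receiving_net in scopes else None
    g = ipaddress.ip_address(info["giaddr"])
    for scope in scopes:
        if g in ipaddress.ip_network(scope):
            return scope
    return None


if __name__ == "__main__":
    direct = build_discover(PHONE_MAC)
    for label, pkt in (("direct broadcast", direct),
                       ("relayed, giaddr outside scope", relay(direct, RELAY_OUTSIDE)),
                       ("relayed, giaddr inside scope", relay(direct, RELAY_INSIDE))):
        info = parse(pkt)
        print(f"{label}: hops={info['hops']} giaddr={info['giaddr']} "
              f"-> scope {select_scope(info, [PHONE_SCOPE], PHONE_SCOPE)}")
```

The third case is the one to compare against a capture on the server side: if the relay's giaddr is an address the server has no scope for, the request parses perfectly and is still ignored, which matches the "no reply at all" symptom without any port being closed.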