LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 01-24-2008, 11:11 AM   #1
iradix
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Rep: Reputation: 0
Mitel Phones behind a Linux Firewall


Hi there.

My company recently moved from a business DSL line to a T1 w/ VOIP package from Broadview. In our old setup the DSL came into our firewall (a RedHat 9 box) on eth0 and our local network was attached to a switch behind eth1. With the new setup, however, Broadview wants us to put the Cisco2431-8FXS router they've provided us on the same switch that the firewall and local network machines are attached to. Obviously this isn't a terribly secure setup. Since they haven't been much help with alternative setups, I've tried a few of my own and getting the computers behind the firewall isn't a problem, but the Mitel phones are a bit more complicated.

First I tried to use proxy arp on our firewall to respond for the Broadview router IP the phones use as a gatway. With this setup if I configure my computer with an IP within the phones subnet I can ping the Broadview router, and I can ping the server the phones seem to be registering with (lets call it the phone server), but I can only ping the phone server, no ports seem to be open on it, including the TFTP service that the phones use once they get an IP. I think this might be solveable if I could retrieve and address for the phones via DHCP, however, I installed dhcrelay on the firewall and although it relays the phones DHCP discover request, neither the Broadview router nor the phone server will reply. What I'd like to do is configure our firewall to simply rebroadcast DHCP traffic between eth0 and eth1 unchanged, but if that's possible, I haven't been able to find a way.

Second attempt was to assign the phones addresses within our local subnet and then masquerade them as addresses within the phone subnet. After some packet sniffing I worked out the proper DHCP options to get the phones to accept a DHCP offer, but once again, no ability to contact the phone server for TFTP.

My guess is that the "phone server" will not respond to any IP it hasn't assigned via DHCP, but it also will not respond to relayed DHCP requests, most likely because they are non broadcast traffic with a source address outside of it's acceptable range. At this point I can't even think of what the next thing to try is. As a last resort I might add 2 additional NICs to the firewall, bridge them, and filter traffic using ebtables, but I would also like to be able to move some of these phones offsite and use them over a VPN tunnel, and a bridge will make that more complicated (I'd need separate tunnels at each offsite location for phone and data I think). Any suggestions would be greatly appreciated and thanks for taking the time to look this over.
 
Old 01-25-2008, 06:33 AM   #2
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
I can't speak for using Mitel phones, but its my understanding that most VoIP phones expect a special option within the DHCP scope that defines the address of the tftp server the phone will contact for its config info after the IP stack comes up. When using Cisco VoIP phones, its option 150. Maybe the Mitel ip phones are expecting a similar option within the DHCP reply.

Example: from a cisco router configured as DHCP server at a home office. This same router connects into corporate network via VPN. So the home office IP phone can download its config via tftp and register with Call Manager.

Code:
ip dhcp pool IP-Phones
   network 192.168.64.16 255.255.255.248
   domain-name mydomain.com
   dns-server 10.22.22.10 10.33.33.10 
   default-router 192.168.64.17 
   option 150 ip 10.44.44.10 10.44.44.11 
 
Old 01-25-2008, 09:10 AM   #3
iradix
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks, I had actually used a packet sniffer to view the options getting sent to the phones and configured them in my DHCP server, but I appreciate the tip.

I think I've got it now and here is how I got it to work for posterity:

The trick seems to be using dhcp-forwarder rather than dhcrelay. The dhcrelay program was setting my routers internal address in the giaddr field of the relayed DHCP request, which the Broadview DHCP server didn't see as valid. Once I configured that via dhcp-forwarder to a giaddr of an IP within the subnet the phones operate on, and I bound the giaddr IP I used to the external NIC on my firewall, the relay started to work. That coupled with proxy arp seems to have the phone traffic traversing my firewall without a problem. Now it's on to step 2, getting the phones to work from remote locations over VPN...
 
Old 11-14-2009, 08:51 AM   #4
rahul320
LQ Newbie
 
Registered: Nov 2009
Posts: 1

Rep: Reputation: 0
iradix

I have the same Broadview Officesuite system and would like to know how you got this to work. What ports / rules did you use to get the system to pass through your firewall?
 
Old 11-14-2009, 03:03 PM   #5
iradix
LQ Newbie
 
Registered: Jan 2008
Posts: 4

Original Poster
Rep: Reputation: 0
It's been a while, but let this is what I remember:

Configure the external interface of your router to respond to ARP traffic for the phones (this should be the subnet the phones use, minus the IP assigned to the router broadview gave you).

Configure the internal interface of your router to respond to ARP traffic for the phone routers IP address.

Make sure you have the proper routing rules to forward traffic bound for either location out the proper interface.

Configure dhcp-fwd to relay DHCP traffic between the external and internal interfaces, make sure you set the giaddr field to the phones tftp server by using the "ip" config option.

Configure your firewall to accept traffic on udp/tcp ports 9000 and 6927

That should do it.
 
  


Reply

Tags
dhcp, voip


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Do wireless cards work in Mitel Sme? ziggi Linux - Wireless Networking 0 12-24-2005 10:51 PM
upgrade clamav on mitel sme mail server Warmduvet Linux - Newbie 0 05-08-2005 10:10 PM
In over my head with mitel server sme. urquanmaster Linux - Software 0 02-28-2005 03:45 AM
In over my head with mitel SME server! urquanmaster Linux - Games 0 02-28-2005 03:08 AM
How do I update the template on a mitel e-smith ? mpk25 Linux - Security 1 04-13-2004 04:49 PM


All times are GMT -5. The time now is 05:21 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration