Linux - Networking
My company recently moved from a business DSL line to a T1 w/ VOIP package from Broadview. In our old setup the DSL came into our firewall (a RedHat 9 box) on eth0 and our local network was attached to a switch behind eth1. With the new setup, however, Broadview wants us to put the Cisco2431-8FXS router they've provided us on the same switch that the firewall and local network machines are attached to. Obviously this isn't a terribly secure setup. Since they haven't been much help with alternative setups, I've tried a few of my own, and getting the computers behind the firewall isn't a problem, but the Mitel phones are a bit more complicated.
First I tried to use proxy ARP on our firewall to respond for the Broadview router IP the phones use as a gateway. With this setup, if I configure my computer with an IP within the phones' subnet I can ping the Broadview router, and I can ping the server the phones seem to be registering with (let's call it the phone server), but I can only ping the phone server; no ports seem to be open on it, including the TFTP service that the phones use once they get an IP. I think this might be solvable if I could retrieve an address for the phones via DHCP; however, I installed dhcrelay on the firewall and although it relays the phones' DHCP discover request, neither the Broadview router nor the phone server will reply. What I'd like to do is configure our firewall to simply rebroadcast DHCP traffic between eth0 and eth1 unchanged, but if that's possible, I haven't been able to find a way.
Second attempt was to assign the phones addresses within our local subnet and then masquerade them as addresses within the phone subnet. After some packet sniffing I worked out the proper DHCP options to get the phones to accept a DHCP offer, but once again, no ability to contact the phone server for TFTP.
My guess is that the "phone server" will not respond to any IP it hasn't assigned via DHCP, but it also will not respond to relayed DHCP requests, most likely because they are non-broadcast traffic with a source address outside of its acceptable range. At this point I can't even think of what the next thing to try is. As a last resort I might add 2 additional NICs to the firewall, bridge them, and filter traffic using ebtables, but I would also like to be able to move some of these phones offsite and use them over a VPN tunnel, and a bridge will make that more complicated (I'd need separate tunnels at each offsite location for phone and data, I think). Any suggestions would be greatly appreciated, and thanks for taking the time to look this over.
I can't speak for using Mitel phones, but it's my understanding that most VoIP phones expect a special option within the DHCP scope that defines the address of the TFTP server the phone will contact for its config info after the IP stack comes up. When using Cisco VoIP phones, it's option 150. Maybe the Mitel IP phones are expecting a similar option within the DHCP reply.
Example from a Cisco router configured as a DHCP server at a home office. The same router connects into the corporate network via VPN, so the home-office IP phone can download its config via TFTP and register with Call Manager.
Code:
ip dhcp pool IP-Phones
 network 192.168.64.16 255.255.255.248
 domain-name mydomain.com
 dns-server 10.22.22.10 10.33.33.10
 default-router 192.168.64.17
 ! option 150: TFTP server(s) the phones fetch their config from
 option 150 ip 10.44.44.10 10.44.44.11
Thanks, I had actually used a packet sniffer to view the options getting sent to the phones and configured them in my DHCP server, but I appreciate the tip.
I think I've got it now and here is how I got it to work for posterity:
The trick seems to be using dhcp-forwarder rather than dhcrelay. The dhcrelay program was setting my router's internal address in the giaddr field of the relayed DHCP request, which the Broadview DHCP server didn't see as valid. Once I configured that via dhcp-forwarder to a giaddr of an IP within the subnet the phones operate on, and I bound the giaddr IP I used to the external NIC on my firewall, the relay started to work. That, coupled with proxy ARP, seems to have the phone traffic traversing my firewall without a problem. Now it's on to step 2, getting the phones to work from remote locations over VPN...
I have the same Broadview Officesuite system and would like to know how you got this to work. What ports / rules did you use to get the system to pass through your firewall?
It's been a while, but this is what I remember:
Configure the external interface of your router to respond to ARP traffic for the phones (this should be the subnet the phones use, minus the IP assigned to the router Broadview gave you).
Configure the internal interface of your router to respond to ARP traffic for the phone router's IP address.
Make sure you have the proper routing rules to forward traffic bound for either location out the proper interface.
Configure dhcp-fwd to relay DHCP traffic between the external and internal interfaces; make sure you set the giaddr field to the phones' TFTP server by using the "ip" config option.
Configure your firewall to accept traffic on UDP/TCP ports 9000 and 6927.
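The steps above, and the giaddr point from the earlier post, put together as one script. This is an added example, not the original poster's configuration: every address in it is an assumed placeholder (the thread does not give the phone subnet, the provider router's IP, or which box serves DHCP), the port 69/udp rule is assumed from the thread's mention that the phones load their config over TFTP, and the dhcp-fwd.conf directive syntax is as I recall it from dhcp-fwd.conf(5), so check it against your installed version. With no argument the script only prints the commands it would run; `DRY_RUN=0 sh phone-fw.sh apply` executes them as root.

```shell
#!/bin/sh
# Added example: pass a provider's VoIP phone subnet through a Linux firewall
# to phones sitting on the internal LAN, following the recipe in the thread:
# proxy ARP on both NICs, host routes, a DHCP relay whose giaddr lies inside the
# phone subnet, and FORWARD rules for the phone ports.  All addresses are
# assumed placeholders; nothing here is the original poster's own config.
set -eu

EXT_IF=eth0                   # NIC on the switch the provider router sits on
INT_IF=eth1                   # NIC facing the internal LAN and the phones
PHONE_NET=192.0.2.0/29        # assumed: subnet the provider assigns to phones
PROVIDER_RTR=192.0.2.1        # assumed: provider router = phones' default gateway
RELAY_IP=192.0.2.2            # assumed: spare phone-subnet IP bound to $EXT_IF, used as giaddr
PHONE_IPS="192.0.2.3 192.0.2.4 192.0.2.5 192.0.2.6"   # assumed: the phones
DHCP_SERVER=$PROVIDER_RTR     # assumed: the thread does not say which host serves DHCP
PHONE_PORTS="9000 6927"       # from the thread: accepted on both UDP and TCP
DRY_RUN=${DRY_RUN:-1}         # 1 = print the commands, 0 = run them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Addressing and routing.  Binding $RELAY_IP/29 to the external NIC gives a
#    connected route to the provider router and lets the DHCP server unicast its
#    OFFER back to giaddr.  Each phone is a /32 on-link via the internal NIC,
#    which is more specific than the connected /29 and so wins the lookup.
addressing() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run ip addr add "$RELAY_IP/29" dev "$EXT_IF"
    for p in $PHONE_IPS; do
        run ip route add "$p/32" dev "$INT_IF"
    done
}

# 2. Proxy ARP, per address rather than the proxy_arp sysctl: the sysctl would
#    make the firewall answer ARP for anything it has a route to, while
#    explicit proxy entries answer only for the hosts listed here.
proxy_arp() {
    for p in $PHONE_IPS; do                       # outside: "the phones are here"
        run ip neigh add proxy "$p" dev "$EXT_IF"
    done
    run ip neigh add proxy "$PROVIDER_RTR" dev "$INT_IF"   # inside: "the gateway is here"
}

# 3. DHCP relay.  Phones broadcast DISCOVER on $INT_IF; dhcp-fwd unicasts it to
#    the server with giaddr=$RELAY_IP, an address inside the pool's subnet, so the
#    server selects the phone pool and replies to an address it considers valid
#    (the mismatch the thread hit with dhcrelay's internal-LAN giaddr).
#    Directive syntax as recalled from dhcp-fwd.conf(5); verify on your version.
dhcp_fwd_conf() {
    cat <<EOF
# /etc/dhcp-fwd.conf (example)
# if <iface> <has-clients> <has-servers> <allow-bcast>
if      $INT_IF   true    false   true
if      $EXT_IF   false   true    true
# giaddr stamped on requests received from the client-side interface
ip      $INT_IF   $RELAY_IP
# unicast the relayed requests to this server
server  ip        $DHCP_SERVER
EOF
}

# 4. Firewall.  The relay itself must receive DHCP on both sides (the server
#    answers to giaddr on udp/67); forwarded traffic is limited to the phone
#    hosts and the thread's ports, plus TFTP for the config download.
firewall() {
    run modprobe nf_conntrack_tftp   # assumed: lets the TFTP data stream match RELATED
    run iptables -A INPUT -i "$INT_IF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -d "$RELAY_IP" -p udp --dport 67 -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for proto in udp tcp; do
        for port in $PHONE_PORTS; do
            run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$PHONE_NET" -p "$proto" --dport "$port" -j ACCEPT
            run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$PHONE_NET" -p "$proto" --dport "$port" -j ACCEPT
        done
    done
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$PHONE_NET" -p udp --dport 69 -j ACCEPT
}

configure_all() {
    addressing
    proxy_arp
    firewall
    echo "# write the following to /etc/dhcp-fwd.conf and start dhcp-fwd:"
    dhcp_fwd_conf
}

case "${1:-show}" in
    apply) DRY_RUN=0; configure_all ;;
    *)     configure_all ;;
esac
```

Two caveats a practitioner will want: the FORWARD rules assume a default DROP policy (otherwise they restrict nothing), and because the per-host proxy entries answer only for the listed phones, a new phone needs both a proxy ARP entry and a /32 route before it will work.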