Author Topic: Moving MBG from Server-gateway mode to LAN mode  (Read 3526 times)

Offline handwritten

  • Jr. Member
  • **
  • Posts: 63
  • Country: ca
  • Karma: +2/-0
Moving MBG from Server-gateway mode to LAN mode
« on: December 05, 2017, 04:09:40 PM »
We have two physical MBGs that are only responsible for SIP trunking duties.  They are both currently exposed directly to the internet.  We would like to virtualize one of them, and to do so we need to move it behind our enterprise firewall (a pair of Fortigate 1000Ds).  I set up the incoming/outgoing firewall rules using a VIP and NAT (respectively)*, and changed the network profile to LAN mode.  I see that the RTP streaming IPs are now both set to the LAN IP.  The SIP trunking status looks OK (green checkmark!), but I can't make any calls through that MBG (I just get a busy signal).  I'm snooping traffic from that MBG, and it doesn't appear to be communicating with the service provider.  If I replace the MBG with a workstation configured with the same IP, it has internet access. 

When I make the switch to LAN mode, I disconnect the WAN NIC on the MBG to make sure traffic goes out the LAN interface.  Curiously, this breaks the internet connectivity test.  Should I perhaps configure the LAN IP on the NIC known as WAN, and use that instead?   

Any clues? 

*As per the MBG Engineering Guidelines:
EXT to INT: TCP/UDP 5060, UDP 20,000-31,000 (using a Virtual IP pointing to the MBG LAN IP)
INT to EXT: TCP/UDP 5060, HTTPS, SSH, UDP 1024 - 65535



Offline dilkie

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 324
  • Karma: +11/-0
Re: Moving MBG from Server-gateway mode to LAN mode
« Reply #1 on: December 06, 2017, 09:32:49 AM »
You should be using DMZ mode, not LAN. LAN is for internal uses of MBG, like call recording setups.

Offline handwritten

Re: Moving MBG from Server-gateway mode to LAN mode
« Reply #2 on: December 06, 2017, 10:55:34 AM »
I just tried DMZ mode, and the MBG doesn't seem to attempt to communicate using its LAN interface.  The SIP trunking status shows "non-INVITE transaction failure" when the WAN interface is disabled. Does it make sense to have LAN IPs on both the LAN and WAN interfaces, and let the firewall perform NAT on the WAN side?

Offline dilkie

Re: Moving MBG from Server-gateway mode to LAN mode
« Reply #3 on: December 06, 2017, 11:30:42 AM »
Both DMZ and LAN mode are single-NIC configurations... not dual. Reconfigure MSL and drop your WAN NIC.

Offline handwritten

Re: Moving MBG from Server-gateway mode to LAN mode
« Reply #4 on: December 06, 2017, 01:48:13 PM »
I reconfigured, and the trick was to not assign an IP to the WAN interface.  That looks like it works.... until you make a call.  The called line rings, but when you pick it up, the call is dropped with a busy signal sent to the caller.  I'm tapping the connectivity between the MBG and the service provider, and the MBG is sending a '500 Server Internal Error' at the time that the call is dropped. 

Offline dilkie

Re: Moving MBG from Server-gateway mode to LAN mode
« Reply #5 on: December 06, 2017, 02:19:17 PM »
So the call is rejected because MBG doesn't like something... the details will be in the tug log.


 
