We have two physical MBGs that are only responsible for SIP trunking duties. They are both currently exposed directly to the internet. We would like to virtualize one of them, and to do so we need to move it behind our enterprise firewall (a pair of FortiGate 1000Ds). I set up the incoming/outgoing firewall rules using a VIP and NAT (respectively)*, and changed the network profile to LAN mode. I see that the RTP streaming IPs are now both set to the LAN IP. The SIP trunking status looks OK (green checkmark!), but I can't make any calls through that MBG (I just get a busy signal). I'm snooping traffic from that MBG, and it doesn't appear to be communicating with the service provider. If I replace the MBG with a workstation configured with the same IP, it has internet access.
When I make the switch to LAN mode, I disconnect the WAN NIC on the MBG to make sure traffic goes out the LAN interface. Curiously, this breaks the internet connectivity test. Should I perhaps configure the LAN IP on the NIC known as WAN, and use that instead?
Any clues?
*As per the MBG Engineering Guidelines:
EXT to INT: TCP/UDP 5060, UDP 20000-31000 (using a Virtual IP pointing to the MBG LAN IP)
INT to EXT: TCP/UDP 5060, HTTPS, SSH, UDP 1024-65535
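The two rule sets from the guidelines written out as FortiOS CLI objects, added here as an illustration; this is not configuration from the original post or from Mitel. The public IP, the MBG LAN IP, the interface names and the object names are constructed placeholders; the TCP 5060 VIP is omitted because it duplicates the UDP one with `set protocol tcp`; and the outbound policy allows any LAN source, which a production policy would narrow to the MBG's own address object.

```text
# Constructed addresses: 203.0.113.10 = public VIP, 10.0.0.10 = MBG LAN IP
config firewall vip
    edit "MBG_SIP_UDP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.10"
        set protocol udp
        set extport 5060
        set mappedport 5060
    next
    edit "MBG_RTP_UDP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.10"
        set protocol udp
        set extport 20000-31000
        set mappedport 20000-31000
    next
end
# Custom service for the guideline's outbound UDP 1024-65535 range
config firewall service custom
    edit "MBG_UDP_HIGH"
        set udp-portrange 1024-65535
    next
end
config firewall policy
    # EXT to INT: the port-forward VIPs are the destination, so they bound the ports
    edit 0
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "MBG_SIP_UDP" "MBG_RTP_UDP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # INT to EXT: source NAT behind the wan1 address; SIP/HTTPS/SSH are built-in services
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP" "HTTPS" "SSH" "MBG_UDP_HIGH"
        set nat enable
    next
end
```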