Post by gwatson » 2024/02/07 16:47:18

Hello all,

I have a pbx with a centos OS with 2 NICs, with phones running off of 1 interface with no internet access and a 2nd interface that is connected to the local lan with access to the internet.

Phones are on PBX NIC 1 on the 10.1.1.x/24 subnet with the pbx at Phones do not have a gateway provisioned in their config

The PBX NIC 2 is on the LAN which is and a gateway of

Is it possible to add a route to the PBX on the 10.1.1.x network that will get the phones to use the gateway on the second NIC?

If a route can be added, I would expect I would set the gateway in the phones to be

Thanks in advance, GW

Post by jlehtone » 2024/02/08 07:48:12

You have phone "A" with address that wants to connect to (that has address C).
The connecting program creates a packet with FROM=,TO=C

In current config C is not in and A does not have additional routes. "no route to host"

If A is given as gateway, as default route, i.e. "if you don't know better route, then send to", then A will send packet to

What will pbx do with that packet? The C is not in nor in, but pbx has a default route;
The packet should be routed to
The pbx will do this, if:
1. Routing, aka forwarding, is enabled, and
2. Firewall in pbx allows forward of new packets from to

Let's say that happens. Then the "FROM=,TO=C" packet.
Let's further assume that packet goes forward and a reply arrives back. Now has a packet "FROM=C,TO="
How does know where the is? If it is typical edge router, then it knows only the and the "outside".

One option is to give that router an additional route: to via

The second option is to add sNAT rule to pbx. Rather than sending "FROM=,TO=C" to it can send "FROM=,TO=C"
Then the reply will have "FROM=C,TO=", which the knows to forward to pbx.
Due to the sNAT system the pbx will then send "FROM=C,TO=" to
There is an option for "masquerade" in FirewallD that is essentially the sNAT.

* set the gateway in the phones to be
* enable IP forwarding in pbx
* allow forwarding in firewall in pbx
* masquerade to traffic in pbx

The things to do in pbx may be explained in ... _firewalls
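A worked version of the four bullet points above, as an added example that is not from the thread or from jlehtone: iptables rules for the PBX (gwatson's system uses iptables), where the interface names, the `run` dry-run helper and the script name are assumptions; the phone subnet 10.1.1.0/24 is the one from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Sets up the PBX as the phones' gateway:
# IPv4 forwarding, a narrow FORWARD policy, and source NAT (masquerade) so the
# LAN router never needs a route back to the phone subnet.
PHONE_NET="10.1.1.0/24"        # phone subnet from the post
PHONE_IF="${PHONE_IF:-eth0}"   # assumed: NIC 1, facing the phones
LAN_IF="${LAN_IF:-eth1}"       # assumed: NIC 2, facing the LAN and its gateway
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_pbx_nat() {
    # 1. enable forwarding (also persist net.ipv4.ip_forward=1 in /etc/sysctl.d/)
    run sysctl -w net.ipv4.ip_forward=1
    # 2. allow only phone -> LAN connections and the replies back; use -I
    #    instead of -A if an existing REJECT/DROP rule sits earlier in FORWARD
    run iptables -A FORWARD -i "$PHONE_IF" -o "$LAN_IF" -s "$PHONE_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$PHONE_IF" -d "$PHONE_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. masquerade: rewrite the source of phone packets leaving NIC 2 to the
    #    PBX's LAN address (firewalld equivalent: firewall-cmd --add-masquerade)
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$PHONE_NET" -j MASQUERADE
}

# Dry-run helpers for reviewing the rule set before touching a live PBX
planned_rules() { (DRY_RUN=1; apply_pbx_nat); }
rule_count()    { planned_rules | grep -c '^iptables'; }

if [ "${APPLY:-0}" = 1 ]; then
    apply_pbx_nat        # as root: APPLY=1 sh pbx-nat.sh
fi
```

Run with `DRY_RUN=1` first to see the exact commands; the rules are not persistent across reboot until saved with the distribution's iptables service.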

Post by gwatson » 2024/02/08 11:36:14

Thank you for the reply jlehtone! It looks like you have the scenario correct.

Your option # 1 is a no go for me as in these instances I typically don't have access to the routers, so adding routing to them is not an option.

Option 2 sounds promising as it looks like I don't need to touch the router.

I will look through the docs at your link and see if I can figure out the SNAT and Masquerade. The system uses iptables for the firewall as that's what's bundled in the system with Fail2ban.

Thanks again

