
Two NICs one Internet

Posted: 2024/02/07 16:47:18
by gwatson
Hello all,

I have a pbx with a centos OS with 2 NICs, with phones running off of 1 interface with no internet access and a 2nd interface that is connected to the local lan with access to the internet.

Phones are on PBX NIC 1 on the 10.1.1.x/24 subnet with the pbx at 10.1.1.2. Phones do not have a gateway provisioned in their config.

The PBX NIC 2 is on the LAN, which is 192.168.1.2 with a gateway of 192.168.1.1.

Is it possible to add a route to the PBX on the 10.1.1.x network that will get the phones to use the gateway on the second NIC 192.168.1.2?

If a route can be added, I would expect I would set the gateway in the phones to be 10.1.1.2.

Thanks in advance, GW

Re: Two NICs one Internet

Posted: 2024/02/08 07:48:12
by jlehtone
You have phone "A" with address 10.1.1.8 that wants to connect to forums.centos.org (that has address C).
The connecting program creates a packet with FROM=10.1.1.8,TO=C

In current config C is not in 10.1.1.0/24 and A does not have additional routes. "no route to host"

If A is given 10.1.1.2 as gateway, as default route, i.e. "if you don't know better route, then send to 10.1.1.2", then A will send packet to 10.1.1.2.

What will pbx do with that packet? The C is not in 10.1.1.0/24 nor in 192.168.1.0/y, but pbx has a default route;
The packet should be routed to 192.168.1.1.
The pbx will do this, if:
1. Routing, aka forwarding is enabled, and
2. Firewall in pbx allows forward of new packets from 10.1.1.0/24 to 192.168.1.0/y

Let's say that happens. Then 192.168.1.1 has the "FROM=10.1.1.8,TO=C" packet.
Let's further assume that packet goes forward and a reply arrives back. Now 192.168.1.1 has a packet "FROM=C,TO=10.1.1.8".
How does 192.168.1.1 know where the 10.1.1.8 is? If it is typical edge router, then it knows only the 192.168.1.0/y and the "outside".

One option is to give that router an additional route: to 10.1.1.0/24 via 192.168.1.2

The second option is to add an SNAT rule to pbx. Rather than sending "FROM=10.1.1.8,TO=C" to 192.168.1.1 it can send "FROM=192.168.1.2,TO=C".
Then the reply will have "FROM=C,TO=192.168.1.2", which the 192.168.1.1 knows to forward to pbx.
Due to the SNAT, the pbx will then send "FROM=C,TO=10.1.1.8" to 10.1.1.8.
There is an option for "masquerade" in FirewallD that is essentially the SNAT.


Summary:
* set the gateway in the phones to be 10.1.1.2
* enable IP forwarding in pbx
* allow forwarding in firewall in pbx
* masquerade 10.1.1.0/24 to 192.168.1.0/y traffic in pbx

The things to do in pbx may be explained in https://access.redhat.com/documentation ... _firewalls

Re: Two NICs one Internet

Posted: 2024/02/08 11:36:14
by gwatson
Thank you for the reply jlehtone! It looks like you have the scenario correct.

Your option #1 is a no go for me, as in these instances I typically don't have access to the routers, so adding routing to them is not an option.

Option 2 sounds promising, as it looks like I don't need to touch the router.

I will look through the docs at your link and see if I can figure out the SNAT and Masquerade. The system uses iptables for the firewall, as that's what's bundled in the system with Fail2ban.

Thanks again
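Added example, not code from the thread or from either poster: a script for the CentOS PBX that carries out the four steps of jlehtone's summary with iptables (the firewall gwatson says the box runs; FirewallD's "masquerade" option is the equivalent of the MASQUERADE rule here). The addresses are the ones given in the thread. The interface names PHONE_IF and LAN_IF and the DRY_RUN switch are assumptions for this example, so adjust them to the real NIC names before applying.

```shell
#!/bin/sh
# Added example, not code from the thread: make the CentOS PBX the NAT gateway
# for the phone subnet, following jlehtone's summary. Addresses come from the
# thread; PHONE_IF, LAN_IF and DRY_RUN are assumptions for this example.
set -eu

PHONE_NET="10.1.1.0/24"          # NIC 1 subnet; the PBX is 10.1.1.2 and becomes the phones' gateway
PHONE_IF="${PHONE_IF:-eth0}"     # assumed name of NIC 1 (phones)
LAN_IF="${LAN_IF:-eth1}"         # assumed name of NIC 2 (192.168.1.2, default route via 192.168.1.1)
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = execute them (needs root)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Summary step 2: enable IP forwarding on the PBX.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    # Persist across reboots (written only when actually applying).
    [ "$DRY_RUN" = "1" ] || printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-pbx-forward.conf
}

# Summary step 3: allow forwarding, but only in the direction the phones need.
# Phones may open connections towards the LAN side; the LAN side may only send
# replies back. Nothing on the LAN can open a connection to a phone through the PBX.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$PHONE_IF" -o "$LAN_IF" -s "$PHONE_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$PHONE_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Summary step 4: masquerade, i.e. SNAT to the address of the LAN-facing NIC.
# The PBX rewrites FROM=10.1.1.8 to FROM=192.168.1.2 on the way out and, using
# its connection-tracking table, rewrites the reply back to TO=10.1.1.8.
masquerade_rules() {
    run iptables -t nat -A POSTROUTING -s "$PHONE_NET" -o "$LAN_IF" -j MASQUERADE
}

# Persist the rules on CentOS 7 (iptables-services reads this file at boot).
save_rules() {
    [ "$DRY_RUN" = "1" ] || iptables-save > /etc/sysconfig/iptables
}

# State check for a box where the rules have been applied: forwarding is on
# and the masquerade rule for the phone subnet is present.
verify() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] &&
    iptables -t nat -S POSTROUTING | grep -q -- "-s $PHONE_NET .*-j MASQUERADE"
}

enable_forwarding
forward_rules
masquerade_rules
save_rules
[ "$DRY_RUN" = "1" ] || verify
```

Run it as-is to review the commands, then as root with `DRY_RUN=0 LAN_IF=<real NIC 2> PHONE_IF=<real NIC 1>` to apply them. Only the FORWARD and nat chains are touched, so the INPUT rules Fail2ban manages are left alone. Step 1 of the summary (setting 10.1.1.2 as the phones' gateway) is done in the phone provisioning, not on the PBX.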