Shamus,

If you want "auto-magic" addition of the NAT firewall rules, possibly if the SIP phones supported some sort of Universal Plug-n-Play like NAT-PMP then you could enable NAT-PMP in AstLinux, but you would still need to know what the WAN port number was for each phone, so this probably won't work well for a couple of reasons.

Another possibility is to use IPv6, single firewall rule "Pass EXT-LAN" for any TCP 80 to all SIP LAN IPv6's. While easy in practice after DNS is setup and you can enter names with AAAA records to the various internal SIP devices, you would also need to add a static IPv6 route in the upstream LAN subnet to the SIP LAN subnet. Clearly not the easiest if you aren't already using IPv6 everywhere.

Lonnie

On Apr 13, 2015, at 7:16 PM, Shamus Rask <sha...@srask.ca> wrote:

> Thanks for the responses. I tried Lonnie’s suggestion adding the NAT rules
> and it worked. I was hoping for something more elegant.
>
> Just wondering if the following would be possible… On my LAN
> (192.168.10.0/24) I have an existing Ubuntu-based server. This is on the same
> subnet that AstLinux sees as its EXT interface. Could I run STUN on this
> server and have the SIP devices behind AstLinux’s local interfaces talk to
> it? The LAN is also an RFC1918 space, so I may be overly-complicating things…
>
> I guess the one other option would be to write some sort of script, that when
> a device did a DHCP request, a corresponding firewall rule was also created.
>
> … thoughts?
>
>> And another option which is what I use is SSH Tunnelling. Use SSH Keys and
>> in user.conf set SSHDPORT="<not the standard 22>" and SSHDROOT="No" in
>> user.conf.
>> You can tunnel to any device on the network. So simple. No need to establish
>> VPN connections. No problems with overlapping IP ranges and a single
>> firewall rule.
>>
>> Regards
>> Michael Knill
>>
>> On 14 Apr 2015, at 2:58 am, Lonnie Abelbeck <lists@...> wrote:
>>
>> Hi Shamus,
>>
>> One method would be to manually add Firewall Rules for each SIP phone
>> (example):
>> --
>> NAT EXT->LAN TCP Source: 0/0 8010 Destination: 192.168.5.10 80
>> NAT EXT->LAN TCP Source: 0/0 8011 Destination: 192.168.5.11 80
>> ...etc for each phone
>> --
>> (of course use any NAT'ed port numbers you wish)
>>
>> Then use this URL to access the first of the phones (example):
>> http://pbx:8010/
>>
>> Another method would be to enable OpenVPN Server in AstLinux and check in
>> the Firewall tab:
>> --
>> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
>> --
>>
>> Then use an OpenVPN client on your LAN computer to access the SIP phone
>> network.
>>
>> This is a more general solution, but requires a little more initial setup.
>>
>> Lonnie
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
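The script idea raised in the thread (a firewall rule for each device that takes a DHCP lease), as an added example that is not part of the thread and not AstLinux code. It assumes dnsmasq-style lease lines and a fixed scheme of external port = 8000 + last octet, which also answers the "which WAN port belongs to which phone" question; the function names and sample leases are constructed for illustration, and the output is in the display form of the rules quoted above.

```shell
#!/bin/sh
# Added example, not AstLinux code. Assumptions: leases arrive in dnsmasq's
# "expiry mac ip hostname client-id" line format, the SIP LAN is the
# 192.168.5.0/24 of the thread, and the external port is 8000 + last octet
# (192.168.5.10 -> 8010), so the port for any phone is known from its address.

SIP_PREFIX="192.168.5."
PORT_BASE=8000

# Constructed sample leases: two phones, one host on another subnet,
# and one malformed address that must not produce a rule.
sample_leases() {
    cat <<'EOF'
1428970000 00:04:f2:aa:bb:10 192.168.5.10 phone-reception 01:00:04:f2:aa:bb:10
1428970100 00:04:f2:aa:bb:11 192.168.5.11 phone-office *
1428970200 3c:07:54:12:34:56 192.168.10.50 laptop *
1428970300 00:04:f2:aa:bb:12 192.168.5.999 bogus *
EOF
}

# leases_to_rules [SOURCE]: read leases on stdin, print one rule per phone in
# the form used in the thread. SOURCE defaults to 0/0 as in the thread; pass a
# subnet such as 192.168.10.0/24 to limit who may reach the phones' web UI.
leases_to_rules() {
    src=${1:-0/0}
    while read -r _expiry _mac ip _rest; do
        case "$ip" in
            "$SIP_PREFIX"*) host=${ip#"$SIP_PREFIX"} ;;
            *) continue ;;
        esac
        # Last octet: 1-3 digits, no leading zero (would be read as octal).
        case "$host" in
            ''|0*|????*|*[!0-9]*) continue ;;
        esac
        [ "$host" -le 254 ] || continue
        port=$((PORT_BASE + host))
        printf 'NAT EXT->LAN TCP Source: %s %s Destination: %s 80\n' \
            "$src" "$port" "$ip"
    done | sort -u
}

sample_leases | leases_to_rules
```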