Hi, this might be a stupid question, but I will try anyway.

I have a box with 2 nics, 1 internal and 1 external. I have just bought a voip box that either needs to be in front of my existing router (shorewall), or behind it in a dmz, or behind it if my router supports symmetric nat. The second option is what I would prefer. I don't even know what the third option is. However, looking at the documentation it will only explain a solution when I have a separate nic for the dmz.

The voip must have at least 128kb/s in both directions for a satisfying sound quality over the phone, but the traffic shaping/control page doesn't mention if this is possible to achieve with a dmz, or I might not understand it completely.

My local network is in the 192.168.0.0 subnet and the voip box will be on 192.168.1.0 subnet, will this cause any trouble?

So is it possible to have a dmz and a non dmz network sharing the same nic on the shorewall machine?
And is it possible to do the kind of shaping I want on the dmz?

--
Michael Andersson - micke@mickeu.nu
http://www.mickeu.nu/

This is what you said Michael Andersson
> Hi, this might be a stupid question, but I will try anyway.
> I have a box with 2 nics, 1 internal and 1 external. I have just bought
> a voip box that either needs to be in front of my existing
> router (shorewall), or behind it in a dmz, or behind it if my router
> supports symmetric nat. The second option is what I would prefer. I don't
> even know what the third option is. However, looking at the
> documentation it will only explain a solution when I have a separate nic
> for the dmz.
> The voip must have at least 128kb/s in both directions for a satisfying
> sound quality over the phone, but the traffic shaping/control page
> doesn't mention if this is possible to achieve with a dmz, or I might not
> understand it completely.
> My local network is in the 192.168.0.0 subnet and the voip box will be
> on 192.168.1.0 subnet, will this cause any trouble?
>
> So is it possible to have a dmz and a non dmz network sharing the same
> nic on the shorewall machine?
> And is it possible to do the kind of shaping I want on the dmz?

This is probably off topic, but my VoIP "box" is behind the firewall. In my case VoIP is in its own zone (3 interface configuration), but I had it in the "loc" zone originally when I first set things up.

Scott

Michael Andersson wrote:
> I have just bought
> a voip box that either needs to be in front of my existing
> router (shorewall), or behind it in a dmz, or behind it if my router
> supports symmetric nat. The second option is what I would prefer. I don't
> even know what the third option is.

It only applies if you have more than one public IP address.

> However, looking at the
> documentation it will only explain a solution when I have a separate nic
> for the dmz.

When the documentation for consumer-grade products talks about a DMZ, it bears little or no resemblance to a DMZ as described in the Shorewall documentation. But in both cases, a DMZ involves a separate NIC.

> The voip must have at least 128kb/s in both directions for a satisfying
> sound quality over the phone, but the traffic shaping/control page
> doesn't mention if this is possible to achieve with a dmz, or I might not
> understand it completely.

Only your ISP can guarantee a level of service for inbound traffic. Shorewall traffic shaping can ensure that your voip traffic gets 128kbs outbound, with or without a DMZ.

> My local network is in the 192.168.0.0 subnet and the voip box will be
> on 192.168.1.0 subnet, will this cause any trouble?

Depends on how you configure your IP network. Without adding another NIC, you can configure two IP addresses on your internal interface -- the current one in the 192.168.0.0 network and a second one in the 192.168.1.0 network. That second address must be the default gateway configured for the voip device.

> So is it possible to have a dmz and a non dmz network sharing the same
> nic on the shorewall machine?

By definition, no. Can you make it work with a single NIC? Probably -- just make your last entry in the rules file a DNAT rule that forwards all untracked inbound traffic to your voip device.

> And is it possible to do the kind of shaping I want on the dmz?

Yes. Again, DMZ or no DMZ makes no difference.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
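
The single-NIC layout and outbound guarantee described in the reply above, sketched as an added example that is not part of the thread or written by any of its participants. Assumed values: eth0 is the external interface and eth1 the internal one, 192.168.1.254 is the firewall's second address, 192.168.1.2 is the VoIP box, "128kb/s" is read as kilobits, and the uplink figures are placeholders. Both subnets still share one wire, so the VoIP box is addressed separately from the local hosts but not isolated from them.

```conf
# Constructed example. File names are the classic Shorewall ones; newer
# releases replace masq with snat and tcrules with mangle.

# Second address on the internal NIC; the VoIP box uses it as default gateway.
# Make it persistent through the distribution's network configuration.
#   ip addr add 192.168.1.254/24 dev eth1

# /etc/shorewall/shorewall.conf (only the settings that matter here)
TC_ENABLED=Internal
CLEAR_TC=Yes

# /etc/shorewall/interfaces
# eth1 stays in the loc zone; the zone now covers both subnets on that wire.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/masq
# Masquerade both internal subnets behind the single public address.
#INTERFACE   SOURCE
eth0         192.168.0.0/24
eth0         192.168.1.0/24

# /etc/shorewall/tcdevices
# Set OUT-BANDWIDTH slightly below the real uplink so the queue builds on
# the firewall, where the classes below can order it. Placeholder figures.
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
eth0         2000kbit       512kbit

# /etc/shorewall/tcclasses
# Class 1: 128kbit guaranteed, may borrow up to the full uplink, served first.
# Class 2: everything else; exactly one class must carry "default".
#INTERFACE   MARK   RATE      CEIL   PRIORITY   OPTIONS
eth0         1      128kbit   full   1
eth0         2      full/4    full   2          default

# /etc/shorewall/tcrules
# Mark forwarded traffic from the VoIP box so it lands in class 1.
# Marking happens before masquerading, so the internal source address matches.
#MARK   SOURCE        DEST        PROTO
1:F     192.168.1.2   0.0.0.0/0   all
```

`shorewall check` validates the files before `shorewall restart` applies them; the shaping only covers what leaves eth0, in line with the point above that inbound rates are up to the ISP.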