Disable firewall?

Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

Right.... And you think that what I said before was complicated :roll:

So, essentially what you're saying is that you want to double NAT the VOIP unit and you actually managed to get this setup to work with the one little problem that you had to reverse the network connections on the Bubba. Can I assume that while testing you only tried to place an outbound call and not verified that anyone else can actually call you?
No I tried outbound and inbound calls. No problems. :)
Good place to start would be here: http://www.voip-info.org/wiki/view/NAT+and+VOIP
Check out the "Workaround" section for what you should pass on to the VOIP unit.
I've got the ports, I just need the Bubba's DHCP to run on the WAN port, bridge the two NICs and disable any port blocking.
Note that if you configure your main router to DNAT directly to the IP address that you assigned to the VOIP router, it will try to locate that address on the internet and not in your home. You must therefore DNAT to the Bubba and have the Bubba next DNAT that traffic to the VOIP unit. Definitely have a look at iptables' mangle table to tweak the quality of service when doing this, because you may experience hiccups while talking.

Your next problem will be to enable DHCP on the Bubba WAN interface to feed the VOIP unit its IP address. Since the Bubba uses the DHCP functionality of Dnsmasq which only supports a single segment, that will require you to install a different DHCP server (go for isc-dhcp-server).
Isn't it possible to use the existing DHCP on the WAN port? The LAN port uses static IP.
Seriously? I don't think this is the way to handle the issue properly. It will be far less complicated and more reliable if you'd reverse the network topology. Swap the Computer and the VOIP unit and swap the network cables on the Bubba. Configure the main router to use that public IP range (what's on that anyway?) as its LAN. There's no need to make the entire range 83.247.1.x unreachable, just set a netmask of 255.255.255.248 for a maximum of six valid IP addresses in that range (83.247.10.7 will be the broadcast address).
That could work. But if I use the Bubba the other way around, as I tested it, with the WAN side on my network and the LAN side to the VoIP, is there a way to let me access everything on the Bubba from the WAN side?
(There is nothing special on that IP range, it's just close to a Swedish public IP range used by one of the ISPs. That's the problem with the VoIP unit. It won't work with an internal IP address...)
Serious serious? Forget all the above and put the VOIP router directly on the internet connection. If you want to keep the old router and leave everything as is, plug its WAN port into the new router's LAN port. Verify that both routers don't define the same LAN IP range and if they do, change one of them. Optionally scrap the old router and connect the Bubba WAN port to the new router (but I'm thinking you like that the old router acts as a switch also).
Can't do that because the VoIP router has 100 Mbit and my internet speed is 200 Mbit :(
Last edited by carl on 10 Oct 2011, 09:05, edited 1 time in total.
Reason: Changing quoting structure so future autodequoting works
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Disable firewall?

Post by Gordon »

Can't do that because the VoIP router has 100 Mbit and my internet speed is 200 Mbit :(
Now why didn't you say that before?

Okay then. Let's work back from this:
That could work. But if I use the Bubba the other way around, as I tested it, with the WAN side on my network and the LAN side to the VoIP, is there a way to let me access everything on the Bubba from the WAN side?
The thing is, you won't need to because the only thing accessing the WAN port will be the phone and whatever you let the old router forward from the internet. The advantage in this is that you can safely keep up with updates from Excito and not worry about pulling something in that will require you to go through the whole trouble of configuring again. Second it will save you the additional hop that may interfere with the quality of your voice line; speed variations in raw data or data that can be buffered (read-ahead) will never be as disturbing as trying to speak to someone who sounds like he's talking that weird African language (Khoi - no offense intended). The disadvantage will be that you require an additional switch if you want to connect additional LAN devices.
Isn't it possible to use the existing DHCP on the WAN port? The LAN port uses static IP.
Essentially there's no difference in the two NIC ports on the B2 (and the non-WiFi B3). It's just how some of the services are bound to one of them and the firewall is configured to regard one of them as "hostile" that makes them different.

Essentially this means that you can stick with what you did before and the only thing you'd have to change is set the firewall policy for INPUT to ACCEPT (OUTPUT is already ACCEPT). There are a few things that may still prevent you from accessing the Bubba though:
  • you may have set a forwarding rule in the PREROUTING table that causes *all* traffic coming in on the "WAN" interface to be passed on to the VOIP router
  • the service (e.g. Samba) is bound to the "LAN" interface.
  • some things I can't think of this moment
First thing you'll want to check is whether you can access any of the services that the Bubba allows you to access using its firewall configuration. If you can't, you should *insert* ACCEPT rules in the PREROUTING table for each service that you want the Bubba to handle itself.
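
The rule-order point in the post above, as an added example that is not part of the original post: a small checker that reads `iptables -t nat -S PREROUTING` output and lists the rules stranded behind a catch-all DNAT. It assumes `eth0` is the "WAN" interface, as in the command later in this thread; `192.0.2.10` is a placeholder for the VOIP unit and both rule sets are constructed.

```shell
#!/bin/sh
# Added example. Reads `iptables -t nat -S PREROUTING` output on stdin and
# prints every rule that sits behind a catch-all DNAT on interface $1, i.e.
# rules that traffic arriving on that interface can never reach.
# Negated matches ("! -i eth0") are not handled.
shadowed_rules() {
    awk -v ifc="$1" '
        $1 != "-A" { next }                      # skip the -P policy line
        {
            has_if = 0; on_if = 0; narrowed = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") { has_if = 1; if ($(i+1) == ifc) on_if = 1 }
                if ($i == "-p" || $i == "-s" || $i == "-d") narrowed = 1
                if ($i == "-j") target = $(i+1)
            }
            applies = (!has_if || on_if)
            if (catch_all && applies) { print; next }
            if (applies && target == "DNAT" && !narrowed) catch_all = 1
        }'
}

# Constructed rule sets; 192.0.2.10 is a placeholder for the VOIP unit.
BROKEN='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -j DNAT --to-destination 192.0.2.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT'

FIXED='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth0 -j DNAT --to-destination 192.0.2.10'

echo "appended after the catch-all:"; printf '%s\n' "$BROKEN" | shadowed_rules eth0
echo "inserted before it:";           printf '%s\n' "$FIXED"  | shadowed_rules eth0
```

On a live system the input would come from `iptables -t nat -S PREROUTING | shadowed_rules eth0`; an empty result means no per-service rule is hidden behind the forward-everything rule.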
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

Now why didn't you say that before?
Maybe I should've. It would've explained my strange setup :oops:
The thing is, you won't need to because the only thing accessing the WAN port will be the phone and whatever you let the old router forward from the internet. The advantage in this is that you can safely keep up with updates from Excito and not worry about pulling something in that will require you to go through the whole trouble of configuring again. Second it will save you the additional hop that may interfere with the quality of your voice line; speed variations in raw data or data that can be buffered (read-ahead) will never be as disturbing as trying to speak to someone who sounds like he's talking that weird African language (Khoi - no offense intended). The disadvantage will be that you require an additional switch if you want to connect additional LAN devices.
Understood :)
Essentially this means that you can stick with what you did before and the only thing you'd have to change is set the firewall policy for INPUT to ACCEPT (OUTPUT is already ACCEPT). There are a few things that may still prevent you from accessing the Bubba though:
  • you may have set a forwarding rule in the PREROUTING table that causes *all* traffic coming in on the "WAN" interface to be passed on to the VOIP router
  • the service (e.g. Samba) is bound to the "LAN" interface.
  • some things I can't think of this moment
First thing you'll want to check is whether you can access any of the services that the Bubba allows you to access using its firewall configuration. If you can't, you should *insert* ACCEPT rules in the PREROUTING table for each service that you want the Bubba to handle itself.

I've done some how-to reading about changing the PREROUTING and changing the firewall rules manually but I can't find the setup file for the Bubba firewall.
How do I change Samba to use the WAN port?
The only thing I use my Bubba for is a small web server and file storage. The web server uses the WAN so that's fine, but Samba and access to the Bubba web interface use the LAN port.
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Disable firewall?

Post by Gordon »

The web server uses the WAN so that's fine, but Samba and access to the Bubba web interface use the LAN port.
That is actually not a firewall issue but a deliberate configuration (tweak) in these services. You can verify by running `netstat -an` that the samba protocols (port 139 and 445) are most likely bound to the "LAN" address, whereas the other services will display 0.0.0.0 as their listener address. You can change this in the smb.conf file.

The web interface is something different and I'm actually not really sure what is controlled where. I am able to access the full admin interface (i.e. including system setup) through my vpn connection though, so that proves that it is sufficient to access the web interface using the "LAN" address. There's two ways to accomplish this:
  • configure your workstation with a static route and actually target that "LAN" address instead of the one that your router gives you (the "WAN" address)
  • inserting a PREROUTING rule that forwards all traffic from the WAN interface destined for port 80 towards the address assigned to the "LAN" interface

    # PREROUTING and the DNAT target exist in the nat table, so -t nat is required
    iptables -t nat -I PREROUTING 1 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 83.247.10.1
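
The `netstat -an` check described in the post above, as an added example that is not part of the original post: it parses the listener table and tells, per port, whether a connection addressed to a given local address would find a listener. The netstat output is constructed; `83.247.10.1` is the "LAN" address used in this thread and `192.168.1.50` is an assumed "WAN"-side address.

```shell
#!/bin/sh
# Added example. Print "port address" for every TCP listener found in
# `netstat -an` output read from stdin.
listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]       # the port follows the last colon
        print port, substr($4, 1, length($4) - length(port) - 1)
    }'
}

# Succeeds when a listener on port $2 accepts connections addressed to $1:
# bound to that address, or to a wildcard (0.0.0.0, or :: which also takes
# IPv4 unless IPV6_V6ONLY is set on the socket).
reachable_on() {
    listeners | awk -v addr="$1" -v port="$2" '
        $1 == port && ($2 == addr || $2 == "0.0.0.0" || $2 == "::") { ok = 1 }
        END { exit !ok }'
}

# Constructed netstat output: Samba pinned to the "LAN" address, the rest
# listening on all addresses.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 83.247.10.1:139         0.0.0.0:*               LISTEN
tcp        0      0 83.247.10.1:445         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'

for p in 80 139 445; do
    if printf '%s\n' "$SAMPLE" | reachable_on 192.168.1.50 "$p"; then
        echo "port $p: reachable via 192.168.1.50"
    else
        echo "port $p: no listener for 192.168.1.50"
    fi
done
```

A listener pinned to a single address like this is what Samba's `interfaces` and `bind interfaces only` settings in smb.conf typically produce, so those are the lines to look at before touching the firewall.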
mm tylor
Posts: 1
Joined: 19 Aug 2013, 03:06

Re: Disable firewall?

Post by mm tylor »

First, please can you tell me what the main purpose is of using both the LAN and WAN port on your Bubba? What reason is behind it? Please give me some explanation.
tylor