I wonder if someone might be able to assist me. We are building a new network at our offices and are using a Peplink Balance 380 at our Head Office and Balance One’s at our smaller branches. Everything works fine except the voip phone system.
The old system was running a L2TP tunnel through a mikrotik router at every branch to allow communication between the phones and the PBX. I have tried to configure this on the Balance devices and failed miserably.
If someone could possibly try to assist me with this as we really need to get all devices including the PBX on the new system as the old device are going to be removed.
The PBX is at our head office, but there is another external company that manages and supports it. We have tried to get them to assist us but they are insistent that they do not need to change anything on their side.
I am no PBX expert so I have no idea what type it is. It is inside our server room against the wall with a telephone line coming into it and then to our voip phones.
The pepVPN is set up and running quite well. Just need to get the phones to work.
OK, I was asking about the system type to see if we can manipulate SIP/RTP to work over the routed VPN, but we’re not going to b able to do anything much if its 3rd party managed.
If you were using L2TP before it suggests a configuration where a VoIP network at the head office was extended over Layer 2 to the remote sites, so that the handsets at the remote locations were for all intents and purposes on the same network as those at head office.
So something like this perhaps:
To prove this you need to gather some info (ie the network ranges and ip addresses of the phones at each location compared to the PC’s laptops servers etc. If the phones all have IP addresses in the same subnet - even those at the remote locations, then we have our answer.
What doesn’t work exactly. Is it one way audio, phones not ringing it all, phones not registering - what are the symptoms?
Then you said:
So you have site to site VPN up and running for the computers and printers I assume. You need to start working out what routing is or isn’t working.
Yes but are the phones at a location on a different subnet to the pcs and printers? And if so, have you set up your balance routers to be the gateway device for both VoIP phones and the PC’s printers.
Once we have gotten phones working, you’ll just need a way to identify traffic to and from them so that you can favour the fiber line.
The moment we connect the PBX system and the phones to the new network then we cannot phone out to the other braches and the other branches cannot phone to head office.
Yes that is correct. The routing for the computers and printers are fine. Just need to figure out how to set the routing up for the phones and PBX.
The phones are on different subnets than the computers and printers. If we change the default gateway of the VOIP phones then they do not work either.
Ok cool. Then let’s see if we can get them working.
If Martins drawing is correct, the computers and printers are working via a L3 VPN (routing). There should be a second PepVPN-Profile with a L2-Setup for the VoiP-Stuff. So the PBX and the remote VoiP Phones are in the same network and there should be no communication problem.
Regards
Theo
OK, so you need a way to migrate from mikrotik to Peplink in a staged way right?
One way to do that would be to use on of the WAN ports on the B380 in IP forwarding mode and connect that to the LAN of the Mikrotik at head office that has the PBX on it. Then advertise that WAN Subnet over OSPF so that devices connected to the remote Balance Ones can the route to the PBX (once you have added static routes for them to the head office mikrotik).
Probably needs a diagram to explain that. Who is your Peplink partner - you should do knock on their door. They should be showing you how to do this stuff!
If the home office PBX is running Asterisk, then the firewall settings within Asterisk itself must allow for the remote office subnet. I’ve run into this before.
If the original VPN was set up so that the remote devices were part of the home office subnet, this would not have been a problem.
Hello - we have almost 2,000 remote customer locations running on hosted multi-tenant asterisk clusters, so this is something in which I have deep experience.
First - if the L2 is set up properly then you should not be having one way audio.
but…this is really not best practice. Far, far better to assign a small unique subnet to each remote office and route that traffic over speedfusion VPN to main office.
Advantages:
ability to prioritize phone traffic (low bandwidth/high sensitivity to congestion) over other PC traffic (high bandwidth/low sensitivity to congestion).
built in diagnostics and displays. You can look at speedfusion status on both sides and see routes, congestion etc, and run speed tests over the vpn
tight control over routing. Control over priority, failover, bonding multiple paths.
Simple setup in Asterisk. Just have all the phone subnets under one larger subnet and allow that through any firewall.
We use 10.106.x.x for small customers and assign a /28 to each, then 10.107 for people needing /27 etc.
Since many of our customers (who’s networks we do NOT control) use same base subnet for their PCs, such as 192.168.0.0/24 we use one to one NAT to assign a unique /24 to each where needed. This allows the same PC subnet to exist at multiple remote locations. That is the 10.123.x.x/24 segments in image below. If you are not familiar with this, you map a subnet to the “real” lan subnet. so if real network is 192.168.0.0/24 and has IPs 192.168.0.10, 192.168.0.15 on it, and you map 10.123.17.0/24 to it then those devices will be 10.123.17.10 and 10.123.17.15 over the VPN. Meaning that you can have 192.168.0.10 at MANY locations and they are all accessible over the VPN.
Here is a small segment of speedfusion status screen on one of the three hub routers at one of our data centers:
