Speedfusion and Outbound Policies

http://www.gliffy.com/go/publish/image/9415747/L.png

Above is what in the end I am trying to accomplish. Please let me know if this is even possible and if so how you would go about this. I am really trying to put this into production. There must be a way to accomplish this if not now with current firmware then in the near future. I just can’t seem to figure out the best way to implement Speedfusion like this in the hosted VoIP environment.

I really appreciate all the help and patience but I really don’t want to give up on this one.

Thanks.

Hi tjvoip45,

I think you are right. NAT mode may not be suitable for your environment since this is tested. And yes, you may turn off NAT mode. Anyway, please take note that all VLANs (Untag and VoIP) will be advertised to SpeedFusion peers after NAT mode is disabled. This is not a good design for a multitenancy service environment. As suggested earlier, FusionHub is the recommended solution.

I have made the changes below on both units. Please test again and give feedback.

Balance 380

  1. Disabled SpeedFusion NAT mode

  2. Configured WAN Mapping for SpeedFusion

  • This will increase the bonding performance.

Balance 210

  1. Configured WAN Mapping for SpeedFusion
  • This will increase the bonding performance.
  2. Limit only VoIP VLAN to advertise to SpeedFusion Peers.
  • Only Voice VLAN to be visible by all SpeedFusion peers
  3. Configured Internal Firewall
  • Only Voice VLAN able to communicate with SIP server and vice versa.

TK,

I think you may have found it this time my friend. I have had about 20-25 calls and all good so far. Now for the last part:

  1. If I were to create another Speedfusion Tunnel for another customer, how would I make it so each tunnel can only communicate within itself and not communicate with the other 20 Speedfusion Peers? Or have you already done this via the Internal Firewall Rules at the remote end like you have stated in 3?
  2. If that is the case, then for every Speedfusion Peer I make, I would just basically set up all the same rules you have created in my 210 for every remote device?
  3. My last concern is at the 380 end, the Outbound Firewall Rules. I only can input 1 IP (1 SIP Proxy, Feature Server) but these 20 Speedfusion Peers could have 20 different Feature Servers that the remote site phones communicate with. Would I just literally have to create 20 rules just for UDP 5060 and RTP 10000-30000? Because I want all Feature Servers to have the same priority out the same ports.

Hi tjvoip45,

Glad to hear that!

  1. This has been taken care of with the existing Internal Firewall Rules that I configured on the Balance 210.
I have added another 2 rules in the Internal Firewall for inter-VLAN communication (Data to Voice and vice versa) for your reference. You may enable them in case this is needed.

  2. Yes.

  3. May I know whether Outbound Firewall Rules with a destination IP are mandatory? If this is mandatory, the answer is yes. Else you may create Outbound Firewall Rules as below:
SIP
Protocol = UDP
Source IP & Port = Any, Any
Destination IP & Port = Any, 5060
Action = Allow

RTP
Protocol = UDP
Source IP & Port = Any, Any
Destination IP & Port = Any, 10000-30000
Action = Allow

Default
Action = Deny

  • Currently this rule is set as Allow. This will allow all traffic if the 2 rules above do not match. Is this what you need? If not, just set it as Deny. Of course, you need to add more rules if other traffic is to be allowed after it is set to Deny.

Please take note that you have filtered the Feature Servers' IPs on the remote end (Balance 210) Internal Firewall. Not filtering the Feature Servers' IPs on the Balance 380 should be fine.
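
The rule set in the reply above, modelled as an added example (not part of the thread and not Peplink code) to show what the Default action changes. It assumes top-down, first-match evaluation; the `Rule`, `build_rules`, `evaluate` and `audit` names and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str]           # None = any protocol
    dst_net: str                   # CIDR; ANY stands for "Any"
    dst_ports: Tuple[int, int]     # inclusive range
    action: str                    # "allow" or "deny"

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        lo, hi = self.dst_ports
        return ((self.proto is None or self.proto == proto)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and lo <= dst_port <= hi)

def build_rules(default_action: str, voip_dst: str = ANY):
    # Source IP & Port are "Any, Any" in the thread, so they are not modelled.
    return [
        Rule("SIP", "udp", voip_dst, (5060, 5060), "allow"),
        Rule("RTP", "udp", voip_dst, (10000, 30000), "allow"),
        Rule("Default", None, ANY, (0, 65535), default_action),
    ]

def evaluate(rules, proto, dst_ip, dst_port):
    # Assumption: rules are checked top-down and the first match decides.
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.name, rule.action
    raise ValueError("no catch-all default rule")

# Constructed sample flows; addresses are RFC 5737 documentation ranges.
FLOWS = [
    ("udp", "203.0.113.10", 5060),    # SIP to a feature server
    ("udp", "203.0.113.10", 16384),   # RTP media
    ("udp", "198.51.100.7", 5060),    # SIP to an unrelated host
    ("udp", "203.0.113.10", 30001),   # one port above the RTP range
    ("tcp", "198.51.100.7", 443),     # HTTPS
    ("udp", "198.51.100.7", 53),      # DNS
]

def audit(default_action: str, voip_dst: str = ANY):
    rules = build_rules(default_action, voip_dst)
    return {flow: evaluate(rules, *flow) for flow in FLOWS}

if __name__ == "__main__":
    for default in ("allow", "deny"):
        for flow, (name, action) in audit(default).items():
            print(f"default={default:5} {flow} -> {action} (rule {name})")
```

With Default = Allow the SIP and RTP rules change no verdict; with Default = Deny the DNS and HTTPS flows drop, while SIP to any host still passes unless `voip_dst` pins the destination.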

Thanks for everything TK, you're a lifesaver.

Everything is working great. Few more random questions that have popped up since this is now working.

  1. I can’t access the IP phones' GUI when on PPTP or directly onsite. Would I just need to temporarily run the VoIP traffic out locally again in order to access the phone GUI? This seems to be the case. “Inter-VLAN Routing” is on for both subnets.
  2. Is there any monthly style reporting showing the benefit of the VoIP traffic running through the Speedfusion peer I could download from the Balance to show the customer:
  • This is how much packet loss you had and this is how the peer helped and re-routed the traffic in like a visual measurable scale. Or is there just the real time tools within the Speedfusion tunnel provided and the bandwidth reporting?
  • It would be cool to send the customer some type of report showing how the Speedfusion Peer came into play and “saved the day”.

If not, maybe in the future? Other than that everything is working very smoothly and couldn’t be a more happy customer!

Hi tjvoip45,

I have defined 2 rules in the Internal Firewall on the Balance 210 (currently disabled). Please enable them and test again.

Do you think this real-time tool helps?


You may find it via Status > SpeedFusion >
of SpeedFusion profile.

  1. My coworker actually found that when using a Linux machine you can convert back and forth between different interfaces, e.g. native LAN and VLAN 10, and once you are on the VoIP interface, the phones' GUI can be reached.

  2. The real-time tool is great. I was more saying a report like the bandwidth reports per client, the type of thing that can be generated on a weekly or monthly basis. Anyway, it's not that big of a deal at the moment. Just throwing it out there for possibly the future so that IT firms like us can generate a report for our customers showing them the benefits of using the Speedfusion is all.

Hi tjvoip45,

  1. Is InterVLAN communication working after you enabled the 2 rules that I defined?

  2. Unfortunately, we have yet to have such a report. Anyway, this is a good idea. We definitely will improve reporting for SpeedFusion in future.

TK,

  1. InterVLAN communication is working without those 2 rules you defined. It seems like if the device is tagged onto the subnet that you have tagged for whatever VLAN ID, then it works.

  2. Looking forward to future reporting upgrades with Speedfusion.

Thanks

Thanks for the update!