1 dsl modem with 2 routers question

systemx

Hi guys, I got a client who's getting a VOIP system installed into their/my network.
The VOIP IT guys are demanding a separate static public IP address to be forwarded/made available to their router. They will put their phones on a different local subnet.

So here's what I've offered them and they refused :)
1. separate PPPOE login; that way we share the modem and each router handles their own session (cleanest solution but they don't want to pay extra)
2. plug their router into DMZ of my WRV210 (they said they require publicly routed IP going direct to their device (but in this case they would have to assign my private IP as their WAN IP and all internet traffic would go to them unfiltered))

Attached is a network layout.
Any ideas what to do here?

 
Purchase a second IP address and place a 5 port switch between the modem and your WRV210.

Purchase another router and manage that for them.

Since I just replaced my RV082 with a Zyxel USG 100, I suggest using a Zyxel USG 50 or 100. You get 4 DHCP servers in each unit, with the ability to set static routes between subnets. It also supports multi WAN-LAN routing.


So you can set up your router like normal using what I will call (public IP #1) and create a separate network for the VoIP guys and route (public IP #2) directly to their subnet. You can traffic shape, monitor or restrict them any way you want, all with one device. It's listed under "multiNAT mappings" in the owner's manual. The VPN not being robust enough is why I pulled my 10 day old RV082 out of service. Cisco offered to buy it back at full price.


The Zyxel USG 100 does all the routing the WRV210 does and a lot more; it does not have wireless built in. Here's a description page of its capabilities: http://www.zyxel.com/products_services/zywall_usg_2000_1000_300_200_100.shtml
 
Purchase a second IP address and place a 5 port switch between the modem and your WRV210.

Purchase another router and manage that for them.

OP mentioned PPPoE.
Which would mean they would need 2 DSL accounts.
OP already said they didn't want to pay for that.

It's #1 on his list of 2 :p
 
What kind of DSL modem you got there?

The (shudder) Netopia products that AT&T likes to use for their DSL connections can run in a mode where they handle the PPPoE handshake and simply bridge the WAN information to its little built-in four port switch. In that case, you'd plug your WRV210 into one port and pick an IP on the 255.255.255.248 subnet that they should provide you, and they'd plug their router in (or possibly simply plug their PBX in directly) and pick some other IP on that network.

I do small biz IT consulting, as well as VOIP implementations (asterisk based). I can tell you this; they don't want to be behind your router because many routers (NAT, I'm looking at you) will seriously screw with the SIP protocol in use by most VOIP handsets and trunks. When we put in a data+voice solution for a client, we do what Mackintire suggested: we put a switch between the ISP modem and our firewall/router, and then plug the phone system in directly. In the case where the client doesn't want to do this, we won't guarantee certain parts of the VOIP implementation, such as remote off-site handsets.
 
If it's a PPPoE DSL and the ISP offers multiple static IPs, there should be an option to have the router handle the PPPoE session and then assign your public IP addresses to the devices. You might have to switch the modem for the exact model the ISP supports.

sinisterDei, I have to disagree. VoIP can work with NAT just fine.
 
Thanks for the replies guys.
sinisterDei, Bell Canada up here provides a 2wire modem/router combo that would do a similar thing (bridges the WAN info into the 4 port switch). I'd like to avoid this, however, as it is a 'residential' piece of equipment.
I guess they'll just have to pay for the separate PPPOE login then ;)
 
sinisterDei, I have to disagree. VoIP can work with NAT just fine.

Of course it can. It's just another layer of complication, though, and completely understandable that a VOIP provider might wish to avoid being run through NAT on a device outside of their control. Because while NAT and VOIP *can* get along, they certainly don't *always* get along, or even most of the time get along in my experience.

When we deploy solutions, we typically use SonicWALL firewalls. They have a specific option for enabling consistent NAT for VOIP situations, and I have every confidence that a VOIP PBX will work just fine behind a SonicWALL, so if the client buys both from us and wanted it set up that way (say only one static IP) I would have no problem with it. However, the same cannot be said for the random Linksys/Dlink/Cisco/Adtran/Whatever our clients might already own, especially if we're not given access to manage the device. So if a client has an existing router, and insists on putting that router between our PBX and the internet, we simply won't guarantee everything will work as expected.
 
Of course it can. It's just another layer of complication, though, and completely understandable that a VOIP provider might wish to avoid being run through NAT on a device outside of their control. Because while NAT and VOIP *can* get along, they certainly don't *always* get along, or even most of the time get along in my experience.

When we deploy solutions, we typically use SonicWALL firewalls. They have a specific option for enabling consistent NAT for VOIP situations, and I have every confidence that a VOIP PBX will work just fine behind a SonicWALL, so if the client buys both from us and wanted it set up that way (say only one static IP) I would have no problem with it. However, the same cannot be said for the random Linksys/Dlink/Cisco/Adtran/Whatever our clients might already own, especially if we're not given access to manage the device. So if a client has an existing router, and insists on putting that router between our PBX and the internet, we simply won't guarantee everything will work as expected.

Yeah, this is all very true. If you can't assign a dedicated IP to your VOIP box and have to NAT it with your regular traffic, you're either going to be ripping huge holes in your firewall, or you'll have to ensure you have a stateful firewall that is application-aware and has support for tracking SIP, RTSP, etc.

Back to the original poster.. either tell them that they gotta pay to play, or work with them on getting the firewalling right, assuming your firewall will support what it needs to. Their request makes sense, but it comes down to a business decision whether you a) incur additional recurring expenses for service + having a second router to maintain, b) integrate the solution with your current single router/service line, c) upgrade your primary router to properly handle the situation.
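
The NAT and SIP problem discussed in the replies above, as an added example that is not part of any poster's message: SIP carries the sender's own address inside the Via and Contact headers and the SDP body, so a router that only rewrites the IP header leaves private addresses in the payload. The INVITE, addresses and function names below are constructed for illustration.

```python
import ipaddress
import re

# Constructed SIP INVITE from a phone at 192.168.1.50; every value is made up.
SAMPLE_INVITE = (
    "INVITE sip:1001@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2002@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:2002@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Fields the far end uses to send replies (Via, Contact) or media (SDP c=) back.
ROUTING_FIELDS = ("via:", "contact:", "c=")

def private_addresses(message):
    """Return (field, address) pairs where a routing field holds a non-public IP."""
    findings = []
    for line in message.splitlines():
        field = next((f for f in ROUTING_FIELDS if line.lower().startswith(f)), None)
        if field is None:
            continue
        for candidate in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
                continue
            if addr.is_private:
                findings.append((field.rstrip(":="), candidate))
    return findings

def rtp_port(message):
    """Return the audio port announced in SDP; inbound RTP arrives on it."""
    match = re.search(r"^m=audio (\d+) ", message, re.MULTILINE)
    return int(match.group(1)) if match else None

if __name__ == "__main__":
    print(private_addresses(SAMPLE_INVITE), rtp_port(SAMPLE_INVITE))
```

Each finding is a value a SIP-aware firewall has to rewrite to the public address, and the RTP port is the one it has to open dynamically for the call instead of a permanent wide port range.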
 