VoIP Added to Home Network
What a pain!
After some discussion and comparison of plans, and deep consideration for free equipment and service start-up, we decided to switch our telephone service to VoIP. I pay for enhanced broadband service to support the database, web, and mail servers in the basement, and we figured why not take advantage of that?
We decided on an AT&T package. A few factors to this vendor included the call logging, web-based voice mail access, and the promise of numbers local to our long-distance loved ones (so Mom can call a local number and no one incurs long distance charges).
The idea seemed simple enough: plug the box into your broadband device (cable modem, in my case), plug your network router into the box, and all should be swell. This doesn't account for more complex networks, but I figured I should be able to work it out.
The VoIP box is essentially a NAT router, too. Like the Linksys I have, there's one WAN port and one LAN port; the others are 4-port switches on the LAN side. What's supposed to happen is that you plug this between your single router and the Internet, and it sets up a little private network.
Before:
  Internet -- Cable Modem -- Router (192.168.1.x)

After:
  Internet -- Cable Modem -- VoIP (192.168.15.x) -- Router (192.168.1.x)
Your network shouldn't need to be reconfigured because the private addresses probably won't collide, and you'll just add one more router and NAT layer. In many cases, this'll probably help defend some users. The VoIP box does have the ability to forward traffic through, so if the normal home user were providing some service that their router allowed through, they'd just have to configure it twice; I suppose by giving the LAN router a static IP on the VoIP network, and then making that IP the DMZ host.
Making it a little vague so you can't as easily hack me, I'll describe my setup.
I plug my cable modem into an eight-port switch, and into that have one server and three firewall routers. There's nothing special about the routers; they're your typical SOHO NAT routers that you can pick up at any store selling computer stuff. Belkin, D-Link, Linksys, NetGear, SMC, and a slew of other manufacturers make 'em. I have three 'cause I've got three servers from which I wish to serve some things, but not others.
It started out that only the Windows servers were behind the firewalls to help avoid compromise in the event of an exploit being discovered and attempted before I could patch them. The Solaris servers were out in the open 'cause they're fairly bullet-proof. I added a firewall and moved one of the Solaris servers behind the firewalls so I could have enhanced access to it from my LAN. I should probably move the other one, too, but haven't bothered; the only successful hack on any of the servers, especially this one, has been through provided service (SSH, specifically) on accounts with a weak password.
The firewalls all connect to another eight-port switch on the "inside", so they're all on the same LAN. Three gateways to the Internet, no waiting... Rather, dedicated gateways for some servers and workstations, and everything on the LAN has access to everything exposed to the Internet, but without the firewalls in the way. The Windows servers, Solaris servers, and all of the desktops on the LAN are protected by these three firewalls.
This gives me another benefit: I've been able to offload services from overworked servers, or spread the work among different servers, while letting the multiple servers share one IP on the Internet; the firewall determines that SSH goes to one box while HTTP goes to another, although the requests came to the same IP. I get the ability to rearrange at my whim with little or no interruption to the Internet, which lets me "hot swap" gear.
Internet -- Switch --+-- Server
                     +-- Router ------+
                     +-- Router ------+-- Switch -- LAN (192.168.1.x)
                     +-- WiFi Router -+
My SOHO service provides five dynamic IPs right out of the box. If you're counting, I've described only four devices on the "external" hub; three firewalls and one exposed server. This should leave me with one dynamic IP to spare. I think five less four is one. Yup; just double-checked on my hand. This means I should be able to plug the new VoIP router into the Internet switch, and get it to participate in my network.
Internet -- Switch --+-- Server
                     +-- Router ------+
                     +-- Router ------+-- Switch -- LAN (192.168.1.x)
                     +-- WiFi Router -+
                     +-- VoIP Router
Now we've got some background, so let's see how I set out to get the bugger working on my network.
The setup for the VoIP requires some web work to register and pick a phone number; actually you pick an area code, and the rest is assigned. The AT&T service only provides one area code of service in my area, so I couldn't transfer my phone number; thanks for that. We'd already decided if transfer was tricky we'd just change the number, so I accepted that minor drawback. Web registration in place, the next step is to connect to the AT&T site through the VoIP router, so it can configure it auto-magically.
I plugged in the device and changed its internal IP so it'd play nice on my network. I configured a LINUX workstation to use that IP as its default gateway, and then set out to connect through it to the AT&T website to complete the registration. The box wouldn't connect to the Internet; no WAN address was getting assigned.
I tweaked and checked every cable in the bundled mess (you can imagine what a mess a one-into-three-into-one-into-many cluster of wires must look like; especially since I do use more than one port on some of the routers...like connecting the servers directly to their dedicated gateway). Still no joy.
I plugged the VoIP router into my LAN, and it received an address almost immediately. This led me to believe that there is something amiss with my IP service. I've run into the problem before, usually when replacing an existing router. For some reason my ISP believes all five of my IP addresses are already in use. When I worked on this before, with their help, they said that their DHCP server checks to see if I have more active leases than I should; at the time I didn't, and they cleaned up their server's database. I haven't had a fifth device plugged into the service, nor have I switched routers in some time. The last time I switched routers and ran into the problem I simply spoofed the new router with the old router's MAC address, and it received the same IP that the old router had before; that worked especially slick since the new router was configured to forward the same stuff as the old, so to the Internet it looked just as if my device had been off for a short time.
I decided to replace the wireless router, which is the only one that doesn't provide Internet access to other services (any more), and the (now) one wireless PC is off most of the time, so I pulled it. I configured the VoIP WAN interface to spoof the MAC address of the removed router, as before. Instantly, the WAN received an address. I didn't verify, but I suspect it's the same one the removed wireless router had.
Since that router was only there to service the one wireless PC, I plugged it into a LAN port and re-enabled its internal DHCP server to provide WiFi with an extra internal IP range. This isn't ideal, since all of the other machines on the LAN will not be able to see the WiFi systems (and therefore respond to requests from them), but the WiFi systems at least can hit the Internet. I'll have to work on this; probably by providing static routing in the firewall servers to direct traffic to the new network through the WiFi router's WAN address.
Internet -- Cable Modem -- Switch --+-- Server
                                    +-- Router ------+-- Switch -- LAN (192.168.1.x) -- WiFi Router (192.168.2.x)
                                    +-- Router ------+
                                    +-- VoIP Router (192.168.15.x) -- LINUX
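Two things above are worth checking before plugging cables: that stacked NAT layers don't reuse each other's private ranges (the "probably won't collide" assumption), and what static route the LAN side needs to reach the WiFi subnet hanging off its own LAN. This is an added example, not code from the post; the subnets are the ones described above, and the routers' WAN addresses are constructed assumptions.

```python
import ipaddress


def check_nat_stack(layers):
    """Validate a chain of stacked NAT routers, outermost first.

    Each layer is (name, lan_subnet, wan_address); the outermost layer's
    WAN address is the ISP-assigned one and is passed as None.  Returns a
    list of problem strings (empty means the stack should route cleanly).
    """
    problems = []
    outer_lans = []  # LAN subnets of every layer closer to the Internet
    for name, lan, wan in layers:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if not lan_net.is_private:
            problems.append(f"{name}: LAN {lan_net} is not a private range")
        if outer_lans:
            # The WAN port must get an address on the LAN it plugs into,
            # or this router never gets a default route out.
            if ipaddress.ip_address(wan) not in outer_lans[-1]:
                problems.append(f"{name}: WAN {wan} is not on {outer_lans[-1]}")
        # The classic double-NAT failure: an inner LAN that reuses an outer
        # LAN's range can't tell "inside" from "outside" and routing breaks.
        for outer in outer_lans:
            if lan_net.overlaps(outer):
                problems.append(f"{name}: LAN {lan_net} collides with outer LAN {outer}")
        outer_lans.append(lan_net)
    return problems


def static_route_for(inner_lan, inner_wan):
    """Route that hosts (or gateways) on the outer LAN need so packets for
    the inner LAN go to the inner router's WAN address instead of the
    default gateway."""
    net = ipaddress.ip_network(inner_lan, strict=False)
    return f"ip route add {net} via {inner_wan}"


# Constructed topologies from the post; the WAN addresses are assumptions.
VENDOR_STACK = [("VoIP", "192.168.15.0/24", None),
                ("Router", "192.168.1.0/24", "192.168.15.2")]
COLLIDING_STACK = [("VoIP", "192.168.1.0/24", None),
                   ("Router", "192.168.1.0/24", "192.168.1.2")]
WIFI_BEHIND_LAN = [("Router", "192.168.1.0/24", None),
                   ("WiFi Router", "192.168.2.0/24", "192.168.1.50")]

if __name__ == "__main__":
    for label, stack in [("vendor", VENDOR_STACK), ("colliding", COLLIDING_STACK)]:
        print(label, check_nat_stack(stack) or "OK")
    print(static_route_for("192.168.2.0/24", "192.168.1.50"))
```

The static route only gets packets to the WiFi router's WAN port; that router's own NAT/firewall still has to permit the inbound connection, otherwise the LAN hosts' requests are dropped there.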
Also not currently ideal is that the VoIP router is not participating in the rest of the network. Perhaps this is for the better, as I'm unsure what kind of security it has to stop a potential intruder; the NAT/firewall settings available are fairly rudimentary. It means I'd have to leave (or reassign) a machine to its IP range in order to reconfigure or upgrade it. We'll see how often the upgrades need to be done.
It's not essential that the box participate in the full network, but it'd be nice; I had hoped to be able to integrate it into my network, and therein provide access to the box from my desk upstairs. At worst, I'll leave the box connected to the Internet switch (and the phone wiring), and connect nothing to the Ethernet port until I need to; I've got enough spare machines, and the LINUX box is really just running an Ubuntu LiveCD for this purpose, leaving its normal configuration intact, so it's just a matter of switching its plugs.
2 comments
Comment from: Hinermad Visitor
Jeff,
So -you’re- twistedpair.net! When I started reading Diana’s blog I did a little poking around and saw that it’s in Minnesota while she’s (usually) in Alabama. I figured it was one of those “got a good deal online” accounts. That explains why I get the same SQL server error message from your and her blogs when something’s not working.
I didn’t think about hooking the DSL modem to a LAN port on the router. The firewall & router in the modem (a Westell unit) seem reasonably capable, so I don’t think I’d be any more compromised if I just used the modem. At the moment I’m using only 2 of the 4 sockets on the router, so there’s plenty of room. (My son is after me to hook up the Xbox so he can play online, but I’m not anxious to spend the $50 for a year’s access. He said he’d be willing to pay for it though, so I may be running out of excuses once he gets the money saved up.)
As far as I can tell, XP Home allows printer sharing. It’s the printer itself (or rather, its driver) that doesn’t permit sharing. The printer is pretty cheap and stupid. It’s just a big USB cable with a printhead and scanner at the end of it. All rendering is done in the host computer.
Dave
Comment from: jkwarren Member
It is a little busy; a throwback to when I ran my ISP. I’m trying to get the old websites updated and on the new servers. Then I should be back to two or three; one for e-mail (busy, busy), one for web (busy, busy), and either the web server would keep its database server (like it is now), or that’d be finally off-loaded to something dedicated. I’m down to six workstations and three servers, from a peak of 12 total machines in the house.
I’ve run into situations like the one you describe, where the connection device does some NAT, and your own router does more. Pisses a guy off when there’s only one LAN port, right? If you’re confident in the DSL modem’s firewall/NAT, consider connecting the wireless router’s LAN side to the modem’s LAN side. Then everything would be on the x.y.1.z network, and you wouldn’t have to pass Internet requests through two routers. Make sure everything is configured for static IP or that only one of the routers gives out DHCP addresses. The WAN port on the WiFi would go unused, but after setting everything’s default gateway to the other device’s IP you won’t notice.
It’s weird you can’t share your printer. Unless you’re running XP Home; they cut out so much to compel spending the extra $100. One of the reasons I’ve moved so far from Windows.
AT&T offers a consolidated 911 service, with a pledge to get us hooked up to local 911. It sounds like we’d talk to their agent, who would try to coordinate with our local services based on the address of our account. Of course, I haven’t tried it yet. If it becomes a problem (e.g., phone won’t work in a blackout), we’ve got our cellphones, which do make it to whatever’s local for the cell we’re in. And we live only a block from the po-po.