UCM Nat Loopback


#1

Hi,

I am trying something a little different with a new network I am building out.
Since the UCM has routing features and this is a very small network, I decided to try the UCM as the primary router in the network.
Everything has already been configured and set up and it has been working pretty well except for one minor thing.
Some info on the design.
ISP router is bridged to allow the external IP to be assigned to the WAN port of the UCM.
UCM is powered via a POE cable on the LAN port.
UCM is handling DHCP but there is a server in the network that handles DNS and the UCM is set as a secondary DNS. So the 4 clients PCs have their primary DNS as 192.168.100.2 (internal server) and secondary DNS as 192.168.100.1 (UCM).

All the internal services are set up and configured properly.
From within the network I can see CCTV and other services no problem.

The only issue is that if I am connected to the local WiFi, I can’t access any internet services using the public IP.

E.g. my CCTV… I can connect to the CCTV feed from anywhere outside the office, using the public IP. But if I connect to the local WiFi, I can no longer connect to the CCTV using the external IP.

This problem is called NAT loopback or NAT Hairpinning. Does anyone know how to resolve that with the UCM gateways/routers?

Thanks,
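To illustrate the NAT loopback problem described above, here is an added example (not from the original post or from the UCM) that models a router's port-forward DNAT with and without a hairpin SNAT rule; the public IP 203.0.113.10, the CCTV host 192.168.100.50 and port 8000 are constructed assumptions.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"       # constructed placeholder for the UCM's WAN address
ROUTER_LAN = "192.168.100.1"     # UCM LAN address from the thread
LAN_PREFIX = "192.168.100."
# Constructed port forward: public:8000 -> CCTV recorder on the LAN
DNAT = {(PUBLIC_IP, 8000): ("192.168.100.50", 8000)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def router_forward(pkt: Packet, hairpin: bool) -> Packet:
    """Apply the port-forward DNAT. With hairpin NAT the router also
    rewrites the source of LAN-originated hits to its own LAN address so
    the CCTV reply is forced back through the router."""
    target = DNAT.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt
    out = replace(pkt, dst=target[0], dport=target[1])
    if hairpin and pkt.src.startswith(LAN_PREFIX):
        out = replace(out, src=ROUTER_LAN)
    return out


def client_connects(client_ip: str, hairpin: bool) -> bool:
    """True if a client at client_ip, dialling PUBLIC_IP:8000, gets a reply
    whose source matches the address it actually connected to."""
    syn = Packet(client_ip, 40000, PUBLIC_IP, 8000)
    fwd = router_forward(syn, hairpin)
    # The CCTV host answers whatever source address it saw.
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    # A reply reaches the router only if it is addressed off-LAN (default
    # route) or to the router itself; a LAN-to-LAN reply is delivered directly.
    via_router = reply.dst == ROUTER_LAN or not reply.dst.startswith(LAN_PREFIX)
    if via_router:
        # Connection tracking reverses both translations on the way back.
        reply = Packet(PUBLIC_IP, 8000, client_ip, 40000)
    # The client's TCP stack only accepts a reply from PUBLIC_IP:8000;
    # a SYN-ACK arriving straight from 192.168.100.50 is dropped as unrelated.
    return (reply.src, reply.sport) == (PUBLIC_IP, 8000)
```

An external client succeeds either way, while a LAN client only succeeds when the hairpin SNAT is present, which is exactly the asymmetry the post describes.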


#2

Use a Firewall Router that is dedicated and not the telephone system.

Sorry standard answer… :slight_smile:


#3

Come nuh man… Where is your adventurous spirit lol
I’ve done that for all the previous systems, this is an opportunity to reduce the client’s cost and improve efficiency in the network infrastructure.

There is one wired phone and 2 dect cordless. The UCM has hardly any work to do lol

Besides it has the routing functions… Might as well try it out to see how it handles a little work load.

Any other suggestions? Lol


#4

Catch packets on LAN, then WAN, and see what is going from the devices behind the AP.


#5

Ok… I’ll run that test in the morning and see what’s happening.


#6

It is not adventure, but preservation; your choice of course.

The issue is not about the load of the devices connected to the UCM, but rather the SIP attacks that are soon to come when the UCM is exposed to the Internet directly. Even if you filter the allowable IPs, the fact of the matter is that the UCM still has to examine each and every packet to make a decision about allowing it or not. This consumes CPU cycles and, should the attacks become frequent enough, it may effectively become a denial of service attack, as it could cause such a consumption of resources that the UCM loses the ability to effectively transport calls.

The UCM router function is basic. It does not support hairpin type functionality to my knowledge. It really only has just the very basic functions.

I have been down this road personally and the amount of time spent discovering the issue and then trying to address it with the UCM was far more in time, effort spent and client satisfaction than doing it once and doing it right with a decent router in front. I have no PBX of any make directly exposed as result.

But, if you like the adventurous side, feel free and good luck. You might be lucky, but watch the CPU utilization and make sure you have the security functions in the UCM enabled and set to send you emails.


#7

I agree with @lpneblett, the UCM is really weak in such cases.
I use the router only when the WAN is ITSP-restricted access and the customer wants DHCP on the LAN phones.

But if you want to try, then check.

You should not “save” on the router, as you will pay more when it goes down, both Internet and PBX.


#8

@lpneblett @Marcin thanks for the info.
Great discussion… I’ll run it for two months to see how it handles and then make the switch over to the proper router.

Thanks guys.