OK, so we have an older ESI X-class system, an ESI IVX 128x FSIII (link below). We have an LNC card installed in it, which allows for up to 12 VoIP phones over a pure LAN. We have an IPsec tunnel between the main site (with the PBX, using a pfSense router, build 2.3.2 amd64) and the remote site (with the phones, using a Cisco RV220w router). I am trying to get the phones to talk to the PBX, but right now they won't. What I have found is as follows:
IPsec info:
Local router (pfSense) configuration:
Subnet: 192.168.2.0/23
Firewall rules:
scrub on bge0 all fragment reassemble
scrub on re0 all fragment reassemble
scrub on re1 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto carp from (self) to any
pass quick proto carp all no state
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = 8080 label "webConfiguratorlockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on bge0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on bge0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in log on ! bge0 inet from %%main_site_upstreamSubnet%% to any
block drop in log inet from %%main_site%% to any
block drop in log inet from %%main_site_IPtwo%% to any
block drop in log on ! re0 inet from 192.168.2.0/23 to any
block drop in log inet from 192.168.2.20 to any
block drop in log on ! re1 inet from 10.0.0.0/24 to any
block drop in log inet from 10.0.0.1 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out route-to (bge0 %%main_site_upstream%%) inet from %%main_site%% to ! %%main_site_upstreamSubnet%% flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (bge0 %%main_site_upstream%%) inet from %%main_site_IPtwo%% to ! %%main_site_upstreamSubnet%% flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in quick on re0 proto tcp from any to (re0) port = 8080 flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to any flags S/SA keep state allow-opts label "USER_RULE: warehouse to LAN (IPSec VPN tunnel passthru enable)"
pass in quick on enc0 inet from 192.168.5.0/24 to 192.168.2.0/23 flags S/SA keep state label "USER_RULE"
pass in quick on enc0 inet from 192.168.2.0/23 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE"
pass in log quick on enc0 inet proto tcp from 192.168.2.8 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE: email to warehouse (outgoing) pass all"
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to 192.168.2.3 flags S/SA keep state label "USER_RULE: primary dc incoming"
pass in log quick on enc0 inet proto tcp from 192.168.2.3 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE: primary dc outgoing"
pass in log quick on enc0 inet proto tcp from 192.168.2.6 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE: backup dc outgoing"
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to 192.168.2.6 flags S/SA keep state label "USER_RULE: backup dc incoming"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = ldap flags S/SA keep state label "USER_RULE: NAT email LDAP (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = smtp flags S/SA keep state label "USER_RULE: NAT email smtp incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = nntp flags S/SA keep state label "USER_RULE: NAT email nntp incoming (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.8 port = snmp keep state label "USER_RULE: NAT email snmp (udp) incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = netbios-ns flags S/SA keep state label "USER_RULE: NAT email mpls-in incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = kerberos-sec flags S/SA keep state label "USER_RULE: NAT email IPsec incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = sftp flags S/SA keep state label "USER_RULE: NAT email L2TP incoming (look into this) (ipsec t..."
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = https flags S/SA keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both) (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.8 port = https keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both) (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6001 flags S/SA keep state label "USER_RULE: NAT email RPC 6001 (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6002 flags S/SA keep state label "USER_RULE: NAT email RPC 6002 (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6003 flags S/SA keep state label "USER_RULE: NAT email RPC 6003 (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6004 flags S/SA keep state label "USER_RULE: NAT email RPC 6004 (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.8 port = ntp keep state label "USER_RULE: NAT email ntp incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = pop3 flags S/SA keep state label "USER_RULE: NAT email pop3 incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.3 port = domain flags S/SA keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.3 port = domain keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.3 port = ldap flags S/SA keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.3 port = ldap keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
block drop in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from %%main_site_upstreamSubnet%% to 192.168.2.0/23 port = ms-sql-s flags S/SA label "USER_RULE: drop all sql incoming"
block drop in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from %%main_site_upstreamSubnet%% to 192.168.2.0/23 port = ncube-lm flags S/SA label "USER_RULE: drop all sql-net incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.10 port = http flags S/SA keep state label "USER_RULE: NAT camera server http incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.12 port = http flags S/SA keep state label "USER_RULE: NAT webserv http incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = smtp flags S/SA keep state label "USER_RULE: NAT email smtp incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.8 port = ntp keep state label "USER_RULE: NAT email ntp incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = pop3 flags S/SA keep state label "USER_RULE: NAT email pop3 incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = nntp flags S/SA keep state label "USER_RULE: NAT email nntp incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.8 port = snmp keep state label "USER_RULE: NAT email snmp (udp) incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = netbios-ns flags S/SA keep state label "USER_RULE: NAT email mpls-in incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = kerberos-sec flags S/SA keep state label "USER_RULE: NAT email IPsec incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = sftp flags S/SA keep state label "USER_RULE: NAT email L2TP incoming (look into this)"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = https flags S/SA keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both)"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.8 port = https keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both)"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = ldap flags S/SA keep state label "USER_RULE: NAT email LDAP"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6001 flags S/SA keep state label "USER_RULE: NAT email RPC 6001"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6002 flags S/SA keep state label "USER_RULE: NAT email RPC 6002"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6004 flags S/SA keep state label "USER_RULE: NAT email RPC 6004"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6003 flags S/SA keep state label "USER_RULE: NAT email RPC 6003"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.19 port = 1297 flags S/SA keep state label "USER_RULE: NAT visibar gun incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.19 port = 1297 keep state label "USER_RULE: NAT visibar gun incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto icmp from %%remote_site%% to %%main_site%% icmp-type echoreq keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in log quick on re0 inet from any to 192.168.2.201 flags S/SA keep state label "USER_RULE: allow to PBX"
pass in log quick on re0 inet from any to 192.168.5.0/24 flags S/SA keep state allow-opts label "USER_RULE: warehouse to LAN (IPSec VPN tunnel passthru enable)"
block drop in quick on re0 inet proto tcp from 192.168.2.0/23 to any port = smtp label "USER_RULE: disallow smtp for subnet"
block drop in quick on re0 inet proto udp from 192.168.2.0/23 to any port = smtp label "USER_RULE: disallow smtp for subnet"
pass in quick on re0 inet from 192.168.2.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in log quick on re1 inet proto tcp from any to (self) flags S/SA keep state label "USER_RULE"
pass out route-to (bge0 %%main_site_upstream%%) inet proto udp from (self) to %%remote_site%% port = isakmp keep state label "IPsec: warehouse - outbound isakmp"
pass in on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from %%remote_site%% to (self) port = isakmp keep state label "IPsec: warehouse - inbound isakmp"
pass out route-to (bge0 %%main_site_upstream%%) inet proto udp from (self) to %%remote_site%% port = sae-urn keep state label "IPsec: warehouse - outbound nat-t"
pass in on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from %%remote_site%% to (self) port = sae-urn keep state label "IPsec: warehouse - inbound nat-t"
pass out route-to (bge0 %%main_site_upstream%%) inet proto esp from (self) to %%remote_site%% keep state label "IPsec: warehouse - outbound esp proto"
pass in on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto esp from %%remote_site%% to (self) keep state label "IPsec: warehouse - inbound esp proto"
anchor "tftp-proxy/*" all
pass in on re0 proto udp from any to any port = sip keep state
pass in on re0 proto udp from any to any port 64000:64999 keep state
NAT rules:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on bge0 inet from 127.0.0.0/8 to any port = isakmp -> %%main_site%% static-port
nat on bge0 inet from 192.168.2.0/23 to any port = isakmp -> %%main_site%% static-port
nat on bge0 inet from 10.0.0.0/24 to any port = isakmp -> %%main_site%% static-port
nat on bge0 inet from 127.0.0.0/8 to any -> %%main_site%% port 1024:65535
nat on bge0 inet from 192.168.2.0/23 to any -> %%main_site%% port 1024:65535
nat on bge0 inet from 10.0.0.0/24 to any -> %%main_site%% port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on bge0 inet proto tcp from any to any port = smtp -> 192.168.2.8
rdr on bge0 inet proto udp from any to any port = ntp -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = pop3 -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = nntp -> 192.168.2.8
rdr on bge0 inet proto udp from any to any port = snmp -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = netbios-ns -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = kerberos-sec -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = sftp -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = ldap -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = https -> 192.168.2.8
rdr on bge0 inet proto udp from any to any port = https -> 192.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6001 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6002 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6003 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6004 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to any port = 1297 -> 192.168.2.19
rdr on bge0 inet proto udp from any to any port = 1297 -> 192.168.2.19
rdr on bge0 inet proto tcp from any to %%main_site%% port = http -> 192.168.2.12
rdr on bge0 inet proto tcp from any to %%main_site_IPtwo%% port = http -> 192.168.2.10
rdr on enc0 inet proto tcp from any to 192.168.2.3 port = domain -> 192.168.2.3
rdr on enc0 inet proto udp from any to 192.168.2.3 port = domain -> 192.168.2.3
rdr on enc0 inet proto tcp from any to 192.168.2.3 port = ldap -> 192.168.2.3
rdr on enc0 inet proto udp from any to 192.168.2.3 port = ldap -> 192.168.2.3
rdr on re0 inet proto udp from any to ! (re0) port = sip -> 127.0.0.1 port 5060
rdr-anchor "miniupnpd" all
binat on bge0 inet from 192.168.2.10 to any -> %%main_site_IPtwo%%
binat on enc0 inet from 192.168.2.0/23 to 192.168.5.0/24 -> 192.168.2.0/23
Remote site (Cisco) configuration:
Subnet: 192.168.5.0/24
Default allow all outbound. I don't know how to export a nice list like the one above from an RV220w, but not much has been changed on it. I'll remote in shortly and try to grab a few screenshots.
I really don't know where to go from here, but there has to be a way to make this work, right? I can provide more information on request. The link to the PBX administrator manual will be in the comments below, since I apparently don't have the reputation yet to post more than 2 links at once.
Posted 2016-08-09 20:37:41
01:30:4D:ff:ff looks like a broadcast aimed at the ESI PBX. Routers do not forward broadcast packets between different broadcast domains. My guess is that the phones and the PBX both need to be in the same broadcast domain. Not sure about pfSense, but in the Cisco world you would set up an ip helper address. The other option is OVA.
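Added example, not code from the question or the answer: a small Python simulator of pf's rule evaluation run over a constructed excerpt of the question's ruleset, showing that unicast SIP from a warehouse phone to the PBX is already passed on enc0 by the generic 192.168.5.0/24 -> 192.168.2.0/23 rule, while the phone's broadcast is something a routed tunnel never carries at all (the answer's point). The phone address 192.168.5.10, the PBX port 5060 and the excerpted rules are assumptions, and only the `port = name|number` form of pf's port syntax is parsed.

```python
"""Simulate pf over a constructed excerpt of the question's ruleset (subset of pfSense syntax)."""
import ipaddress
import shlex

RULES = """
block drop in log inet all label "Default deny rule IPv4"
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to any flags S/SA keep state label "warehouse to LAN"
pass in quick on enc0 inet from 192.168.5.0/24 to 192.168.2.0/23 flags S/SA keep state label "USER_RULE"
pass in quick on enc0 inet from 192.168.2.0/23 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE"
pass in on re0 proto udp from any to any port = sip keep state
""".strip().splitlines()

def parse(line):
    t = shlex.split(line)  # shlex keeps the quoted label as a single token
    r = {"action": t[0], "quick": "quick" in t, "dir": None, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None}
    keys = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
    for i, tok in enumerate(t):
        if tok in ("in", "out"):
            r["dir"] = tok
        elif tok in keys:
            r[keys[tok]] = t[i + 1]
        elif tok == "port":  # only the "port = name|number" form is handled here
            r["dport"] = 5060 if t[i + 2] == "sip" else int(t[i + 2])
    return r

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return (r["dir"] in (None, p["dir"]) and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and r["dport"] in (None, p["dport"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"]))

def evaluate(p, rules=RULES):
    verdict = "block"  # pf's implicit default when no rule matches
    for r in map(parse, rules):
        if matches(r, p):  # a matching 'quick' rule wins at once; otherwise the last match wins
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def crosses_tunnel(p):  # a routed IPsec tunnel carries unicast only; broadcasts stay on the remote LAN
    bcast = ipaddress.ip_network("192.168.5.0/24").broadcast_address
    return ipaddress.ip_address(p["dst"]) not in (bcast, ipaddress.ip_address("255.255.255.255"))

# Constructed packets: unicast SIP from a warehouse phone to the PBX, and the phone's broadcast.
SIP = {"dir": "in", "iface": "enc0", "proto": "udp",
       "src": "192.168.5.10", "dst": "192.168.2.201", "dport": 5060}
BCAST = dict(SIP, dst="255.255.255.255", dport=None)
```

`evaluate(SIP)` returns "pass" (the firewall is not what stops unicast SIP), while `crosses_tunnel(BCAST)` is False regardless of any rule.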
https://networkengineering.stackexchange.com/questions/33885