@fuznutz04 said in Site to Site VPN - not passing audio traffic properly:

This one was interesting to get to the bottom of. @JaredBusch With the VPN tunnel enabled, the phone system was trying to send RTP to the phone on the internal IP. There is a setting in FreePBX on the extension level called "RTP Symmetric". Normally, this is set to yes. I changed it to no and the audio started flowing normally. However, I didn't like this solution. So, as a test, (and what I should have done from the beginning) I blocked all outbound traffic FROM my phone system, to any local network. (10.x, 172.16, 192.168, etc) This immediately solved the issue. I did not yet do a packet capture AFTER the fact to confirm, but I am assuming that blocking the PBX's ability to get to an internal private IP, forces the system to renegotiate and send the RTP to the correct public IP.

Definitely an odd issue.

nice you found a solution - I'm curious why it happens in the first place? Are some of the original phone's packet data still containing the original IP? And if so, why?
Are you using encrypted RTP?

@scottalanmiller said in Internet connection sharing:

@fuznutz04 said in Internet connection sharing:

@scottalanmiller said in Internet connection sharing:

I think that the key thing here might be in interpretation of the language.

"We have another business in the building" could mean that they own two companies and those two "companies" are sharing a connection. We might use that terminology for two divisions that do different things but legally can share a connection no problem.

Or it might be some random business that just happens to be in the same building that is trying to not pay for their own Internet, in which case this is a big problem.

Everyone is assuming the second, but I had read it assuming it was the first. But both are just assumptions, to know what the best options are and what is an option really requires understanding that.

Wow, I am terrible at following up with posts in a timely manner....

Yes, it is the first. So you assumed correctly. So I think we are all set with just breaking out the connection via a switch after the modem.

Thanks!

If it was me and it was two companies that I controlled, I'd use an EdgeRouter Lite, it has one WAN in and two LAN out. That way I'd have central control. Make that control owned by the "parent" organization. Then have each place have their own switches after that point. But only one router.

This is also how I would do it. There would only be one company in control of the one router.

Not sure anyone mentioned HostiFi. You can get a free account for a single site.

https://hostifi.net

The esp-group encryption also, but it at least still does MD5 hash.

jbusch@jared# set vpn ipsec esp-group Test proposal 1 encryption 3des aes128 aes128gcm128 aes256 aes256gcm128 [edit] jbusch@jared# set vpn ipsec esp-group Test proposal 1 hash md5 sha1 sha256 sha384 sha512 [edit]

@gjacobse said in Ubiquiti released EdgeOS 1.9.7:

@scottalanmiller said in Ubiquiti released EdgeOS 1.9.7:

Just got my EdgeRouter for home hooked up after years of it disconnected.

Welcome back to the world of Internet.....

And to good Internet equipment, as well!

Edgerouters can now handle custom dynamic dns providers without the need of the script - here is the guide with Cloudflare as the example: https://help.ubnt.com/hc/en-us/articles/204976324

Seems like the ERL is probably right for you most of the time.

@fuznutz04 said in Edge Router lockup:

Yeah, really strange behavior with no evidence to look at.

Time to set logs to go to a remote server.

@fuznutz04 said in WINs/DNS on Edge Router:

@JaredBusch

Excellent. So then the only entries needed would be any device that has a static IP address.

Yes.

EdgeOS is getting better all the time.

Yes.