The dual Ethernet interface configuration allows the WebRTC gateway to be connected to two different networks (e.g. a customer LAN and a customer DMZ network for security purposes).
Overview
The WebRTC gateway includes two Ethernet interfaces:
- An Ethernet interface (Eth0) used to connect the WebRTC gateway to the customer LAN.
  Direct RTP can be allowed for Rainbow clients on customer LAN.
- An Ethernet interface (Eth1) used when the WebRTC gateway is deployed in a DMZ network connected to WAN and Rainbow Cloud. This configuration requires a firewall on both sides of the DMZ (LAN and WAN).
  A proxy can be added in the DMZ network and allowed to control signaling/media flows between WebRTC gateway and Rainbow Cloud.
Configuration
The two Ethernet interfaces are configured on the WebRTC gateway using the mpnetwork command.
From a console connected to the WebRTC gateway, you must first log on with your Rainbow account.
The Eth0 Ethernet interface configuration requires the following mandatory options:
- --IP=<IP address of Eth0 Ethernet interface>
- --NETMASK=<IP address of network mask>
- --GATEWAY=<IP address of default gateway>
- --DNS=<IP address of DNS server on WAN>
When the WebRTC Gateway is deployed in a DMZ, the Eth1 Ethernet interface configuration requires the following mandatory options:
- --IP2=<IP address of Eth1 Ethernet interface>
- --NETMASK2=<IP address of network mask>
- --GATEWAY2=<IP address of default gateway>
- --LOCALDNS=<IP address of DNS server(s) on customer LAN>
- --LOCALDOMAIN=<domain name of customer LAN>
- --ROUTES="eth[0|,<equipment IP address, netmask, gateway IP address>"
If a proxy is located in the DMZ, the following options must be configured:
- --PROXYHOST=<IP address of the proxy>
- --PROXYPORT=<port of the proxy>
- --MPROXY=on|tcp|tls|off : this option is used to enable/disable proxy use
To enable/disable direct RTP on LAN, the following option must be configured:
- --RTPONLAN=yes|no
Example of Ethernet interface configuration with proxy:
mpnetwork --IP=192.168.1.10 --NETMASK=255.255.255.0 --GATEWAY=192.168.1.254 --DNS=192.168.1.100
--IP2=10.10.0.10 --NETMASK2=255.255.255.0 --GATEWAY2=10.10.0.254 --LOCALDNS=192.168.1.100
--LOCALDOMAIN=labale.bzh
--ROUTES="eth0,192.168.2.0,255.255.255.0,192.168.1.254;eth0,172.16.2.0,255.255.255.0,192.168.1.254;eth0,172.16.3.0,255.255.255.0,192.168.1.254"
--PROXYHOST=10.10.0.100 --PROXYPORT=3128 --MPROXY=on/tcp/tls
- The options for the Eth1 Ethernet interface cannot be left empty.
- Several DNS servers can be configured for LAN and WAN.
- ROUTES must be configured to manage all traffic between WebRTC gateway and telephone equipment (PBX, IP deskphones, IP Media Gateways, ...). This requires declaring the following in ROUTES:
  - All telephone equipment
  - The VPN accesses if configured for home working
  - The Rainbow clients when direct RTP on LAN is enabled
- For DMZ configuration:
  - The firewall on WAN side must enable all traffic between WebRTC gateway and Rainbow Cloud.
  - The firewall on LAN side must enable all traffic between WebRTC gateway and telephone equipment (PBX, IP deskphones, ...).
  For details, see sections 4.6.1 "WebRTC gateway to Rainbow Cloud" and 4.6.2 "WebRTC Gateway flows to PBX and local devices/clients" in the document "Rainbow Network Requirements" (access path: Check Rainbow Network Requirements).
- Do not manually change IP routes or iptables
- Do not change default gateway
- Do not change DNS
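A pre-deployment check of a ROUTES value, as an added example that is not part of the original documentation or of the mpnetwork tool: it parses the `interface,network,netmask,gateway` entries, confirms each gateway sits in the named interface's subnet, and reports equipment addresses that no entry covers. The equipment inventory is constructed, and treating directly connected subnets as needing no ROUTES entry is an assumption.

```python
import ipaddress

def parse_routes(routes):
    """Split a --ROUTES value into (interface, network, gateway) tuples."""
    parsed = []
    for entry in filter(None, (e.strip() for e in routes.split(";"))):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) != 4:
            raise ValueError(f"route {entry!r}: expected interface,network,netmask,gateway")
        iface, net, mask, gw = fields
        # ip_network() is strict: it rejects a network address with host bits set.
        parsed.append((iface, ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw)))
    return parsed

def check_routes(routes, interfaces, equipment):
    """Return a list of problems; an empty list means every check passed."""
    local = {name: ipaddress.ip_interface(addr).network for name, addr in interfaces.items()}
    parsed = parse_routes(routes)
    problems = []
    for iface, network, gw in parsed:
        if iface not in local:
            problems.append(f"{network}: unknown interface {iface}")
        elif gw not in local[iface]:
            problems.append(f"{network}: gateway {gw} is not in the {iface} subnet {local[iface]}")
    for ip in map(ipaddress.ip_address, equipment):
        # Assumption: equipment in a directly connected subnet needs no ROUTES entry.
        covered = any(ip in n for n in local.values()) or any(ip in n for _, n, _ in parsed)
        if not covered:
            problems.append(f"{ip}: not covered by any ROUTES entry")
    return problems

# Interface and ROUTES values taken from the example command on this page.
INTERFACES = {"eth0": "192.168.1.10/255.255.255.0", "eth1": "10.10.0.10/255.255.255.0"}
ROUTES = ("eth0,192.168.2.0,255.255.255.0,192.168.1.254;"
          "eth0,172.16.2.0,255.255.255.0,192.168.1.254;"
          "eth0,172.16.3.0,255.255.255.0,192.168.1.254")
# Constructed inventory: a PBX, a deskphone, and one host in an undeclared subnet.
EQUIPMENT = ["192.168.2.20", "172.16.3.7", "172.16.9.5"]

if __name__ == "__main__":
    for problem in check_routes(ROUTES, INTERFACES, EQUIPMENT):
        print(problem)
```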
Topologies
Topology without proxy + direct RTP on LAN disabled
Topology without proxy + direct RTP on LAN enabled
Topology with proxy disabled + direct RTP on LAN disabled
Topology with proxy disabled + direct RTP on LAN enabled
Topology with proxy enabled + direct RTP on LAN disabled
Topology with proxy enabled + direct RTP on LAN enabled
The following topology applies to Rainbow clients for computer (desktop or web).
The following topology applies to Rainbow clients for mobile.