Configuring a Mediatrix Unit as a NAT/Firewall Between the LAN and the Internet

This use case describes the configuration of an office where the Mediatrix unit is located directly on the internet and there are other devices in the LAN needing to access the internet.

These configuration notes are specially designed for the Mediatrix G7 and S7 Series as well as for the Sentinel 100 and 400 units, which feature Gigabit Ethernet interfaces and a built-in 4-port Ethernet switch.

This diagram represents a network configuration in which the Mediatrix unit is connected to both the Internet (i.e. WAN) and other devices in the local network (i.e. LAN).





Information to Know Before Starting

Before starting to use these configuration notes, complete the following table to make sure you have the required information to complete the different steps.

IMPORTANT: If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and, if you hover over them, the description will be displayed.
Note: The Mediatrix unit must be reinitialised to its factory default settings to make sure the configuration can be successfully executed.
Information / Value / Used in Step

Information: The IP address to access the management interface of your Mediatrix unit.
By default
  • the LAN interface (eth2 on most Mediatrix units) is set with the IP 192.168.0.10/24
  • the WAN interface is configured for an automatic IPv4 assignment through DHCP.
Value:
Used in Step: Logging on to the Mediatrix Unit Web Interface

Information: Internet connection details:
  • Connection type (Static, DHCP/PPPoE)
  • If Static IP:
    • Static internet IP address
    • Default Router IP address
  • If PPPoE:
    • PPPoE service name
    • PPPoE user name and password
Value:
Used in Step: Configuring the Uplink Network Interface to a static IP address

Information: IP address of each DNS server
Value:
Used in Step: Configuring the Domain Name Server (DNS)

Information: IP address of each SNTP server (optional)
Value:
Used in Step: Configuring the SNTP Server to a Static IP Address


Important - Enabling Access of Other Devices through NAT

When setting the Source Address, the Destination Address, and the New Address, make sure you type them exactly as shown:

  • They are case sensitive (the first letter must be uppercase).
  • For the Source Address and Destination Address fields, the Lan1/ value represents all devices on the network interface subnet.
  • In the New Address field, Lan1 and Uplink represent the IP address of the corresponding interface.


Getting Started

Logging on to the Mediatrix Unit Web Interface

Before you begin
The computer IP address must be in the same TCP/IP network as the Mediatrix unit.
About this task
For better performance, it is recommended to use the latest available version of Microsoft Internet Explorer, Google Chrome, or Mozilla Firefox.
Note: You may not be able to log on to the Mediatrix unit Web interface if you are using older browser versions.
Procedure
  1. In your Web browser, enter the IP address at which the Web interface of your Mediatrix unit can be reached.
    • If your network has an IPv4 DHCP server, connect the primary Ethernet port of the Mediatrix unit (ETH1 port) to the network and use the IP address provided by the DHCP server.
    • You can also connect your computer to the secondary Ethernet port of the Mediatrix unit (ETH2) and use the 192.168.0.10 IP address. However, the computer must also have an IP address in the 192.168.0.0/24 network.
  2. Enter admin as your username and administrator as the password.
    Note: You can also use public as a username and leave the password field empty; this account has full administration rights by default.
  3. Click Login.
Results
The Information page of the Web interface is displayed.


Changing the Login Password

Before you begin
You must have administrator rights.
Context
For security reasons, it is a best practice to change the Default Login Password for the admin and public accounts.
Steps
  1. Go to Management/Access Control.
  2. Change the passwords for the admin and public users.
    Note: The password is case sensitive. As a general rule, passwords should be at least eight characters, with a mix of lowercase letters, uppercase letters, numbers, and symbols.
  3. Click Apply.

Securing SNMP Interface

Steps
  1. Go to Management/SNMP.
  2. In the SNMP Configuration table, set the following parameters:
    1. Set Enable SNMP V1 to Disable.
    2. Set Enable SNMP V2 to Disable.
    3. Set the Privacy Protocol.
    4. In the Privacy Password field, enter a password of your choosing.
  3. Click Apply.

Configuring the Uplink Network Interface to a static IP address

Before you begin
Your Internet Service Provider must provide the following information:
  • The assigned static IP address and its network mask (also known as CIDR)
  • The IP address of the network gateway

If your Internet Service Provider is using another method, such as DHCP or PPPoE, refer to the DGW Configuration Guide - Network Interfaces document published on the Media5 Documentation Portal.

Steps
  1. Go to Network/Interfaces.
  2. In the Network Interface Configuration table, from the Link selection list located next to Uplink, leave the default value, i.e. eth1.
  3. From the Type selection list, select IpStatic (IPv4 Static).
  4. In the Static IP Address field, set the assigned static IP address followed by the subnet CIDR prefix (for example: 203.0.113.0/24, 198.51.100.0/27, 10.1.2.3/8, etc.).
  5. In the Static Default Router field, enter the IP address of the default gateway supplied by your internet service provider.
  6. From the Activation selection list, select Enable.
  7. Click Apply to apply all changes to the configuration.
    Note: Once the changes are applied, the connection with the unit might be lost. You may need to reconnect to the Web page using the new address.
Result
The unit can be reached (via the Web) through the Uplink static IP address.



Configuring the Domain Name Server (DNS)

Before you begin
Although it is possible to use public DNS servers, you should always ask your internet service provider to provide at least the primary and secondary DNS servers.
Steps
  1. Go to Network/Host.
  2. In the DNS Configuration table, from the Configuration Source selection list, select Static.
  3. For each DNS used, enter the IP address of the DNS.
  4. Click Apply.

Configuring the SNTP Server to a Static IP Address

Before you begin
Make sure there is an SNTP server available.
Steps
  1. Go to Network/Host.
  2. In the SNTP Configuration table, from the Configuration Source selection list, select Static.
  3. Provide an IP address or domain name and port numbers for each SNTP server you are using.
    Note: The best practice is to use the servers supplied by your Internet Service Provider, then complement with servers from a different network close to your geographical area. For example: time.nist.gov (USA), ntp4.sptime.se (Sweden), time1.isu.net.sa (Saudi Arabia), ntp.nict.jp (Japan), time.google.com (Worldwide), pool.ntp.org or one of their regional server pools (see https://www.ntppool.org/ for more information).
  4. If necessary, change the value of the Synchronisation Period.
  5. If necessary, change the value of the Synchronisation Period on Error.
  6. Click Apply.
Result
The SNTP host name and port will be displayed in the Host Status table under Network/Status.



Enabling the NAT Service

Steps
  1. Go to System/Services.
  2. In the User Service table, on the same line as Network Address Translation (NAT), set the Startup Type to Auto.
  3. Click .

Adding a NAT Rule to Allow the Devices to Connect Directly to the Mediatrix Unit

Steps
  1. Go to Network/NAT.
  2. In the Source Network Address Translation Rules field, click .
  3. From the Activation selection list, choose Enable.
  4. In the Source Address field, enter Lan1/ (The uppercase "L" and trailing slash are important).
  5. In the Destination Address field, enter Lan1/ (The uppercase "L" and trailing slash are important).
  6. In the New Address field, enter Lan1 (Here without the trailing slash).
  7. Click Save & Apply.
Result
The NAT rule 1 that was created will allow LAN devices to directly connect to the Mediatrix device.



Adding a NAT Rule to Allow the LAN Devices to Connect to the Internet

Steps
  1. Go to Network/Interfaces.
  2. In the Source Network Address Translation Rules field, click .
  3. From the Activation selection list, choose Enable.
  4. In the Source Address field, enter Uplink (The uppercase "U" is important, without any trailing slash).
  5. In the Destination Address field, leave the field empty.
Result
The NAT rule 2 that was created will allow LAN devices to connect to the internet.



Configuring your LAN Devices to Access Internet Through the Mediatrix Unit

Context
Configuring your LAN devices to access internet through the Mediatrix unit can be done two ways:
Steps
  1. By configuring a DHCP server on the Mediatrix unit (see the Technical Bulletin - Configuring the DHCP Server document published on the Media5 Documentation Portal), or
  2. Manually by consulting each device manual to setup the following:
    1. IP address (in the 192.168.0.xxx range by default).
    2. Subnet Mask (255.255.255.0 or /24).
    3. Default Gateway (the IP address of the Mediatrix unit, by default 192.168.0.10).
    4. DNS servers and SNTP servers if needed.


Performing a Configuration Backup to the Unit File Management System

Steps
  1. Go to Management/Backup and Restore.
  2. In the File Name field, indicate the name of your backup.
    Note: The file name is case sensitive. As a best practice, add the .xml extension. Make sure to indicate the firmware version the backup was made from, because a backup file cannot be restored on an older firmware version than the one it was taken from.
    Note: Remember, if you have several units with several configurations and plan to reuse the configuration on another unit, the name must be explicit. Indicate the date of your backup, the interfaces used, the device model, etc.
  3. From the Transfer Protocol selection list, select File.
  4. From the Content selection list, choose the elements you wish to include to the backup.
  5. If you wish to use encryption for backup operations, complete the Privacy Parameters.
    Note: Media5 Corporation strongly recommends using a privacy algorithm (encryption) to protect certificates and passwords.
  6. Click Apply and Backup Now.
Result
The configuration will be saved in the unit file management system. The backup file will appear at the end of the list of the File page, under Management/File.



Optional Port Forwarding

Port Forwarding

The Port Forwarding feature allows a connection from a remote device (for example, computers on the Internet) to a specific computer or device within a private local-area network (LAN) behind the Mediatrix unit.

To allow remote users to access a local IP-enabled PBX or intranet server, it is possible to map a TCP/IP port on the Mediatrix unit WAN interface and forward its packets to the wanted IP/port combination on the LAN.

A typical scenario would be to map port 8080 on the Mediatrix unit WAN interface to a Web server on the LAN side, with the new address 192.168.0.99:80 for example.



Setting Port Forwarding

Steps
  1. Go to Network/NAT.
  2. In the Destination Network Address Translation Rules table, click .
  3. Set the following parameters:
    1. Set Activation to Enable.
    2. Leave Source Address field blank.
    3. Set Destination Address to Uplink.
    4. Set the Protocol to reflect your desired configuration.
    5. Set the Destination Port to the desired port you want to forward to.
    6. Set the New Address to the desired location.
  4. Click Save & Apply.
  5. Repeat the steps 2 to 4 for additional routes.
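
The address values used in the NAT rules (Lan1/, Lan1, Uplink) and the port 8080 scenario described above can be modelled as follows. This is an added example, not Media5 code: the Uplink address 203.0.113.10/24, the rule dictionary layout and the function names are constructed for illustration, and the matching logic is an assumption about how such a rule behaves.

```python
import ipaddress

# Constructed interface table: Lan1 carries the unit's default LAN address;
# the Uplink address is a sample value from a documentation range.
INTERFACES = {
    "Lan1": ipaddress.ip_interface("192.168.0.10/24"),
    "Uplink": ipaddress.ip_interface("203.0.113.10/24"),
}

def resolve(value):
    """Map an address field value to the network it matches (None means any)."""
    if value == "":
        return None                                  # blank field: no restriction
    name = value[:-1] if value.endswith("/") else value
    if name not in INTERFACES:                       # exact match: "lan1" is rejected
        raise ValueError(f"unknown interface name in {value!r} (case sensitive)")
    iface = INTERFACES[name]
    if value.endswith("/"):
        return iface.network                         # "Lan1/": every device on the subnet
    return ipaddress.ip_network(f"{iface.ip}/32")    # "Lan1": the interface address only

def dnat(rule, src_ip, dst_ip, proto, dport):
    """Return the (host, port) a packet is forwarded to, or None if no match."""
    for field, ip in (("source", src_ip), ("destination", dst_ip)):
        net = resolve(rule[field])
        if net is not None and ipaddress.ip_address(ip) not in net:
            return None
    if rule["protocol"] != proto or rule["port"] != dport:
        return None
    host, _, port = rule["new_address"].partition(":")
    return host, (int(port) if port else dport)

def open_to_any_source(rules):
    """List enabled forwards that any remote host can use (blank Source Address)."""
    return [(r["protocol"], r["port"], r["new_address"]) for r in rules
            if r["activation"] == "Enable" and resolve(r["source"]) is None]

# The scenario from the text: WAN port 8080 mapped to a LAN Web server.
WEB_FORWARD = {"activation": "Enable", "source": "", "destination": "Uplink",
               "protocol": "TCP", "port": 8080, "new_address": "192.168.0.99:80"}

if __name__ == "__main__":
    print(resolve("Lan1/"), resolve("Lan1"), resolve("Uplink"))
    print(dnat(WEB_FORWARD, "198.51.100.7", "203.0.113.10", "TCP", 8080))
    print(open_to_any_source([WEB_FORWARD]))
```

Running open_to_any_source over the full rule list gives a quick inventory of the LAN services that are reachable from the Internet once the forwards are applied.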

Optional Local Firewall Configuration

Local Firewall Configuration and Activation

By default, the Local Firewall service is in Automatic mode and configured with a default policy to accept all traffic.

There are different approaches to security, but in this section we will give a simple example that blocks ports 1 to 5000 for everyone except the LAN. Note: Our range stops at 5000 because the higher ports are used for telephony: 5004 (RTP), 5006 (SRTP), 5060 (SIP), 5061 (TLS), 16000-16xxx (Endpoint persistent connections), etc.



Allocating Port Range 1 to 5000 to LAN Only

Steps
  1. Go to Network/Local Firewall.
  2. In the Local Firewall Rules table, click .
    Note: The first rule is to allow traffic for LAN devices.
  3. From the Activation selection list, choose Enable.
  4. In the Source Address field, enter Lan1/ (the uppercase "L" and trailing slash are important).
  5. From the Protocol selection list choose All.
  6. In the Action selection list, choose Accept.
  7. In the Local Firewall Rules table, click .
    Note: The second rule is to block traffic to system ports by TCP.
  8. From the Activation selection list, choose Enable.
  9. From the Protocol selection list choose TCP.
  10. In the Destination Port field, enter 1-5000.
  11. In the Action selection list, choose Drop.
  12. In the Local Firewall Rules table, click .
    Note: The third rule is to block traffic to system ports by UDP.
  13. From the Activation selection list, choose Enable.
  14. From the Protocol selection list choose UDP.
  15. In the Destination Port field, enter 1-5000.
  16. In the Action selection list, choose Drop.
  17. Click Save & Apply.
Result
Destination Ports 1 to 5000 are used only by Lan1/
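
The effect of the three rules, and of their order, can be checked with a small model. This is an added example, not Media5 code: it assumes that rules are evaluated top to bottom with the first match deciding and unmatched traffic falling through to the default Accept policy, and the host addresses and TCP 443 sample port are constructed.

```python
import ipaddress

# Assumption: the Local Firewall checks rules top to bottom, the first match
# decides, and unmatched traffic falls through to the default policy.
LAN = ipaddress.ip_network("192.168.0.0/24")   # Lan1/ with the default LAN addressing
DEFAULT_POLICY = "Accept"                      # default policy stated on this page

# (source network or None for any, protocol, (low, high) port range or None, action)
RULES = [
    (LAN,  "All", None,      "Accept"),  # rule 1: LAN devices
    (None, "TCP", (1, 5000), "Drop"),    # rule 2: TCP ports 1-5000
    (None, "UDP", (1, 5000), "Drop"),    # rule 3: UDP ports 1-5000
]

def evaluate(rules, src, proto, dport, default=DEFAULT_POLICY):
    """Return the action applied to a packet addressed to the unit itself."""
    src = ipaddress.ip_address(src)
    for net, rule_proto, ports, action in rules:
        if net is not None and src not in net:
            continue
        if rule_proto != "All" and rule_proto != proto:
            continue
        if ports is not None and not ports[0] <= dport <= ports[1]:
            continue
        return action
    return default

def lan_locked_out(rules):
    """True if a LAN host can no longer reach TCP 443 (sample port) on the unit."""
    return evaluate(rules, "192.168.0.20", "TCP", 443) == "Drop"

if __name__ == "__main__":
    wan = "198.51.100.7"  # constructed Internet host (documentation range)
    for src, proto, port in [("192.168.0.20", "TCP", 443), (wan, "TCP", 443),
                             (wan, "UDP", 161), (wan, "UDP", 5060), (wan, "TCP", 5061)]:
        print(f"{src:>14} {proto} {port:>5} -> {evaluate(RULES, src, proto, port)}")
    # Moving the LAN rule below the Drop rules cuts the LAN off from the unit.
    print("LAN locked out if reordered:", lan_locked_out(RULES[1:] + RULES[:1]))
```

Under these assumptions, every port above 5000 stays reachable from any source because only the default Accept policy applies to it.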



Documentation

For more details, refer to the following documents published on the Media5 Documentation Portal.



Copyright Notice

Copyright © 2023 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.