Thursday, September 06, 2018

Setting up Mitel VOIP phones using PFSense and Active Directory


At my office we were using a Mitel Phone controller that used streamline adapters for connecting our phones to the VOIP system.  At the best of time the system required a weekly reboot otherwise phones would randomly drop off the system and need to be rebooted.


Mitel Streamline Dongle

So we had a bit of a panic, on a Friday before the long weekend near closing time; Mitel Streamline system decided to die.  


About the Organization:


So we have 2 locations about 500 meters apart lets call one SAP and the other LMC; they are connected by a high speed fiber link.  So what was done is we were asked to pass two different VLANs though the network VLAN 11 for LMC and 210 for SAP.  Our LMC network was already getting the VOIP system though the DHCP on our Active Directory Controller.


Here is some of the info for the single DHCP Server:  192.168.1.0/24 on VLAN 100 and we are using option 43 to pass VLAN 11 to the phones.


To add or modify the Mitel string you need to go to DHCP Server -> Server Name -> IPV4 -> Scope -> Scope Options


Find 043 put a good name and description then add the following String:


id:ipphone.mitel.com;sw_tftp="$YOURSRVIP";call_srv="$YOURSRVIP";vlan=11;dscp=46  


example:

id:ipphone.mitel.com;sw_tftp=10.12.0.10;call_srv=10.12.0.10;vlan=11;dscp=46  


Active Directory Mitel Scope Option
With our two locations we know LMC is setup on a 192.168.1.0/24 network and we have Mitel phones working and being passed though on option 43 on our DHCP Server.

We need to add the phones at SAP to the network and to do that we need to setup another virtual network with a DHCP server so it can pass the Mitel info but still connect to the active directory controller.


Since we use PFSense and Cisco switches adding another virtual network was pretty easy and we are going to use PFSense.  So we added 2 new VLAN to the switches VLAN 210 and 200 and we also added it to the PFSense firewall.


So we are going to setup the following on the SAP network:


Vlan 200 - 192.168.200.0/24 - 210 in the Mitel DHCP Options




Adding vlan 200 to the PFSense Firewall to allow users to connect to the domain and keep using their Mitel phones.  Please note this is a redundant firewall so everything goes though CARP.


Go to Interfaces -> Assignments.  Press the add button and add the new network VLAN (You might want to make sure you've added the vlan to all relevant switches)

VLANS
be sure to add the new network in your interface assignments for carp.

Then go to Firewall -> Virtual IPs



Press the Add Button.  Below is a sample of the settings that might be used in the new network.

VIRTUAL IP Settings
Enable the network interface and set the IP for the PFSense firewall on the network
SAP Network Interface Settings

Now that we have the Gateway and the Interface setup now we can enable the DHCP Server.   Under Services -> DHCP Server.  Select the network you want to enable the DHCP server on and fill out your settings you want for your DHCP Server



DHCP Range


***IMPORTANT***

Here is where we add the option 43 Type is Text and the value for our Mitel phones is the same as what we have for our AD DHCP Option with the exception of the vlan (Unless you are obviously using a different server)

Press the add button and fill out 43 in the number field, should be a text type and copy/paste or type the value listed below for your mitel phone option.

id:ipphone.mitel.com;sw_tftp=10.12.0.10;call_srv=10.12.0.10;vlan=210;dscp=46  


With that done now we can configure our firewall rules for SAP Network so we can talk to our AD controller on the LMC Network so our users can login and use the network resources with the appearance that nothing has changed.  We have 3 different rule sets that we have to setup, the LMC interface (which were already done)


LMC interface:


We have an open rule for an SMTP mail forwarder on port 587
Access for "CatMan" which is allowed to go through to anywhere
A block for any thing from getting to the SuperSecret_Network
A Pass for anything on the LMC_Network to be allowed anywhere

SAP Interface:

A block for any thing from getting to the SuperSecret_Network
A Pass for anything on the SAP_Network to be allowed anywhere


Floating Rule:


This makes the whole thing work properly.  On our selected network interfaces we want to make sure we allow all traffic to the network our domain controller is on.  This lets us get our DNS for our clients from our domain server while they get a different DHCP address from our PFSense firewall and the proper Mitel information for the phones.

Floating Rule that allows the pass from one network to another

List of the floating rules

Now there is obviously more happening with this firewall then meets the eye but this is essentially what you need in a nutshell.  On our LMC network we have our computer clients on Vlan 100 with a subnet of 192.168.1.0/24. The Mitel Phones work using vlan 11.  Our SAP Network on Vlan 200  clients are on a subnet of 192.168.200.0/24 using vlan 210 for the Mitel phones.  


All clients can access network shares and login to the domain with no issue.  Below is a ping test from a machine on the SAP Network to another machine on the LMC Network and it also works from LMC to SAP.

Verification that the network passes though.

Reference Documents Mitel VOIP Phones:
http://edocs.mitel.com/UG/Apps-Solutions/MiCollab%207.2/MiCollab/MiCW%20Help/forms/dhcp_options.html

http://www.mitelforums.com/articles/option-128-missing.php

How to migrate PFSense Over to KEA DHCP Server from ISC DHCP Server

I am a PFSENSE User and I manage PFSENSE for some other organizations and the time has come to make the switch for the DHCP Server over to K...