ESI PBX LAN-only VoIP phones over an IPSec tunnel - remote router sees packets but not the phone, does not forward

networking ipsec voip sense phone
2022-02-11 03:43:24

Okay, so we have an older X-Class ESI PBX system, an ESI IVX 128x FSIII [see link below]. We have an LNC card installed in it, which supports up to 12 LAN-only VoIP phones. We have an IPSec tunnel between the main site (with the PBX, using a pfSense router, build 2.3.2-RELEASE amd64) and the remote site (with the phones, using a Cisco RV220w router). I'm trying to get the phones and the PBX talking, but right now they won't. Here's what I've found:

  • When plugged into the same fabric the PBX is connected to, the phones work fine, boot up and get their extension info. The PBX and extension setup can be viewed here, but for now that's probably a red herring.

  • The IPSec tunnel is set to allow all connection attempts between the subnets, and I have explicitly forwarded all ports in the range related to the PBX through the tunnel to the PBX's private IP (2.201). On the remote site end I plug the phone directly into a router port; the router sees packets moving on the interface but doesn't assign the phone an IP or acknowledge that a device is connected (no MAC matching the phone in the client list).

  • I plugged the phone into a PC and ran a pcap with Wireshark. I'm no Wireshark expert, but it looks to me like the phone is sending broadcast/unicast packets using protocol 0x887f to destination address Esi_ff:ff:ff (01:30:4d:ff:ff:ff), which isn't an EtherType Google seems to have heard of. The packets are 82 bits long, sent every few seconds, the same packet each time.

IPSec info:
Local router (pfSense) config:
Subnet: 192.168.2.0/23
Firewall rules:

scrub on bge0 all fragment reassemble
scrub on re0 all fragment reassemble
scrub on re1 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto carp from (self) to any
pass quick proto carp all no state
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = 8080 label "webConfiguratorlockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on bge0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on bge0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in log on ! bge0 inet from %%main_site_upstreamSubnet%% to any
block drop in log inet from %%main_site%% to any
block drop in log inet from %%main_site_IPtwo%% to any
block drop in log on ! re0 inet from 192.168.2.0/23 to any
block drop in log inet from 192.168.2.20 to any
block drop in log on ! re1 inet from 10.0.0.0/24 to any
block drop in log inet from 10.0.0.1 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out route-to (bge0 %%main_site_upstream%%) inet from %%main_site%% to ! %%main_site_upstreamSubnet%% flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (bge0 %%main_site_upstream%%) inet from %%main_site_IPtwo%% to ! %%main_site_upstreamSubnet%% flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in quick on re0 proto tcp from any to (re0) port = 8080 flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to any flags S/SA keep state allow-opts label "USER_RULE: warehouse to LAN (IPSec VPN tunnel passthru enable)"
pass in quick on enc0 inet from 192.168.5.0/24 to 192.168.2.0/23 flags S/SA keep state label "USER_RULE"
pass in quick on enc0 inet from 192.168.2.0/23 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE"
pass in log quick on enc0 inet proto tcp from 192.168.2.8 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE: email to warehouse (outgoing) pass all"
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to 192.168.2.3 flags S/SA keep state label "USER_RULE: primary dc incoming"
pass in log quick on enc0 inet proto tcp from 192.168.2.3 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE: primary dc outgoing"
pass in log quick on enc0 inet proto tcp from 192.168.2.6 to 192.168.5.0/24 flags S/SA keep state label "USER_RULE: backup dc outgoing"
pass in log quick on enc0 inet proto tcp from 192.168.5.0/24 to 192.168.2.6 flags S/SA keep state label "USER_RULE: backup dc incoming"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = ldap flags S/SA keep state label "USER_RULE: NAT email LDAP (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = smtp flags S/SA keep state label "USER_RULE: NAT email smtp incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = nntp flags S/SA keep state label "USER_RULE: NAT email nntp incoming (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.8 port = snmp keep state label "USER_RULE: NAT email snmp (udp) incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = netbios-ns flags S/SA keep state label "USER_RULE: NAT email mpls-in incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = kerberos-sec flags S/SA keep state label "USER_RULE: NAT email IPsec incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = sftp flags S/SA keep state label "USER_RULE: NAT email L2TP incoming (look into this) (ipsec t..."
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = https flags S/SA keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both) (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.8 port = https keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both) (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6001 flags S/SA keep state label "USER_RULE: NAT email RPC 6001 (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6002 flags S/SA keep state label "USER_RULE: NAT email RPC 6002 (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6003 flags S/SA keep state label "USER_RULE: NAT email RPC 6003 (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 196.168.2.8 port = 6004 flags S/SA keep state label "USER_RULE: NAT email RPC 6004 (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.8 port = ntp keep state label "USER_RULE: NAT email ntp incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.8 port = pop3 flags S/SA keep state label "USER_RULE: NAT email pop3 incoming (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.3 port = domain flags S/SA keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.3 port = domain keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
pass in quick on enc0 inet proto tcp from any to 192.168.2.3 port = ldap flags S/SA keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
pass in quick on enc0 inet proto udp from any to 192.168.2.3 port = ldap keep state label "USER_RULE: NAT dns server forward (ipsec tunnel)"
block drop in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from %%main_site_upstreamSubnet%% to 192.168.2.0/23 port = ms-sql-s flags S/SA label "USER_RULE: drop all sql incoming"
block drop in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from %%main_site_upstreamSubnet%% to 192.168.2.0/23 port = ncube-lm flags S/SA label "USER_RULE: drop all sql-net incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.10 port = http flags S/SA keep state label "USER_RULE: NAT camera server http incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.12 port = http flags S/SA keep state label "USER_RULE: NAT webserv http incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = smtp flags S/SA keep state label "USER_RULE: NAT email smtp incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.8 port = ntp keep state label "USER_RULE: NAT email ntp incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = pop3 flags S/SA keep state label "USER_RULE: NAT email pop3 incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = nntp flags S/SA keep state label "USER_RULE: NAT email nntp incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.8 port = snmp keep state label "USER_RULE: NAT email snmp (udp) incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = netbios-ns flags S/SA keep state label "USER_RULE: NAT email mpls-in incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = kerberos-sec flags S/SA keep state label "USER_RULE: NAT email IPsec incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = sftp flags S/SA keep state label "USER_RULE: NAT email L2TP incoming (look into this)"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = https flags S/SA keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both)"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.8 port = https keep state label "USER_RULE: NAT email ActiveSync (TDP/UDP both)"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.8 port = ldap flags S/SA keep state label "USER_RULE: NAT email LDAP"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6001 flags S/SA keep state label "USER_RULE: NAT email RPC 6001"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6002 flags S/SA keep state label "USER_RULE: NAT email RPC 6002"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6004 flags S/SA keep state label "USER_RULE: NAT email RPC 6004"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 196.168.2.8 port = 6003 flags S/SA keep state label "USER_RULE: NAT email RPC 6003"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto tcp from any to 192.168.2.19 port = 1297 flags S/SA keep state label "USER_RULE: NAT visibar gun incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from any to 192.168.2.19 port = 1297 keep state label "USER_RULE: NAT visibar gun incoming"
pass in quick on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto icmp from %%remote_site%% to %%main_site%% icmp-type echoreq keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in log quick on re0 inet from any to 192.168.2.201 flags S/SA keep state label "USER_RULE: allow to PBX"
pass in log quick on re0 inet from any to 192.168.5.0/24 flags S/SA keep state allow-opts label "USER_RULE: warehouse to LAN (IPSec VPN tunnel passthru enable)"
block drop in quick on re0 inet proto tcp from 192.168.2.0/23 to any port = smtp label "USER_RULE: disallow smtp for subnet"
block drop in quick on re0 inet proto udp from 192.168.2.0/23 to any port = smtp label "USER_RULE: disallow smtp for subnet"
pass in quick on re0 inet from 192.168.2.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in log quick on re1 inet proto tcp from any to (self) flags S/SA keep state label "USER_RULE"
pass out route-to (bge0 %%main_site_upstream%%) inet proto udp from (self) to %%remote_site%% port = isakmp keep state label "IPsec: warehouse - outbound isakmp"
pass in on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from %%remote_site%% to (self) port = isakmp keep state label "IPsec: warehouse - inbound isakmp"
pass out route-to (bge0 %%main_site_upstream%%) inet proto udp from (self) to %%remote_site%% port = sae-urn keep state label "IPsec: warehouse - outbound nat-t"
pass in on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto udp from %%remote_site%% to (self) port = sae-urn keep state label "IPsec: warehouse - inbound nat-t"
pass out route-to (bge0 %%main_site_upstream%%) inet proto esp from (self) to %%remote_site%% keep state label "IPsec: warehouse - outbound esp proto"
pass in on bge0 reply-to (bge0 %%main_site_upstream%%) inet proto esp from %%remote_site%% to (self) keep state label "IPsec: warehouse - inbound esp proto"
anchor "tftp-proxy/*" all
pass in on re0 proto udp from any to any port = sip keep state
pass in on re0 proto udp from any to any port 64000:64999 keep state

NAT rules:

no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on bge0 inet from 127.0.0.0/8 to any port = isakmp -> %%main_site%% static-port
nat on bge0 inet from 192.168.2.0/23 to any port = isakmp -> %%main_site%% static-port
nat on bge0 inet from 10.0.0.0/24 to any port = isakmp -> %%main_site%% static-port
nat on bge0 inet from 127.0.0.0/8 to any -> %%main_site%% port 1024:65535
nat on bge0 inet from 192.168.2.0/23 to any -> %%main_site%% port 1024:65535
nat on bge0 inet from 10.0.0.0/24 to any -> %%main_site%% port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on bge0 inet proto tcp from any to any port = smtp -> 192.168.2.8
rdr on bge0 inet proto udp from any to any port = ntp -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = pop3 -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = nntp -> 192.168.2.8
rdr on bge0 inet proto udp from any to any port = snmp -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = netbios-ns -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = kerberos-sec -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = sftp -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = ldap -> 192.168.2.8
rdr on bge0 inet proto tcp from any to any port = https -> 192.168.2.8
rdr on bge0 inet proto udp from any to any port = https -> 192.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6001 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6002 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6003 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to %%main_site%% port = 6004 -> 196.168.2.8
rdr on bge0 inet proto tcp from any to any port = 1297 -> 192.168.2.19
rdr on bge0 inet proto udp from any to any port = 1297 -> 192.168.2.19
rdr on bge0 inet proto tcp from any to %%main_site%% port = http -> 192.168.2.12
rdr on bge0 inet proto tcp from any to %%main_site_IPtwo%% port = http -> 192.168.2.10
rdr on enc0 inet proto tcp from any to 192.168.2.3 port = domain -> 192.168.2.3
rdr on enc0 inet proto udp from any to 192.168.2.3 port = domain -> 192.168.2.3
rdr on enc0 inet proto tcp from any to 192.168.2.3 port = ldap -> 192.168.2.3
rdr on enc0 inet proto udp from any to 192.168.2.3 port = ldap -> 192.168.2.3
rdr on re0 inet proto udp from any to ! (re0) port = sip -> 127.0.0.1 port 5060
rdr-anchor "miniupnpd" all
binat on bge0 inet from 192.168.2.10 to any -> %%main_site_IPtwo%%
binat on enc0 inet from 192.168.2.0/23 to 192.168.5.0/24 -> 192.168.2.0/23

Remote site (Cisco) config:
Subnet: 192.168.5.0/24
Default allow all outbound. I don't know how to export a nice list like the one above from the RV220w, but there isn't much going on there. I'll remote in soon and try to grab some screenshots.

I really don't know where to go from here, but there has to be a way to get this working, right? I can provide more info on request. The link to the PBX admin manual will be in the comments below, since apparently I don't yet have the reputation to post more than 2 links at a time.

1 Answer

01:30:4d:ff:ff:ff looks like a broadcast aimed at the ESI PBX. Routers don't forward broadcast packets between different broadcast domains. My guess is that the phones and the PBX system both need to be in the same broadcast domain. Not sure about pfSense, but in the Cisco world you'd set up an ip helper address. Another option is OVA.
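An added diagnostic, not part of the question or the answer: a small Python check that decodes the Ethernet header of a captured frame and reports why a frame like the one in the capture (group-addressed destination MAC, EtherType 0x887f, no IP layer) can never be carried by a routed IPsec site-to-site tunnel, while an IPv4 frame can. The sample frames, including the source MAC, are constructed for illustration.

```python
import struct

# EtherTypes that carry IP and can therefore be routed through an IPsec tunnel;
# anything else is a pure Layer-2 frame that stays inside its broadcast domain.
ROUTABLE_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}
ESI_ETHERTYPE = 0x887F  # the EtherType reported in the question's capture


def parse_ethernet(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet II header of a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda mac: ":".join(f"{b:02x}" for b in mac)
    return {
        "dst": fmt(dst),
        "src": fmt(src),
        "ethertype": ethertype,
        # I/G bit: lowest bit of the first octet set means a group (multicast/broadcast) address
        "dst_is_group": bool(dst[0] & 0x01),
        "length": len(frame),
    }


def classify(frame: bytes) -> str:
    """State whether a frame could cross a routed IPsec site-to-site tunnel."""
    hdr = parse_ethernet(frame)
    if hdr["ethertype"] in ROUTABLE_ETHERTYPES:
        return f"{ROUTABLE_ETHERTYPES[hdr['ethertype']]}: routable, the tunnel can carry it"
    kind = "group-addressed" if hdr["dst_is_group"] else "unicast"
    return (f"non-IP EtherType 0x{hdr['ethertype']:04x} ({kind} L2 frame): "
            "confined to the local broadcast domain; a routed IPsec tunnel will not carry it")


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a raw Ethernet II frame from MAC strings, EtherType and payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not from the question's capture): an ESI-style frame
# padded to 82 bytes, and an ordinary IPv4 frame for contrast. The source MAC is made up.
ESI_FRAME = build_frame("01:30:4d:ff:ff:ff", "00:00:00:aa:bb:cc", ESI_ETHERTYPE, b"\x00" * 68)
IPV4_FRAME = build_frame("00:00:00:11:22:33", "00:00:00:aa:bb:cc", 0x0800, b"\x45" + b"\x00" * 59)

if __name__ == "__main__":
    for f in (ESI_FRAME, IPV4_FRAME):
        print(parse_ethernet(f)["dst"], "->", classify(f))
```

To run it against a real capture, feed each frame's raw bytes (for example from a pcap reader) to `classify` instead of the constructed samples.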