Advice on server location/DMZ/NAT

[Cross-posted from support forum after no replies]


Our organization has several sites, linked via VPN. We have an Asterisk (AstLinux) server at head office, in our DMZ (behind NAT). Voice traffic between the sites travels over the VPNs. We have IAX2 trunks from a VoIP provider with PSTN numbers.

Am I correct in thinking that there are two downsides of this set-up?

  1. The VPN processing adds latency

  2. QoS will struggle to identify and prioritize VoIP inside the VPNs

Should I set things up differently? I would try to get the traffic out from the VPNs while leaving the server where it is, but I’ll run into difficulty with routing (I can explain this further if necessary). I’ve tried putting the server outside the VPN with an external IP address, but am having trouble with NAT for phones on the internal network.

What would the recommendation be? Our phones are a mixture of Snom, Atcom, and X-Lite. I don’t mind where in the network I locate the server, and will also happily consider other Asterisk boxes at the larger remote sites, but any advice on what the best approach is likely to be would be very gratefully received.

Many thanks


I have never tested Asterisk over a VPN so I cannot comment on it. I would assume that the router would not be able to do QoS for the VoIP since it just sees the VPN as a connection.

Can you describe in more detail your network set up when you had NAT issues ?
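The QoS point raised above (a router only sees the tunnel, not the voice inside it) can be shown with a few bytes of packet construction. The script below is an added example and is not code from the thread or from AstLinux/Asterisk: it builds a constructed RTP datagram marked DSCP EF, wraps it in a UDP tunnel the way a VPN does (encryption omitted, since it does not change the outer header), and shows what a DSCP-matching classifier sees in each case. All addresses and ports are made up; the `pass_tos` option stands in for the inner-to-outer DSCP copy that some VPN software offers (OpenVPN's `--passtos`, for instance).

```python
import struct

DSCP_EF = 46   # Expedited Forwarding: the conventional marking for RTP voice
DSCP_BE = 0    # best effort (what an unmarked outer tunnel header carries)
IPPROTO_UDP = 17


def _ip(addr: str) -> bytes:
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload.
    DSCP lives in the top 6 bits of the ToS byte; ECN bits are left at 0."""
    tos = (dscp & 0x3F) << 2
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; a zero checksum is permitted over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


def classify(packet: bytes) -> str:
    """A DSCP-based router QoS policy inspects only the outermost IP header;
    it has no view into an encrypted tunnel."""
    return "voice" if dscp_of(packet) == DSCP_EF else "best-effort"


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                tunnel_port: int = 1194, pass_tos: bool = False) -> bytes:
    """Wrap an inner IP packet in a UDP tunnel (1194 is OpenVPN's default port;
    encryption is omitted as it does not affect the outer header). With
    pass_tos the inner DSCP is copied to the outer header; otherwise the outer
    header is best effort, which is the usual default."""
    outer_dscp = dscp_of(inner) if pass_tos else DSCP_BE
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_UDP,
                      build_udp(tunnel_port, tunnel_port, inner), outer_dscp)


def decapsulate(outer: bytes) -> bytes:
    """Strip the outer IPv4 header (honouring IHL) and the 8-byte UDP header."""
    ihl = (outer[0] & 0x0F) * 4
    return outer[ihl + 8:]


def make_voice_packet() -> bytes:
    """Constructed sample: one RTP datagram from a remote-site phone to the
    head-office Asterisk box, marked EF by the phone. Addresses are made up."""
    rtp = bytes([0x80, 0x08]) + b"\x00" * 10 + b"G711-payload"  # fake RTP header + payload
    return build_ipv4("10.20.0.51", "10.0.0.5", IPPROTO_UDP,
                      build_udp(10000, 14000, rtp), DSCP_EF)


def demo() -> dict:
    inner = make_voice_packet()
    plain = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    passtos = encapsulate(inner, "203.0.113.10", "198.51.100.20", pass_tos=True)
    return {
        "inner": classify(inner),                 # voice
        "tunnel_default": classify(plain),        # best-effort: marking hidden
        "tunnel_passtos": classify(passtos),      # voice: marking copied outward
        "roundtrip_ok": decapsulate(passtos) == inner,
        "checksum_ok": ipv4_checksum(passtos[:20]) == 0,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Two practical consequences follow. First, prioritising voice inside the VPN needs the tunnel endpoint to copy the inner DSCP to the outer header and the ADSL routers or load balancer to classify on that outer header; a marking that the NAT firewall rewrites or strips on the way out never reaches them. Second, copying DSCP outward deliberately leaks one bit of information through the tunnel (that voice is flowing right now), which is usually an acceptable trade for a site-to-site link but worth noting in the threat model. The IAX2 trunk to the provider, if it runs outside the VPN, can be classified directly on its own header.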

Thanks for the reply, Dovid. Our network currently looks something like this (excuse ASCII):

[code]
3 x ADSL routers
        |
Load balancer
        |
Switch – Asterisk box
        |
Firewall (NAT) – DMZ
        |
Internal network (with SIP clients)
[/code]

How does that look?



I am using softphones over a VPN connection to a central Asterisk server but I don’t have any QoS setup on the VPN links so reliability is variable. I assume that the VPN is established between the firewall and a remote firewall and the ADSL routers just pass this traffic through?