As far as I have understand ORANGE → RED is allowed by default (see the wiki) so I assume that there is no additional rule necessary.
But even if I copy both of your settings, the DECT-Bridge is unable to connect to the ISP. Do you have additional masquerading enabled in Firewall-Options? (I have disabled this setting on alle LAN)
shows me that ORANGE is allowed to reach the RED LAN. Why do I need the rule no. 3?
OK, it seems because there is a needed port redirection. Why does this rule need this port redirection?
Maybe it is better/easier to use the masquerading in the firewall options? Just now there are all disabled.
I’d like to clarify some terms that might be confusing:
NAT (Network Address Translation): Remaps the IP addresses in the source or destination fields of IP packets, maintaining a translation table for consistent mapping and routing.
DNAT (Destination Network Address Translation): Alters the destination IP and optionally the port number of incoming packets. Useful for directing external traffic to specific internal hosts.
SNAT (Source Network Address Translation): Modifies the source IP and optionally the port number of outgoing packets. Used for mapping multiple internal IPs to a single or multiple public IPs. Essential for some protocols like SIP.
Masquerading: A form of SNAT where the source IP is set to the IP of the outgoing network interface. Useful for dynamic IPs.
For your VOIP setup, you’ll need to use DNAT to divert incoming traffic to your DECT-Bridge. This is handled by rule 4. You’ll also need to configure either SNAT (for fixed public IPs) or Masquerading (for dynamic public IPs) for the outbound traffic from the DECT-Bridge to ensure SIP functionality. This would be addressed in rule 3.
If your public IP is fixed, you can use SNAT for better efficiency, though Masquerading will work as well. For specifying SNAT or MASQUERADE, you’ll need to manually configure iptables rules in firewall.local. I believe that when writing a rule using the WUI, it will be done automatically.