persistent NAT?

I just installed an Edge Lite at a customer. They use a phone system by Vertical. We have a static IP from the cable company on eth0. eth1 is 10.0.0.1/24.

On the LAN are an OpenVPN server and a phone server. They are trying to register soft phones through the OpenVPN server to the phone server. We have a static route set and some port forwards.

The OpenVPN server is at 10.0.0.227.

The phone server is 10.0.0.220.

They are saying this:

From the phone server side, we see the REGISTER message hit the system and we respond by challenging with a 401 Unauthorized. The system then gets an ICMP Destination Unreachable (host administratively prohibited) back.

On the OpenVPN side, we see the REGISTER go out from the phone's VPN IP address, 10.10.2.2, to the phone server's, 10.0.0.220; however, the 401 Unauthorized, rather than having the phone server's IP address as the source IP, has the Ubiquiti's IP, 10.0.0.1. When this packet hits the OpenVPN server, the firewall rightfully recognizes that this is not from an established session and blocks the packet. (As a test we turned off the firewall on the OpenVPN server and this works, but this is not a recommended configuration.) We need the Ubiquiti to stop altering packets at layer 3 on LAN-to-LAN communication. While the source MAC address should change to the Ubiquiti's, the IP address should not.

Below are my configs. Can anyone tell me how to get the router to stop altering the packets, as they assert?

Thanks.

rs# show port-forward
 auto-firewall enable
 hairpin-nat enable
 lan-interface eth1
 rule 1 {
     description UDP1194
     forward-to {
         address 10.0.0.227
         port 1194
     }
     original-port 1194
     protocol udp
 }
 rule 2 {
     description UDP50070
     forward-to {
         address 10.0.0.220
         port 50070
     }
     original-port 50070
     protocol tcp_udp
 }
 wan-interface eth0
[edit]

rs# show firewall
 all-ping enable
 broadcast-ping disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
     default-action drop
     description "WAN to internal"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
 }
 name WAN_LOCAL {
     default-action drop
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
     rule 21 {
         action accept
         description SSH_SCS
         destination {
             port 5519
         }
         log enable
         protocol tcp
         source {
             address 162.42.215.130-162.42.215.186
         }
     }
     rule 22 {
         action accept
         description Vertical_SSH
         destination {
             port 5519
         }
         log enable
         protocol tcp
         source {
             address 216.161.211.35
         }
     }
     rule 23 {
         action accept
         description gui_from_voa
         destination {
             port 443
         }
         log enable
         protocol tcp
         source {
             address 98.191.122.131
         }
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
[edit]

Here is the entire configuration:

rs:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description SSH_SCS
            destination {
                port 5519
            }
            log enable
            protocol tcp
            source {
                address 162.4xxx.xx
            }
        }
        rule 22 {
            action accept
            description Vertical_SSH
            destination {
                port 5519
            }
            log enable
            protocol tcp
            source {
                address 216.xx.ss.ss
            }
        }
        rule 23 {
            action accept
            description gui_from_voa
            destination {
                port 443
            }
            log enable
            protocol tcp
            source {
                address 98.191.x.ss
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 184.ss.ss.ss/30
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.0.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description UDP1194
        forward-to {
            address 10.0.0.227
            port 1194
        }
        original-port 1194
        protocol udp
    }
    rule 2 {
        description UDP50070
        forward-to {
            address 10.0.0.220
            port 50070
        }
        original-port 50070
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        route 10.10.2.0/24 {
            next-hop 10.0.0.227 {
                description OpenVPN
                distance 2
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.38 {
                    stop 10.0.0.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 5519
        protocol-version v2
    }
}
system {
    gateway-address 184..ss.ss.ss
    host-name rrs
    login {
        user co {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
        user rrs {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "Pa"
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ****************
            url http://http.us.debian.org/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ****************
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
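
The symptom in the post (a 401 that leaves the router with source 10.0.0.1 instead of 10.0.0.220) is what a source-NAT rule on the LAN side produces when it also matches routed LAN-to-LAN traffic. From the posted config, the phone server presumably has 10.0.0.1 as its default router and no route of its own for 10.10.2.0/24, so its reply goes to the EdgeRouter, which routes it back out eth1 toward 10.0.0.227 (the static route), and on the way the packet passes the nat POSTROUTING chain. Whether it is rewritten there depends on how tightly the masquerade rule installed by `hairpin-nat enable` is scoped, and the page does not show that rule. The script below is an added example, not code from the original post or from Ubiquiti: it parses an iptables-save style dump, reports which rule would rewrite the 401 reply, and flags LAN-side source-NAT rules that are not pinned to a single destination host. The rule dump, the packets and the phone's source port in it are constructed for illustration and are not a capture of what EdgeOS generates; on the router, `sudo iptables -t nat -S` prints the real rules in this format, and that text can be fed in instead of the sample.

```python
"""Which nat POSTROUTING rule rewrites a hairpinned LAN reply?

Added example (not code from the original post or from Ubiquiti). SAMPLE_RULES
is CONSTRUCTED: the first rule has the shape of an over-broad LAN-side
masquerade, the second the shape of a hairpin rule scoped to one forwarded
host and port, the third is the WAN masquerade from the posted config.
Replace SAMPLE_RULES with the output of `sudo iptables -t nat -S` to check
the real ruleset.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

LAN_IF = "eth1"
LAN_SUBNET = ipaddress.ip_network("10.0.0.0/24")
SNAT_TARGETS = {"MASQUERADE", "SNAT"}

SAMPLE_RULES = """\
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.227/32 -o eth1 -p udp -m udp --dport 1194 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
"""


@dataclass
class Packet:
    src: str     # source IP as seen in POSTROUTING (after any DNAT)
    dst: str     # destination IP, likewise
    proto: str   # "udp" or "tcp"
    dport: int
    out: str     # interface chosen by the routing decision


def parse_rule(line: str) -> dict:
    """Parse one iptables-save `-A CHAIN ... -j TARGET` line into match criteria.

    Only -s, -d, -o, -p, --dport and -j are interpreted; other matches are
    skipped, which is enough for this illustration but not for a full audit.
    """
    tok = shlex.split(line)
    rule = {"chain": None, "src": None, "dst": None, "out": None,
            "proto": None, "dport": None, "target": None, "raw": line.strip()}
    i = 0
    while i < len(tok):
        flag = tok[i]
        arg = tok[i + 1] if i + 1 < len(tok) else None
        if flag == "-A":
            rule["chain"] = arg
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-o":
            rule["out"] = arg
        elif flag == "-p":
            rule["proto"] = arg
        elif flag == "--dport":
            rule["dport"] = int(arg)
        elif flag == "-j":
            rule["target"] = arg
        else:
            i += 1          # unrecognised token: skip it on its own
            continue
        i += 2
    return rule


def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("-A")]


def matches(rule: dict, pkt: Packet) -> bool:
    """True when every criterion the rule specifies fits the packet."""
    if rule["out"] and rule["out"] != pkt.out:
        return False
    if rule["src"] and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["proto"] and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True


def snat_rule_for(rules: list, pkt: Packet) -> Optional[dict]:
    """First POSTROUTING rule that would rewrite the packet's source, or None."""
    for r in rules:
        if r["chain"] == "POSTROUTING" and r["target"] in SNAT_TARGETS and matches(r, pkt):
            return r
    return None


def overbroad_lan_snat(rules: list, lan_if: str, lan_net) -> list:
    """LAN-side source-NAT rules not pinned to a single destination host.

    Such a rule also catches routed LAN-to-LAN traffic, e.g. a reply the router
    hairpins back out the LAN interface toward a VPN subnet, and stamps it with
    the router's LAN address: the symptom described in the post.
    """
    found = []
    for r in rules:
        if r["chain"] != "POSTROUTING" or r["target"] not in SNAT_TARGETS:
            continue
        if r["out"] != lan_if:
            continue
        if r["src"] is not None and not r["src"].overlaps(lan_net):
            continue
        if r["dst"] is None or r["dst"].prefixlen < r["dst"].max_prefixlen:
            found.append(r)
    return found


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Constructed: the phone server's 401, routed by the EdgeRouter back out
    # eth1 toward the OpenVPN server that owns 10.10.2.0/24. UDP and the
    # phone's source port 40000 are assumptions, not values from the post.
    reply = Packet(src="10.0.0.220", dst="10.10.2.2", proto="udp", dport=40000, out="eth1")
    hit = snat_rule_for(rules, reply)
    print("401 reply source rewritten by:", hit["raw"] if hit else "nothing")
    for r in overbroad_lan_snat(rules, LAN_IF, LAN_SUBNET):
        print("over-broad LAN-side SNAT rule:", r["raw"])
```

If the real ruleset contains a rule of the first shape, the NAT-side options are `set port-forward hairpin-nat disable` (if nothing on the LAN needs to reach the forwarded services by the WAN address) or an explicit `service nat` masquerade rule with `outbound-interface eth1`, `source address 10.0.0.0/24`, `destination address` set to the forwarded host and the forwarded port, so that only genuine hairpin flows are rewritten. Independently of NAT, a route for 10.10.2.0/24 via 10.0.0.227 on the phone server itself keeps its replies off the router entirely, which also avoids the ICMP redirects the router will emit for that traffic with `send-redirects enable`.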