Re: [asterisk-users] Which router/firewall would you use for a virtual-PBX Asterisk installation?
Oh, don't worry about us going cheap on security. We use A2Billing (along with some Fail2Ban configuration for bad logins) to limit the number and cost of calls that can go out through a compromised SIP account, so that when, not *if*, a customer's SIP account gets compromised, the attacker gets cut off at the knees before they can even get out the door. We've even added bogus connection charges on international calls that get removed before we bill our customers, to speed up the process and reduce our losses even further. Our customers are even happy that these billing limits are in place.

No, this is all about playing nice with our load balancing software and protecting databases and backend servers that have no business being available to the public. But mostly it's about the load balancer (IPTables on said servers can take care of "visible to the public").

I just want to make sure that the router we use will play nice with Asterisk, since we've already seen network hardware that looks good on paper, but fails miserably in practice. In fact, we see it so often with individual customers' crap routers causing voice quality issues, that by default we don't trust simple math. So here I am, asking everyone what router they use, and whether you're happy with the results when there's 100 simultaneous SIP calls in progress. I want to know what happens when the rubber hits the road.

On 2015-11-20 14:22, Telium Technical Support wrote:

Well router and firewall are very different...it depends on what you are trying to accomplish.

If you are trying to secure an Asterisk-based call center, get a real security product. Look here for details: http://www.voip-info.org/wiki/view/Asterisk+security

This covers firewall, Asterisk lock-down, and Asterisk specific security. The average break-in/fraud cost is $25,000 per day. (watch the Astricon videos for more details). So going cheap on security isn't a smart move for a commercial installation.

If you just want a router/switch, figure out the simultaneous call capacity x codec demands in bps, and there is your backplane switching speed requirements. Even with 100 simultaneous calls at g711, a lower end Cisco (3xx) router/switch will have no problem.

-M-

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Ernie Dunbar
Sent: Friday, November 20, 2015 3:25 PM
To: Asterisk Users
Subject: [asterisk-users] Which router/firewall would you use for a virtual-PBX Asterisk installation?

Hi everyone.

We've got a fairly large base of customers who use our Asterisk server for phone service in a virtual PBX kind of way, where the server is security hardened and exposed to the internet for them to connect to remotely with SIP and IAX. It's certainly not the sort of affair where we're running it as a PBX just within the building. As a result, we see network traffic coming through eth0 between 512 Kbps and about 3.0 Mbps, depending on the time of day.

We haven't so far been using a hardware firewall/router on our server network, but it's becoming increasingly clear that we need to. We have enough experience to know that Asterisk is pretty sensitive when it comes to network hardware in our situation - we've had to replace one otherwise perfectly good 100 Mbps network switch because it simply wasn't able to keep up with the amount of streaming audio we put through it, and it badly affected voice quality.

We have other traffic flowing through our server network too, including a significant amount of e-mail and web traffic, although that's not quite as sensitive to the quality of our network hardware.

If you've got these large requirements for Asterisk, I'd love to hear what you use for a router, and whether that router has met your needs. It would also be nice to hear about what kinds of routers to avoid that you may have tried in the past and found lacking.
-- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Which router/firewall would you use for a virtual-PBX Asterisk installation?
If you are focused on routing, we've used 4 Cisco SG300-28p in router mode - economical way to handle vlans etc for ~100 POE phone sets, (with GB interconnects). At the edge Cisco ASA-55xx work well, and we've done a few deployments with Mikrotik routers that are quite inexpensive and performed impressively for their cost.

From a security standpoint, consider what happened last summer when hackers found an exploit in the FreePBX web interface. They rewrote the PBX dialplan, disabled CDR's, and made unlimited calls to premium rate numbers. This was a real wakeup call for FreePBX users who thought Fail2Ban was a security system, or CDR's could be used to catch compromised accounts. Digium warns everyone that fail2ban is not a security system: http://forums.asterisk.org/viewtopic.php?p=159984

If you don't want a security system on your PBX, see if your ITSP will limit your account to $X/day, restrict routes, etc.

There are also some great Astricon videos online where they invite speakers to talk about security. You'll see that fail2ban + A2Billing doesn't keep out anyone except the script kiddies.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Ernie Dunbar
Sent: Monday, November 23, 2015 2:17 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Which router/firewall would you use for a virtual-PBX Asterisk installation?

Oh, don't worry about us going cheap on security. We use A2Billing (along with some Fail2Ban configuration for bad logins) to limit the number and cost of calls that can go out through a compromised SIP account, so that when, not *if*, a customer's SIP account gets compromised, the attacker gets cut off at the knees before they can even get out the door. We've even added bogus connection charges on international calls that get removed before we bill our customers, to speed up the process and reduce our losses even further.
Our customers are even happy that these billing limits are in place.

No, this is all about playing nice with our load balancing software and protecting databases and backend servers that have no business being available to the public. But mostly it's about the load balancer (IPTables on said servers can take care of "visible to the public").

I just want to make sure that the router we use will play nice with Asterisk, since we've already seen network hardware that looks good on paper, but fails miserably in practice. In fact, we see it so often with individual customers' crap routers causing voice quality issues, that by default we don't trust simple math. So here I am, asking everyone what router they use, and whether you're happy with the results when there's 100 simultaneous SIP calls in progress. I want to know what happens when the rubber hits the road.

On 2015-11-20 14:22, Telium Technical Support wrote:
> Well router and firewall are very different...it depends on what you are
> trying to accomplish.
>
> If you are trying to secure an Asterisk-based call center, get a real
> security product. Look here for details:
> http://www.voip-info.org/wiki/view/Asterisk+security
>
> This covers firewall, Asterisk lock-down, and Asterisk specific security.
> The average break-in/fraud cost is $25,000 per day. (watch the Astricon
> videos for more details). So going cheap on security isn't a smart move for
> a commercial installation.
>
> If you just want a router/switch, figure out the simultaneous call capacity
> x codec demands in bps, and there is your backplane switching speed
> requirements. Even with 100 simultaneous calls at g711, a lower end Cisco
> (3xx) router/switch will have no problem.
>
> -M-
>
> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com
> [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Ernie Dunbar
> Sent: Friday, November 20, 2015 3:25 PM
> To: Asterisk Users
> Subject: [asterisk-users] Which router/firewall would you use for a
> virtual-PBX Asterisk installation?
>
> Hi everyone.
>
> We've got a fairly large base of customers who use our Asterisk server
> for phone service in a virtual PBX kind of way, where the server is
> security hardened and exposed to the internet for them to connect to
> remotely with SIP and IAX. It's certainly not the sort of affair where
> we're running it as a PBX just within the building. As a result, we see
> network traffic coming through eth0 between 512 Kbps and about 3.0 Mbps,
> depending on the time of day.
>
> We haven't so far been using a hardware firewall/router on our server
> network, but it's becoming increasingly clear that we need to. We have
> enough experience to know that Asterisk is pretty sensitive when it
> comes to network hardware in our situation - we've had to replace one
> otherwise perfectly good 100 Mbps network switch because it simply
> wasn't able to keep up with
[asterisk-users] How exactly does asterisk know what IP to send RTP traffic to?
Hello,

I have a somewhat confusing use case.

We use a mobile voip app and our users connect to our PBX via a public IP of our firewall which port forwards to asterisk (TLS and SRTP ports). Works fine.

Sometimes however, our users are also connected to our VPN (L2TP/IPsec) which is served by the same firewall that our PBX sits behind at the datacenter. In this case, most often the calls go through but there is no audio.

I believe that asterisk “thinks” in this case that the IP of the clients, to send RTP traffic to, is the firewall’s IP, rather than the IP that the VPN server assigned the client device.

Does asterisk send RTP traffic to the IP which is in the IP headers of the SIP REGISTER, or can a client “specify” its truly reachable IP?

I hope this makes sense.

Regards,
Kevin Long
Re: [asterisk-users] How exactly does asterisk know what IP to send RTP traffic to?
Hi Kevin

Is your VPN set as a localnet? The externip only tends to cope with the firewall address. If you put the VPNs in the localnet lists then it won't use NAT to find them.

In answer to your question, the SIP session description in the call setup has the IP for media for both parties, which is where Asterisk / client will send RTP to respectively. You can look at this using tcpdump. c= is what you are looking for.

Some formal examples https://tools.ietf.org/html/rfc4317

Cheers
Duncan

On 24 Nov 2015, at 10:01, Kevin Long wrote:

Hello,

I have a somewhat confusing use case.

We use a mobile voip app and our users connect to our PBX via a public IP of our firewall which port forwards to asterisk (TLS and SRTP ports). Works fine.

Sometimes however, our users are also connected to our VPN (L2TP/IPsec) which is served by the same firewall that our PBX sits behind at the datacenter. In this case, most often the calls go through but there is no audio.

I believe that asterisk “thinks” in this case that the IP of the clients, to send RTP traffic to, is the firewall’s IP, rather than the IP that the VPN server assigned the client device.

Does asterisk send RTP traffic to the IP which is in the IP headers of the SIP REGISTER, or can a client “specify” its truly reachable IP?

I hope this makes sense.

Regards,
Kevin Long
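The `c=` lookup Duncan describes, as an added example that is not part of the original thread: it reads the media address and port out of an SDP body (as copied from a tcpdump or SIP debug capture) and labels the address against a list of localnet ranges. The sample SDP, all addresses and the `classify` labels are constructed assumptions for illustration; they are a diagnostic aid, not Asterisk's own logic.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def media_targets(sdp):
    """Return (media, ip, port) per m= line; a media-level c= overrides the session-level one."""
    session_ip, targets = None, []
    for line in sdp.splitlines():
        line = line.strip()
        if len(line) < 3 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "c":
            # c=<nettype> <addrtype> <address>, e.g. "c=IN IP4 10.8.0.23"
            ip = value.split()[2].split("/")[0]
            if targets:
                targets[-1][1] = ip      # c= after an m= line applies to that stream only
            else:
                session_ip = ip          # c= before any m= line is the session default
        elif kind == "m":
            media, port = value.split()[:2]
            targets.append([media, session_ip, int(port.split("/")[0])])
    return [tuple(t) for t in targets]

def classify(ip, localnets):
    """Label an SDP media address against the operator's localnet ranges (hypothetical helper)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in localnets):
        return "localnet"
    if any(addr in n for n in RFC1918):
        return "private, not in localnet"   # RTP sent here only works if it is routable
    return "public"

# Constructed sample: SDP offered by a phone that is on the VPN (addresses are made up).
VPN_OFFER = """v=0
o=- 3657 1 IN IP4 10.8.0.23
s=call
c=IN IP4 10.8.0.23
t=0 0
m=audio 40000 RTP/SAVP 0 8
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    for media, ip, port in media_targets(VPN_OFFER):
        print(media, ip, port, classify(ip, ["192.168.10.0/24"]))
```

A result of "private, not in localnet" for the VPN-assigned address is the case worth comparing against the localnet entries on the PBX.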