> Am 09.03.2017 um 22:14 schrieb Michael Knill > <michael.kn...@ipcsolutions.com.au>: > > Cool thanks Darrick. > Sounds like time for a mindset change, especially if I want some growth in my > customer base. > And yes I certainly wont be changing the standard model of Astlinux on the > edge unless I have to. > > Regards > Michael Knill > > -----Original Message----- > From: Darrick Hartman <dhart...@djhsolutions.com> > Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> > Date: Friday, 10 March 2017 at 8:06 am > To: AstLinux List <astlinux-users@lists.sourceforge.net> > Subject: Re: [Astlinux-users] Astlinux on the edge > > Michael, > > When our project was developing, the firewall was better than what many small > businesses were using at the time. With the ability to use adaptive ban and > FIREHOL, I would still argue that it is better than the basic systems that > small businesses are using. (even if they have a Cisco, unless it's set up > with the right licenses, it's no better than what's in a properly configured > AstLinux system). If you have someone who has a real firewall with more > advanced intrusion prevention/detection methods, web filtering etc (such as a > Sophos), by all means protect the phone network with the more robust tool BUT > turn off the SIP "helpers". Most of those do nothing to help. > > We run systems in both configurations. As long as you know and understand > what's happening, you shouldn't have a problem. > > Darrick
+1 from me If you can, I would always use AstLinux on the edge. > -----Original Message----- > From: Michael Knill [mailto:michael.kn...@ipcsolutions.com.au] > Sent: Wednesday, March 8, 2017 8:10 PM > To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net> > Subject: Re: [Astlinux-users] Astlinux on the edge > > Thanks Lonnie > > So if we are looking at this from an Astlinux architectural perspective, why > have we gone to so much effort to put Asterisk on the edge e.g. no NAT? > Was it only for remote extensions? Is this configuration pretty robust? Will > it work for a SIP Trunk e.g. no registration. I would expect you would need > to port forward that on 5060? > Do you think I should just agree to have my Astlinux appliance behind an IT > providers firewall to keep them happy? > > Lots of testing required. > > Regards > Michael Knill > > -----Original Message----- > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> > Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> > Date: Thursday, 9 March 2017 at 1:22 am > To: AstLinux List <astlinux-users@lists.sourceforge.net> > Subject: Re: [Astlinux-users] Astlinux on the edge > > Michael, > > If you place AstLinux behind a NAT firewall as a PBX ... > > -- No NAT port forwarding to AstLinux (except for possible OpenVPN for remote > IP Phones) and disable any upstream SIP ALG's. > > -- Set "directmedia=no" for all phones and the trunk, all media goes through > Asterisk > > -- Set "qualify=yes" on trunk SIP peer to keep the upstream firewall state > active > > -- Set "nat=force_rport,comedia" on the trunk SIP peer to force NAT handling, > the only peer that does NAT to Asterisk > > -- Set "localnet=192.168.0.0/255.255.0.0' and "localnet=10.0.0.0/255.0.0.0" > to cover any LAN and OpenVPN networks which are not NAT'ed to Asterisk. > > -- When using remote IP Phones over OpenVPN, since asterisk will bind to the > openvpn server tun interface, use the openvpn network (possibly 10.8.0.0/24) > for tunneled SIP endpoints. > > (Readers, if I have missed or mangled any of the above, please correct.) > > Bottom line, an AstLinux PBX behind NAT should be workable for production. > > Lonnie > > > On Mar 7, 2017, at 8:01 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> > wrote: > >> Hi thanks Lonnie. Sorry this went into my junk for some reason. >> >> 1) Yes this is certainly a problem but I have also experienced problems with >> no media on calls being hairpinned through Asterisk from the external trunk. >> This may be solvable with port forwarding however. Maybe I should do some >> testing on this and specify some known and working router/firewall >> configurations. >> 2) I use Open VPN for my external phones so it could be solved this way. >> >> I am currently negotiating with the partner and it looks like they will take >> option 3 below which I think is the best compromise. >> >> Regards >> Michael Knill >> >> -----Original Message----- >> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> >> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >> Date: Saturday, 4 March 2017 at 2:54 pm >> To: AstLinux List <astlinux-users@lists.sourceforge.net> >> Subject: Re: [Astlinux-users] Astlinux on the edge >> >> Hi Michael, >> >> My guess is "it depends" ... your IT partners go into a auto repair shop >> with a 5 year old residential-grade router, etc. (ie. a mess) then making >> AstLinux the edge device would be a major upgrade, not to mention the added >> voice functionality. >> >> Then again your IT partners go into a dentist's office which were previously >> sold more router than they needed, it may not seem right to put AstLinux in >> front of it. >> >> My guess is you need to plan for both situations. >> >> A couple comments ... >> >> 1) If AstLinux will only serve SIP endpoints on the private side, no roaming >> public endpoints, then being behind NAT is workable, only the trunk is >> effected by NAT. Always disable any upstream SIP ALG's, almost always bad >> news. Keep in mind no upstream port-forwarding is needed for this scenario, >> and always keep the AstLinux firewall enabled for the Adaptive Ban and other >> protections to be kept in place. >> >> 2) Else if roaming public endpoints need to be supported, placing AstLinux >> at the edge will make SIP easier. AstLinux comes with a dmz-dnat plugin, the >> idea is to move a pre-existing router from the WAN to AstLinux's LAN with a >> static IP address and configure the plugin which internally performs a " -j >> DNAT --to-destination $DMZ_IP " *all* traffic not allowed directly into >> AstLinux. WARNING - this plugin was written many years ago and has not been >> tested as thoroughly as I would like to see for production purposes. Though >> if there are issues with the dmz-dnat plugin they could be remedied. >> >> Lonnie >> >> >> On Mar 3, 2017, at 4:50 PM, Michael Knill >> <michael.kn...@ipcsolutions.com.au> wrote: >> >>> Hi all >>> >>> Im looking to push my Astlinux business this year and this will rely >>> heavily on partners. These partners will usually be IT Service providers >>> that have a number of small business customers and that they want to add >>> voice as a value add product. >>> >>> Now here is where the problem lies. Most of these providers would currently >>> be maintaining the site firewall but as Astlinux is designed to be on the >>> edge, its an issue. So what do you do? >>> 1) Put Astlinux in front of their firewall and open up the necessary >>> ports and protocols. The problem here is that they lose flexibility in what >>> they can do and there is another provider in the mix. Its also a problem if >>> they are retailing the broadband connection for the site with too many >>> dependencies. >>> 2) Put their firewall on an Astlinux DMZ with a public IP Address. >>> They now have more flexibility and I can control Qos. Still issues with >>> being reliant on another provider and additional IP Addresses can be >>> expensive or unobtainable. I assume I can actually do this with Astlinux! >>> 3) Put Astlinux as a DMZ in their firewall with a public IP Address. >>> They now have complete control however QoS would need to be configured on >>> the firewall and additional IP Addresses can be expensive or unobtainable. >>> PS this is the model I have with one of my partners >>> 4) Sit behind the firewall and rely on port forwarding and/or ALG’s. >>> Inviting trouble but possible if you have a known working configuration >>> >>> Im interested to know what others are doing in this space. >>> >>> Regards >>> Michael Knill Michael http://www.mksolutions.info ------------------------------------------------------------------------------ Announcing the Oxford Dictionaries API! The API offers world-renowned dictionary content that is easy and intuitive to access. Sign up for an account today to start using our lexical data to power your apps and projects. Get started today and enter our developer competition. http://sdm.link/oxford _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
