Re: [asterisk-users] asterisk across a firewall

2009-02-12 Thread Erick Perez
On Wed, Feb 11, 2009 at 1:56 PM, Gordon Henderson wrote:
> On Wed, 11 Feb 2009, Erick Perez wrote:
>
>> Excuse my ignorance but if I have an asterisk in a LAN, and I have
>> users in their homes/internet (dozens), in order to correctly connect
>> those users across my firewall, what is the technology that I need to
>> buy, called?
>> secure border gateway?
>> session controller?
>> secure gateway?
>> the audiocodes site seems to have many names for the same thing...but
>> I better ask here and learn before I make a big mistake.
>>
>> my customer has a dumb firewall (not SIP aware) that he will not replace.
>> he wants another box to do the magic.
>
> I have many customers like that, and "working from home" is gaining
> momentum where I live...
>
> So the scenario (if I interpret it correctly): Asterisk at HQ is behind a
> NAT firewall with remote users (who themselves may be behind a NAT
> firewall)
>
> HQ needs a static IP address on the outside and plenty of bandwidth.
>
> The dumb router at HQ needs to port-forward external port 5060 and
> 1-2 into the asterisk box (you can limit this range - see
> rtp.conf) Most dumb routers can port-forward.
>
> Asterisk needs to know its LAN and external IP address - sip.conf,
> externip= and localnet=
>
> remote extensions need nat=yes in sip.conf
>
> and that's basically it.
>
> If the remote extensions are themselves behind a NAT firewall, then the
> easiest way to get them through it is by using a stun server - either run
> your own, or use someone else's... Do not do any port-forwarding at the
> remote users' sites.
>
> Yes, you can fiddle about with proxies, gateways, etc. but keep it simple
> to start with and I have many installations doing it this way and it "just
> works". One day I'm sure I'll trip up, but until then...
>
> Pitfalls - the same with all VoIP - bandwidth, especially outgoing b/w
> from HQ. Broken NAT gateways, and routers which have SIP ALGs built in
> which are also broken. (Turn them off!)
>
> Routers with broken SIP ALG are the biggest PITA to work round.
>
> Gordon
>
> ___
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>



Thank you all for the excellent responses. I will do some tests here to
decide on a method/technology to use.

-- 

Erick Perez
Cel +(507) 6675-5083




Re: [asterisk-users] asterisk across a firewall

2009-02-11 Thread Gordon Henderson
On Wed, 11 Feb 2009, Erick Perez wrote:

> Excuse my ignorance but if I have an asterisk in a LAN, and I have
> users in their homes/internet (dozens), in order to correctly connect
> those users across my firewall, what is the technology that I need to
> buy, called?
> secure border gateway?
> session controller?
> secure gateway?
> the audiocodes site seems to have many names for the same thing...but
> I better ask here and learn before I make a big mistake.
>
> my customer has a dumb firewall (not SIP aware) that he will not replace.
> he wants another box to do the magic.

I have many customers like that, and "working from home" is gaining
momentum where I live...

So the scenario (if I interpret it correctly): Asterisk at HQ is behind a
NAT firewall with remote users (who themselves may be behind a NAT
firewall)

HQ needs a static IP address on the outside and plenty of bandwidth.

The dumb router at HQ needs to port-forward external port 5060 and 
1-2 into the asterisk box (you can limit this range - see 
rtp.conf) Most dumb routers can port-forward.

Asterisk needs to know its LAN and external IP address - sip.conf,
externip= and localnet=

remote extensions need nat=yes in sip.conf

and that's basically it.

If the remote extensions are themselves behind a NAT firewall, then the
easiest way to get them through it is by using a stun server - either run
your own, or use someone else's... Do not do any port-forwarding at the
remote users' sites.

Yes, you can fiddle about with proxies, gateways, etc. but keep it simple 
to start with and I have many installations doing it this way and it "just 
works". One day I'm sure I'll trip up, but until then...

Pitfalls - the same with all VoIP - bandwidth, especially outgoing b/w
from HQ. Broken NAT gateways, and routers which have SIP ALGs built in
which are also broken. (Turn them off!)

Routers with broken SIP ALG are the biggest PITA to work round.

Gordon
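
Added example, not part of the original post: the sip.conf and rtp.conf settings named above laid out as the two files would carry them, with two settings (allowguest, alwaysauthreject) added here because port 5060 becomes Internet-facing. Every address, port range, peer name, context and secret is a constructed placeholder.

```ini
; Constructed example: all values below are placeholders, not taken from the thread.

; ---- /etc/asterisk/rtp.conf ----
[general]
rtpstart=10000          ; narrowed media range (placeholder values)
rtpend=10200            ; forward exactly this UDP range on the HQ router,
                        ; alongside UDP 5060 for SIP signalling

; ---- /etc/asterisk/sip.conf ----
[general]
externip=203.0.113.10                 ; HQ static public address (documentation range)
localnet=192.168.1.0/255.255.255.0    ; peers outside this net get externip in SIP/SDP
allowguest=no                         ; exposed port: refuse unauthenticated calls
alwaysauthreject=yes                  ; same rejection whether or not the username exists

[remote-ext-101]                      ; hypothetical home-worker extension
type=friend
host=dynamic                          ; the phone registers from wherever it is
nat=yes                               ; answer to the source address/port actually seen
qualify=yes                           ; periodic OPTIONS keeps the remote NAT binding open
secret=REPLACE_WITH_LONG_RANDOM_SECRET
context=remote-users                  ; hypothetical dialplan context with limited reach
```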



Re: [asterisk-users] asterisk across a firewall

2009-02-11 Thread Alex Balashov

It all depends on how much money you want to spend and how scalable you
want your platform to be, as well as your level of comfort with open source
technology stacks vs. proprietary vendor gear.

You could pull this off with a SIP proxy like Kamailio/OpenSIPS and
Mediaproxy if you wanted.  And up from there.

On Wed, 11 Feb 2009 13:21:06 -0500, Erick Perez  wrote:
> Excuse my ignorance but if I have an asterisk in a LAN, and I have
> users in their homes/internet (dozens), in order to correctly connect
> those users across my firewall, what is the technology that I need to
> buy, called?
> secure border gateway?
> session controller?
> secure gateway?
> the audiocodes site seems to have many names for the same thing...but
> I better ask here and learn before I make a big mistake.
> 
> my customer has a dumb firewall (not SIP aware) that he will not replace.
> he wants another box to do the magic.
> 
> --
> 
> Erick Perez
> Cel +(507) 6675-5083
> 
> 
-- 
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775



Re: [asterisk-users] asterisk across a firewall

2009-02-11 Thread Tim Nelson
OpenVPN?

--Tim

- "Erick Perez"  wrote:

> Excuse my ignorance but if I have an asterisk in a LAN, and I have
> users in their homes/internet (dozens), in order to correctly connect
> those users across my firewall, what is the technology that I need to
> buy, called?
> secure border gateway?
> session controller?
> secure gateway?
> the audiocodes site seems to have many names for the same thing...but
> I better ask here and learn before I make a big mistake.
> 
> my customer has a dumb firewall (not SIP aware) that he will not
> replace.
> he wants another box to do the magic.
> 
> -- 
> 
> Erick Perez
> Cel +(507) 6675-5083
> 
> 
