Re: [Astlinux-users] Ubiquiti Unifi
Thanks all for responding. Sorry I changed my email setup so I missed these responses.
Yes I have decided to not continue trying to get things working with Unifi Gateways and Astlinux until they have Wireguard Site to Site VPN.
Yes the GL.Inet boxes seem to work quite well however I'm thinking I will try the Teltonika RUT300 as we already have these as part of our product portfolio:
https://teltonika-networks.com/products/routers/rut300
I'm also using Netgate 1100 (pfSense) which also works great.
Awesome to have a number of options.

Regards
Michael Knill

From: Ionel Chila via Astlinux-users
Sent: Friday, 8 March 2024 12:56 AM
To: AstLinux Users Mailing List
Cc: Ionel Chila
Subject: Re: [Astlinux-users] Ubiquiti Unifi

I use Unifi UDM-SE for VPN with Gl.inet routers and WireGuard. Works very consistent and reliable.

> On Mar 7, 2024, at 6:20 AM, Michael Keuter wrote:
>
> Hi Michael,
>
> I only used StrongSwan with the AVM Fritzbox router/DSL modem models, which are widely used in Germany. You'll have to create a textfile, which has to be imported into the Fritzbox via the WebGUI.
>
> Luckily the newer Fritzbox models now support WireGuard. Never used Unifi for VPN. I thought you wanted to use Gl.inet routers …
>
> Michael
>
> http://www.mksolutions.info
>
>> On 07.03.2024 at 12:52, Lonnie Abelbeck wrote:
>>
>> Hi Michael,
>>
>> Unifi access points and switches have played well with others over the years.
>>
>> Unifi routing products, while based on linux, never had a good track record of interoperability, particularly with VPNs.
>>
>> It would seem straightforward for Unifi to support sourcing manual Wireguard configs in addition to the pretty GUI Wireguard configs ... maybe someday.
>>
>> Personally, I would not even try to get AstLinux Strongswan to work with Unifi's IPsec.
>>
>> Lonnie
>>
>>> On Mar 7, 2024, at 12:17 AM, Michael Knill wrote:
>>>
>>> No one
>>>
>>> Regards
>>> Michael Knill
>>> From: Michael Knill
>>> Sent: Friday, 23 February 2024 2:50 PM
>>> To: AstLinux List (astlinux-users@lists.sourceforge.net)
>>> Subject: [Astlinux-users] Ubiquiti Unifi
>>>
>>> I'm kicking and screaming all the way, but I will probably be moving to the Ubiquiti Unifi ecosystem (we already use their WAPs).
>>> As part of this, I will be implementing some of their gateways (routers) which I really need to connect via VPN to Astlinux in the cloud.
>>> They now support Wireguard but only as a client or server and not as a site to site VPN which they support Open VPN and IPsec only. In the Wireguard client configuration they emulate a mobile client so all traffic is from the gateway address (NAT).
>>>
>>> So just wondering if I'm going to be able to get this working with OpenVPN as per below:
>>>
>>> Looks like it only supports Pre-Shared Key and not certificates?
>>>
>>> Could probably use Strongswan with IPsec but would rather not unless someone has got this working or something similar.
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director
>>>
>>> D: +61 2 6189 1360
>>> P: +61 2 6140 4656
>>> E: michael.kn...@ipcsolutions.com.au
>>> W: ipcsolutions.com.au
>>>
>>> Smarter Business Communications
>
> ___
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
Re: [Astlinux-users] Ubiquiti Unifi
No one

Regards
Michael Knill

From: Michael Knill
Sent: Friday, 23 February 2024 2:50 PM
To: AstLinux List (astlinux-users@lists.sourceforge.net)
Subject: [Astlinux-users] Ubiquiti Unifi

I'm kicking and screaming all the way, but I will probably be moving to the Ubiquiti Unifi ecosystem (we already use their WAPs).
As part of this, I will be implementing some of their gateways (routers) which I really need to connect via VPN to Astlinux in the cloud.
They now support Wireguard but only as a client or server and not as a site to site VPN which they support Open VPN and IPsec only. In the Wireguard client configuration they emulate a mobile client so all traffic is from the gateway address (NAT).

So just wondering if I'm going to be able to get this working with OpenVPN as per below:

[inline image: image002.png]

Looks like it only supports Pre-Shared Key and not certificates?

Could probably use Strongswan with IPsec but would rather not unless someone has got this working or something similar.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] Ubiquiti Unifi
I'm kicking and screaming all the way, but I will probably be moving to the Ubiquiti Unifi ecosystem (we already use their WAPs).
As part of this, I will be implementing some of their gateways (routers) which I really need to connect via VPN to Astlinux in the cloud.
They now support Wireguard but only as a client or server and not as a site to site VPN which they support Open VPN and IPsec only. In the Wireguard client configuration they emulate a mobile client so all traffic is from the gateway address (NAT).

So just wondering if I'm going to be able to get this working with OpenVPN as per below:

[inline image: image002.png]

Looks like it only supports Pre-Shared Key and not certificates?

Could probably use Strongswan with IPsec but would rather not unless someone has got this working or something similar.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy
Whoops I was wrong. It doesn’t seem that we’re generating two certs rather we are just adding multiple domains to the same cert.
The commands we use are (after adding the DNS entries):
acme-client --issue --dns dns_acmedns -d .myportal.tel -d .ipcaccess.net
acme-client --deploy --deploy-hook astlinux -d .myportal.tel -d .ipcaccess.net

I think we will just leave it to see if it happens again.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 23 February 2024 at 8:50 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy

> I recall having a case where acme.sh generated two certs and the deploy script was called for the second cert, but asterisk was not done starting up and something similar happened.

To be more clear, "asterisk was not done starting up" from deploying the first certificate and then tried to deploy again for the second certificate.

Lonnie

> On Feb 22, 2024, at 3:37 PM, Lonnie Abelbeck wrote:
>
> Hi Michael,
>
> I had my Jetway NF9HG-2930 die a year or so ago, I know Michael Keuter had a couple NF9HG-2930s die. Though in my case it would not power up anymore.
>
> This case does seem to be different.
>
> Hmmm, is your ACME only a single domain (cert)?
>
> I recall having a case where acme.sh generated two certs and the deploy script was called for the second cert, but asterisk was not done starting up and something similar happened.
>
> Lonnie
>
>> On Feb 22, 2024, at 2:39 PM, Michael Knill wrote:
>>
>> Running version 1.5.0 on Jetway NF9HG-2930.
>>
>> ---
>> Feb 22 23:00:42 30390_Ortho-ACT_CM1 daemon.err lighttpd[30995]: (server.c.2029) server stopped by UID = 0 PID = 7065
>> Feb 22 23:00:43 30390_Ortho-ACT_CM1 daemon.err lighttpd[7087]: (server.c.1436) server started (lighttpd/1.4.51)
>> Feb 22 23:00:43 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for HTTPS and 'lighttpd' restarted
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for SIP-TLS and 'asterisk' restart when convenient requested
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: astobj2_container.c:492 in ao2_iterator_init: FRACK!, Failed assertion user_data is NULL (0)
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk(__ao2_ref+0x5de) [0x46213e] # 1: /usr/sbin/asterisk(ao2_iterator_init+0x2f) [0x464a1f] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef4d) [0x14f159681f4d] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: app_queue.c:2823 in extension_state_cb: FRACK!, Failed assertion user_data is NULL (0)
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk() [0x461502] # 1: /usr/sbin/asterisk(__ao2_iterator_next+0x1d8) [0x464e28] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef9c) [0x14f159681f9c] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x5a0c5a] # 9:
>>
>> ……. more of the same ……...
>>
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: asterisk[31178]: segfault at 58 ip 004f4da0 sp 14f15a55ba58 error 4 in asterisk[43d000+1d6000]
>> Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: Code: c0 74 1f 85 f6 74 1b 89 f2 48 39 d0 72 14 48 8b 47 68 48 63 f6 48 8b 44 f0 f8 c3 0f 1f 80 00 00 00 00 31 c0 c3 0f 1f 44 00 00 <48> 8b 47 58 c3 66 66 2e 0f 1f 84 00 00 00 00 00 49 89 f9 41 b8 af
>> Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Asterisk exited on signal 11.
>> Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Automatically restarting Asterisk.
>> Feb 22 23:00:46 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for XMPP and 'prosody' restarted
>> ---
>>
>> I'm thinking of putting this one in the cloud as this box
Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy
Yes good question but we certainly need multiple certs. We basically have a domain for the customer portal and a domain for management access which may not be the same address e.g. management via VPN.
Thanks I will add this to the next release.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 23 February 2024 at 8:45 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy

A 60 second delay should do it, but I would question why you need two certs.

In my case I was testing something and switched to using only one cert.

Lonnie

> On Feb 22, 2024, at 3:41 PM, Michael Knill wrote:
>
> Ah interesting I do have two certs. Should I add a delay before the second deploy script?
>
> Regards
> Michael Knill
>
> From: Lonnie Abelbeck
> Date: Friday, 23 February 2024 at 8:38 am
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy
>
> Hi Michael,
>
> I had my Jetway NF9HG-2930 die a year or so ago, I know Michael Keuter had a couple NF9HG-2930s die. Though in my case it would not power up anymore.
>
> This case does seem to be different.
>
> Hmmm, is your ACME only a single domain (cert)?
>
> I recall having a case where acme.sh generated two certs and the deploy script was called for the second cert, but asterisk was not done starting up and something similar happened.
>
> Lonnie
>
> > On Feb 22, 2024, at 2:39 PM, Michael Knill wrote:
> >
> > Running version 1.5.0 on Jetway NF9HG-2930.
> >
> > ---
> > Feb 22 23:00:42 30390_Ortho-ACT_CM1 daemon.err lighttpd[30995]: (server.c.2029) server stopped by UID = 0 PID = 7065
> > Feb 22 23:00:43 30390_Ortho-ACT_CM1 daemon.err lighttpd[7087]: (server.c.1436) server started (lighttpd/1.4.51)
> > Feb 22 23:00:43 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for HTTPS and 'lighttpd' restarted
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for SIP-TLS and 'asterisk' restart when convenient requested
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: astobj2_container.c:492 in ao2_iterator_init: FRACK!, Failed assertion user_data is NULL (0)
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk(__ao2_ref+0x5de) [0x46213e] # 1: /usr/sbin/asterisk(ao2_iterator_init+0x2f) [0x464a1f] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef4d) [0x14f159681f4d] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: app_queue.c:2823 in extension_state_cb: FRACK!, Failed assertion user_data is NULL (0)
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk() [0x461502] # 1: /usr/sbin/asterisk(__ao2_iterator_next+0x1d8) [0x464e28] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef9c) [0x14f159681f9c] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x5a0c5a] # 9:
> >
> > ……. more of the same ……...
> >
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: asterisk[31178]: segfault at 58 ip 004f4da0 sp 14f15a55ba58 error 4 in asterisk[43d000+1d6000]
> > Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: Code: c0 74 1f 85 f6 74 1b 89 f2 48 39 d0 72 14 48 8b 47 68 48 63 f6 48 8b 44 f0 f8 c3 0f 1f 80 00 00 00 00 31 c0 c3 0f 1f 44 00 00 <48> 8b 47 58 c3 66 66 2e 0f 1f 84 00 00 00 00 00 49 89 f9 41 b8 af
> > Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Asterisk exited on signal 11.
> > Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Automatically restarting Asterisk.
> > Feb 22 23:00:46 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for XMPP and 'prosody' restarted
> > ---
> >
> > I'm thinking of putting
Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy
Ah interesting I do have two certs. Should I add a delay before the second deploy script?

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 23 February 2024 at 8:38 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Asterisk appeared to crash after ACME deploy

Hi Michael,

I had my Jetway NF9HG-2930 die a year or so ago, I know Michael Keuter had a couple NF9HG-2930s die. Though in my case it would not power up anymore.

This case does seem to be different.

Hmmm, is your ACME only a single domain (cert)?

I recall having a case where acme.sh generated two certs and the deploy script was called for the second cert, but asterisk was not done starting up and something similar happened.

Lonnie

> On Feb 22, 2024, at 2:39 PM, Michael Knill wrote:
>
> Running version 1.5.0 on Jetway NF9HG-2930.
>
> ---
> Feb 22 23:00:42 30390_Ortho-ACT_CM1 daemon.err lighttpd[30995]: (server.c.2029) server stopped by UID = 0 PID = 7065
> Feb 22 23:00:43 30390_Ortho-ACT_CM1 daemon.err lighttpd[7087]: (server.c.1436) server started (lighttpd/1.4.51)
> Feb 22 23:00:43 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for HTTPS and 'lighttpd' restarted
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for SIP-TLS and 'asterisk' restart when convenient requested
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: astobj2_container.c:492 in ao2_iterator_init: FRACK!, Failed assertion user_data is NULL (0)
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk(__ao2_ref+0x5de) [0x46213e] # 1: /usr/sbin/asterisk(ao2_iterator_init+0x2f) [0x464a1f] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef4d) [0x14f159681f4d] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: app_queue.c:2823 in extension_state_cb: FRACK!, Failed assertion user_data is NULL (0)
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk() [0x461502] # 1: /usr/sbin/asterisk(__ao2_iterator_next+0x1d8) [0x464e28] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef9c) [0x14f159681f9c] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x5a0c5a] # 9:
>
> ……. more of the same ……...
>
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: asterisk[31178]: segfault at 58 ip 004f4da0 sp 14f15a55ba58 error 4 in asterisk[43d000+1d6000]
> Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: Code: c0 74 1f 85 f6 74 1b 89 f2 48 39 d0 72 14 48 8b 47 68 48 63 f6 48 8b 44 f0 f8 c3 0f 1f 80 00 00 00 00 31 c0 c3 0f 1f 44 00 00 <48> 8b 47 58 c3 66 66 2e 0f 1f 84 00 00 00 00 00 49 89 f9 41 b8 af
> Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Asterisk exited on signal 11.
> Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Automatically restarting Asterisk.
> Feb 22 23:00:46 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for XMPP and 'prosody' restarted
> ---
>
> I'm thinking of putting this one in the cloud as this box has been there for a while, but wondering if this is a bug or something else? I can't recall seeing it before.
>
> Thanks
> Michael Knill
[Astlinux-users] Asterisk appeared to crash after ACME deploy
Running version 1.5.0 on Jetway NF9HG-2930.

---
Feb 22 23:00:42 30390_Ortho-ACT_CM1 daemon.err lighttpd[30995]: (server.c.2029) server stopped by UID = 0 PID = 7065
Feb 22 23:00:43 30390_Ortho-ACT_CM1 daemon.err lighttpd[7087]: (server.c.1436) server started (lighttpd/1.4.51)
Feb 22 23:00:43 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for HTTPS and 'lighttpd' restarted
Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for SIP-TLS and 'asterisk' restart when convenient requested
Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: astobj2_container.c:492 in ao2_iterator_init: FRACK!, Failed assertion user_data is NULL (0)
Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk(__ao2_ref+0x5de) [0x46213e] # 1: /usr/sbin/asterisk(ao2_iterator_init+0x2f) [0x464a1f] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef4d) [0x14f159681f4d] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x
Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: app_queue.c:2823 in extension_state_cb: FRACK!, Failed assertion user_data is NULL (0)
Feb 22 23:00:44 30390_Ortho-ACT_CM1 local0.err asterisk[31159]: ERROR[31178]: :0 in : Got 11 backtrace records # 0: /usr/sbin/asterisk() [0x461502] # 1: /usr/sbin/asterisk(__ao2_iterator_next+0x1d8) [0x464e28] # 2: /usr/lib/asterisk/modules/app_queue.so(+0xef9c) [0x14f159681f9c] # 3: /usr/sbin/asterisk() [0x51849e] # 4: /usr/sbin/asterisk() [0x5206a4] # 5: /usr/sbin/asterisk() [0x573c60] # 6: /usr/sbin/asterisk(ast_taskprocessor_execute+0x16f) [0x591f0f] # 7: /usr/sbin/asterisk() [0x591fb0] # 8: /usr/sbin/asterisk() [0x5a0c5a] # 9:

……. more of the same ……...

Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: asterisk[31178]: segfault at 58 ip 004f4da0 sp 14f15a55ba58 error 4 in asterisk[43d000+1d6000]
Feb 22 23:00:44 30390_Ortho-ACT_CM1 user.info kernel: Code: c0 74 1f 85 f6 74 1b 89 f2 48 39 d0 72 14 48 8b 47 68 48 63 f6 48 8b 44 f0 f8 c3 0f 1f 80 00 00 00 00 31 c0 c3 0f 1f 44 00 00 <48> 8b 47 58 c3 66 66 2e 0f 1f 84 00 00 00 00 00 49 89 f9 41 b8 af
Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Asterisk exited on signal 11.
Feb 22 23:00:45 30390_Ortho-ACT_CM1 user.info safe_asterisk: Automatically restarting Asterisk.
Feb 22 23:00:46 30390_Ortho-ACT_CM1 user.notice acme-client: New ACME certificates deployed for XMPP and 'prosody' restarted
---

I'm thinking of putting this one in the cloud as this box has been there for a while, but wondering if this is a bug or something else? I can't recall seeing it before.

Thanks
Michael Knill
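One way to watch for a recurrence of the crash logged above, as an added example that is not part of the original thread: a POSIX shell function that scans syslog for an `acme-client` deploy notice followed within a few seconds by a kernel segfault of the same service. The sample lines are abridged from the log above with a constructed hostname (`pbx1`) plus one constructed late-crash pair; the function name and the 5-second default window are assumptions.

```shell
#!/bin/sh
# Added example: flag crashes that follow an ACME deploy restart in syslog.
# Function name, default window and the "pbx1" hostname are assumptions.

# Usage: correlate_deploy_crash [WINDOW_SECONDS] < syslog
# Prints one line per kernel segfault of a service that acme-client
# restarted at most WINDOW_SECONDS earlier on the same day.
# Limitation: a deploy just before midnight and a crash just after it
# are not matched, because classic syslog timestamps carry no year.
correlate_deploy_crash() {
  awk -v window="${1:-5}" '
    # HH:MM:SS -> seconds since midnight
    function secs(hms,   t) {
      split(hms, t, ":")
      return t[1] * 3600 + t[2] * 60 + t[3]
    }

    # acme-client deploy notice; the restarted service is the quoted word.
    # \047 is the octal escape for a single quote.
    $6 == "acme-client:" && /certificates deployed for/ {
      if (split($0, q, "\047") >= 3) {
        day[q[2]] = $1 " " $2
        at[q[2]] = secs($3)
      }
      next
    }

    # kernel notice; field 7 looks like asterisk[31178]:
    $6 == "kernel:" && $8 == "segfault" {
      proc = $7
      sub(/\[.*/, "", proc)
      if ((proc in at) && day[proc] == ($1 " " $2)) {
        delta = secs($3) - at[proc]
        if (delta >= 0 && delta <= window)
          printf "%s %s segfault %ds after ACME deploy restart\n", $4, proc, delta
      }
    }
  '
}

# Abridged from the log in the message above (hostname shortened to pbx1).
SAMPLE_LOG="Feb 22 23:00:43 pbx1 user.notice acme-client: New ACME certificates deployed for HTTPS and 'lighttpd' restarted
Feb 22 23:00:44 pbx1 user.notice acme-client: New ACME certificates deployed for SIP-TLS and 'asterisk' restart when convenient requested
Feb 22 23:00:44 pbx1 local0.err asterisk[31159]: ERROR[31178]: app_queue.c:2823 in extension_state_cb: FRACK!, Failed assertion user_data is NULL (0)
Feb 22 23:00:44 pbx1 user.info kernel: asterisk[31178]: segfault at 58 ip 004f4da0 sp 14f15a55ba58 error 4 in asterisk[43d000+1d6000]
Feb 22 23:00:45 pbx1 user.info safe_asterisk: Asterisk exited on signal 11.
Feb 22 23:00:46 pbx1 user.notice acme-client: New ACME certificates deployed for XMPP and 'prosody' restarted"

# Constructed: a segfault 90 seconds after a deploy, outside the default window.
LATE_CRASH_LOG="Mar  1 23:00:10 pbx1 user.notice acme-client: New ACME certificates deployed for SIP-TLS and 'asterisk' restart when convenient requested
Mar  1 23:01:40 pbx1 user.info kernel: asterisk[4242]: segfault at 58 ip 004f4da0 sp 14f15a55ba58 error 4 in asterisk[43d000+1d6000]"

printf '%s\n' "$SAMPLE_LOG" | correlate_deploy_crash 5
```

On a live system the input would be the syslog file rather than the embedded sample; widening the window (for example to 120) also catches a crash during a slow restart.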
[Astlinux-users] A weird thing happened
Hi Group

Happy New Year to all.
Here’s a weird thing! I had Asterisk crash at EXACTLY the same time and date (23:00:40 on December 30, 2023) on two separate systems!
They are both Qotom Q190G4U.
At 23:00 Cron runs the ACME Update script.

I'm not too concerned but certainly weird.

Regards
Michael Knill
Re: [Astlinux-users] dyndns-host-open plugin update time
Ah I have found the problem.
We deleted one of the dyndns-host-open domains from our DNS but not from Astlinux which meant that ALL domains in dyndns-host-open.conf failed for that box?
I must admit that this is not particularly optimal. Is this standard behaviour?

Regards
Michael Knill

From: Michael Keuter
Date: Thursday, 7 December 2023 at 7:37 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] dyndns-host-open plugin update time

The default time is 900 seconds. You can edit it in the config file. Make sure it is enabled (at the top).

Sent from a mobile device.

Michael Keuter

On 07.12.2023 at 06:25, Michael Knill wrote:

Hi Group

Just wondering how long it takes the dyndns-host-open plugin to update.
I have been waiting for well over a day now and some sites can see the two servers with nslookup but have not updated iptables.

Any ideas?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] dyndns-host-open plugin update time
Hi Group

Just wondering how long it takes the dyndns-host-open plugin to update.
I have been waiting for well over a day now and some sites can see the two servers with nslookup but have not updated iptables.

Any ideas?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] GL.iNet. How good is it?
Thanks all for replying. Looks like it’s a go then.
I will use the Brume 2 Aluminium as a gateway but have also considered using the Mango to provide network monitoring and remote access only. You can also use a PoE to USB 5v splitter so you don’t even need a power supply.

Such a nice solution. Send out a PoE switch, phones and gateway to a partner or directly to a customer preconfigured to VPN into their Astlinux system in the cloud for a plug and play solution. The solution provides monitoring of network connectivity and remote access to all devices. So much more than what a standard cloud provider can do.

Thanks all.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Thursday, 16 November 2023 at 11:44 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] GL.iNet. How good is it?

I have always heard good things about the GL.iNet products, but never personally tested one.

Are you considering the older (inexpensive) Mango/Shadow or the newer Brume 2 gateway?

Their continued firmware support looks good. [1]

GL.iNet embraced WireGuard early on, which was a perfect match for their lower-end CPUs.

Lonnie

[1] https://dl.gl-inet.com/

> On Nov 16, 2023, at 5:01 AM, Michael Keuter wrote:
>
> Hi Michael,
>
> I have a few of them privately as travelrouter (Creta + Beryl), and 2 of them at customers (Creta), but only for remote VPN use.
> I have tested them not with AstLinux yet. They are running stable, and they are based on OpenWRT (but an older version).
>
> Michael
>
> http://www.mksolutions.info
>
>> On 16.11.2023 at 10:12, Michael Knill wrote:
>>
>> Hi All
>> I am looking to start using these as my telephony gateway VPN router device e.g. phones within a client's network using this gateway to connect via Wireguard VPN to the cloud Astlinux system.
>> It looks perfect and initial playing has been positive. You can even cloud manage it which is a bonus.
>> Just checking if anyone has had any experience with GL.iNet products and this is not too good to be true.
>> Regards
>> Michael Knill
[Astlinux-users] GL.iNet. How good is it?
Hi All

I am looking to start using these as my telephony gateway VPN router device e.g. phones within a client's network using this gateway to connect via Wireguard VPN to the cloud Astlinux system.
It looks perfect and initial playing has been positive. You can even cloud manage it which is a bonus.
Just checking if anyone has had any experience with GL.iNet products and this is not too good to be true.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Stopping logging of Crontab
Thanks Lonnie

Very much appreciated.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 29 September 2023 at 4:43 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Stopping logging of Crontab

Hi Michael,

Looking at the /etc/init.d/crond init script, here [1]

If the line "crond" was changed to "crond -L /var/log/crond.log" it would disable syslog and use that file ... but may need rotating if it gets large.

If the line "crond" was changed to "crond -L /dev/null" it would disable syslog and disable logging (i.e. to /dev/null).

BTW, I manually tested both cases to be certain.

Lonnie

[1] https://github.com/astlinux-project/astlinux/blob/09e87eff8bca82bf4afab8dbe09560737dd80d5c/project/astlinux/target_skeleton/etc/init.d/crond#L38

> On Sep 27, 2023, at 8:01 PM, Michael Knill wrote:
>
> Hi group
>
> Replying to this email again. I do understand below but just wondering if there is any way to turn off Cron logging totally or send to a separate log file?
>
> Regards
> Michael Knill
>
> From: Lonnie Abelbeck
> Date: Friday, 31 March 2023 at 1:01 am
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] Stopping logging of Crontab
>
> Hi Michael,
>
> The (busybox) crond daemon has a syslog level setting which defaults to 8, the least verbose log level. So no help there.
>
> Using the filter for the Status Tab is a reasonable idea.
>
> Personally, when executing shell commands on a regular interval of seconds/minutes, I prefer to use a bash shell script and the sleep builtin. (Using the sleep builtin keeps from spawning a new process whenever 'sleep' is called).
>
> The simplest example of this is the 'msmtpqueue' bash script [1]
>
> Basic code setup and loop:
> --
> #!/bin/bash
>
> LOCKFILE="/var/lock/foobar.lock"
>
> # Robust 'bash' method of creating/testing for a lockfile
> if ! ( set -o noclobber; echo "$$" > "$LOCKFILE" ) 2>/dev/null; then
>   echo "foobar: already running, lockfile \"$LOCKFILE\" exists, process id: $(cat "$LOCKFILE")."
>   exit 9
> fi
>
> # Load 'sleep' builtin if it exists
> if [ -f /usr/lib/bash/sleep ]; then
>   enable -f /usr/lib/bash/sleep sleep
> fi
>
> # seconds to wait
> wait=300
>
> trap 'rm -f "$LOCKFILE"; exit $?' INT TERM EXIT
>
> while true; do
>   # do stuff
>
>   sleep $wait
> done
>
> rm -f "$LOCKFILE"
> trap - INT TERM EXIT
> --
>
> Look at the actual code [1] for finer details. Another fairly simple example, asterisk-sip-monitor [2] which adds a PID file that can be removed to exit the script.
>
> Lonnie
>
> [1] https://github.com/astlinux-project/astlinux/blob/master/package/msmtp/msmtpqueue.sh
>
> [2] https://github.com/astlinux-project/astlinux/blob/master/package/asterisk/asterisk-sip-monitor
>
> > On Mar 29, 2023, at 11:39 PM, Michael Knill wrote:
> >
> > Short of putting in a filter for the Status Tab, is there any way to stop Crontab logging to Syslog.
> > I now have a process that is run every 10 minutes and it's annoying that it logs to Syslog each time.
> >
> > Regards
> >
> > Michael Knill
> > Managing Director
> >
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: michael.kn...@ipcsolutions.com.au
> > W: ipcsolutions.com.au
Re: [Astlinux-users] Stopping logging of Crontab
Hi group

Replying to this email again. I do understand below but just wondering if there is any way to turn off Cron logging totally or send to a separate log file?

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 31 March 2023 at 1:01 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Stopping logging of Crontab

Hi Michael,

The (busybox) crond daemon has a syslog level setting which defaults to 8, the least verbose log level. So no help there.

Using the filter for the Status Tab is a reasonable idea.

Personally, when executing shell commands on a regular interval of seconds/minutes, I prefer to use a bash shell script and the sleep builtin. (Using the sleep builtin keeps from spawning a new process whenever 'sleep' is called).

The simplest example of this is the 'msmtpqueue' bash script [1]

Basic code setup and loop:
--
#!/bin/bash

LOCKFILE="/var/lock/foobar.lock"

# Robust 'bash' method of creating/testing for a lockfile
if ! ( set -o noclobber; echo "$$" > "$LOCKFILE" ) 2>/dev/null; then
  echo "foobar: already running, lockfile \"$LOCKFILE\" exists, process id: $(cat "$LOCKFILE")."
  exit 9
fi

# Load 'sleep' builtin if it exists
if [ -f /usr/lib/bash/sleep ]; then
  enable -f /usr/lib/bash/sleep sleep
fi

# seconds to wait
wait=300

trap 'rm -f "$LOCKFILE"; exit $?' INT TERM EXIT

while true; do
  # do stuff

  sleep $wait
done

rm -f "$LOCKFILE"
trap - INT TERM EXIT
--

Look at the actual code [1] for finer details. Another fairly simple example, asterisk-sip-monitor [2] which adds a PID file that can be removed to exit the script.

Lonnie

[1] https://github.com/astlinux-project/astlinux/blob/master/package/msmtp/msmtpqueue.sh

[2] https://github.com/astlinux-project/astlinux/blob/master/package/asterisk/asterisk-sip-monitor

> On Mar 29, 2023, at 11:39 PM, Michael Knill wrote:
>
> Short of putting in a filter for the Status Tab, is there any way to stop Crontab logging to Syslog.
> I now have a process that is run every 10 minutes and it's annoying that it logs to Syslog each time.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
Re: [Astlinux-users] Accessing devices behind Astlinux
Phew, spent most of the day thinking about this but have come up with a plan moving forward.

I have decided that we will continue to use SSH and SOCKS as we have been successfully doing so, with a couple of improvements:

1. OpenSSH supports ProxyJump which you can use in ~/.ssh/config or as a -J directive. This will automatically pass your SSH tunnel through a hardened proxy server on which you can set up individual users and then restrict SSH access from your Astlinux servers to this Jump server only. It seems to work well from my limited testing and Astlinux can be a Jump server.
2. As Lonnie mentioned we will script the addition and removal of SSH keys from devices from a trusted device (my laptop probably)

Thanks guys for your help.

Regards
Michael Knill

From: Michael Keuter
Date: Saturday, 19 August 2023 at 2:20 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Accessing devices behind Astlinux

Here is also an interesting video regarding jump servers:
https://www.youtube.com/watch?v=KIeBC7NIzj4

Michael

http://www.mksolutions.info

> On 18.08.2023 at 17:44, Michael Keuter wrote:
>
> Nice video, very interesting.
>
> BTW: on macOS you can install Proxychains via Homebrew with:
>
> brew install proxychains-ng
>
> and call it with "proxychains4 firefox".
>
>> On 18.08.2023 at 17:02, Lonnie Abelbeck wrote:
>>
>> Hi Michael,
>>
>> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
>>
>> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
>>
>> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
>>
>> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
>>
>> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
>>
>> Lonnie
>>
>> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
>>
>>> On Aug 18, 2023, at 2:17 AM, Michael Knill wrote:
>>>
>>> Hi All
>>>
>>> Here is the issue:
>>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
>>> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staff member.
>>>
>>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
>>> Could there be any other options e.g. HTTPS proxy?
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director
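One way to script the two measures this thread settles on (keys added and removed from one trusted machine, and SSH on each AstLinux box accepted only when it arrives via the jump server), as an added example that is not part of the original messages. The function names, host names, the 192.0.2.10 jump address and the sample keys are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: keep one authorized_keys file per AstLinux box on a trusted
# admin machine and pin every staff key to the jump server's address.
#
# Client side, ~/.ssh/config (ProxyJump is a standard OpenSSH option; the host
# names are placeholders):
#   Host astlinux-*
#       ProxyJump staff@jump.example.net
#
# With from="<jump ip>" on each key, a copied staff key is refused unless the
# connection also comes from the jump server. Port forwarding is left enabled
# because the thread relies on SSH tunnelling and SOCKS through these boxes.
# Push the finished file over the jump path, for example:
#   scp -o ProxyJump=staff@jump.example.net keys/site1 root@astlinux-site1:<authorized_keys path on the device>

# Constructed sample values (not real key material).
ALICE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForAliceOnly0000000000 alice@laptop'
BOB_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForBobOnly000000000000 bob@laptop'
JUMP_IP='192.0.2.10'   # documentation address standing in for the jump server

# Print the base64 key blob of one authorized_keys or .pub line: the field that
# follows the key type, skipping leading options and the trailing comment.
# Limitation: an option value that itself contains a key type is not handled.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-|sk-)/) { print $(i + 1); exit }
    }'
}

# Succeed if FILE already holds a line carrying BLOB.
ak_has() {
    awk -v want="$2" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
                      END { exit !found }' "$1"
}

# ak_add FILE JUMP_IP PUBKEY: onboard a key, restricted to the jump server.
# Idempotent: a key that is already present is not added twice.
ak_add() {
    file=$1 jump_ip=$2 pubkey=$3
    blob=$(key_blob "$pubkey")
    [ -n "$blob" ] || { echo "ak_add: not a public key line" >&2; return 2; }
    touch "$file" && chmod 600 "$file"
    if ak_has "$file" "$blob"; then return 0; fi
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s\n' \
        "$jump_ip" "$pubkey" >> "$file"
}

# ak_remove FILE PUBKEY: offboard a key. Matches on the key blob, so it works
# whatever options or comment the stored line has. Prints the lines removed.
ak_remove() {
    file=$1 blob=$(key_blob "$2")
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    removed=$(awk -v want="$blob" -v out="$tmp" '{
        hit = 0
        for (i = 1; i <= NF; i++) if ($i == want) hit = 1
        if (hit) n++; else print > out
    } END { print n + 0 }' "$file")
    chmod 600 "$tmp" && mv "$tmp" "$file"   # replace the file in one step
    echo "$removed"
}

# Run with the argument "demo" to see the resulting file.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    ak_add "$f" "$JUMP_IP" "$ALICE_PUB"
    ak_add "$f" "$JUMP_IP" "$BOB_PUB"
    ak_remove "$f" "$ALICE_PUB" >/dev/null
    cat "$f"
    rm -f "$f"
fi
```

For the jump path to work, the jump server's sshd must allow TCP forwarding for the staff accounts.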
Re: [Astlinux-users] Accessing devices behind Astlinux
Thanks guys. Very interesting info.

We are already using SSH Key only and SOCKS to access devices behind Astlinux which works well. I didn’t know about proxychains though which will be MUCH better than having to keep changing the proxy config on Firefox.

I have considered using a jump server in our management network but there was always the concern that if it was compromised then attackers are a step closer to being able to access all our systems and possibly the devices behind them. There are certainly a few things that you can do however to mitigate this including encrypting drives (and backups) and having multiple layers of security.

Certainly some more ideas to think about. Thanks again.

Regards
Michael Knill

From: Michael Keuter
Date: Saturday, 19 August 2023 at 2:20 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Accessing devices behind Astlinux

Here is also an interesting video regarding jump servers:
https://www.youtube.com/watch?v=KIeBC7NIzj4

Michael

http://www.mksolutions.info

> On 18.08.2023 at 17:44, Michael Keuter wrote:
>
> Nice video, very interesting.
>
> BTW: on macOS you can install Proxychains via Homebrew with:
>
> brew install proxychains-ng
>
> and call it with "proxychains4 firefox".
>
>> On 18.08.2023 at 17:02, Lonnie Abelbeck wrote:
>>
>> Hi Michael,
>>
>> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
>>
>> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
>>
>> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
>>
>> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
>>
>> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
>>
>> Lonnie
>>
>> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
>>
>>> On Aug 18, 2023, at 2:17 AM, Michael Knill wrote:
>>>
>>> Hi All
>>>
>>> Here is the issue:
>>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
>>> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staff member.
>>>
>>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
>>> Could there be any other options e.g. HTTPS proxy?
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director
[Astlinux-users] Accessing devices behind Astlinux
Hi All

Here is the issue:
We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staff member.

Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
Could there be any other options e.g. HTTPS proxy?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Looking to implement DNS-TLS
Thanks

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 11 August 2023 at 10:19 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Looking to implement DNS-TLS

Sounds like you have a use case to implement the /mnt/kd/dnsmasq.static trick/workaround.

Lonnie

> On Aug 10, 2023, at 6:38 PM, Michael Knill wrote:
>
> Hi Lonnie
>
> Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall.
> You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.
>
> Yes I suspect it would be rare but the impact would be high if it happened.
>
> Regards
> Michael Knill
>
> From: Lonnie Abelbeck
> Date: Thursday, 10 August 2023 at 11:26 pm
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] Looking to implement DNS-TLS
>
> Hi Michael,
>
> Not sure what you mean by "dyn-dns plugin"? Plugin to what?
>
> In this day and age, certificates that depend on the system to have a valid time are quite common.
>
> If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time. Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS).
>
> The AstLinux system clock is maintained via one or more of:
>
> 1) CMOS flash with battery RTC (bare metal)
>
> 2) Virtual Machine host provides date/time (VM)
>
> 3) Time is set on startup using chrony using Network tab -> "Network Time Settings:"
>
> While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup.
>
> Lonnie
>
> [1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues
>
> > On Aug 10, 2023, at 1:28 AM, Michael Knill wrote:
> >
> > Hi Group
> >
> > I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
> > I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.
> >
> > I have two questions:
> > • As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
> > • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.
> >
> > Regards
> >
> > Michael Knill
> > Managing Director
> >
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: michael.kn...@ipcsolutions.com.au
> > W: ipcsolutions.com.au
> >
> > Smarter Business Communications
Re: [Astlinux-users] Looking to implement DNS-TLS
Hi Lonnie

Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall.
You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.

Yes I suspect it would be rare but the impact would be high if it happened.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Thursday, 10 August 2023 at 11:26 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Looking to implement DNS-TLS

Hi Michael,

Not sure what you mean by "dyn-dns plugin"? Plugin to what?

In this day and age, certificates that depend on the system to have a valid time are quite common.

If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time. Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS).

The AstLinux system clock is maintained via one or more of:

1) CMOS flash with battery RTC (bare metal)

2) Virtual Machine host provides date/time (VM)

3) Time is set on startup using chrony using Network tab -> "Network Time Settings:"

While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup.

Lonnie

[1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues

> On Aug 10, 2023, at 1:28 AM, Michael Knill wrote:
>
> Hi Group
>
> I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
> I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.
>
> I have two questions:
> • As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
> • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] Looking to implement DNS-TLS
Hi Group

I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.

I have two questions:

1. As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
2. I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] What is .wh.__dir_opaque
Thanks Lonnie. I will remove to keep things clean.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Thursday, 3 August 2023 at 10:42 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] What is .wh.__dir_opaque

Hi Michael,

AstLinux version 1.3.8 and older used a unionfs driver (kernel based) that used "whiteout" files added to the filesystem (ex. .wh.__dir_opaque) to note added/removed directories, among other things.

AstLinux version 1.3.10 and newer uses a different unionfs driver (FUSE based), so the old whiteout files (ex. .wh.__dir_opaque) are no longer used/needed.

These whiteout files are of zero size, so the simplest is to ignore them. If you want to remove the old whiteout files, you can.

Lonnie

> On Aug 3, 2023, at 4:59 AM, Michael Knill wrote:
>
> Hi Group
>
> I'm getting ‘.wh.__dir_opaque’ files in a number of directories on an old Astlinux system that I have recently upgraded.
> Just wondering what they are and whether I should delete them?
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] What is .wh.__dir_opaque
Hi Group

I'm getting ‘.wh.__dir_opaque’ files in a number of directories on an old Astlinux system that I have recently upgraded.
Just wondering what they are and whether I should delete them?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Hi Group

I can now confirm that removing the adaptive jitterbuffer from voicemail (and other modules in the call flow prior to voicemail) fixed this problem. I will be trying to find out why but will leave as disabled until confirmed working again.

Thanks all for your help.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 7:19 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Another update:
I actually think I have fixed the problem. I removed the adaptive jitterbuffer from voicemail in the dialplan and I was able to make it happen again after over 30 attempts. I put it back and it cut off the first call.
Will implement out in the wild and see if it fixes the problem. Will let you know how I go.

PS sorry for all the emails.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 5:51 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Scratch the last email. Had it that only one of them dropped out and the other kept working.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 5:04 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Another update:
In my testing I had two phone calls going simultaneously (one from my mobile and one from my deskphone) and they both dropped out at virtually the same time.

[Jun 22 16:58:13] WARNING[8830][C-00c4]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:13] WARNING[8830][C-00c4]: app.c:2010 __ast_play_and_record: Error writing frame
-- Recording was 0 seconds long but needs to be at least 1 - abandoning
….
[Jun 22 16:58:30] WARNING[8806][C-00c3]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:30] WARNING[8806][C-00c3]: app.c:2010 __ast_play_and_record: Error writing frame

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 3:13 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Update:
Using tcpdump I managed to do a packet capture as the problem is unfortunately occurring frequently enough to make this possible.
After looking at the pcap with Wireshark, the RTP stream looked fine and I could not find any empty RTP frames e.g. all had payload entries and were the same size. They were all G.711 PCMA encoded as well.

Surely it can't be a disk write issue otherwise I would probably be seeing other issues and it's usually intermittent?

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 2:24 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hmm the problem is still there after these changes and I have now stopped my upgrades until it's fixed.
After posting on the forum, jcolp has responded with:

The two cases for format_wav to return an error for writing is:
1. It was given a frame with no data in it
2. An error occurred when writing it to the disk
The first case would require probably orchestrating things and going through the complete media flow to determine where/how a frame with no data appeared.

Any ideas where I would start my troubleshooting?

Regards
Michael Knill

From: Michael Knill
Date: Wednesday, 14 June 2023 at 6:16 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hi Lonnie

Thanks for this.
So the testing I performed was to call into the system from my mobile to a number that goes directly to voicemail without a greeting. If the call stayed up for a couple of seconds then I would hang up and call again. Whenever I got the Warning messages, the call actually dropped.
Another log line I didn't add was:
-- Recording was 0 seconds long but needs to be at least 1 – abandoning

I also posted on the Asterisk forum and someone mentioned that a solution to the problem could be setting “transmit_silence=yes” in asterisk.conf which I tried and it significantly reduced (possibly eliminated) the problem.
I will try setting this at a couple of our problem sites to see if it fixes the problem and let you know how I go.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Tuesday, 13 June 2023 at 10:26 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hi Michael,

I looked through the Asterisk code, this is basic core code, but some 'code stirring' has occurred between 13 and 16.

If you can replicate it in the lab, does Astlinux 1.5.0 / 13se work as expected with your voicemail.conf?

Does the error occur only on long (longer) voicemails?

Does the error occur intermittently or all the time? Any pattern
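The two warnings quoted in this thread can be counted per call, which gives a number to compare across sites before and after a dialplan change. This is an added example, not part of the original messages; the function name is an assumption and the sample log is constructed from the lines quoted above plus one made-up unrelated warning.

```shell
#!/bin/sh
# Added example: list the calls whose voicemail recording hit both warnings
# quoted in the thread (ast_writestream, then __ast_play_and_record).

# Constructed sample log: the first four lines are the ones quoted in the
# thread, the last is an invented unrelated warning that must be ignored.
SAMPLE_LOG='[Jun 22 16:58:13] WARNING[8830][C-00c4]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:13] WARNING[8830][C-00c4]: app.c:2010 __ast_play_and_record: Error writing frame
[Jun 22 16:58:30] WARNING[8806][C-00c3]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:30] WARNING[8806][C-00c3]: app.c:2010 __ast_play_and_record: Error writing frame
[Jun 22 17:02:41] WARNING[8901][C-00c5]: example.c:1 example_func: constructed unrelated warning'

# vm_write_failures [LOGFILE...]: read Asterisk log lines (stdin if no file is
# given) and print, in order of first appearance, one line per affected call:
#   <call id> <timestamp of first warning> <number of matching warnings>
# A call is reported only when both warnings carry the same call id.
vm_write_failures() {
    awk '
    /WARNING\[[0-9]+\]\[C-[0-9a-fA-F]+\]/ {
        if ($0 ~ /ast_writestream: Translated frame write failed/)      kind = "ws"
        else if ($0 ~ /__ast_play_and_record: Error writing frame/)     kind = "pr"
        else next

        ts = substr($0, 2, index($0, "]") - 2)     # text inside the first [...]
        match($0, /C-[0-9a-fA-F]+/)                # call id token
        id = substr($0, RSTART, RLENGTH)

        if (kind == "ws") ws[id]++; else pr[id]++
        if (!(id in first)) { first[id] = ts; order[++n] = id }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (ws[id] > 0 && pr[id] > 0)
                print id, first[id], ws[id] + pr[id]
        }
    }' "$@"
}

# vm_affected_calls [LOGFILE...]: just the number of affected calls.
vm_affected_calls() {
    vm_write_failures "$@" | wc -l | tr -d ' '
}

# Run with the argument "demo" to see the report for the sample log.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | vm_write_failures
fi
```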
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Another update:
I actually think I have fixed the problem. I removed the adaptive jitterbuffer from voicemail in the dialplan and I was able to make it happen again after over 30 attempts. I put it back and it cut off the first call.
Will implement out in the wild and see if it fixes the problem. Will let you know how I go.

PS sorry for all the emails.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 5:51 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Scratch the last email. Had it that only one of them dropped out and the other kept working.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 5:04 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Another update:
In my testing I had two phone calls going simultaneously (one from my mobile and one from my deskphone) and they both dropped out at virtually the same time.

[Jun 22 16:58:13] WARNING[8830][C-00c4]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:13] WARNING[8830][C-00c4]: app.c:2010 __ast_play_and_record: Error writing frame
-- Recording was 0 seconds long but needs to be at least 1 - abandoning
….
[Jun 22 16:58:30] WARNING[8806][C-00c3]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:30] WARNING[8806][C-00c3]: app.c:2010 __ast_play_and_record: Error writing frame

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 3:13 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Update:
Using tcpdump I managed to do a packet capture as the problem is unfortunately occurring frequently enough to make this possible.
After looking at the pcap with Wireshark, the RTP stream looked fine and I could not find any empty RTP frames e.g. all had payload entries and were the same size. They were all G.711 PCMA encoded as well.

Surely it can't be a disk write issue otherwise I would probably be seeing other issues and it's usually intermittent?

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 2:24 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hmm the problem is still there after these changes and I have now stopped my upgrades until it's fixed.
After posting on the forum, jcolp has responded with:

The two cases for format_wav to return an error for writing is:
1. It was given a frame with no data in it
2. An error occurred when writing it to the disk
The first case would require probably orchestrating things and going through the complete media flow to determine where/how a frame with no data appeared.

Any ideas where I would start my troubleshooting?

Regards
Michael Knill

From: Michael Knill
Date: Wednesday, 14 June 2023 at 6:16 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hi Lonnie

Thanks for this.
So the testing I performed was to call into the system from my mobile to a number that goes directly to voicemail without a greeting. If the call stayed up for a couple of seconds then I would hang up and call again. Whenever I got the Warning messages, the call actually dropped.
Another log line I didn't add was:
-- Recording was 0 seconds long but needs to be at least 1 – abandoning

I also posted on the Asterisk forum and someone mentioned that a solution to the problem could be setting “transmit_silence=yes” in asterisk.conf which I tried and it significantly reduced (possibly eliminated) the problem.
I will try setting this at a couple of our problem sites to see if it fixes the problem and let you know how I go.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Tuesday, 13 June 2023 at 10:26 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hi Michael,

I looked through the Asterisk code, this is basic core code, but some 'code stirring' has occurred between 13 and 16.

If you can replicate it in the lab, does Astlinux 1.5.0 / 13se work as expected with your voicemail.conf?

Does the error occur only on long (longer) voicemails?

Does the error occur intermittently or all the time? Any pattern?

Lonnie

> On Jun 13, 2023, at 5:52 AM, Michael Knill wrote:
>
> Hi Group
>
> I'm trying to find out why I am getting voicemail errors on Asterisk 16 on Astlinux 1.4.7 and hoping someone may have an idea where I should start investigating. I'm getting reports and example voicemails where the person has been cut off mid recording only on Asterisk 16 on Astlinux 1.4.7.
> I'm intermittently getting the following which from testing happens prior to
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Scratch the last email. Had it that only one of them dropped out and the other kept working.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 5:04 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Another update:
In my testing I had two phone calls going simultaneously (one from my mobile and one from my deskphone) and they both dropped out at virtually the same time.

[Jun 22 16:58:13] WARNING[8830][C-00c4]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:13] WARNING[8830][C-00c4]: app.c:2010 __ast_play_and_record: Error writing frame
-- Recording was 0 seconds long but needs to be at least 1 - abandoning
….
[Jun 22 16:58:30] WARNING[8806][C-00c3]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:30] WARNING[8806][C-00c3]: app.c:2010 __ast_play_and_record: Error writing frame

Regards
Michael Knill
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Another update:
In my testing I had two phone calls going simultaneously (one from my mobile and one from my deskphone) and they both dropped out at virtually the same time.

[Jun 22 16:58:13] WARNING[8830][C-00c4]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:13] WARNING[8830][C-00c4]: app.c:2010 __ast_play_and_record: Error writing frame
-- Recording was 0 seconds long but needs to be at least 1 - abandoning
….
[Jun 22 16:58:30] WARNING[8806][C-00c3]: file.c:293 ast_writestream: Translated frame write failed
[Jun 22 16:58:30] WARNING[8806][C-00c3]: app.c:2010 __ast_play_and_record: Error writing frame

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 3:13 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Update:
Using tcpdump I managed to do a packet capture as the problem is unfortunately occurring frequently enough to make this possible.
After looking at the pcap with Wireshark, the RTP stream looked fine and I could not find any empty RTP frames e.g. all had payload entries and were the same size. They were all G.711 PCMA encoded as well.

Surely it can't be a disk write issue otherwise I would probably be seeing other issues and it's usually intermittent?

Regards
Michael Knill
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Update:
Using tcpdump I managed to do a packet capture as the problem is unfortunately occurring frequently enough to make this possible.
After looking at the pcap with Wireshark, the RTP stream looked fine and I could not find any empty RTP frames e.g. all had payload entries and were the same size. They were all G.711 PCMA encoded as well.

Surely it can't be a disk write issue otherwise I would probably be seeing other issues and it's usually intermittent?

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 22 June 2023 at 2:24 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hmm the problem is still there after these changes and I have now stopped my upgrades until it's fixed.
After posting on the forum, jcolp has responded with:

The two cases for format_wav to return an error for writing is:
1. It was given a frame with no data in it
2. An error occurred when writing it to the disk
The first case would require probably orchestrating things and going through the complete media flow to determine where/how a frame with no data appeared.

Any ideas where I would start my troubleshooting?

Regards
Michael Knill
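Added example, not part of the thread and not Asterisk or AstLinux code: the check described in the message above (no empty RTP frames, constant payload size, all G.711 PCMA) done by script over a tcpdump capture instead of by eye in Wireshark. The sample capture is constructed inline; the function names, addresses, ports and SSRC are assumptions made for the example.

```python
import struct
from collections import defaultdict

PCMA = 8  # static RTP payload type for G.711 A-law


def udp_payloads(pcap: bytes):
    """Yield UDP payloads from a classic little-endian pcap with Ethernet framing.

    Captures taken on the "any" pseudo-interface use a different link type
    and are rejected; pcapng files are not handled either.
    """
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    pos = 24
    while pos + 16 <= len(pcap):
        _sec, _usec, caplen, _origlen = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:                             # UDP only
            continue
        udp = frame[14 + ihl:]
        if len(udp) < 8:
            continue
        udp_len = struct.unpack("!H", udp[4:6])[0]
        yield udp[8:udp_len]


def rtp_fields(udp_payload: bytes):
    """Return (ssrc, payload type, sequence, media bytes) or None if not RTP v2."""
    if len(udp_payload) < 12 or udp_payload[0] >> 6 != 2:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", udp_payload[:12])
    ptype = b1 & 0x7F
    if 72 <= ptype <= 76:                     # RTCP packet types 200-204, not media
        return None
    offset = 12 + 4 * (b0 & 0x0F)             # skip CSRC list
    if b0 & 0x10:                             # header extension present
        if len(udp_payload) < offset + 4:
            return None
        ext_words = struct.unpack("!H", udp_payload[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(udp_payload)
    if b0 & 0x20 and end > offset:            # padding: last byte is the pad length
        end -= udp_payload[-1]
    return ssrc, ptype, seq, udp_payload[offset:max(offset, end)]


def summarize(pcap: bytes):
    """Per-SSRC stats: packets, payload types, payload sizes, empty frames, sequence gaps."""
    streams = defaultdict(lambda: {"packets": 0, "types": set(), "sizes": set(),
                                   "empty": 0, "gaps": 0, "last_seq": None})
    for payload in udp_payloads(pcap):
        parsed = rtp_fields(payload)
        if parsed is None:
            continue
        ssrc, ptype, seq, data = parsed
        s = streams[ssrc]
        s["packets"] += 1
        s["types"].add(ptype)
        s["sizes"].add(len(data))
        s["empty"] += len(data) == 0
        if s["last_seq"] is not None and seq != (s["last_seq"] + 1) & 0xFFFF:
            s["gaps"] += 1
        s["last_seq"] = seq
    return dict(streams)


def build_sample() -> bytes:
    """Constructed capture: PCMA packets of 160 bytes, one empty frame, one skipped sequence."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq in (1, 2, 3, 5, 6):
        data = b"" if seq == 3 else b"\xd5" * 160
        rtp = struct.pack("!BBHII", 0x80, PCMA, seq, seq * 160, 0x1234ABCD) + data
        udp = struct.pack("!HHHH", 10000, 10002, 8 + len(rtp), 0) + rtp
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for ssrc, s in summarize(build_sample()).items():
        print(hex(ssrc), s)
```

A clean PCMA stream shows a single payload type (8), a single payload size, and zero for both `empty` and `gaps`; anything else points at the media path rather than the disk.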
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Hmm the problem is still there after these changes and I have now stopped my upgrades until it's fixed.
After posting on the forum, jcolp has responded with:

The two cases for format_wav to return an error for writing is:
1. It was given a frame with no data in it
2. An error occurred when writing it to the disk
The first case would require probably orchestrating things and going through the complete media flow to determine where/how a frame with no data appeared.

Any ideas where I would start my troubleshooting?

Regards
Michael Knill

From: Michael Knill
Date: Wednesday, 14 June 2023 at 6:16 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7

Hi Lonnie

Thanks for this.
So the testing I performed was to call into the system from my mobile to a number that goes directly to voicemail without a greeting. If the call stayed up for a couple of seconds then I would hang up and call again.
Whenever I got the Warning messages, the call actually dropped. Another log line I didn't add was:
-- Recording was 0 seconds long but needs to be at least 1 – abandoning

I also posted on the Asterisk forum and someone mentioned that a solution to the problem could be setting “transmit_silence=yes” in asterisk.conf which I tried and it significantly reduced (possibly eliminated) the problem.
I will try setting this at a couple of our problem sites to see if it fixes the problem and let you know how I go.

Regards
Michael Knill
Re: [Astlinux-users] Running ipsec behind Astlinux
Thanks Lonnie very much for your response.
Yes I had some suspicions that this was the issue however I tried to drop off one and reconnect the other unsuccessfully.
Unfortunately it's not us configuring the client so not sure if they are using NATT ☹ but I think with the information provided we will be able to get this sorted.

Yes I never use IPsec. Thanks again.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Thursday, 22 June 2023 at 12:10 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Running ipsec behind Astlinux

Hi Michael,

First, answering your followup question:

> (Actually if this works...) Do I need any firewall rules for this? I did have AH, ESP and UDP500/4500 NAT’d previously.

No you don't, the AIF ipsec-vpn plugin automatically opens ports for an AstLinux IPsec VPN endpoint as well as supporting forwarding NAT'ed IPsec traffic. Since you don't have the AstLinux IPsec VPN enabled, the described "hack" is to enable the plugin to support forwarding NAT'ed IPsec traffic.

> Interestingly I had a Cisco router working behind it fine but we couldn’t get the second VPN up.

Ahhh, that explains a lot.

Note that NAT works with UDP and TCP by using the inbound/outbound 'port' and inbound/outbound IP address to create a connection tracking hash table. Clients behind NAT can use multiple UDP/TCP connections to the same public server since they will each use different ports via NAT at the edge.

Now with IPsec using ESP, a raw IP protocol, there are no ports for the NAT connection tracking to use for uniqueness. As a result, only one IPsec ESP client connection can be established to the same public server behind NAT. A second IPsec ESP client connection will fail as long as the NAT table has an active, previous IPsec ESP client connection.

The solution to this is to configure the IPsec server and client to use IPsec NATT (NAT Traversal) where the IPsec payload uses 4500/UDP instead of ESP. In both cases IPsec IKE uses 500/UDP to negotiate the connection.

In summary (as I see it):

1) If your goal is to establish more than one IPsec ESP client connection to the *same* public server, the AIF ipsec-vpn plugin "hack" will not help you.

2) If you can use IPsec NATT (NAT Traversal), the AIF ipsec-vpn plugin "hack" is not needed, that should work with most any NAT router.

Lonnie

Or, just use WireGuard :-)

> On Jun 21, 2023, at 1:01 AM, Michael Knill wrote:
>
> Thanks Lonnie. I will give it a try.
> Interestingly I had a Cisco router working behind it fine but we couldn’t get the second VPN up. We changed it out for a TP-Link router so the customer could manage themselves and that didn’t work at all.
>
> Regards
> Michael Knill
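Added example, not part of the thread and not AstLinux or netfilter code: a simplified NAT reply table that follows the explanation quoted above, showing a second ESP client to the same server being refused while two NAT traversal (4500/UDP) clients coexist. The class, function names, addresses and starting port are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17     # IP protocol numbers
NATT_PORT = 4500      # UDP port carrying IPsec when NAT traversal is used

# Constructed addresses (documentation and private ranges).
SERVER = "203.0.113.10"
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no ports
    dport: Optional[int] = None


class Nat:
    """Source NAT with a reply table, reduced to the behaviour described above."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}     # outbound flow -> reply key
        self.replies = {}   # reply key -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside -> outside; None means the flow cannot be tracked."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key = self.flows.get(flow)
        if key is None:
            if pkt.proto == ESP:
                public_port = None            # no port to rewrite, nothing to tell flows apart
            else:
                public_port = self.next_port  # unique public port per flow
                self.next_port += 1
            # How a reply from the server looks on the public side.
            key = (pkt.proto, pkt.dst, pkt.dport, public_port)
            if key in self.replies:           # reply tuple already owned by another inside host
                return None
            self.flows[flow] = key
            self.replies[key] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, key[3], pkt.dport)

    def inbound(self, pkt: Packet):
        """Return (inside ip, inside port) for a reply, or None if untracked."""
        return self.replies.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))

    def expire(self, inside_ip: str) -> None:
        """Drop every tracked flow of one inside host (models a conntrack timeout)."""
        for flow, key in list(self.flows.items()):
            if flow[1] == inside_ip:
                del self.flows[flow]
                del self.replies[key]


def esp_scenario():
    """Two clients send raw ESP to the same server through one NAT."""
    nat = Nat("198.51.100.1")
    a = nat.outbound(Packet(ESP, CLIENT_A, SERVER))
    b = nat.outbound(Packet(ESP, CLIENT_B, SERVER))        # collides with A's entry
    owner = nat.inbound(Packet(ESP, SERVER, nat.public_ip))
    nat.expire(CLIENT_A)                                    # A's entry ages out
    b_retry = nat.outbound(Packet(ESP, CLIENT_B, SERVER))
    return a is not None, b is not None, owner, b_retry is not None


def natt_scenario():
    """The same two clients using NAT traversal, so the payload rides in 4500/UDP."""
    nat = Nat("198.51.100.1")
    a = nat.outbound(Packet(UDP, CLIENT_A, SERVER, NATT_PORT, NATT_PORT))
    b = nat.outbound(Packet(UDP, CLIENT_B, SERVER, NATT_PORT, NATT_PORT))
    to_a = nat.inbound(Packet(UDP, SERVER, nat.public_ip, NATT_PORT, a.sport))
    to_b = nat.inbound(Packet(UDP, SERVER, nat.public_ip, NATT_PORT, b.sport))
    return a.sport, b.sport, to_a, to_b


if __name__ == "__main__":
    print("ESP  :", esp_scenario())
    print("NAT-T:", natt_scenario())
```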
Re: [Astlinux-users] Running ipsec behind Astlinux
Actually if this works, is there any reason why I could not have this implemented for all my systems?
Do I need any firewall rules for this? I did have AH, ESP and UDP500/4500 NAT’d previously.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Tuesday, 20 June 2023 at 11:44 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Running ipsec behind Astlinux

Hi Michael,

Good question...

It sounds like AstLinux needs to perform IPsec pass-through while the AstLinux IPsec VPN is not enabled.

As a quick "hack", using the Network tab ...

Firewall Plugins: [ ipsec-vpn ] - { Configure Plugin }

Ignore the "*** Do Not Edit Below Here ***" note and set ENABLED=1 in the lower section, per this diff:

-- diff -- # AstLinux specific mappings, either edit your /mnt/kd/rc.conf file # or, use Network tab -> [IPsec Configuration] from the web interface. # -- # Indent script section so script variables won't be merged - ENABLED=0 + ENABLED=1 IPSEC_ALLOWED_HOSTS="0/0" IPSEC_VPN_NETS="" IPSEC_NAT_TRAVERSAL=0 vpntype_ipsec=0 -- diff --

"Save Changes" and "Restart Firewall" to apply the change.

Please report back if this solves your issue.

BTW, alternatively, if the internal IPsec client was configured to use NAT Traversal, that should also work without AstLinux firewall tweaks.

Lonnie

> On Jun 20, 2023, at 3:19 AM, Michael Knill wrote:
>
> Hi Group
>
> I have an ipsec VPN device behind Astlinux and it cannot connect. When I stick the device behind a 4G enabled Mikrotik router then it works fine.
> What could be the problem? Are there any additional rules I need to add?
>
> This is certainly very annoying and hopefully I can fix it before it uses up all my 4G data.
>
> Regards
>
> Michael Knill
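Review bot: the unchanged context line IPSEC_ALLOWED_HOSTS="0/0" stays at any-address while ENABLED goes from 0 to 1, so the plugin is switched on with no limit on the remote side; where the remote VPN endpoint has a fixed address, set IPSEC_ALLOWED_HOSTS to that address in the same edit. The change also sits in the section the header comment describes as mapped from /mnt/kd/rc.conf or the web interface, so a short comment next to ENABLED=1 saying it was set by hand for IPsec pass-through, with IPSEC_NAT_TRAVERSAL=0 and vpntype_ipsec=0 left as they are on purpose, would keep the next person from reverting or misreading it.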
Re: [Astlinux-users] Running ipsec behind Astlinux
Thanks Lonnie. I will give it a try.
Interestingly I had a Cisco router working behind it fine but we couldn’t get the second VPN up. We changed it out for a TP-Link router so the customer could manage themselves and that didn’t work at all.

Regards
Michael Knill
[Astlinux-users] Running ipsec behind Astlinux
Hi Group

I have an ipsec VPN device behind Astlinux and it cannot connect. When I stick the device behind a 4G enabled Mikrotik router then it works fine.
What could be the problem? Are there any additional rules I need to add?

This is certainly very annoying and hopefully I can fix it before it uses up all my 4G data.

Regards

Michael Knill
Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Hi Lonnie Thanks for this. So the testing I performed was to call into the system from my mobile to a number that goes directly to voicemail without a greeting. If the call stayed up for a couple of seconds then I would hang up and call again. Whenever I got the Warning messages, the call actually dropped. Another log line I didnt add was: -- Recording was 0 seconds long but needs to be at least 1 – abandoning I also posted on the Asterisk forum and someone mentioned that a solution to the problem could be setting “transmit_silence=yes” in asterisk.conf which I tried and it significantly reduced (possibly eliminated) the problem. I will try setting this at a couple of our problem sites to see if it fixes the problem and let you know how I go. Regards Michael Knill From: Lonnie Abelbeck Date: Tuesday, 13 June 2023 at 10:26 pm To: AstLinux Users Mailing List Subject: Re: [Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7 Hi Michael, I looked through the Asterisk code, this is basic core code, but some 'code stirring' has occurred between 13 and 16. If you can replicate it in the lab, does Astlinux 1.5.0 / 13se work as expected with your voicemail.conf? Does the error occur only on long (longer) voicemails? Does the error occur intermittently or all the time? Any pattern? Lonnie > On Jun 13, 2023, at 5:52 AM, Michael Knill > wrote: > > Hi Group > > Im trying to find out why I am getting voicemail errors on Asterisk 16 on > Astlinux 1.4.7 and hoping someone may have an idea where I should start > investigating. Im getting reports and example voicemails where the person has > been cut off mid recording only on Asterisk 16 on Astlinux 1.4.7. 
> I'm intermittently getting the following which from testing happens prior to
> it dropping out:
> Jun 13 13:18:47 25160-Clinic88-CM1 local0.warn asterisk[1203]: WARNING[1533][C-04bc]: file.c:293 in ast_writestream: Translated frame write failed
> Jun 13 13:18:47 25160-Clinic88-CM1 local0.warn asterisk[1203]: WARNING[1533][C-04bc]: app.c:2010 in __ast_play_and_record: Error writing frame
>
> Nothing on 1.3.10 using Asterisk 13. Both have the same voicemail config:
> [general]
> format = wav
> maxsecs = 180
> minsecs = 1
> maxmsg = 1000
> maxgreet = 60
> maxsilence = 0
> minpassword = 4
> silencethreshold = 128
> maxlogins = 3
> nextaftercmd = yes
> sendvoicemail = yes
> review = yes
> operator = yes
> forcename = yes
> forcegreetings = yes
> tempgreetwarn = yes
> callback = DialPlan1
> exitcontext = voicemail-exit
> externpass = /mnt/kd/scripts/vm_password_sync
> externnotify = php /mnt/kd/scripts/voicemailnotify.php
>
> I have tried Astlinux 1.5.0 and it still happens. I can't seem to find any
> related bugs.
>
> Any ideas?
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] Problems with voicemail and Asterisk 16 on Astlinux 1.4.7
Hi Group

I'm trying to find out why I am getting voicemail errors on Asterisk 16 on Astlinux 1.4.7 and hoping someone may have an idea where I should start investigating. I'm getting reports and example voicemails where the person has been cut off mid recording only on Asterisk 16 on Astlinux 1.4.7.
I'm intermittently getting the following which from testing happens prior to it dropping out:

Jun 13 13:18:47 25160-Clinic88-CM1 local0.warn asterisk[1203]: WARNING[1533][C-04bc]: file.c:293 in ast_writestream: Translated frame write failed
Jun 13 13:18:47 25160-Clinic88-CM1 local0.warn asterisk[1203]: WARNING[1533][C-04bc]: app.c:2010 in __ast_play_and_record: Error writing frame

Nothing on 1.3.10 using Asterisk 13. Both have the same voicemail config:

[general]
format = wav
maxsecs = 180
minsecs = 1
maxmsg = 1000
maxgreet = 60
maxsilence = 0
minpassword = 4
silencethreshold = 128
maxlogins = 3
nextaftercmd = yes
sendvoicemail = yes
review = yes
operator = yes
forcename = yes
forcegreetings = yes
tempgreetwarn = yes
callback = DialPlan1
exitcontext = voicemail-exit
externpass = /mnt/kd/scripts/vm_password_sync
externnotify = php /mnt/kd/scripts/voicemailnotify.php

I have tried Astlinux 1.5.0 and it still happens. I can't seem to find any related bugs.

Any ideas?

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au
Smarter Business Communications
[Astlinux-users] Astlinux reliability
System Uptime: 989 days, 1:29

It's on an APU2 in a hospital environment so never had a power failure.
Yes I should have upgraded it long ago but pretty cool!

Regards
Michael Knill
Re: [Astlinux-users] Stopping logging of Crontab
Ah thanks Lonnie

That looks a better way of doing it.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Friday, 31 March 2023 at 1:01 am
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] Stopping logging of Crontab

Hi Michael,

The (busybox) crond daemon has a syslog level setting which defaults to 8, the least verbose log level. So no help there.

Using the filter for the Status Tab, is a reasonable idea.

Personally, when executing shell commands on a regular interval of seconds/minutes, I prefer to use a bash shell script and the sleep builtin. (Using the sleep builtin keeps from spawning a new process whenever 'sleep' is called).

The simplest example of this is the 'msmtpqueue' bash script [1]

Basic code setup and loop:
--
#!/bin/bash

LOCKFILE="/var/lock/foobar.lock"

# Robust 'bash' method of creating/testing for a lockfile
if ! ( set -o noclobber; echo "$$" > "$LOCKFILE" ) 2>/dev/null; then
  echo "foobar: already running, lockfile \"$LOCKFILE\" exists, process id: $(cat "$LOCKFILE")."
  # 'exit', not 'return': at the top level of an executed script 'return' fails and the script would carry on
  exit 9
fi

# Load 'sleep' builtin if it exists
if [ -f /usr/lib/bash/sleep ]; then
  enable -f /usr/lib/bash/sleep sleep
fi

# seconds to wait
wait=300

# Remove the lockfile on interrupt, termination or normal exit
trap 'rm -f "$LOCKFILE"; exit $?' INT TERM EXIT

while true; do
  # do stuff
  sleep $wait
done

rm -f "$LOCKFILE"
trap - INT TERM EXIT
--

Look at the actual code [1] for finer details.

Another fairly simple example, asterisk-sip-monitor [2] which adds a PID file that can be removed to exit the script.

Lonnie

[1] https://github.com/astlinux-project/astlinux/blob/master/package/msmtp/msmtpqueue.sh
[2] https://github.com/astlinux-project/astlinux/blob/master/package/asterisk/asterisk-sip-monitor

> On Mar 29, 2023, at 11:39 PM, Michael Knill wrote:
>
> Short of putting in a filter for the Status Tab, is there any way to stop
> Crontab logging to Syslog.
> I now have a process that is run every 10 minutes and it's annoying that it
> logs to Syslog each time.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
[Astlinux-users] Stopping logging of Crontab
Short of putting in a filter for the Status Tab, is there any way to stop Crontab logging to Syslog.
I now have a process that is run every 10 minutes and it's annoying that it logs to Syslog each time.

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au
Smarter Business Communications
Re: [Astlinux-users] LDAP Authentication on Astlinux
Yay we have Stretto now authenticating to OpenLDAP in Astlinux.

Regards
Michael Knill

From: Michael Knill
Date: Thursday, 23 March 2023 at 3:51 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] LDAP Authentication on Astlinux

Hi Lonnie

Yes thoroughly actually. We may be getting there slowly. Not knowing a great deal about LDAP and slapd is making progress slow.
Our main problem appears to be LDAPS currently as LDAP seems to work.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Thursday, 23 March 2023 at 12:29 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] LDAP Authentication on Astlinux

Hi Michael,

Have you read this ...

LDAP Server Configuration
https://doc.astlinux-project.org/userdoc:tt-ldap-server

You need ACME certs for LDAPS.

I know nothing about modern Bria, hope they support LDAPS properly.

It has been a long time since we implemented LDAP, you will most likely have to figure out the details. Good luck. :-)

Lonnie

> On Mar 22, 2023, at 7:36 PM, Michael Knill wrote:
>
> Hi All
>
> I need to set up LDAPS authentication on Astlinux for Stretto Authentication
> (Bria) and just wondering how I would do this.
> I have set up LDAP fine for just telephone numbers but not passwords.
> Sorry that I am an LDAP noob.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
Re: [Astlinux-users] LDAP Authentication on Astlinux
Hi Lonnie

Yes thoroughly actually. We may be getting there slowly. Not knowing a great deal about LDAP and slapd is making progress slow.
Our main problem appears to be LDAPS currently as LDAP seems to work.

Regards
Michael Knill

From: Lonnie Abelbeck
Date: Thursday, 23 March 2023 at 12:29 pm
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] LDAP Authentication on Astlinux

Hi Michael,

Have you read this ...

LDAP Server Configuration
https://doc.astlinux-project.org/userdoc:tt-ldap-server

You need ACME certs for LDAPS.

I know nothing about modern Bria, hope they support LDAPS properly.

It has been a long time since we implemented LDAP, you will most likely have to figure out the details. Good luck. :-)

Lonnie

> On Mar 22, 2023, at 7:36 PM, Michael Knill wrote:
>
> Hi All
>
> I need to set up LDAPS authentication on Astlinux for Stretto Authentication
> (Bria) and just wondering how I would do this.
> I have set up LDAP fine for just telephone numbers but not passwords.
> Sorry that I am an LDAP noob.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] LDAP Authentication on Astlinux
Hi All

I need to set up LDAPS authentication on Astlinux for Stretto Authentication (Bria) and just wondering how I would do this.
I have set up LDAP fine for just telephone numbers but not passwords.
Sorry that I am an LDAP noob.

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au
Smarter Business Communications
Re: [Astlinux-users] Streaming music player
Whoops that's embarrassing. Glad I asked.
Thanks guys.

Regards
Michael Knill

On 23/2/2023, 12:20 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

> On Feb 22, 2023, at 2:36 AM, Michael Keuter <li...@mksolutions.info> wrote:
>
>> On 22.02.2023 at 02:29, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi Guys
>>
>> Everything I read mentions that mpg123 is required for this but it does not
>> appear to be in Astlinux.
>> Could I just add the binary to /mnt/kd/bin do you think?
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>
> Hi Michael,
>
> you can easily use "sox" instead of "mpg123" for streaming. Like:
>
> wget -q -O - $URL | sox -t mp3 $FOPTS - -t raw -r 8000 -c 1 -
>
> Michael
> http://www.mksolutions.info

Agreed, sox supports more encoding types than mpg123, IIRC.

This wiki entry has some good tidbits...

External Music on Hold Source
https://doc.astlinux-project.org/userdoc:tt_external_moh_source

Lonnie
[Astlinux-users] Streaming music player
Hi Guys

Everything I read mentions that mpg123 is required for this but it does not appear to be in Astlinux.
Could I just add the binary to /mnt/kd/bin do you think?

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au
Smarter Business Communications
[Astlinux-users] Using Bria with XMPP & vCards
Hi Group

I'm looking to use Counterpath Bria with Astlinux and wanting to provide a system directory. It appears that this is only possible using XMPP rosters and vCard which I believe Prosody in Astlinux supports.
I have absolutely no idea how to set this up and am wondering if anyone has done so before?
Note this is not just creating an XMPP only roster which are added to sharedgroups.conf, but also includes telephone numbers and other contact information.

Thanks all.

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au
Smarter Business Communications
Re: [Astlinux-users] Large number of Firewall entries
Hi All

Added this script in custom-rules.conf and it seems to work well:
-
ipset create -exist udp_sip_hosts hash:net
ipset flush udp_sip_hosts

ip_addresses=$(grep "host" /mnt/kd/asterisk/sip_peers.conf | sed "s/host=//")

echo "$ip_addresses" | sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist udp_sip_hosts \1/p" | ipset restore

iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
-

Regards
Michael Knill

On 3/1/2023, 2:03 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Michael,

Controlling the client is not ideal.

Not sure if it is worth the trouble, but rather than removing the IP address, you could mark it with a unique prefix, like:

#block#1.2.3.4

Then add another sed one-liner for a different set-name that gets added in a new unique chain which gets added as -I to the INPUT chain, like the adaptive ban plugin does. This order will make a -j DROP for udp 5060 act before the conntrack states.

Lonnie

> On Jan 2, 2023, at 6:16 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie. Sorry you had to roll your sleeves up. :-)
>
> Yes that makes perfect sense and it did what you said when tested. I really
> should have known this but it caught me out. I did stop SIP traffic going out
> but it was the remote peer's OPTIONS pings that was holding it up.
> We will test parsing sip_peers.conf looking at host= to pick up all the IP
> Addresses on the system and add them to the ipset.
>
> One thing I was thinking is that if we are sending OPTIONS pings to all these
> peers from the softswitch then theoretically we should not need to create any
> firewall rules as the session will already be set up in conntrack. I tested
> it by turning off OPTIONS pings at both ends, waiting for conntrack to time
> out and then turn on OPTIONS pings at the peer end. It did not work until I
> turned on OPTIONS pings at the softswitch end whereby I could make and
> receive calls again.
> > Is this a bit risky do you think? Can you think of any breaking scenarios? > > Regards > Michael Knill > > > > On 3/1/2023, 9:07 am, "Lonnie Abelbeck" <mailto:li...@lonnie.abelbeck.com> <mailto:li...@lonnie.abelbeck.com > <mailto:li...@lonnie.abelbeck.com>>> wrote: > > > Hi Michael, > > > I rolled up my sleeves, and gave this a test in my lab: > > > -- snip /etc/arno-iptables-firewall/custom-rules -- > > > ipset_ext_input_allow() > { > local proto="$1" port="$2" set="$3" file="$4" > > > if [ ! -f "$file" ]; then > echo "[CUSTOM RULE] ipset_ext_input_allow: File not found: $file" > return > fi > > > echo "[CUSTOM RULE] IPSet Pass EXT->Local for Proto: $proto, Port: $port, > Set: $set, IPsetFile: $file" > > > ipset create -exist $set hash:net > ipset flush $set > > > sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set} \1/p" > "$file" | ipset restore > > > ip4tables -A EXT_INPUT_CHAIN -m set --match-set $set src -p $proto --dport > $port -j ACCEPT > } > ipset_ext_input_allow udp 5060 udp_sip_hosts /tmp/sip-whitelist.netset > > > -- > > > -- /tmp/sip-whitelist.netset -- > ## > 1.2.3.4 #test > #10.10.50.1 > 10.10.50.55 > #10.10.0.0/16 > > > -- > > > It worked as expected. Restarting the firewall "arno-iptables-firewall > restart" applies the current IPv4 .netset file. > > > > >> If I then remove the address and restart the firewall, the address is >> removed from the list (ipset list confirms this) but the address is still >> open in the firewall. I cannot remove it unless I reboot the system. > > > What you are seeing is the iptables conntrack state table, eventually the UDP > state will expire after 120 seconds (unless traffic resets the state) > > > Source Port (#'s) Destination Port Protocol Packets Bytes TTL > 10.10.50.1 5060 10.10.50.64 5060 UDP 24 13856 1:29 > > > After the TTL counts down to 0 then the conntrack state disappears. The > iptables conntrack state table makes the firewall much more efficient. This > behavior has always existed. 
> > > So in your testing, if you wait 2 minutes after you remove an IP and apply > the change, the IP will be blocked for UDP 5060 traffic. > > > If you are getting a constant stream of UDP 5060 traffic from that IP then > you would need to take additional measures to block further traffic. For > example, if you allowed a remote SIP endpoint t
Re: [Astlinux-users] Large number of Firewall entries
I decided that I will just write them all in to be on the safe side. It should still work if they are not there but should be more reliable if they are. Regards Michael Knill On 3/1/2023, 2:23 pm, "Michael Knill" mailto:michael.kn...@ipcsolutions.com.au>> wrote: Thanks Lonnie Although this is handy, I'm not really worried about addresses that wont time out until the peer is stopped at the other end. The main reason for my questions below is whether I even bother about creating the ipset and firewall rule at all and what scenarios in which it could be problematic? I could certainly just do it and it would not hurt anything, in fact the address could be missing and it still works fine as it has opened up the conntrack session with the OPTIONS ping. Interestingly I'm asking this question even though I have a number of Astlinux systems that already don't have a rule for UDP5060 that have been working fine for years. Regards Michael Knill On 3/1/2023, 2:03 pm, "Lonnie Abelbeck" mailto:li...@lonnie.abelbeck.com> <mailto:li...@lonnie.abelbeck.com <mailto:li...@lonnie.abelbeck.com>>> wrote: Michael, Controlling the client is not ideal. Not sure if it is worth the trouble, but rather than removing the IP address, you could mark it with a unique prefix, like: #block#1.2.3.4 Then add another sed one-liner for a different set-name that gets added in a new unique chain which gets added as -I to the INPUT chain, like the adaptive ban plugin does. This order will make a -j DROP for udp 5060 act before the conntrack states. Lonnie > On Jan 2, 2023, at 6:16 PM, Michael Knill <mailto:michael.kn...@ipcsolutions.com.au> > <mailto:michael.kn...@ipcsolutions.com.au > <mailto:michael.kn...@ipcsolutions.com.au>>> wrote: > > Thanks Lonnie. Sorry you had to roll your sleeves up. :-)¡ > > Yes that makes perfect sense and it did what you said when tested. I really > should have known this but it caught me out. 
I did stop SIP traffic going out > but it was the remote peer's OPTIONS pings that was holding it up. > We will test parsing sip_peers.conf looking at host= to pick up all the IP > Addresses on the system and add them to the ipset. > > One thing I was thinking is that if we are sending OPTIONS pings to all these > peers from the softswitch then theoretically we should not need to create any > firewall rules as the session will already be set up in conntrack. I tested > it by turning off OPTIONS pings at both ends, waiting for conntrack to time > out and then turn on OPTIONS pings at the peer end. It did not work until I > turned on OPTIONS pings at the softswitch end whereby I could make and > receive calls again. > > Is this a bit risky do you think? Can you think of any breaking scenarios? > > Regards > Michael Knill > > > > On 3/1/2023, 9:07 am, "Lonnie Abelbeck" <mailto:li...@lonnie.abelbeck.com> <mailto:li...@lonnie.abelbeck.com > <mailto:li...@lonnie.abelbeck.com>> <mailto:li...@lonnie.abelbeck.com > <mailto:li...@lonnie.abelbeck.com> <mailto:li...@lonnie.abelbeck.com > <mailto:li...@lonnie.abelbeck.com>>>> wrote: > > > Hi Michael, > > > I rolled up my sleeves, and gave this a test in my lab: > > > -- snip /etc/arno-iptables-firewall/custom-rules -- > > > ipset_ext_input_allow() > { > local proto="$1" port="$2" set="$3" file="$4" > > > if [ ! 
-f "$file" ]; then > echo "[CUSTOM RULE] ipset_ext_input_allow: File not found: $file" > return > fi > > > echo "[CUSTOM RULE] IPSet Pass EXT->Local for Proto: $proto, Port: $port, > Set: $set, IPsetFile: $file" > > > ipset create -exist $set hash:net > ipset flush $set > > > sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set} \1/p" > "$file" | ipset restore > > > ip4tables -A EXT_INPUT_CHAIN -m set --match-set $set src -p $proto --dport > $port -j ACCEPT > } > ipset_ext_input_allow udp 5060 udp_sip_hosts /tmp/sip-whitelist.netset > > > -- > > > -- /tmp/sip-whitelist.netset -- > ## > 1.2.3.4 #test > #10.10.50.1 > 10.10.50.55 > #10.10.0.0/16 > > > -- > > > It worked as expected. Restarting the firewall "arno-iptables-firewall > restart" applies the current IPv4 .netset file. > > > > >> If I then remove the address and restart the firewall, the address is >> removed from the list (ipset list confirms this) but the address is still >> open in the firewall. I cannot remove it unless I reboot the system. > > > What you are seeing is t
Re: [Astlinux-users] Large number of Firewall entries
Thanks Lonnie Although this is handy, I'm not really worried about addresses that wont time out until the peer is stopped at the other end. The main reason for my questions below is whether I even bother about creating the ipset and firewall rule at all and what scenarios in which it could be problematic? I could certainly just do it and it would not hurt anything, in fact the address could be missing and it still works fine as it has opened up the conntrack session with the OPTIONS ping. Interestingly I'm asking this question even though I have a number of Astlinux systems that already don't have a rule for UDP5060 that have been working fine for years. Regards Michael Knill On 3/1/2023, 2:03 pm, "Lonnie Abelbeck" mailto:li...@lonnie.abelbeck.com>> wrote: Michael, Controlling the client is not ideal. Not sure if it is worth the trouble, but rather than removing the IP address, you could mark it with a unique prefix, like: #block#1.2.3.4 Then add another sed one-liner for a different set-name that gets added in a new unique chain which gets added as -I to the INPUT chain, like the adaptive ban plugin does. This order will make a -j DROP for udp 5060 act before the conntrack states. Lonnie > On Jan 2, 2023, at 6:16 PM, Michael Knill <mailto:michael.kn...@ipcsolutions.com.au>> wrote: > > Thanks Lonnie. Sorry you had to roll your sleeves up. :-)¡ > > Yes that makes perfect sense and it did what you said when tested. I really > should have known this but it caught me out. I did stop SIP traffic going out > but it was the remote peer's OPTIONS pings that was holding it up. > We will test parsing sip_peers.conf looking at host= to pick up all the IP > Addresses on the system and add them to the ipset. > > One thing I was thinking is that if we are sending OPTIONS pings to all these > peers from the softswitch then theoretically we should not need to create any > firewall rules as the session will already be set up in conntrack. 
I tested > it by turning off OPTIONS pings at both ends, waiting for conntrack to time > out and then turn on OPTIONS pings at the peer end. It did not work until I > turned on OPTIONS pings at the softswitch end whereby I could make and > receive calls again. > > Is this a bit risky do you think? Can you think of any breaking scenarios? > > Regards > Michael Knill > > > > On 3/1/2023, 9:07 am, "Lonnie Abelbeck" <mailto:li...@lonnie.abelbeck.com> <mailto:li...@lonnie.abelbeck.com > <mailto:li...@lonnie.abelbeck.com>>> wrote: > > > Hi Michael, > > > I rolled up my sleeves, and gave this a test in my lab: > > > -- snip /etc/arno-iptables-firewall/custom-rules -- > > > ipset_ext_input_allow() > { > local proto="$1" port="$2" set="$3" file="$4" > > > if [ ! -f "$file" ]; then > echo "[CUSTOM RULE] ipset_ext_input_allow: File not found: $file" > return > fi > > > echo "[CUSTOM RULE] IPSet Pass EXT->Local for Proto: $proto, Port: $port, > Set: $set, IPsetFile: $file" > > > ipset create -exist $set hash:net > ipset flush $set > > > sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set} \1/p" > "$file" | ipset restore > > > ip4tables -A EXT_INPUT_CHAIN -m set --match-set $set src -p $proto --dport > $port -j ACCEPT > } > ipset_ext_input_allow udp 5060 udp_sip_hosts /tmp/sip-whitelist.netset > > > -- > > > -- /tmp/sip-whitelist.netset -- > ## > 1.2.3.4 #test > #10.10.50.1 > 10.10.50.55 > #10.10.0.0/16 > > > -- > > > It worked as expected. Restarting the firewall "arno-iptables-firewall > restart" applies the current IPv4 .netset file. > > > > >> If I then remove the address and restart the firewall, the address is >> removed from the list (ipset list confirms this) but the address is still >> open in the firewall. I cannot remove it unless I reboot the system. 
> > > What you are seeing is the iptables conntrack state table, eventually the UDP > state will expire after 120 seconds (unless traffic resets the state) > > > Source Port (#'s) Destination Port Protocol Packets Bytes TTL > 10.10.50.1 5060 10.10.50.64 5060 UDP 24 13856 1:29 > > > After the TTL counts down to 0 then the conntrack state disappears. The > iptables conntrack state table makes the firewall much more efficient. This > behavior has always existed. > > > So in your testing, if you wait 2 minutes after you remove an IP and apply > the change, the IP will be blocked for UDP 5060 traffic. > > > If you are get
Re: [Astlinux-users] Large number of Firewall entries
Thanks Lonnie. Sorry you had to roll your sleeves up.

Yes that makes perfect sense and it did what you said when tested. I really should have known this but it caught me out. I did stop SIP traffic going out but it was the remote peer's OPTIONS pings that was holding it up.
We will test parsing sip_peers.conf looking at host= to pick up all the IP Addresses on the system and add them to the ipset.

One thing I was thinking is that if we are sending OPTIONS pings to all these peers from the softswitch then theoretically we should not need to create any firewall rules as the session will already be set up in conntrack. I tested it by turning off OPTIONS pings at both ends, waiting for conntrack to time out and then turn on OPTIONS pings at the peer end. It did not work until I turned on OPTIONS pings at the softswitch end whereby I could make and receive calls again.

Is this a bit risky do you think? Can you think of any breaking scenarios?

Regards
Michael Knill

On 3/1/2023, 9:07 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Hi Michael,

I rolled up my sleeves, and gave this a test in my lab:

-- snip /etc/arno-iptables-firewall/custom-rules --

ipset_ext_input_allow()
{
  local proto="$1" port="$2" set="$3" file="$4"

  if [ ! -f "$file" ]; then
    echo "[CUSTOM RULE] ipset_ext_input_allow: File not found: $file"
    return
  fi

  echo "[CUSTOM RULE] IPSet Pass EXT->Local for Proto: $proto, Port: $port, Set: $set, IPsetFile: $file"

  ipset create -exist $set hash:net
  ipset flush $set

  sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set} \1/p" "$file" | ipset restore

  ip4tables -A EXT_INPUT_CHAIN -m set --match-set $set src -p $proto --dport $port -j ACCEPT
}
ipset_ext_input_allow udp 5060 udp_sip_hosts /tmp/sip-whitelist.netset

--

-- /tmp/sip-whitelist.netset --
##
1.2.3.4 #test
#10.10.50.1
10.10.50.55
#10.10.0.0/16

--

It worked as expected. Restarting the firewall "arno-iptables-firewall restart" applies the current IPv4 .netset file.

> If I then remove the address and restart the firewall, the address is removed
> from the list (ipset list confirms this) but the address is still open in the
> firewall. I cannot remove it unless I reboot the system.

What you are seeing is the iptables conntrack state table, eventually the UDP state will expire after 120 seconds (unless traffic resets the state)

Source Port (#'s) Destination Port Protocol Packets Bytes TTL
10.10.50.1 5060 10.10.50.64 5060 UDP 24 13856 1:29

After the TTL counts down to 0 then the conntrack state disappears. The iptables conntrack state table makes the firewall much more efficient. This behavior has always existed.

So in your testing, if you wait 2 minutes after you remove an IP and apply the change, the IP will be blocked for UDP 5060 traffic.

If you are getting a constant stream of UDP 5060 traffic from that IP then you would need to take additional measures to block further traffic. For example, if you allowed a remote SIP endpoint to register more often than 120 seconds, removing the IP from the "allowed" ipset would not "block" it until the conntrack state disappears.

Make sense?

Lonnie

> On Jan 2, 2023, at 2:26 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Lonnie
>
> Thanks for this. Unfortunately I still need to reboot the system for it to
> reread the netset rules if I remove an ipset entry.
> Here is my custom-rules.conf:
>
> ipset create -exist udp_sip_hosts hash:net
> ipset flush udp_sip_hosts
> ipset add -exist udp_sip_hosts
> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
>
> If I add another IP Address to the list as below and restart the firewall it
> works fine and I see it when I do an ipset list:
> ipset add -exist udp_sip_hosts <1st ip address>
> ipset add -exist udp_sip_hosts <2nd ip address>
>
> If I then remove the address and restart the firewall, the address is removed
> from the list (ipset list confirms this) but the address is still open in the
> firewall. I cannot remove it unless I reboot the system.
> Obviously not workable I'm afraid.
>
> Regards
> Michael Knill
>
> On 3/1/2023, 3:22 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> Referring to the "apply_ipset_netset()" function (here [1])
>
> Add "-exist" to the "create" and "add" (man-page [2]) commands.
>
> Note that you can create the ipset from a text file w
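
The following is an added example, not code from the thread or from AstLinux. It ties together the two points in the message above: building the whitelist from host= lines in sip_peers.conf, and the fact that a peer removed from the ipset stays reachable until its conntrack state expires. It is a dry-run planner that only prints commands. The function names, the sample files and the availability of the conntrack-tools `conntrack` utility on the box are assumptions.

```shell
#!/bin/sh
# Added example: dry-run planner, prints commands and runs none of them.

# IPv4/CIDR entries of a .netset file, using the same sed pattern as
# ipset_ext_input_allow() in the thread (comments and blank lines drop out).
netset_entries() {
  sed -n -r -e 's/^([0-9][0-9./]+)([[:space:]].*|)$/\1/p' "$1" | sort -u
}

# Literal IPv4 values of host= lines in an Asterisk peers file.
# host=dynamic and hostnames are skipped: they cannot go into a hash:net set.
sip_hosts_from_conf() {
  sed -n -r -e \
    's/^[[:space:]]*host[[:space:]]*=[[:space:]]*([0-9]{1,3}(\.[0-9]{1,3}){3})[[:space:]]*(;.*)?$/\1/p' \
    "$1" | sort -u
}

# Entries present in the OLD netset but absent from the NEW one.
removed_entries() {
  old_tmp=$(mktemp) new_tmp=$(mktemp)
  netset_entries "$1" > "$old_tmp"
  netset_entries "$2" > "$new_tmp"
  comm -23 "$old_tmp" "$new_tmp"
  rm -f "$old_tmp" "$new_tmp"
}

# Print the ipset rebuild plus the conntrack clean-up for removed peers.
# A state can exist in either direction: inbound traffic from the peer
# (orig src = peer) or outbound OPTIONS pings to it (orig dst = peer).
plan_update() {
  set_name="$1" proto="$2" port="$3" old="$4" new="$5"
  echo "ipset create -exist $set_name hash:net"
  echo "ipset flush $set_name"
  netset_entries "$new" | while read -r entry; do
    echo "ipset add -exist $set_name $entry"
  done
  removed_entries "$old" "$new" | while read -r entry; do
    case "$entry" in
      */*) echo "# $entry: CIDR removed, clear matching states per address" ;;
      *)   echo "conntrack -D -p $proto --dport $port -s $entry"
           echo "conntrack -D -p $proto --dport $port -d $entry" ;;
    esac
  done
}

demo() {
  dir=$(mktemp -d)
  # Constructed sample: the whitelist that is currently applied.
  cat > "$dir/old.netset" <<'EOF'
## constructed sample
10.10.50.1
10.10.50.55 #test
EOF
  # Constructed sample: peers file after one peer was deleted and one added.
  cat > "$dir/sip_peers.conf" <<'EOF'
; constructed sample
[site-a]
type=peer
host=10.10.50.55
[site-b]
type=friend
host=dynamic
[site-c]
host = 192.0.2.20 ; trunk
EOF
  sip_hosts_from_conf "$dir/sip_peers.conf" > "$dir/new.netset"
  plan_update udp_sip_hosts udp 5060 "$dir/old.netset" "$dir/new.netset"
  rm -rf "$dir"
}

demo
```

Peers that register as host=dynamic never enter the set this way, so they still depend on a separate rule or on state created by outbound traffic.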
Re: [Astlinux-users] Large number of Firewall entries
Hi Lonnie

Thanks for this. Unfortunately I still need to reboot the system for it to reread the netset rules if I remove an ipset entry.
Here is my custom-rules.conf:

ipset create -exist udp_sip_hosts hash:net
ipset flush udp_sip_hosts
ipset add -exist udp_sip_hosts
iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT

If I add another IP Address to the list as below and restart the firewall it works fine and I see it when I do an ipset list:
ipset add -exist udp_sip_hosts <1st ip address>
ipset add -exist udp_sip_hosts <2nd ip address>

If I then remove the address and restart the firewall, the address is removed from the list (ipset list confirms this) but the address is still open in the firewall. I cannot remove it unless I reboot the system.
Obviously not workable I'm afraid.

Regards
Michael Knill

On 3/1/2023, 3:22 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Hi Michael,

Referring to the "apply_ipset_netset()" function (here [1])

Add "-exist" to the "create" and "add" (man-page [2]) commands.

Note that you can create the ipset from a text file within the /etc/arno-iptables-firewall/custom-rules script. Edit your text file and reload the firewall.

Using "ipset create -exist ..." will not fail if the ipset already exists.

"ipset flush ..." will clear any pre-existing ipset.

Tip -> I would probably use "hash:net" instead of "hash:ip" so you could use CIDRs if you wanted.

custom-rules script snippet
--
ipset create -exist udp_sip_hosts hash:net
ipset flush udp_sip_hosts

## either a one-liner from a text file "sip-whitelist.netset"
sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist udp_sip_hosts \1/p" sip-whitelist.netset | ipset restore

## Or, loop getting IPv4s from a text file "sip-whitelist.netset"
ipset add -exist udp_sip_hosts
## done-loop

iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
--

Lonnie

[1] https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275
[2] https://ipset.netfilter.org/ipset.man.html

> On Jan 1, 2023, at 11:44 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi All
> Merry Christmas and Happy New Year.
>
> Just rejuvenating this thread as I am building our new softswitch and playing
> with ipset as you offered below.
> We have done the following:
>
> Using CLI:
> ipset create udp_sip_hosts hash:ip
> ipset add udp_sip_hosts
>
> In custom-rules.conf
> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
>
> It all seems to work fine but I obviously am an iptables noob as I have no
> idea what to do when I make changes to the ipset as it does not change even
> after a firewall restart.
> I'm sure there is something I need to do which will get iptables to reread
> the ipset?
>
> Thanks guys.
>
> Regards
> Michael Knill
>
> On 27/9/2021, 10:54 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Michael,
>
> The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so
> parsing sip.conf using 'sed' or such should be reasonably straightforward.
>
> BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset
> (ex. udp_sip_hosts), you can very efficiently match all of them with only one
> rule:
> --
> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
> --
> That would allow you to rebuild only the "udp_sip_hosts" ipset when the
> sip.conf got changed, without rebuilding the firewall. Though requires some
> 'ipset' command knowledge, though not complex at all.
>
> Example 'ipset' usage in AstLinux:
> https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275
Re: [Astlinux-users] Large number of Firewall entries
Hi All
Merry Christmas and Happy New Year.

Just rejuvenating this thread as I am building our new softswitch and playing with ipset as you offered below.
We have done the following:

Using CLI:
ipset create udp_sip_hosts hash:ip
ipset add udp_sip_hosts

In custom-rules.conf
iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT

It all seems to work fine but I obviously am an iptables noob as I have no idea what to do when I make changes to the ipset as it does not change even after a firewall restart.
I'm sure there is something I need to do which will get iptables to reread the ipset?

Thanks guys.

Regards
Michael Knill

On 27/9/2021, 10:54 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Michael,

The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so parsing sip.conf using 'sed' or such should be reasonably straightforward.

BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset (ex. udp_sip_hosts), you can very efficiently match all of them with only one rule:
--
iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
--
That would allow you to rebuild only the "udp_sip_hosts" ipset when the sip.conf got changed, without rebuilding the firewall. Though requires some 'ipset' command knowledge, though not complex at all.

Example 'ipset' usage in AstLinux:
https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275

If you only use IPv4 a lot of the example can be simplified.

Lonnie

> On Sep 26, 2021, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie.
>
> Actually now that I think about it, is there any reason why the custom rule
> could not parse sip.conf for host= and open up all Public IP's?
> It would mean that you would need to restart the firewall every time you
> modified sip.conf but I'm sure we could build this into our portal very
> simply.
>
> Regards
> Michael Knill
>
> On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> With 300 rules and the same across all your boxes, I would use
> /mnt/kd/arno-iptables-firewall/custom-rules to define these.
>
> Very similar to the deny_ext_local() example I posted recently, but the
> reverse ... pass_ext_local() using -j ACCEPT
>
> Without testing, something like ...
> --
> pass_ext_local()
> {
>   local proto="$1" host="$2" port="$3"
>
>   echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
>   iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
> }
> ## uncomment to enable ##
> #pass_ext_local udp 1.2.3.4 5060
> #pass_ext_local tcp 1.2.3.0/24 5061
> --
>
> If you only use udp/5060, you could simplify things, maybe only one "echo"
> statement and a variable defining all 300 IPs. Generic shell scripting.
>
> Again untested ...
> --
> pass_ext_local_udp_sip()
> {
>   local host proto="udp" port="5060" IFS
>   local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"
>
>   echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
>   unset IFS
>   for host in $sip_hosts; do
>     iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
>   done
> }
> pass_ext_local_udp_sip
> --
>
> Alternatively, you could define the sip_hosts variable with a file if desired.
>
> Lonnie
>
>> On Sep 26, 2021, at 5:32 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi Group
>>
>> I'm looking to have a large number of firewall entries in Astlinux e.g. 300.
>> They would be all the same e.g. I want to open port 5060 from multiple sites.
>> Is there an easier/neater way to do this other than lots of firewall entries
>> in the Firewall Tab?
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: michael.kn...@ipcsolutions.com.au
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
Re: [Astlinux-users] Turning of DHCP logging
Thanks Lonnie. Not sure why I'm not getting it for other IPoE broadband services though?

Regards
Michael Knill

On 3/11/2022, 12:01 am, "Lonnie Abelbeck" wrote:

Michael,

BTW the "daemon.err udhcpc" are not actually error logs, just informational logs in this case.

The .err only log marking was a bug/feature in Busybox log messages. [1]

Lonnie

[1] https://github.com/mirror/busybox/commit/253c4e787a799a3e1f92957ed791b5222f8d2f64

> On Nov 1, 2022, at 9:57 PM, Michael Knill wrote:
>
> Hi Lonnie
>
> Yes that would be nice. My lease time is 300s.
> Still not sure why I'm getting those errors though.
>
> Regards
> Michael Knill
>
> On 2/11/2022, 11:56 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Addendum:
> For my cable modem, only one "sending discover" is needed for this udhcpc session:
> --
> Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: started, v1.30.1
> Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: sending discover
> Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: sending select for 98.xx.xx.xx
> Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: lease of 98.xx.xx.xx obtained, lease time 86400
> --
> My IP address is somewhat "sticky" associated with my external interface MAC address. If the MAC address changed or 24 hours of no activity then it may take a little longer and more "sending discover" messages to grab an IP.
>
> Lonnie
>
>> On Nov 1, 2022, at 7:28 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>>
>>> It does not have this error from the same provider on other broadband types.
>>
>> Which "broadband types" are you talking about, is IPoE a cable modem or something else?
>>
>> Lonnie
>>
>>> On Nov 1, 2022, at 4:44 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Thanks Lonnie. Yes there does seem to be a problem as I do get the standard lease obtained logs:
>>> Nov 2 06:54:54 30590-Canb_Comm-CM1 daemon.err udhcpc[358]: sending renew to 103.55.93.1
>>> Nov 2 06:54:54 30590-Canb_Comm-CM1 daemon.err udhcpc[358]: lease of 103.55.93.92 obtained, lease time 300
>>>
>>> It does not have this error from the same provider on other broadband types. Do you have any idea what it could be?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 2/11/2022, 8:12 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>>
>>> Normally you would see 3 or 4 of those logs before DHCP client was successful.
>>>
>>> After many "sending discover" udhcpc will drop to the background and continue. Possibly DHCP is acquired after 30 seconds or so?
>>>
>>> For local networks, this is not normal. You can't disable the logs as there should not be an endless stream of them.
>>>
>>> Lonnie
>>>
>>>> On Nov 1, 2022, at 3:10 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>>
>>>> Hi Group
>>>>
>>>> This is a new service that we have not used before. They use IPoE and so I have configured the WAN to be DHCP.
>>>> It all appears to be working but I am getting lots of logs:
>>>> Nov 2 06:55:46 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>> Nov 2 06:55:48 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>> Nov 2 06:55:50 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>> Nov 2 06:55:52 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>> Nov 2 06:55:54 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>> Nov 2 06:55:56 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>> Nov 2 06:56:18 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Re: [Astlinux-users] Turning of DHCP logging
Hi Lonnie

Yes that would be nice. My lease time is 300s.
Still not sure why I'm getting those errors though.

Regards
Michael Knill

On 2/11/2022, 11:56 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Addendum:
For my cable modem, only one "sending discover" is needed for this udhcpc session:
--
Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: started, v1.30.1
Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: sending discover
Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: sending select for 98.xx.xx.xx
Oct 27 15:26:45 gw-lan daemon.err udhcpc[595]: lease of 98.xx.xx.xx obtained, lease time 86400
--
My IP address is somewhat "sticky" associated with my external interface MAC address. If the MAC address changed or 24 hours of no activity then it may take a little longer and more "sending discover" messages to grab an IP.

Lonnie

> On Nov 1, 2022, at 7:28 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
>> It does not have this error from the same provider on other broadband types.
>
> Which "broadband types" are you talking about, is IPoE a cable modem or
> something else?
>
> Lonnie
>
>> On Nov 1, 2022, at 4:44 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Thanks Lonnie. Yes there does seem to be a problem as I do get the standard
>> lease obtained logs:
>> Nov 2 06:54:54 30590-Canb_Comm-CM1 daemon.err udhcpc[358]: sending renew to 103.55.93.1
>> Nov 2 06:54:54 30590-Canb_Comm-CM1 daemon.err udhcpc[358]: lease of 103.55.93.92 obtained, lease time 300
>>
>> It does not have this error from the same provider on other broadband types.
>> Do you have any idea what it could be?
>>
>> Regards
>> Michael Knill
>>
>> On 2/11/2022, 8:12 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>
>> Normally you would see 3 or 4 of those logs before DHCP client was
>> successful.
>>
>> After many "sending discover" udhcpc will drop to the background and
>> continue. Possibly DHCP is acquired after 30 seconds or so?
>>
>> For local networks, this is not normal. You can't disable the logs as there
>> should not be an endless stream of them.
>>
>> Lonnie
>>
>>> On Nov 1, 2022, at 3:10 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Hi Group
>>>
>>> This is a new service that we have not used before. They use IPoE and so I
>>> have configured the WAN to be DHCP.
>>> It all appears to be working but I am getting lots of logs:
>>> Nov 2 06:55:46 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:55:48 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:55:50 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:55:52 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:55:54 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:55:56 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:56:18 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:56:20 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>> Nov 2 06:56:22 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>>>
>>> Is this normal? Can I turn them off?
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director
>>>
>>> D: +61 2 6189 1360
>>> P: +61 2 6140 4656
>>> E: michael.kn...@ipcsolutions.com.au
>>> W: ipcsolutions.com.au
>>>
>>> Smarter Business Communications
Re: [Astlinux-users] Turning of DHCP logging
Thanks Lonnie. Yes there does seem to be a problem as I do get the standard lease obtained logs:
Nov 2 06:54:54 30590-Canb_Comm-CM1 daemon.err udhcpc[358]: sending renew to 103.55.93.1
Nov 2 06:54:54 30590-Canb_Comm-CM1 daemon.err udhcpc[358]: lease of 103.55.93.92 obtained, lease time 300

It does not have this error from the same provider on other broadband types. Do you have any idea what it could be?

Regards
Michael Knill

On 2/11/2022, 8:12 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Normally you would see 3 or 4 of those logs before DHCP client was successful.

After many "sending discover" udhcpc will drop to the background and continue. Possibly DHCP is acquired after 30 seconds or so?

For local networks, this is not normal. You can't disable the logs as there should not be an endless stream of them.

Lonnie

> On Nov 1, 2022, at 3:10 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Group
>
> This is a new service that we have not used before. They use IPoE and so I
> have configured the WAN to be DHCP.
> It all appears to be working but I am getting lots of logs:
> Nov 2 06:55:46 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:55:48 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:55:50 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:55:52 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:55:54 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:55:56 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:56:18 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:56:20 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
> Nov 2 06:56:22 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
>
> Is this normal? Can I turn them off?
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] Turning of DHCP logging
Hi Group

This is a new service that we have not used before. They use IPoE and so I have configured the WAN to be DHCP.
It all appears to be working but I am getting lots of logs:
Nov 2 06:55:46 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:55:48 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:55:50 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:55:52 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:55:54 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:55:56 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:56:18 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:56:20 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover
Nov 2 06:56:22 30590-Canb_Comm-CM1 daemon.err udhcpc[24542]: sending discover

Is this normal? Can I turn them off?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] Wireguard significantly delays Astlinux bootup when using hostname for peer
Hi Group

When using Wireguard with hostnames, I have noticed that if there is no DNS available, Wireguard prevents Astlinux from booting up for a very long period of time as it sits and waits for the resolution of the hostname it has in the peer configuration.
Is there a way to prevent this from happening as it's very problematic?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Using VMware Templates
Thanks guys for your input.

Regards
Michael Knill

On 7/8/2022, 2:41 am, "Lonnie Abelbeck" wrote:

Good catch David, it is good practice to always remove the /etc/udev/rules.d/70-persistent-net.rules file (if it exists) when creating a template AstLinux system.

Though for the VM case, the standard udev rules do not generate /etc/udev/rules.d/70-persistent-net.rules for virtual interfaces. But for bare-metal you will need to remove the /etc/udev/rules.d/70-persistent-net.rules file for a template system.

As you know David, for very special cases where you have a VM with a mix of virtual NICs and PCIe passthrough real NICs the /etc/udev/rules.d/70-persistent-net.rules file will be created, but without the virtual interfaces.

Regardless, as you suggested, remove /etc/udev/rules.d/70-persistent-net.rules for template systems.

Lonnie

> On Aug 6, 2022, at 9:47 AM, David Kerr wrote:
>
> Lonnie,
> What about /etc/udev/rules.d/70-persistent-net.rules does it need to be regenerated too?
>
> David.
>
> On Sat, Aug 6, 2022 at 9:57 AM Lonnie Abelbeck wrote:
> Hi Michael,
>
> You are missing an important set of keys:
> --
> Server SSH Keys – 'rm /mnt/kd/ssh/ssh_host_*' are removed so host server keys are regenerated
> --
>
> BTW, the ssh/ssh_host_* are for the sshd server, the ssh_root_keys/ are for outbound 'root' user ssh keys.
>
> As you mentioned (implied), everything in /mnt/kd/ssl/* should be removed (including dirs).
>
> As for the Zabbix keys, AstLinux does not generate those ... possibly Zabbix does with the proper configuration path to /mnt/kd/ssl/...
>
> Off hand, I can't think of any other secure identity bits and shouldn't be propagated from VM to VM.
>
> Lonnie
>
> > From: Michael Knill
> > Reply to: AstLinux List
> > Date: Saturday, 6 August 2022 at 12:38 pm
> > To: AstLinux List
> > Subject: [Astlinux-users] Using VMware Templates
> >
> > Hi Group
> >
> > I'm using Astlinux in VMware vCloud and for quick deployment I have built a base system and created a template from it. This means I can rapidly deploy a new system without having to build it.
> >
> > I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list.
> >
> > • Network configuration – Build template will be DHCP only. The new address and hostname will be added into the Network Tab or rc.conf.d/gui.network.conf directly
> > • HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue
> > • Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated
> > • Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated
> > • Zabbix Key – ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe)
> > • OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway
> > • Tarsnap – tarsnap directory is removed in the template so it needs to be generated
> >
> > Can you think of anything else I require?
> > Thanks all.
> >
> > Regards
> >
> > Michael Knill
> > Managing Director
> >
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: michael.kn...@ipcsolutions.com.au
> > W: ipcsolutions.com.au
> >
> > Smarter Business Communications
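
The checklist from this thread, turned into a pre-seal check for a template system. This is an added example, not AstLinux code. The relative paths come from the messages above; that wireguard/, tarsnap/ and ssh_root_keys/ sit under /mnt/kd like ssh/ and ssl/ is an assumption, as are the function names and the constructed demo tree.

```shell
#!/bin/sh
# Added example: list per-host identity material that is still present on a
# system about to be turned into a template. Read-only, deletes nothing.

# template_leftovers [KD_ROOT] [SYSTEM_ROOT]
# Prints one path per line for every item the thread says must be gone:
#   ssh/ssh_host_*      sshd host keys
#   ssl/*               HTTPS/TLS certs, ssl/zabbix_secret.psk
#   ssh_root_keys       outbound root SSH keys
#   wireguard/wg0.privatekey
#   tarsnap             Tarsnap key material
#   /etc/udev/rules.d/70-persistent-net.rules (bare metal / passthrough NICs)
template_leftovers() {
  kd="${1:-/mnt/kd}"
  sysroot="${2:-}"
  for path in \
    "$kd"/ssh/ssh_host_* \
    "$kd"/ssl/* \
    "$kd/ssh_root_keys" \
    "$kd/wireguard/wg0.privatekey" \
    "$kd/tarsnap" \
    "$sysroot/etc/udev/rules.d/70-persistent-net.rules"
  do
    # An unmatched glob stays literal and simply fails the -e test.
    if [ -e "$path" ]; then
      echo "$path"
    fi
  done
}

# Returns 0 when nothing is left behind, 1 otherwise (details on stderr).
template_is_clean() {
  leftovers=$(template_leftovers "$@")
  if [ -n "$leftovers" ]; then
    echo "$leftovers" | sed 's/^/LEFTOVER: /' >&2
    return 1
  fi
  return 0
}

demo_template() {
  # Constructed sample tree standing in for a half-cleaned template.
  tree=$(mktemp -d)
  mkdir -p "$tree/kd/ssh" "$tree/kd/ssl" "$tree/kd/wireguard" \
           "$tree/etc/udev/rules.d"
  : > "$tree/kd/ssh/ssh_host_rsa_key"
  : > "$tree/kd/ssh/ssh_host_rsa_key.pub"
  : > "$tree/kd/ssl/zabbix_secret.psk"
  : > "$tree/etc/udev/rules.d/70-persistent-net.rules"
  template_leftovers "$tree/kd" "$tree"
  rm -rf "$tree"
}

demo_template
```

Run with no arguments on the template itself it checks /mnt/kd and the live /etc; `template_is_clean` gives an exit status that a provisioning script can gate on.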
Re: [Astlinux-users] Using VMware Templates
Whoops typo:

* Zabbix Key – ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe)

Regards
Michael Knill

From: Michael Knill
Reply to: AstLinux List
Date: Saturday, 6 August 2022 at 12:38 pm
To: AstLinux List
Subject: [Astlinux-users] Using VMware Templates

Hi Group

I'm using Astlinux in VMware vCloud and for quick deployment I have built a base system and created a template from it. This means I can rapidly deploy a new system without having to build it.

I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list.

* Network configuration – Build template will be DHCP only. The new address and hostname will be added into the Network Tab or rc.conf.d/gui.network.conf directly
* HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue
* Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated
* Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated
* Zabbix Key – wireguard/ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe)
* OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway
* Tarsnap – tarsnap directory is removed in the template so it needs to be generated

Can you think of anything else I require?
Thanks all.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] Using VMware Templates
Hi Group

I'm using Astlinux in VMware vCloud and for quick deployment I have built a base system and created a template from it. This means I can rapidly deploy a new system without having to build it.

I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list.

* Network configuration – Build template will be DHCP only. The new address and hostname will be added into the Network Tab or rc.conf.d/gui.network.conf directly
* HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue
* Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated
* Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated
* Zabbix Key – wireguard/ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe)
* OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway
* Tarsnap – tarsnap directory is removed in the template so it needs to be generated

Can you think of anything else I require?
Thanks all.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Storage performance
Hi Lonnie

It's a great IaaS solution. Here is a good explanation from one of our cloud providers https://www.serversaustralia.com.au/products/virtual-data-centre

Thanks for the info here. Yes htop is nice. I only have 1.4 in build so not much disk traffic so will need to check later.
From what I saw in our build environment I think we will be fine.

Regards
Michael Knill

On 21/7/2022, 9:11 am, "Lonnie Abelbeck" wrote:

Hi Michael,

Out of curiosity, what do you mean by "Virtual DC" ? I'm not familiar with that term.

If you are using AstLinux 1.4.3 or later, the kernel /proc/[pid]/io stats are enabled.

So, look for "read_bytes" and "write_bytes" in the output of the 'init' process:
--
cat /proc/1/io
--

For Asterisk, this should work:
--
cat /proc/$(pgrep -f '^asterisk')/io
--

See how quickly "read_bytes" and "write_bytes" increase over a set period of time. Next convert into IOP by guessing an average block size.

Note: some of this Disk IO is to RAM based tmpfs, but would give you a worst case scenario.

Additionally, 'htop' supports IO_RATE column (DISK R/W) that can monitor IO.

Lonnie

> On Jul 20, 2022, at 2:29 PM, Michael Knill wrote:
>
> Hi Group
>
> I am virtualising most Astlinux installs and now moving to Virtual DC’s where I have more control of the type of resources I allocate. One of these is the type of storage and usually in the form of IOP’s.
> For example I can purchase storage ranging from 100 IOP’s to 25,000 IOP’s. Now although the difference in price is not huge, it does add up and I want to try to minimise costs where possible.
> I have been using 250 IOP’s and I have not seen any problems but just wondering if this is too low? Even though I am writing logs to KD, I assumed that the Astlinux architecture was still pretty light on in regards to disk writes.
> > Thanks > Mike > ___ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org. ___ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org. ___ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
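Lonnie's method from the reply above (read "read_bytes" and "write_bytes" from /proc/[pid]/io twice, then divide the growth by a guessed block size and the elapsed time), as an added shell example that is not part of the original thread. The function names, the 4096-byte default block size and the two sample snapshots are assumptions constructed for illustration.

```shell
#!/bin/sh
# Estimate worst-case disk IOPS for one process from two /proc/<pid>/io
# snapshots. Added example: names, default block size and sample data
# are assumptions, not from the thread.

# Constructed snapshots of /proc/<pid>/io, taken 60 seconds apart.
SAMPLE_T0='rchar: 5242880
wchar: 9437184
syscr: 1200
syscw: 2400
read_bytes: 1048576
write_bytes: 8388608
cancelled_write_bytes: 4096'

SAMPLE_T60='rchar: 5767168
wchar: 24182784
syscr: 1290
syscw: 6100
read_bytes: 1294336
write_bytes: 23134208
cancelled_write_bytes: 8192'

# io_field SNAPSHOT FIELD: print one counter. The exact match on the first
# column keeps "write_bytes" from also matching "cancelled_write_bytes".
io_field() {
  printf '%s\n' "$1" |
    awk -v f="$2:" '$1 == f { print $2; found = 1 } END { exit !found }'
}

# iops_estimate BEFORE AFTER SECONDS [BLOCK_SIZE]
# Prints "<read_iops> <write_iops>", each rounded up to a whole operation.
# Returns 1 if a counter is missing, 2 on bad arguments, 3 if a counter
# went backwards (the process restarted between the two snapshots).
iops_estimate() {
  secs=$3
  bs=${4:-4096}
  [ "$secs" -gt 0 ] 2>/dev/null && [ "$bs" -gt 0 ] 2>/dev/null || return 2
  r0=$(io_field "$1" read_bytes) || return 1
  w0=$(io_field "$1" write_bytes) || return 1
  r1=$(io_field "$2" read_bytes) || return 1
  w1=$(io_field "$2" write_bytes) || return 1
  [ "$r1" -ge "$r0" ] && [ "$w1" -ge "$w0" ] || return 3
  unit=$((bs * secs))   # bytes that one operation per second moves in the window
  echo "$(( (r1 - r0 + unit - 1) / unit )) $(( (w1 - w0 + unit - 1) / unit ))"
}

# sample_pid PID SECONDS [BLOCK_SIZE]: two live snapshots, SECONDS apart.
sample_pid() {
  s0=$(cat "/proc/$1/io") || return 1
  sleep "$2"
  s1=$(cat "/proc/$1/io") || return 1
  iops_estimate "$s0" "$s1" "$2" "${3:-4096}"
}

if [ "$#" -ge 2 ]; then
  sample_pid "$@"
else
  iops_estimate "$SAMPLE_T0" "$SAMPLE_T60" 60   # constructed data
fi
```

A smaller assumed block size gives a higher IOPS figure for the same byte counts, so size the storage tier from the smallest block size you consider plausible.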
[Astlinux-users] Storage performance
Hi Group

I am virtualising most Astlinux installs and now moving to Virtual DC’s where I have more control of the type of resources I allocate. One of these is the type of storage and usually in the form of IOP’s.
For example I can purchase storage ranging from 100 IOP’s to 25,000 IOP’s. Now although the difference in price is not huge, it does add up and I want to try to minimise costs where possible.
I have been using 250 IOP’s and I have not seen any problems but just wondering if this is too low? Even though am writing logs to KD, I assumed that the Astlinux architecture was still pretty light on in regards to disk writes.

Thanks
Mike
Re: [Astlinux-users] Doing an OS upgrade without network connectivity
Thanks Lonnie. Yeah that's way too hard. I will wait for them to open up the firewall.

Regards
Michael Knill

On 26/6/2022, 1:20 am, "Lonnie Abelbeck" wrote:

    Hi Michael,

    Do you have physical access? If "yes" a local attached USB drive can be used as a "local repo".

    Below is an example, using a PC Engines APU2 "genx86_64-serial" image.

    ==
    Insert FAT formatted USB drive.

    pbx4 ~ # fdisk -l
    --
    ...
    Device     Boot Start    End Sectors   Size Id Type
    /dev/sdb1  *       63 524159  524097 255.9M  6 FAT16
    --

    pbx4 ~ # mkdir /tmp/disk

    pbx4 ~ # mount -t vfat /dev/sdb1 /tmp/disk

    ## Only needed to create a local repo on the USB drive, could be performed outside of AstLinux if desired.
    ## Requires public network access.

    pbx4 ~ # mkdir -p /tmp/disk/ast13se-firmware-1.x/genx86_64-serial

    pbx4 ~ # cd /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/

    pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/ver

    pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz

    pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz.sha1

    ## End of create a local repo on the USB drive

    ## Now assume the USB drive was pre-configured and skip the above "create a local repo" commands.

    ## Check the local repo files:

    pbx4 ~ # cd

    pbx4 ~ # find /tmp/disk/ast13se-firmware-1.x/
    /tmp/disk/ast13se-firmware-1.x/
    /tmp/disk/ast13se-firmware-1.x/genx86_64-serial
    /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/ver
    /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz
    /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz.sha1

    ## Upgrade using the local (pre-configured) USB drive:

    pbx4 ~ # upgrade-run-image check file:///tmp/disk/ast13se-firmware-1.x
    Current version is: astlinux-1.4-5507-f21c6b, Newest available version is: astlinux-1.4.6

    pbx4 ~ # upgrade-run-image upgrade file:///tmp/disk/ast13se-firmware-1.x
    Successful upgrade to: astlinux-1.4.6 [after reboot]

    pbx4 ~ # cd

    pbx4 ~ # umount /tmp/disk

    pbx4 ~ # reboot ; exit
    ==

    And yes, this local repo method can be used for Runnix as well.

    Lonnie

    Tip -> For AstLinux 1.4.2 or later: If you have an exFAT formatted drive use "mount -t exfat ..." instead of "mount -t vfat ..." above.

    > On Jun 24, 2022, at 8:52 PM, Michael Knill wrote:
    >
    > Is this easy to do?
    > I have a site where they are tough with security and I can't reach the download server currently.
    >
    > Along with my previous question, a Runnix upgrade without network connectivity may be handy too.
    >
    > Regards
    >
    > Michael Knill
    > Managing Director
Re: [Astlinux-users] Runnix version and upgrade
Thanks Lonnie. I think we will set up our own repo for Runnix.

Regards
Michael Knill

On 25/6/2022, 11:51 pm, "Lonnie Abelbeck" wrote:

    Hi Michael, (comments inline)

    > On Jun 24, 2022, at 8:07 PM, Michael Knill wrote:
    >
    > A couple of questions regarding Runnix:
    > • I did a Runnix upgrade and it went to 0.6.11. Is this ok on Astlinux 1.3.10?

    Should be fine. Test by upgrading to Runnix 0.6.11 and "reboot" from the CLI ... it should boot AstLinux.

    AstLinux 1.3.10 uses x86_64 Linux 3.16.85, Runnix 0.6.11 is based on x86_64 Linux 4.19.242.

    Over the years we have changed Runnix from 32-bit (0.4.x) to 32-bit PAE (0.5.x) to 64-bit (0.6.x)

    The "upgrade-RUNNIX-image" automatically uses the proper Runnix series.

    You can force the Runnix repo URL, the AstLinux 1.3.10 and later default is:
    --
    upgrade-RUNNIX-image check https://astlinux-project.org/mirror/runnix6
    --

    > • Can I upgrade to a specific Runnix version or is there no point?

    You could with a private Runnix repo, but there is no reason to do so that I am aware of.

    Note that any Runnix upgrades would need to be done via the CLI, the Web Interface uses the default Runnix repo URL.

    > • Can I manage my own repository of Runnix?

    Yes, (see above) ... just as with the AstLinux repo file format, for example:

    -- On an external reachable HTTPS server "HOST/PATH" --
    mkdir runnix6
    cd runnix6
    curl -LO https://astlinux-project.org/mirror/runnix6/runnix-0.6.11.tar.gz
    curl -LO https://astlinux-project.org/mirror/runnix6/runnix-0.6.11.tar.gz.sha1
    curl -LO https://astlinux-project.org/mirror/runnix6/ver
    --

    Then in AstLinux:
    --
    upgrade-RUNNIX-image check https://HOST/PATH/runnix6
    --
    Adjust as desired.

    Lonnie
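The private Runnix mirror in this message and the USB "local repo" in the previous thread both consist of the same three files (ver, the tarball and its .sha1), so one added shell example serves both: a check that a staged repo directory is complete and that the tarball matches its digest before an upgrade is pointed at it. It is not from the thread or the AstLinux project; the function names, the assumption that "ver" holds the image name on its first line, and the assumption that the .sha1 file starts with the hex digest are mine, and the sample repo is constructed.

```shell
#!/bin/sh
# Check a staged firmware repo directory (ver, <name>.tar.gz,
# <name>.tar.gz.sha1) before pointing upgrade-run-image or
# upgrade-RUNNIX-image at it.
# Assumptions, not stated in the thread: "ver" holds the image name on its
# first line (e.g. astlinux-1.4.6) and the .sha1 file starts with the
# 40-hex-digit digest, as sha1sum writes it.

# verify_local_repo DIR [PINNED_SHA1]
# Prints "<name> <sha1>" and returns 0 when the tarball matches.
# Returns 1 missing file, 2 malformed ver/.sha1, 3 tarball does not match
# its .sha1, 4 tarball does not match PINNED_SHA1.
# The .sha1 stored beside the tarball only catches corruption; PINNED_SHA1
# is a digest obtained separately from the drive or mirror.
verify_local_repo() {
  dir=$1
  pinned=$(printf '%s' "${2:-}" | tr 'A-F' 'a-f')
  [ -s "$dir/ver" ] || { echo "missing or empty: $dir/ver" >&2; return 1; }
  name=$(head -n 1 "$dir/ver" | tr -d '\r\n ')
  case $name in
    ''|*/*|*..*) echo "unexpected content in ver" >&2; return 2 ;;
  esac
  tarball="$dir/$name.tar.gz"
  [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 1; }
  [ -f "$tarball.sha1" ] || { echo "missing: $tarball.sha1" >&2; return 1; }
  want=$(awk 'NR == 1 { print tolower($1) }' "$tarball.sha1")
  printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{40}$' ||
    { echo "malformed: $tarball.sha1" >&2; return 2; }
  have=$(sha1sum "$tarball" | awk '{ print $1 }')
  [ "$have" = "$want" ] || { echo "digest mismatch: $tarball" >&2; return 3; }
  if [ -n "$pinned" ] && [ "$have" != "$pinned" ]; then
    echo "tarball differs from pinned digest" >&2
    return 4
  fi
  echo "$name $have"
}

# Constructed sample repo: the "tarball" is the three bytes "abc", whose
# SHA-1 is the well-known test vector written into the .sha1 file.
make_sample_repo() {
  d=$(mktemp -d) || return 1
  b="$d/ast13se-firmware-1.x/genx86_64-serial"
  mkdir -p "$b"
  echo 'astlinux-1.4.6' > "$b/ver"
  printf 'abc' > "$b/astlinux-1.4.6.tar.gz"
  echo 'a9993e364706816aba3e25717850c26c9cd0d89d  astlinux-1.4.6.tar.gz' \
    > "$b/astlinux-1.4.6.tar.gz.sha1"
  echo "$b"
}

if [ "$#" -ge 1 ]; then
  verify_local_repo "$@"
fi
```

For the USB case the directory to pass is the board directory, for example /tmp/disk/ast13se-firmware-1.x/genx86_64-serial from the earlier message.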
[Astlinux-users] Doing an OS upgrade without network connectivity
Is this easy to do?
I have a site where they are tough with security and I can't reach the download server currently.

Along with my previous question, a Runnix upgrade without network connectivity may be handy too.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] Runnix version and upgrade
Hi Group

A couple of questions regarding Runnix:

1. I did a Runnix upgrade and it went to 0.6.11. Is this ok on Astlinux 1.3.10?
2. Can I upgrade to a specific Runnix version or is there no point?
3. Can I manage my own repository of Runnix?

Thanks all.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Can't access astlinux GUI
We have lots of systems running in a KVM with no issues at all however the host is not managed by us so can't help with the setup I'm afraid.
Yes Vultr is the easiest to set up by far although in AU it hasn't been particularly stable from a network perspective. Linode is also pretty good.

Regards
Michael Knill

On 17/5/22, 6:41 am, "Lonnie Abelbeck" wrote:

    Hi Hamid,

    I know of a person who ran AstLinux VM ISO on bare-metal using QEMU/KVM ... it worked OK for him but took a lot of testing and internet searches to get it working. And keeping QEMU and all related packages up to date is very important.

    You will have to do your own testing and internet searches.

    If your OVH VPS already runs on a hypervisor, running KVM on top of that is not ideal, and provided the VT-x/EPT CPU flags get passed through.

    Did we mention Vultr starts at $5/month USD and you can deploy the latest AstLinux VM ISO in about 60 seconds. :-)

    If you have a bare-metal server ESXi or Proxmox are good choices where the AstLinux VM ISO can be installed.

    Lonnie

    > On May 16, 2022, at 1:08 PM, Hamid Awad wrote:
    >
    > Hello,
    > I can give you access to my virtualization environment so you can do anything you need and There’s vnc as well
    >
    > Regards,
    >
    >
    > Original message
    > From: Michael Keuter
    > Date: Mon, 16 May 2022, 19:00
    > To: AstLinux Users Mailing List
    > Subject: Re: [Astlinux-users] Can't access astlinux GUI
    > We (AstLinux Team) documented only three Cloud scenarios, that we have tested ourselves.
    > I cannot speak for installations on OVH. On Vultr it is quite easy to install.
    >
    > > On 16.05.2022 at 18:37, Hamid Awad wrote:
    > >
    > >
    > > There’re talked about 3 cloud company.
    > > Any way I read all the docs in the link (https://doc.astlinux-project.org/userdoc:documentation#cloud_hosted_guest_vm_s) to understand the idea and applied it in my environment
    > > I installed astlinux then remove the ISO CD and let astlinux boot from hd
    > > Nothing happens
    > > Same issue
    > > NOTE : I used Kimchi (Virtualization Management)
    > > https://github.com/kimchi-project/wok @ ubuntu 16.04 server
    > >
    > > Regards,
    > >
    > > From: Michael Keuter
    > > Sent: Monday, May 16, 2022 12:59 PM
    > > To: Hamid Awad
    > > Subject: Re: [Astlinux-users] Can't access astlinux GUI
    > >
    > > https://doc.astlinux-project.org/userdoc:documentation#cloud_hosted_guest_vm_s
    > >
    > > > On 16.05.2022 at 12:52, Hamid Awad wrote:
    > > >
    > > > Hi again,
    > > >
    > > > In fact I managed dedicated server from ovh with virtualization (kvm)
    > > >
    > > > Can you tell me what can I do
    > > >
    > > > Regards
    > > >
    > > >
    > > > Original message
    > > > From: Michael Keuter
    > > > Date: Mon, 16 May 2022, 11:29
    > > > To: AstLinux Users Mailing List
    > > > Subject: Re: [Astlinux-users] Can't access astlinux GUI
    > > > Hi Hamid,
    > > >
    > > > normally you should get a DHCP address from your provider.
    > > > I had a same issue with another provider in Germany (static IP didn't help either), I filed a support request,
    > > > and within a few hours they re-provisioned the server and I got an IP address via DHCP.
    > > >
    > > > Otherwise in "rc.conf":
    > > >
    > > >
    > > > ## External Interface
    > > > EXTIF="eth0"
    > > >
    > > > ## If EXTIP is set, a 'static' config is used instead of the default,
    > > > ## which is DHCP client on $EXTIF. If you are using a T1/E1
    > > > ## EXTGW is also the PtP address. You can enter as many DNS servers as
    > > > ## you wish. They will be added in order.
    > > > #EXTIP="192.168.25.2"
    > > > #EXTNM="255.255.255.0"
    > > > #EXTGW="192.168.25.1"
    > > > #DNS="192.168.1.1 192.168.1.2 192.168.1.3"
    > > >
    > > >
    > > > > On 16.05.2022 at 08:48, Hamid Awad wrote:
    > > > >
    > > > > VPS from ovh
    > > > >
    > > > > How can I turn dhcp off
    > > > >
    > > > >
    > > > > Original message
    > > > > From: Lonnie Abelbeck
    > > > > Date: Mon, 16 May 2022, 04:03
Re: [Astlinux-users] Adding a Wireguard null route with higher metric
Ah thanks Lonnie. Yes this is when I'm using one-way peers.
Problem is that yes Asterisk does bail quickly but then complains about it in the logs. Two-way endpoints are out of the question unfortunately.

Do you think there is any way to fool it e.g. add a dummy endpoint or would this break stuff or be very inefficient?

I'm thinking to reduce the problem I will only use VPN when I need to e.g. when behind NAT, failover, dynamic address etc. and use direct trunk all other times.

Regards
Michael Knill

On 15/5/22, 11:34 pm, "Lonnie Abelbeck" wrote:

    Hi Michael,

    That is what WireGuard does if there is no "Endpoint" and the peer route is down.

    Simple examples ...

    Example #1
    -- wg.conf snip (no Endpoint) --
    [Peer]
    ## hpe-ms|pbx-pve
    PublicKey = ...
    AllowedIPs = 10.4.0.15/32
    --
    # fping 10.4.0.15
    10.4.0.15: error while sending ping: Destination address required
    10.4.0.15 is unreachable

    Note: fping returns immediately

    Example #2
    -- wg.conf snip (with Endpoint) --
    [Peer]
    ## hpe-ms|pbx-pve
    PublicKey = ...
    Endpoint = 10.10.10.15:51820
    AllowedIPs = 10.4.0.15/32
    --
    # fping 10.4.0.15
    10.4.0.15 is unreachable

    Note: fping returns after a few seconds of trying

    So, if you have one-way established WireGuard peers, this is working as efficiently as possible. This allows Asterisk to bail quickly.

    Alternatively if you have two-way established WireGuard peers, each end's peer can contain a "Endpoint" which will try to establish the tunnel and only return "unreachable" if it can't.

    Lonnie

    > On May 14, 2022, at 10:07 PM, Michael Knill wrote:
    >
    > I use Wireguard VPN’s extensively and our softswitch has many peers connected to it.
    > One issue that is very annoying is that if a VPN route drops out of the routing table, rather than just Unreachable, Asterisk complains as below:
    > [May 14 07:20:37] WARNING[2082]: chan_sip.c:3781 __sip_xmit: sip_xmit of 0x2b61f424e7a0 (len 509) to 172.29.1.252:5060 returned -1: Destination address required
    > [May 14 07:20:38] WARNING[2082]: chan_sip.c:3781 __sip_xmit: sip_xmit of 0x2b61f458c940 (len 507) to 172.29.1.13:5060 returned -1: Destination address required
    > You also get the same when you try to ping it.
    >
    > Can you think of any way to resolve this. I tried a null route and that didn't work.
    >
    > Regards
    >
    > Michael Knill
    > Managing Director
    >
    > D: +61 2 6189 1360
    > P: +61 2 6140 4656
    > E: michael.kn...@ipcsolutions.com.au
    > W: ipcsolutions.com.au
    >
    >
    > Smarter Business Communications
[Astlinux-users] Adding a Wireguard null route with higher metric
I use Wireguard VPN’s extensively and our softswitch has many peers connected to it.
One issue that is very annoying is that if a VPN route drops out of the routing table, rather than just Unreachable, Asterisk complains as below:
[May 14 07:20:37] WARNING[2082]: chan_sip.c:3781 __sip_xmit: sip_xmit of 0x2b61f424e7a0 (len 509) to 172.29.1.252:5060 returned -1: Destination address required
[May 14 07:20:38] WARNING[2082]: chan_sip.c:3781 __sip_xmit: sip_xmit of 0x2b61f458c940 (len 507) to 172.29.1.13:5060 returned -1: Destination address required
You also get the same when you try to ping it.

Can you think of any way to resolve this. I tried a null route and that didn't work.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Analogue CLIP (CallerID)
Ah I understand now.
So do you know what the modem is expecting from a CLIP perspective or is this what you are trying to find?
What is the interface from the modem to the Emergency Console? Can you build something that connects directly to the console?
It certainly seems like something that needs to be updated.

Regards
Michael Knill

From: Michael Keuter
Reply to: AstLinux List
Date: Wednesday, 20 April 2022 at 9:47 pm
To: AstLinux List
Subject: Re: [Astlinux-users] Analogue CLIP (CallerID)

On 20.04.2022 at 01:36, Michael Knill wrote:

Hi Michael

I'm a little confused here. I was assuming this:
elevator -> PSTN -> SPA112 -> Asterisk

elevator -> PSTN -> Asterisk (via Voip to PSTN)) -> SPA112 -> Modem -> Emergency Support console (special construction modem with "handset")

Update: I could simulate the internal part with an 20 year old Siemens analogue DECT phone at the SPA112.
CallerID (CLIP) works fine after the first ring with "Bellcore (bell-202 or v.23)", "ETSI FSK (bell-202 or v.23)" and "ETSI FSK with PR (UK) (bell-202 + v.23)". Even the CallerID name is shown.
When I set to e.g. "DTMF Denmark" the phone shows only "External Call".

What am I missing?

Regards
Michael Knill

From: Michael Keuter
Reply to: AstLinux List
Date: Wednesday, 20 April 2022 at 9:20 am
To: AstLinux List
Subject: Re: [Astlinux-users] Analogue CLIP (CallerID)

Hi Michael,

the „potential“ customer has these modems for a long time, and there are no alternatives (like SIP) at the market.
And sure, in SIP I see the correct CallerID, but the modem doesn't see the „right“ CallerID generated by the ATA.

Sent from a mobile device.

Michael Keuter

On 20.04.2022 at 00:58, Michael Knill wrote:

Hi Michael

Just wondering why you need analogue modems to receive the calls from the elevators?
Have you done a SIP Debug of the traffic coming from the SPA112’s to see if the number is anywhere in the SIP Invite?
Do you know the particular standard for this in your country and is this supported by the SPA112’s?
I have never used analogue FXO for anything sorry.

Regards
Michael Knill

From: Michael Keuter
Reply to: AstLinux List
Date: Wednesday, 20 April 2022 at 2:23 am
To: AstLinux List
Subject: [Astlinux-users] Analogue CLIP (CallerID)

Hi list,

I am trying to install an Asterisk PBX for an elevator emergency central in Germany.
The callees are 6 analogue modems who receive calls from the elevators.

The main issue is that the modems need to identify the elevator via a so called analogue CLIP (Calling Line Identification Presentation) where the calling number is shown to the receiving modem.
It is not the Asterisk CALLERID(num) but a special "message" which is transferred for analogue phones between the first 2 ringings (but I think this is generated from the CALLERID(num)).

There are several different methods for that, that can be set in the ATA (Cisco SPA112, latest EOL firmware):

I tried every possible combination of "Caller ID Method" and "Caller ID FSK Standard", but without success.

Has anybody on the list made experiences with analogue CLIP?

Michael

http://www.mksolutions.info
Re: [Astlinux-users] PPPoE Keepalive
Awesome thanks Lonnie. Some great options there.
Not at 1.4 yet (coming soon) so might try the iPoE option initially.
The PPPoE options look very interesting. Think I may do some fine tuning in my 1.4.4 release. Would be interesting to see if CAKE improves anything too.

Regards
Michael Knill

On 10/2/22, 12:57 am, "Lonnie Abelbeck" wrote:

    Hi Michael,

    Nicely described issue.

    1) Adjust lcp-echo-* settings (requiring AstLinux 1.4.1 or later)

    By default the pppoe ppp peer options include:
    --
    lcp-echo-interval 20
    lcp-echo-failure 3
    --

    Try adding a PPPOE_PPP_OPTIONS variable in your /mnt/kd/rc.conf.d/user.conf file:
    --
    PPPOE_PPP_OPTIONS="lcp-echo-interval 5 lcp-echo-failure 10"
    --
    or also add lcp-echo-adaptive
    --
    PPPOE_PPP_OPTIONS="lcp-echo-interval 5 lcp-echo-failure 10 lcp-echo-adaptive"
    --
    Test and adjust values accordingly.

    2) Adjust QoS

    Possibly (AstLinux 1.4.4 or later) CAKE support in the traffic shaper would help, but no evidence it would.

    3) Changing the service to IPoE

    I have always thought to avoid PPPoE if possible, so if IPoE is an available choice, that may be a good idea.

    Lonnie

    > On Feb 8, 2022, at 10:49 PM, Michael Knill wrote:
    >
    > Hi Group
    >
    > I have a site that for years intermittently has periods where it loses PPPoE connectivity on a regular basis. After further investigation by one of my techs, it appears that when this is happening there is significant upstream congestion on the service due to a Veeam backup in progress.
    > Note that I have set traffic shaping and the voice is not affected however it is when the PPPoE drops the connection e.g.
    > Feb 9 12:40:33 3060-ETS_Ref-CM1 daemon.info pppd[362]: No response to 3 echo-requests
    >
    > We have always blamed the access provider but have not been able to pinpoint the issue. I'm now thinking that possibly during this high congestion, LCP Echo Request/Reply are being delayed and/or dropped meaning that Astlinux thinks connectivity is lost and it resets the connection.
    >
    > So my questions are:
    > • Is this possible?
    > • If so, how can I fix it? Something in QoS? Can I change the PPPoE parameters for LCP echos maybe?
    > • Would changing the service to IPoE fix the problem e.g. only DHCP then?
    >
    > Thanks all.
    > Regards
    >
    > Michael Knill
    > Managing Director
    >
    > D: +61 2 6189 1360
    > P: +61 2 6140 4656
    > E: michael.kn...@ipcsolutions.com.au
    > W: ipcsolutions.com.au
    >
    >
    > Smarter Business Communications
[Astlinux-users] PPPoE Keepalive
Hi Group

I have a site that for years intermittently has periods where it loses PPPoE connectivity on a regular basis. After further investigation by one of my techs, it appears that when this is happening there is significant upstream congestion on the service due to a Veeam backup in progress.
Note that I have set traffic shaping and the voice is not affected however it is when the PPPoE drops the connection e.g.
Feb 9 12:40:33 3060-ETS_Ref-CM1 daemon.info pppd[362]: No response to 3 echo-requests

We have always blamed the access provider but have not been able to pinpoint the issue. I'm now thinking that possibly during this high congestion, LCP Echo Request/Reply are being delayed and/or dropped meaning that Astlinux thinks connectivity is lost and it resets the connection.

So my questions are:

1. Is this possible?
2. If so, how can I fix it? Something in QoS? Can I change the PPPoE parameters for LCP echos maybe?
3. Would changing the service to IPoE fix the problem e.g. only DHCP then?

Thanks all.
Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] WAN Bridge interface
Thanks David

Regards
Michael Knill

From: David Kerr
Reply to: AstLinux List
Date: Thursday, 3 February 2022 at 7:51 pm
To: AstLinux List
Subject: Re: [Astlinux-users] WAN Bridge interface

If you are looking for redundancy on the WAN uplink then the way to do it is with bonded interfaces not bridged interfaces, assuming the other end supports bonds (also known as Link Aggregation) then the network layer will take care of it all.

Astlinux out-of-the-box does not support bonded interfaces, I have added support in my version of Astlinux (on my Github, in the develop branch).

I have bonded interfaces on both my WAN and LAN. The WAN has two ethernet cables connecting to my cable modem. The LAN has two ethernet cables connected to my switch that is configured with a LAG (link aggregation group), you need a managed switch that supports LAG. I did it because my Comcast/Xfinity service will deliver 1.4Gbps download speeds, and one ethernet cable maxes out at just under 1Gbps, so to get the most out of my internet service I need to be able to pump more through the Astlinux gateway than a single cable will allow. But you also get redundancy, disconnect one of the two bonded cables and the system doesn't miss a beat (but max throughput drops to 1Gbps).

David

On Wed, Feb 2, 2022 at 6:28 PM Michael Knill wrote:

Hi Lonnie

It's the firewalls that are configured for failover using FireCluster. They use VRRP as I just found out:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html?Highlight=firecluster%20mac%20address

Regards
Michael Knill

On 3/2/22, 9:23 am, "Lonnie Abelbeck" wrote:

    Interesting, but I don't quite understand how the upstream multihomed link works.

    If the AstLinux WAN bridge interface has a static IP and gateway, how is this a failover situation ... unless like you mentioned a VRRP (keepalived) setup.

    Is the AstLinux static gateway IP ARP'ing to different MACs depending on some magic upstream? All in the same subnet?

    If "yes" above, then this would indeed be a special case where you would want the WAN to be a bridge interface.

    Lonnie

    > On Feb 2, 2022, at 4:04 PM, Michael Knill wrote:
    >
    > It's a static address with the gateway address shared on the firewalls as active and standby. Not sure if they have a virtual address like VRRP but doesn't make any difference from Astlinux's perspective.
    > I did some testing and all seemed to work. It's on a Qotom box so I assume performance should not be an issue.
    >
    > Regards
    > Michael Knill
    >
    > On 3/2/22, 9:00 am, "Lonnie Abelbeck" wrote:
    >
    >    Hi Michael,
    >
    >    It would be a special case where you would want the WAN to be a bridge interface.
    >
    >    How is the WAN interface's IP address defined?
    >
    >    I'm not sure how your two WAN trunks are routed to your bridge interface.
    >
    >    But, if a 2-port ethernet switch would work, so should a 2-interface linux bridge.
    >
    >    Lonnie
    >
    >> On Feb 2, 2022, at 3:33 PM, Michael Knill wrote:
    >>
    >> Hi Group
    >>
    >> I have set up two ports on my Astlinux box into a bridge and allocated to the WAN interface. These ports are connected behind a primary and failover Watchguard firewall as a DMZ interface. The LAN interface connects to the Voice VLAN making this system a VPN router only for about 70 phones.
    >>
    >> Just wanting to know if anyone can see any issues with this architecture as I haven’t used bridge interfaces before.
    >> It just seems better than sticking a switch in between creating another single point of failure.
    >>
    >> Regards
    >>
    >> Michael Knill
    >> Managing Director
    >>
    >> D: +61 2 6189 1360
    >> P: +61 2 6140 4656
    >> E: michael.kn...@ipcsolutions.com.au
    >> W: ipcsolutions.com.au
    >>
    >>
    >> Smarter Business Communications
Re: [Astlinux-users] WAN Bridge interface
Hi Lonnie

It's the firewalls that are configured for failover using FireCluster. They use VRRP as I just found out:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_ap_cluster_id_wsm.html?Highlight=firecluster%20mac%20address

Regards
Michael Knill

On 3/2/22, 9:23 am, "Lonnie Abelbeck" wrote:

    Interesting, but I don't quite understand how the upstream multihomed link works.

    If the AstLinux WAN bridge interface has a static IP and gateway, how is this a failover situation ... unless like you mentioned a VRRP (keepalived) setup.

    Is the AstLinux static gateway IP ARP'ing to different MACs depending on some magic upstream? All in the same subnet?

    If "yes" above, then this would indeed be a special case where you would want the WAN to be a bridge interface.

    Lonnie

    > On Feb 2, 2022, at 4:04 PM, Michael Knill wrote:
    >
    > It's a static address with the gateway address shared on the firewalls as active and standby. Not sure if they have a virtual address like VRRP but doesn't make any difference from Astlinux's perspective.
    > I did some testing and all seemed to work. It's on a Qotom box so I assume performance should not be an issue.
    >
    > Regards
    > Michael Knill
    >
    > On 3/2/22, 9:00 am, "Lonnie Abelbeck" wrote:
    >
    >    Hi Michael,
    >
    >    It would be a special case where you would want the WAN to be a bridge interface.
    >
    >    How is the WAN interface's IP address defined?
    >
    >    I'm not sure how your two WAN trunks are routed to your bridge interface.
    >
    >    But, if a 2-port ethernet switch would work, so should a 2-interface linux bridge.
    >
    >    Lonnie
    >
    >> On Feb 2, 2022, at 3:33 PM, Michael Knill wrote:
    >>
    >> Hi Group
    >>
    >> I have set up two ports on my Astlinux box into a bridge and allocated to the WAN interface. These ports are connected behind a primary and failover Watchguard firewall as a DMZ interface. The LAN interface connects to the Voice VLAN making this system a VPN router only for about 70 phones.
    >>
    >> Just wanting to know if anyone can see any issues with this architecture as I haven’t used bridge interfaces before.
    >> It just seems better than sticking a switch in between creating another single point of failure.
    >>
    >> Regards
    >>
    >> Michael Knill
    >> Managing Director
    >>
    >> D: +61 2 6189 1360
    >> P: +61 2 6140 4656
    >> E: michael.kn...@ipcsolutions.com.au
    >> W: ipcsolutions.com.au
    >>
    >>
    >> Smarter Business Communications
Re: [Astlinux-users] WAN Bridge interface
It's a static address with the gateway address shared on the firewalls as active and standby. Not sure if they have a virtual address like VRRP but doesn't make any difference from Astlinux's perspective.
I did some testing and all seemed to work. It's on a Qotom box so I assume performance should not be an issue.

Regards
Michael Knill

On 3/2/22, 9:00 am, "Lonnie Abelbeck" wrote:

Hi Michael,

It would be a special case where you would want the WAN to be a bridge interface.

How is the WAN interface's IP address defined?

I'm not sure how your two WAN trunks are routed to your bridge interface.

But, if a 2-port ethernet switch would work, so should a 2-interface linux bridge.

Lonnie

> On Feb 2, 2022, at 3:33 PM, Michael Knill wrote:
>
> Hi Group
>
> I have set up two ports on my Astlinux box into a bridge and allocated to the WAN interface. These ports are connected behind a primary and failover Watchguard firewall as a DMZ interface. The LAN interface connects to the Voice VLAN making this system a VPN router only for about 70 phones.
>
> Just wanting to know if anyone can see any issues with this architecture as I haven’t used bridge interfaces before.
> It just seems better than sticking a switch in between creating another single point of failure.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] WAN Bridge interface
Hi Group

I have set up two ports on my Astlinux box into a bridge and allocated to the WAN interface. These ports are connected behind a primary and failover Watchguard firewall as a DMZ interface. The LAN interface connects to the Voice VLAN making this system a VPN router only for about 70 phones.

Just wanting to know if anyone can see any issues with this architecture as I haven’t used bridge interfaces before.
It just seems better than sticking a switch in between creating another single point of failure.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Moving to Asterisk 16 from 13 guidance
These are the best resources:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+14
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+15
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+16

Significant changes that I see:
* The 'Macro' dialplan application has been deprecated and is no longer built by default
* The Command action now sends the output from the CLI command as a series of Output headers for each line instead of as a block of text with the --END COMMAND-- delimiter to match the output from other actions.

Regards
Michael Knill

From: AstLinux List
Reply to: AstLinux List
Date: Friday, 21 January 2022 at 10:58 am
To: AstLinux List
Cc: Ionel Chila
Subject: [Astlinux-users] Moving to Asterisk 16 from 13 guidance

Any guidance / faq, formal or informal for moving from Asterisk 13 to 16?

I run a very small home setup with 3 SIP providers and about 20 clients. My sip.conf and extensions.conf is not that complex :)

Do I need to put in another image? Would it preserve my current configuration?

I appreciate any guidance. As always great community and great work with Astlinux team.

Cheers

|
| A | Release: astlinux-1.4.4 - Asterisk 13.38.3
| s | Host Name: HOME-PBX.entouch.net
| t | Last Boot: 2022-01-20 12:21
| L | Linux: 4.19.208-astlinux x86_64
| i | CPU: Intel Atom D2550 (4x) @ 1866 MHz
| n | RAM: 3933 MB
| u | Board Type: genx86_64
| x |Hardware: Generic x86_64
|
HOME-PBX ~ #
Re: [Astlinux-users] Updated Vultr - Cloud Hosted Guest VM Documentation
Thanks Lonnie for updating this.
Yes I love Vultr and always use the firewall. PS Linode has a firewall now too.
I don't use Vultr for any customer or high available systems though as they have had some network issues in the past here. But it's great for Lab systems, jump servers, Unifi Controller etc.

Regards
Michael Knill

On 28/12/21, 9:39 pm, "Michael Keuter" wrote:

> On 27.12.2021 at 22:07, Lonnie Abelbeck wrote:
>
> Hi,
>
> Updated Vultr - Cloud Hosted Guest VM Documentation
>
> There have been some cosmetic changes in the Vultr setup process, so the documentation now reflects those changes.
>
> More significantly, a Vultr "Firewall Group" is described to disallow network traffic during VM Setup, and then disable the Vultr Firewall after the AstLinux Firewall is enabled. A couple extra steps, but adds peace of mind, and the "Firewall Group" can be reused for new instances.
>
> Vultr KVM
> https://doc.astlinux-project.org/userdoc:hosted_guest_vm_vultr
>
> Please report any typos or confusing text.
>
> Lonnie

Hi Lonnie,

nice update! The added Firewall is a useful feature during the installation.

Michael

http://www.mksolutions.info
Re: [Astlinux-users] Moving to Asterisk 16
Ok thanks Lonnie. Already disabled pre SE

Regards
Michael Knill

On 19/12/21, 12:41 pm, "Lonnie Abelbeck" wrote:

Hi Michael,

> Are we looking at an Asterisk 16SE version at some stage?

Not in 2022, we plan to be supporting ast13se, ast16 and ast18

You will need to manage your modules.conf to disable pjsip in ast16 ... or build a custom image with ast16 and --without-pjproject.

Lonnie

> On Dec 18, 2021, at 6:59 PM, Michael Knill wrote:
>
> Thanks all. Looks like I'm going to 1.4.4 with Asterisk 16 then.
> Are we looking at an Asterisk 16SE version at some stage?
>
> Regards
> Michael Knill
>
> On 19/12/21, 11:57 am, "Michael Knill" wrote:
>
> Thanks Michael. I'm already using res_parking.conf so that's all good.
>
> Regards
> Michael Knill
>
> On 18/12/21, 9:33 pm, "Michael Keuter" wrote:
>
>> On 18.12.2021 at 02:04, Michael Knill wrote:
>>
>> Hi Group
>>
>> Wanting to get some dev work done over the Christmas break and am considering my options.
>> Certainly moving from Astlinux 1.3.10 to 1.4.4 but trying to decide whether I move to Asterisk 16 or not.
>> Has anyone had any issues? Are there any gotchas with the move? I can only see AMI changes for the Command action!
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>
> Hi Michael,
>
> I successfully migrated all my AstLinux installations to Asterisk 16 in 2021 and had no issues so far.
> I just tweaked the "modules.conf" to not load the new stuff that I don't need.
>
> And the parking stuff is now in a new "res_parking.conf" file in Asterisk and has to be stripped from "features.conf".
>
> There are simple advices in the Asterisk error messages after the upgrade (e.g which new files could not be loaded => "/stat/etc/asterisk/").
>
> Michael
>
> http://www.mksolutions.info
Re: [Astlinux-users] Moving to Asterisk 16
Thanks all. Looks like I'm going to 1.4.4 with Asterisk 16 then.
Are we looking at an Asterisk 16SE version at some stage?

Regards
Michael Knill

On 19/12/21, 11:57 am, "Michael Knill" wrote:

Thanks Michael. I'm already using res_parking.conf so that's all good.

Regards
Michael Knill

On 18/12/21, 9:33 pm, "Michael Keuter" wrote:

> On 18.12.2021 at 02:04, Michael Knill wrote:
>
> Hi Group
>
> Wanting to get some dev work done over the Christmas break and am considering my options.
> Certainly moving from Astlinux 1.3.10 to 1.4.4 but trying to decide whether I move to Asterisk 16 or not.
> Has anyone had any issues? Are there any gotchas with the move? I can only see AMI changes for the Command action!
>
> Regards
>
> Michael Knill
> Managing Director

Hi Michael,

I successfully migrated all my AstLinux installations to Asterisk 16 in 2021 and had no issues so far.
I just tweaked the "modules.conf" to not load the new stuff that I don't need.

And the parking stuff is now in a new "res_parking.conf" file in Asterisk and has to be stripped from "features.conf".

There are simple advices in the Asterisk error messages after the upgrade (e.g which new files could not be loaded => "/stat/etc/asterisk/").

Michael

http://www.mksolutions.info
Re: [Astlinux-users] Moving to Asterisk 16
Thanks Michael. I'm already using res_parking.conf so that's all good.

Regards
Michael Knill

On 18/12/21, 9:33 pm, "Michael Keuter" wrote:

> On 18.12.2021 at 02:04, Michael Knill wrote:
>
> Hi Group
>
> Wanting to get some dev work done over the Christmas break and am considering my options.
> Certainly moving from Astlinux 1.3.10 to 1.4.4 but trying to decide whether I move to Asterisk 16 or not.
> Has anyone had any issues? Are there any gotchas with the move? I can only see AMI changes for the Command action!
>
> Regards
>
> Michael Knill
> Managing Director

Hi Michael,

I successfully migrated all my AstLinux installations to Asterisk 16 in 2021 and had no issues so far.
I just tweaked the "modules.conf" to not load the new stuff that I don't need.

And the parking stuff is now in a new "res_parking.conf" file in Asterisk and has to be stripped from "features.conf".

There are simple advices in the Asterisk error messages after the upgrade (e.g which new files could not be loaded => "/stat/etc/asterisk/").

Michael

http://www.mksolutions.info
Re: [Astlinux-users] Moving to Asterisk 16
Forgot to mention that I am currently on 13.

Regards
Michael Knill

From: Michael Knill
Reply to: AstLinux List
Date: Saturday, 18 December 2021 at 12:19 pm
To: AstLinux List
Subject: [Astlinux-users] Moving to Asterisk 16

Hi Group

Wanting to get some dev work done over the Christmas break and am considering my options.
Certainly moving from Astlinux 1.3.10 to 1.4.4 but trying to decide whether I move to Asterisk 16 or not.
Has anyone had any issues? Are there any gotchas with the move? I can only see AMI changes for the Command action!

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] Moving to Asterisk 16
Hi Group

Wanting to get some dev work done over the Christmas break and am considering my options.
Certainly moving from Astlinux 1.3.10 to 1.4.4 but trying to decide whether I move to Asterisk 16 or not.
Has anyone had any issues? Are there any gotchas with the move? I can only see AMI changes for the Command action!

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Clone Astlinux SSD Hard Drive
I would be building a whole new system and just copy across the KD files.
That's the beauty of Astlinux.

Regards
Michael Knill

On 15/11/21, 10:16 am, "Ionel Chila via Astlinux-users" wrote:

I had this Astlinux box running for almost 12 years now. Rock SOLID and thanks to Astlinux. Thanks for all the good and hard work going into this.

I am thinking about switching the system to a Supermicro motherboard mini-itx to get the IPMI capabilities.

I could just plug in the same SSD drive, boot up and be done with it but I would love to upgrade the SSD as well.

That being said what is best way to clone the 2 SSD drives? DD or other method?

I have a lot of custom stuff so re-installing the astlinux fresh and transferring manually will be a pain. Cloning is the way to go.

Cheers and many thanks
Ionel Chila
Re: [Astlinux-users] New internet provider with IPoE
Ah I think I understand where the confusion is.
For DSL services here it's up to the customer to provide and configure the DSL modem. It's usually done via their ISP but can be reconfigured if necessary as we have done. So it's not really anything to do with the ISP.

I think a secondary address on the interface should work fine for this just not sure how to do it?

Regards
Michael Knill

On 11/11/21, 8:42 am, "Lonnie Abelbeck" wrote:

Probably a question for your ISP.

A single DHCP public address is all I would expect.

Lonnie

> On Nov 10, 2021, at 3:24 PM, Michael Knill wrote:
>
> Thanks Lonnie
>
> No my modem just bridges the IPoE to Astlinux and gives it a default gateway.
> The modem itself is on 172.30.254.2/24 and usually 172.30.254.1 is configured on eth0 with PPPoE as the WAN interface.
> This is now not configured on eth0 but it should be able to be added as a secondary address I assume?
>
> Regards
> Michael Knill
>
> On 11/11/21, 12:30 am, "Lonnie Abelbeck" wrote:
>
> Hi Michael,
>
> Are you saying the ISP is providing both DHCP and Static IPs for your public WAN address(es) using the same routed subnet?
>
> My business DOCSIS cable modem ISP provides either a DHCP or a Static IP public WAN address, but not both at the same time for the same interface. Basically because the DHCP addresses are routed in a different public subnet versus the Static addresses.
>
> On the other hand, if only DHCP is used for the public WAN address, then to admin your bridge modem using a static private address should work without any extra effort.
>
> Again in my example, the cable modem will accept HTTPS connections to 192.168.100.1, provided 192.168.100.1 is routed via the default route over the WAN path, the modem's web interface will appear. Though if you defined a local private 192.168.100.1/24 LAN network or block RFC1918 egress traffic, the modem's web interface will be blocked.
>
> Lonnie
>
>> On Nov 9, 2021, at 10:03 PM, Michael Knill wrote:
>>
>> We are now using a new internet provider that uses IPoE rather than PPPoE which is nice.
>> Just wondering if it's possible to have the WAN interface as both DHCP and also a secondary static IP Address to connect to the bridge modem.
>> I have this set up with PPPoE but as it's a separate interface it's easy to do.
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: michael.kn...@ipcsolutions.com.au
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
Re: [Astlinux-users] New internet provider with IPoE
Thanks Lonnie

No my modem just bridges the IPoE to Astlinux and gives it a default gateway.
The modem itself is on 172.30.254.2/24 and usually 172.30.254.1 is configured on eth0 with PPPoE as the WAN interface.
This is now not configured on eth0 but it should be able to be added as a secondary address I assume?

Regards
Michael Knill

On 11/11/21, 12:30 am, "Lonnie Abelbeck" wrote:

Hi Michael,

Are you saying the ISP is providing both DHCP and Static IPs for your public WAN address(es) using the same routed subnet?

My business DOCSIS cable modem ISP provides either a DHCP or a Static IP public WAN address, but not both at the same time for the same interface. Basically because the DHCP addresses are routed in a different public subnet versus the Static addresses.

On the other hand, if only DHCP is used for the public WAN address, then to admin your bridge modem using a static private address should work without any extra effort.

Again in my example, the cable modem will accept HTTPS connections to 192.168.100.1, provided 192.168.100.1 is routed via the default route over the WAN path, the modem's web interface will appear. Though if you defined a local private 192.168.100.1/24 LAN network or block RFC1918 egress traffic, the modem's web interface will be blocked.

Lonnie

> On Nov 9, 2021, at 10:03 PM, Michael Knill wrote:
>
> We are now using a new internet provider that uses IPoE rather than PPPoE which is nice.
> Just wondering if it's possible to have the WAN interface as both DHCP and also a secondary static IP Address to connect to the bridge modem.
> I have this set up with PPPoE but as it's a separate interface it's easy to do.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
[Astlinux-users] New internet provider with IPoE
We are now using a new internet provider that uses IPoE rather than PPPoE which is nice.
Just wondering if it's possible to have the WAN interface as both DHCP and also a secondary static IP Address to connect to the bridge modem.
I have this set up with PPPoE but as it's a separate interface it's easy to do.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
[Astlinux-users] Unbanning an Adaptive Ban IP Address
Hi Group

I think I have asked this before but I need an elegant solution for ‘Unbanning’ an IP Address rather than Whitelisting it or deleting the log file it is in.
For instance I have a likely dynamic home IP Address that I want to just remove from being banned but could be banned in the future.

I'm thinking I could replace all instances of the IP Address in the log with something like and then restart the firewall.
Would this work? Any other options?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360
P: +61 2 6140 4656
E: michael.kn...@ipcsolutions.com.au
W: ipcsolutions.com.au

Smarter Business Communications
Re: [Astlinux-users] Mikrotik Wireguard VPN Endpoint
Hi All

Responding to my post here. I can confirm that my Mikrotik hAPac3 has been running fine on 7.1b6 which I will be upgrading soon to 7.1rc4 in my home office.
It uses a Wireguard VPN to connect to a hosted Astlinux system for our office and it has been quite stable for months now.

We intend on using it for production systems moving forward and will be building a plug and play telephony gateway solution using these devices:
https://mikrotik.com/product/RB960PGS
https://mikrotik.com/product/crs112_8p_4s_in
https://mikrotik.com/product/crs328_24p_4s_rm

Not enough grunt to be a site router but fine to route voice traffic over a Wireguard tunnel. Just plug it in anywhere on the network and plug your phones in.
We now have full visibility inside the customers network which will allow us to better manage the solution.

Regards
Michael Knill

On 13/12/20, 1:26 am, "Lonnie Abelbeck" wrote:

Hi Michael,

Thanks for the info, keep us updated. Mikrotik WireGuard support is a great development.

Lonnie

> On Dec 11, 2020, at 11:08 PM, Michael Knill wrote:
>
> Hmm I would probably wait for a little while though as I have found a couple of annoying bugs ☹
>
> Regards
> Michael Knill
>
> From: Michael Knill
> Reply to: AstLinux List
> Date: Saturday, 12 December 2020 at 3:49 pm
> To: AstLinux List
> Subject: [Astlinux-users] Mikrotik Wireguard VPN Endpoint
>
> Thought I would let the group that I have been testing Wireguard on Mikrotik (supported 7.1beta3) to Astlinux.
> Working very well so far on a powerful and cost effective router out of the box.
>
> Regards
> Michael Knill
Re: [Astlinux-users] L2TP on Astlinux
Actually thinking I will use SSTP for VPN to the management and monitoring environment as it appears to be much better suited for the task.

Regards
Michael Knill

From: Michael Knill
Reply to: AstLinux List
Date: Tuesday, 28 September 2021 at 6:56 am
To: AstLinux List
Subject: Re: [Astlinux-users] L2TP on Astlinux

Hi thanks Christopher

Interesting you mention this as I am currently developing a solution whereby I'm going to put all my Astlinux systems in the cloud and connect remotely to it via Mikrotik switches in router mode, essentially creating a telephony gateway appliance.
These are the products I will be using:
https://mikrotik.com/product/crs112_8p_4s_in
https://mikrotik.com/product/crs328_24p_4s_rm
https://mikrotik.com/product/crs354_48p_4s_2q_rm

From the gateway, I will have a management VPN terminating into our management and monitoring environment (Unimus and Zabbix) and a VPN directly to the Astlinux VM.
I want to use Wireguard and I think 7.1b6 is getting very close to production ready and it has worked well for months in my home office.
If L2TP works well I may use this in the interim while testing Wireguard or maybe just to the management and monitoring environment.

I'm assuming you use Mikrotik CHR in the NOC?
Have you ever connected L2TP directly to an Astlinux system?

Thanks all.

Regards
Michael Knill

From: AstLinux List
Reply to: AstLinux List
Date: Monday, 27 September 2021 at 11:27 pm
To: AstLinux List
Cc: The Cadillac Kid
Subject: Re: [Astlinux-users] L2TP on Astlinux

for my remote workers I use a little Mikrotik POE router, establishes an L2TP tunnel to a Mikrotik in my NOC which then talks to my Asterisk Server.. phones work perfectly in this manner and voice is encrypted, no SIP ports open to the public side.. handles NAT situations in people's homes pretty well (as long as they don't have junk like EERO)

On Monday, September 27, 2021, 06:15:23 AM EDT, Michael Keuter wrote:

> On 27.09.2021 at 10:37, Michael Knill wrote:
>
> Hi Group
>
> Forgive my lack of VPN knowledge here. V85 of Yealink phones supports L2TP.
> Could this be supported on Astlinux?
> It looks like it would be easier to set up on the phone than OpenVPN.
>
> Regards
>
> Michael Knill

Hi Michael,

I looked at it last year, when V85 was released.
The Yealink L2TP implementation doesn't even support a static PSK.
Only username/password.

Michael

http://www.mksolutions.info
Re: [Astlinux-users] L2TP on Astlinux
Hi thanks Christopher

Interesting you mention this as I am currently developing a solution whereby I'm going to put all my Astlinux systems in the cloud and connect remotely to it via Mikrotik switches in router mode, essentially creating a telephony gateway appliance.
These are the products I will be using:
https://mikrotik.com/product/crs112_8p_4s_in
https://mikrotik.com/product/crs328_24p_4s_rm
https://mikrotik.com/product/crs354_48p_4s_2q_rm

From the gateway, I will have a management VPN terminating into our management and monitoring environment (Unimus and Zabbix) and a VPN directly to the Astlinux VM.
I want to use Wireguard and I think 7.1b6 is getting very close to production ready and it has worked well for months in my home office.
If L2TP works well I may use this in the interim while testing Wireguard or maybe just to the management and monitoring environment.

I'm assuming you use Mikrotik CHR in the NOC?
Have you ever connected L2TP directly to an Astlinux system?

Thanks all.

Regards
Michael Knill

From: AstLinux List
Reply to: AstLinux List
Date: Monday, 27 September 2021 at 11:27 pm
To: AstLinux List
Cc: The Cadillac Kid
Subject: Re: [Astlinux-users] L2TP on Astlinux

for my remote workers I use a little Mikrotik POE router, establishes an L2TP tunnel to a Mikrotik in my NOC which then talks to my Asterisk Server.. phones work perfectly in this manner and voice is encrypted, no SIP ports open to the public side.. handles NAT situations in people's homes pretty well (as long as they don't have junk like EERO)

On Monday, September 27, 2021, 06:15:23 AM EDT, Michael Keuter wrote:

> On 27.09.2021 at 10:37, Michael Knill wrote:
>
> Hi Group
>
> Forgive my lack of VPN knowledge here. V85 of Yealink phones supports L2TP.
> Could this be supported on Astlinux?
> It looks like it would be easier to set up on the phone than OpenVPN.
>
> Regards
>
> Michael Knill

Hi Michael,

I looked at it last year, when V85 was released.
The Yealink L2TP implementation doesn't even support a static PSK.
Only username/password.

Michael

http://www.mksolutions.info
[Astlinux-users] L2TP on Astlinux
Hi Group

Forgive my lack of VPN knowledge here. V85 of Yealink phones supports L2TP.
Could this be supported on Astlinux?
It looks like it would be easier to set up on the phone than OpenVPN.

Regards

Michael Knill
Managing Director
Re: [Astlinux-users] Large number of Firewall entries
Thanks Lonnie

May even add this to my standard build.

Regards
Michael Knill

On 27/9/21, 10:54 am, "Lonnie Abelbeck" wrote:

Michael,

The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so parsing sip.conf using 'sed' or such should be reasonably straightforward.

BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset (ex. udp_sip_hosts), you can very efficiently match all of them with only one rule:
--
iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
--
That would allow you to rebuild only the "udp_sip_hosts" ipset when the sip.conf got changed, without rebuilding the firewall. Though requires some 'ipset' command knowledge, though not complex at all.

Example 'ipset' usage in AstLinux:
https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275

If you only use IPv4 a lot of the example can be simplified.

Lonnie

> On Sep 26, 2021, at 7:17 PM, Michael Knill wrote:
>
> Thanks Lonnie.
>
> Actually now that I think about it, is there any reason why the custom rule could not parse sip.conf for host= and open up all Public IP's?
> It would mean that you would need to restart the firewall every time you modified sip.conf but I'm sure we could build this into our portal very simply.
>
> Regards
> Michael Knill
>
> On 27/9/21, 9:47 am, "Lonnie Abelbeck" wrote:
>
> Hi Michael,
>
> With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these.
>
> Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT
>
> Without testing, something like ...
> --
> pass_ext_local()
> {
>   local proto="$1" host="$2" port="$3"
>
>   echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
>   iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
> }
> ## uncomment to enable ##
> #pass_ext_local udp 1.2.3.4 5060
> #pass_ext_local tcp 1.2.3.0/24 5061
> --
>
> If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs. Generic shell scripting.
>
> Again untested ...
> --
> pass_ext_local_udp_sip()
> {
>   local host proto="udp" port="5060" IFS
>   local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"
>
>   echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
>   unset IFS
>   for host in $sip_hosts; do
>     iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
>   done
> }
> pass_ext_local_udp_sip
> --
>
> Alternatively, you could define the sip_hosts variable with a file if desired.
>
> Lonnie
>
>> On Sep 26, 2021, at 5:32 PM, Michael Knill wrote:
>>
>> Hi Group
>>
>> I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites.
>> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
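The ipset approach suggested in this thread, combined with parsing sip.conf for host= entries, could look like the sketch below. It is an added example, not code from the thread or from AstLinux: the function names, the `_tmp` set name and the sample sip.conf are assumptions, and the output is meant to be piped into `ipset -exist restore`.

```shell
#!/bin/sh
# Added example (not AstLinux code): rebuild the "udp_sip_hosts" ipset from
# sip.conf host= entries. Function names and the "_tmp" set are assumptions.

SIP_SET="udp_sip_hosts"

# Constructed sample sip.conf (documentation-range addresses), for offline runs.
sample_sip_conf()
{
  cat <<'EOF'
[general]
bindport=5060
[site-a]
type=peer
host=203.0.113.10        ; static public peer
[site-b]
host = 198.51.100.7
[phone-101]
host=dynamic
[trunk]
host=sip.example.com
[lan-pbx]
host=192.168.1.20
[typo]
host=203.0.113.999
[site-a-second-line]
host=203.0.113.10
;host=192.0.2.55
EOF
}

# Print the unique public IPv4 addresses from host= lines (file in $1, or stdin).
# host=dynamic, hostnames, bad octets and private/loopback/link-local/multicast
# addresses are dropped, so a sip.conf typo cannot widen the firewall.
sip_conf_hosts()
{
  awk '
    { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and whitespace
    /^host=/ {
      ip = substr($0, 6)
      if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      split(ip, o, ".")
      for (i = 1; i <= 4; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) next
      a = o[1] + 0; b = o[2] + 0
      if (a == 0 || a == 10 || a == 127 || a >= 224) next
      if (a == 172 && b >= 16 && b <= 31) next
      if ((a == 192 && b == 168) || (a == 169 && b == 254)) next
      if (!(ip in seen)) { seen[ip] = 1; print ip }
    }
  ' "${1:--}"
}

# Emit "ipset restore" input: fill a temporary set, then swap it in, so the
# live set is replaced in one step and is never half-built.
sip_ipset_restore_script()
{
  echo "create $SIP_SET hash:ip family inet"
  echo "create ${SIP_SET}_tmp hash:ip family inet"
  echo "flush ${SIP_SET}_tmp"
  sip_conf_hosts "${1:-}" | while read -r ip; do
    echo "add ${SIP_SET}_tmp $ip"
  done
  echo "swap ${SIP_SET}_tmp $SIP_SET"
  echo "destroy ${SIP_SET}_tmp"
}

# On the firewall host (root), with the sip.conf path as argument:
#   sh this-script /path/to/sip.conf | ipset -exist restore
# The single rule from the thread then matches the set:
#   iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
if [ -n "${1:-}" ]; then
  sip_ipset_restore_script "$1"
fi
```

Because only the set contents change, the iptables rule is installed once and the firewall does not need a restart when sip.conf is edited.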
Re: [Astlinux-users] Large number of Firewall entries
Thanks Lonnie.

Actually now that I think about it, is there any reason why the custom rule could not parse sip.conf for host= and open up all Public IP's?
It would mean that you would need to restart the firewall every time you modified sip.conf but I'm sure we could build this into our portal very simply.

Regards
Michael Knill

On 27/9/21, 9:47 am, "Lonnie Abelbeck" wrote:

Hi Michael,

With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these.

Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT

Without testing, something like ...
--
pass_ext_local()
{
  local proto="$1" host="$2" port="$3"

  echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
  iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
}
## uncomment to enable ##
#pass_ext_local udp 1.2.3.4 5060
#pass_ext_local tcp 1.2.3.0/24 5061
--

If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs. Generic shell scripting.

Again untested ...
--
pass_ext_local_udp_sip()
{
  local host proto="udp" port="5060" IFS
  local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"

  echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
  unset IFS
  for host in $sip_hosts; do
    iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
  done
}
pass_ext_local_udp_sip
--

Alternatively, you could define the sip_hosts variable with a file if desired.

Lonnie

> On Sep 26, 2021, at 5:32 PM, Michael Knill wrote:
>
> Hi Group
>
> I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites.
> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?
>
> Regards
>
> Michael Knill
> Managing Director
[Astlinux-users] Large number of Firewall entries
Hi Group

I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites.
Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?

Regards

Michael Knill
Managing Director
Re: [Astlinux-users] Wireguard limits
Thanks David

We built a Wireguard Peers Tab which makes this easier. Managing IP’s is certainly a little tricky but we will be adding more tools later to make this easier.

Regards
Michael Knill

From: David Kerr
Reply to: AstLinux List
Date: Tuesday, 7 September 2021 at 11:37 pm
To: AstLinux List
Subject: Re: [Astlinux-users] Wireguard limits

Hi Michael,

This is probably best asked over in the wireguard list. There are several commercial VPN providers that are supporting wireguard so I assume that it can handle a high volume of connections... it is likely dependent on the CPU/Memory available at the server side.

The challenge with wireguard for a large deployment is managing all the connection secrets and IP addresses -- there is no built-in provision for e.g. dynamic IP address assignment. I've not looked into this at all so there could be tools available to manage that. But once you get into 100's of end points managing this manually could become burdensome.

David

On Mon, Sep 6, 2021 at 6:54 PM Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:

Hi Group

Just wondering what you would consider is the maximum number of clients for a Wireguard interface that you would feel comfortable with assuming you have enough resources to support the traffic?
I'm looking at connecting up to 400 remote peers.

Regards

Michael Knill
Managing Director
Re: [Astlinux-users] Wireguard limits
Thanks Lonnie.

Yep I suspected it wouldn't be an issue but certainly interesting info. Seems like it's pretty much based on resource usage which we are continually monitoring.
The traffic over the VPN's is very low as it's voice only. I have plenty of RAM available so no problems there.

Regards
Michael Knill

On 8/9/21, 12:27 am, "Lonnie Abelbeck" wrote:

Hi Michael,

Good question ... I did a little research.

Two things come to mind, the WireGuard CPU usage per traffic and RAM usage per peer.

WireGuard CPU usage per traffic:
---
WireGuard uses the ChaCha20 stream cypher, while very fast just in software, it can take advantage of common CPU features (in order of performance) [1]
--
CPU flags: ssse3 avx2 avx512f avx512vl
--

As a test I would suggest using 'iperf3' across a WireGuard tunnel and using 'htop' to monitor the total CPU usage across all cores. Granted not all the CPU usage will be WireGuard, but it gives you a feel for the overall performance.

Example: Linode VM
1GB RAM
1-core of AMD EPYC 7601 32-Core Processor @ 2200 MHz
CPU flags: ssse3 avx2
WireGuard: iperf3 approx. 10% CPU usage for 100 Mbps traffic

BTW, If you can subtract the iperf3 CPU usage from above you would get an even better answer.

Example: Bare metal
4GB RAM
4-core Intel Core i3-6100U @ 2300 MHz
CPU flags: ssse3 avx2
WireGuard: 6% CPU usage for 100 Mbps traffic

WireGuard RAM usage per peer:
In February of 2021, Jason Donenfeld (WireGuard author) made a change "queueing: get rid of per-peer ring buffers". [2]

Quoting Jason:
"Having two ring buffers per-peer means that every peer results in two massive ring allocations. On an 8-core x86_64 machine, this commit reduces the per-peer allocation from 18,688 bytes to 1,856 bytes, which is an 90% reduction. Ninety percent! With some single-machine deployments approaching 500,000 peers, we're talking about a reduction from 7 gigs of memory down to 700 megs of memory."

BTW, this RAM peer reduction was included in WireGuard 1.0.20210219 and AstLinux 1.4.2.

So 400 peers is very small by comparison, and even with AstLinux 1.4.1 and older, 400 peers uses 7.5 MB RAM (750 KB with latest) which should not be an issue in either case.

Lonnie

[1] https://git.zx2c4.com/wireguard-linux-compat/tree/src/crypto/zinc/chacha20/chacha20-x86_64.pl?id=635aa0b75f54eddbcb29fda282d05db4b66f803c

[2] https://git.zx2c4.com/wireguard-linux-compat/commit/?id=635aa0b75f54eddbcb29fda282d05db4b66f803c

> On Sep 6, 2021, at 5:53 PM, Michael Knill wrote:
>
> Hi Group
>
> Just wondering what you would consider is the maximum number of clients for a Wireguard interface that you would feel comfortable with assuming you have enough resources to support the traffic?
> I'm looking at connecting up to 400 remote peers.
>
> Regards
>
> Michael Knill
> Managing Director
[Astlinux-users] Wireguard limits
Hi Group

Just wondering what you would consider is the maximum number of clients for a Wireguard interface that you would feel comfortable with assuming you have enough resources to support the traffic?
I'm looking at connecting up to 400 remote peers.

Regards

Michael Knill
Managing Director
Re: [Astlinux-users] Wireguard Mobile Client
Thanks Lonnie

No that cannot happen as the softswitch only connects to a single Astlinux peer IP address e.g. Peer 1 - 10.4.1.1/32, Peer 2 - 10.4.1.2/32
All the Astlinux peers would have the same locally significant range 10.4.0.1-254.
All calls to the softswitch from a remote peer are terminated by Asterisk with no direct media.

Looks like this is what I will do then. Nice! Thanks again.

Regards
Michael Knill

On 6/9/21, 8:11 am, "Lonnie Abelbeck" wrote:

That should work, be a CIDR ninja. :-)

Though if you want your "softswitch" to route to a remote Mobile Client, /23's all around might be needed.

Lonnie

> On Sep 5, 2021, at 4:47 PM, Michael Knill wrote:
>
> Thanks Lonnie
>
> So what I am thinking is that I will use a /23 on the remote system but continue to use /24 for my softswitch on the higher subnet. This will give a total of 250 VPN connections to the Softswitch.
> Each remote system will then have the lower subnet for local connectivity only for mobile peers and remote peers.
>
> So for your example below, the softswitch will be on 10.4.1.254/24 for instance and the remote peer will be on 10.4.1.1-250 but will be configured as a /23 so it has all 10.4.0.x for local connections.
>
> What do you think?
>
> Regards
> Michael Knill
>
> On 4/9/21, 12:35 pm, "Lonnie Abelbeck" wrote:
>
> Hi Michael,
>
> As per the docs, the range of .101 to .199 is reserved for mobile clients.
> --
> Note -> Mobile Clients are automatically assigned a unique IP address in the range of .101 to .199 for the last octet (example here: 10.4.0.101 to 10.4.0.199). Best practice is to refrain from using IP's in this range for both this tunnel's “IPv4 Address” (above) and Remote Peer's IP address so both configuration types can coexist. Similarly for IPv6 the Mobile Client reserved range is …:0101 to …:0199.
> --
> When a new Mobile Client is added, it will only check other mobile clients for uniqueness, not manually added remote peers.
>
> Alternatively, if you need more than ~150 manually added remote peers, it should be possible to use a /23 (255.255.254.0) IPv4 NetMask.
>
> Using: netcalc 10.4.0.1/23
> --
> HostMin : 10.4.0.1 1010.0100.000 0.0001
> HostMax : 10.4.1.254 1010.0100.000 1.1110
> --
> Here the reserved mobile client range is still 10.4.0.101 to 10.4.0.199
>
> You have the previous ~150 manually added remote peer range plus a ~250 10.4.1.x range.
>
> This /23 subnet should work for the WireGuard -> Tunnel Options: -> IPv4 NetMask: 255.255.254.0
>
> but I have not tested it much. Would that work for you?
>
> Lonnie
>
>> On Sep 3, 2021, at 7:46 PM, Michael Knill wrote:
>>
>> Hi Group
>>
>> Is there any reason that I could not use the .101 to .199 subnet addresses for Remote Peers? If I do add a mobile peer will it check Remote Peers when allocating an IP address or would I need to manually check there are no duplicates?
>> As I am moving to cloud hosting most of my systems now with direct mobile connectivity, I don't need to use mobile peers but I do need the address space.
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
Re: [Astlinux-users] Wireguard Mobile Client
Thanks Lonnie

So what I am thinking is that I will use a /23 on the remote system but continue to use /24 for my softswitch on the higher subnet. This will give a total of 250 VPN connections to the Softswitch.
Each remote system will then have the lower subnet for local connectivity only for mobile peers and remote peers.

So for your example below, the softswitch will be on 10.4.1.254/24 for instance and the remote peer will be on 10.4.1.1-250 but will be configured as a /23 so it has all 10.4.0.x for local connections.

What do you think?

Regards
Michael Knill

On 4/9/21, 12:35 pm, "Lonnie Abelbeck" wrote:

Hi Michael,

As per the docs, the range of .101 to .199 is reserved for mobile clients.
--
Note -> Mobile Clients are automatically assigned a unique IP address in the range of .101 to .199 for the last octet (example here: 10.4.0.101 to 10.4.0.199). Best practice is to refrain from using IP's in this range for both this tunnel's “IPv4 Address” (above) and Remote Peer's IP address so both configuration types can coexist. Similarly for IPv6 the Mobile Client reserved range is …:0101 to …:0199.
--
When a new Mobile Client is added, it will only check other mobile clients for uniqueness, not manually added remote peers.

Alternatively, if you need more than ~150 manually added remote peers, it should be possible to use a /23 (255.255.254.0) IPv4 NetMask.

Using: netcalc 10.4.0.1/23
--
HostMin : 10.4.0.1 1010.0100.000 0.0001
HostMax : 10.4.1.254 1010.0100.000 1.1110
--
Here the reserved mobile client range is still 10.4.0.101 to 10.4.0.199

You have the previous ~150 manually added remote peer range plus a ~250 10.4.1.x range.

This /23 subnet should work for the WireGuard -> Tunnel Options: -> IPv4 NetMask: 255.255.254.0

but I have not tested it much. Would that work for you?

Lonnie

> On Sep 3, 2021, at 7:46 PM, Michael Knill wrote:
>
> Hi Group
>
> Is there any reason that I could not use the .101 to .199 subnet addresses for Remote Peers? If I do add a mobile peer will it check Remote Peers when allocating an IP address or would I need to manually check there are no duplicates?
> As I am moving to cloud hosting most of my systems now with direct mobile connectivity, I don't need to use mobile peers but I do need the address space.
>
> Regards
>
> Michael Knill
> Managing Director
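Since new Mobile Clients are only checked against other Mobile Clients, a manually maintained remote-peer list can be audited before it is applied. The sketch below is an added example, not AstLinux code: it reads peers in WireGuard's standard `[Peer]` / `AllowedIPs` config syntax, and the function name, the report keywords, the placeholder keys and the assumption that the tunnel's own address sits in the lower /24 of the /23 are all mine.

```shell
#!/bin/sh
# Added example (not AstLinux code): audit manually added remote-peer /32s
# against the address plan from this thread. Names and keys are assumptions.

# Constructed peer list; keys are placeholders, not real WireGuard keys.
sample_wg_peers()
{
  cat <<'EOF'
[Interface]
Address = 10.4.0.1/23
[Peer]
PublicKey = PEER_A_KEY
AllowedIPs = 10.4.1.1/32
[Peer]
PublicKey = PEER_B_KEY
AllowedIPs = 10.4.0.150/32, 192.168.20.0/24
[Peer]
PublicKey = PEER_C_KEY
AllowedIPs = 10.4.1.1/32
[Peer]
PublicKey = PEER_D_KEY
AllowedIPs = 10.4.2.9/32
EOF
}

# Usage: wg_peer_ip_audit NETWORK PREFIXLEN < peers.conf
# Reports, one finding per line:
#   RESERVED  ip key       /32 inside the Mobile Client range (.101 to .199)
#   DUPLICATE ip key1 key2 same /32 given to two peers
#   OUTSIDE   ip key       /32 not inside the tunnel subnet
# Routed subnets in AllowedIPs (anything that is not a /32) are ignored.
wg_peer_ip_audit()
{
  awk -v base="$1" -v plen="$2" '
    function ipnum(s,   o) {
      split(s, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { size = 2 ^ (32 - plen); net = int(ipnum(base) / size) }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }    # strip comments and whitespace
    /^\[Peer\]/   { key = "?"; next }
    /^PublicKey=/ { key = substr($0, 11); next }
    /^AllowedIPs=/ {
      n = split(substr($0, 12), ips, ",")
      for (i = 1; i <= n; i++) {
        if (ips[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/32$/) continue
        ip = ips[i]; sub(/\/32$/, "", ip)
        num = ipnum(ip)
        off = num - net * size                 # host offset inside the subnet
        if (int(num / size) != net)        print "OUTSIDE " ip " " key
        else if (off >= 101 && off <= 199) print "RESERVED " ip " " key
        if (ip in owner) print "DUPLICATE " ip " " owner[ip] " " key
        else owner[ip] = key
      }
    }
  '
}

# Run against a file when one is given:  sh this-script peers.conf
if [ -n "${1:-}" ]; then
  wg_peer_ip_audit 10.4.0.0 23 < "$1"
fi
```

The duplicate check matters because WireGuard assigns an allowed IP to one peer only, so a repeated /32 silently moves traffic to whichever peer was configured last.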
[Astlinux-users] Wireguard Mobile Client
Hi Group

Is there any reason that I could not use the .101 to .199 subnet addresses for Remote Peers? If I do add a mobile peer will it check Remote Peers when allocating an IP address or would I need to manually check there are no duplicates?
As I am moving to cloud hosting most of my systems now with direct mobile connectivity, I don't need to use mobile peers but I do need the address space.

Regards

Michael Knill
Managing Director
Re: [Astlinux-users] Maximum memory usage
Thanks Lonnie. 1G it will be

Regards
Michael Knill

On 23/8/21, 8:11 am, "Lonnie Abelbeck" wrote:

Hi Michael,

Without FOP and no LXC containers, 1.0G RAM should be safe and not a worry.

You could go lower, but you would have to monitor things more closely.

Lonnie

> On Aug 22, 2021, at 3:45 PM, Michael Knill wrote:
>
> Hi Group
>
> I'm using VMware vCloud with one of my providers and have set up a Virtual Data Centre. I'm looking to set up a few Astlinux systems in this environment.
> Although you can overcommit on CPU, you cannot on RAM and as this is fairly expensive, I'm wanting to go as low as I am comfortable on each Astlinux system.
>
> Just wondering what the maximum RAM usage you should ever see on an Astlinux system assuming no FOP is running? I have currently made it 1.5G but I think I can go lower than this.
>
> Regards
>
> Michael Knill
> Managing Director
[Astlinux-users] Maximum memory usage
Hi Group

I'm using VMware vCloud with one of my providers and have set up a Virtual Data Centre. I'm looking to set up a few Astlinux systems in this environment.
Although you can overcommit on CPU, you cannot on RAM and as this is fairly expensive, I'm wanting to go as low as I am comfortable on each Astlinux system.

Just wondering what the maximum RAM usage you should ever see on an Astlinux system assuming no FOP is running? I have currently made it 1.5G but I think I can go lower than this.

Regards

Michael Knill
Managing Director