On Wed, 2011-04-27 at 10:16 -0700, Myles Wakeham wrote:
Well there is one 'optimization' that I need to sort out. There seems
to be some latency between the Asterisk server (and the SIP Phones) and
callers. Depending on the caller's network (ie. POTS, Cell phone, other
Voip, etc.) we find about 30% of the time that there is a small delay
(about 1/2 a second) between us talking and the caller hearing it, which
makes it sound like the caller is talking to an offshore company located
in South Asia. I have read numerous posts, discussions, etc. about this
sort of thing and it seems that it has something to do with our
Firewall, QoS, etc. and I'm entertaining moving the entire Asterisk
server outside of our Firewall, and connecting the SIP phones to it on
an entirely separate sub-net with a dedicated NAT router.
1/2 second latency i dough it could be attributed to a firewall/qos,
unless your Internet connection is saturated with p2p or some other high
volume traffic (movie/radio streaming) or your firewall is running on
some slow machine with too many rules for packet inspection etc.
If that's the case moving asterisk to public ip wan't fix it.
As a first indication you could add a qualify=yes in all your sip
peers to see how long it takes them to talk to asterisk.
It kinda scares me though. I know that SIP is an attractive
attack-vector, and that there are scripts out there that target SIP
devices. I know I could run Fail2Ban on the server, which is fine
(we're doing that anyway now), but before I go down this path, I wanted
to get general feedback if we are using our Asterisk system using 'best
practices' or whether it should never be sitting behind a Firewall,
despite the fact that it is working pretty close to perfect as it is
right now. I just want to find a way to reduce the latency.
Does anyone have any thoughts about this?
90% of the problems i see with asterisk security has to do with bad
configuration, bad dialplans and bad security policies (weak
passwords,no monitoring) etc.
The other 10% can be protocol or asterisk security issues but usually
these get fixed before script-kiddies get a chance to use them.
In your case since all your sip traffic would be coming from a single IP
address (of your provider) things are a bit easier to setup.
IMHO try to avoid as much as you can exposing asterisk to a public
ip/network and use it as a last resort method if everything else fails.
Stelios
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users