Forum Replies Created

Viewing 15 posts - 1 through 15 (of 16 total)
  • Author
  • in reply to: Asterisk goes offline when connected to ZS #51383


    Unresolved fluctuating call quality, between WAN and PBX (as attendant is choppy). Periods range from clear to severe(scratches, burps, hisses, hiccups, dropouts, and occasional disconnects).

    WAN – same on Rogers cable, and Bell DSL
    Router – same on Zeroshell, ZyWallUWG, DLink x 2, .. same (or better) no rules vs. rules for PBX
    PBX – same on new hardware and software load, same (or better) no NAT settings (interestingly, calls seemed crystal clear right after set NAT:never/IP:public, but it didn’t last)

    Router – default supposed to work but, rule (currently off) allow 5060u(or range) doesn’t seem to affect
    Asterisk – default supposed to work but:
    – Asterisk sip_custom.conf>public, private IPs (uncomment)
    – Asterisk FreePBX>SIP Settings Module(competes with .conf above)>NAT:yes, no, never, route | IP:Public, Static, Dynamic (supposed public is no NAT, static is NAT)
    – Asterisk trunk or other relevant settings? Again, default supposed to work so I doubt it.

    Provider – try another for calls in/out, provider can do a trace, maybe I can with wireshark
    WAN – maybe getting hammered by spammers/hackers based on location, will ask ISP and/or attempt to log or monitor
    – White/Black IP List for IPTables, I am going to implement this, though I don’t know f it’s part of the problem at the moment, better safe than sorry

    The issue seems to be routing WAN traffic, is there anything I am missing?
    I guess traces and monitoring would help…

    in reply to: Asterisk goes offline when connected to ZS #51377


    atheling, to be clear, do you consider an asterisk box behind a zeroshell router to be a viable professional solution for a small/medium office? To simply provide reliable call quality without reboots of the router and asterisk boxes? And in particular with zeroshell on the low power C3-533Mhz box I mentioned?

    I too have been considering the comparison to a simple hardware based router such as DLink, TP-LINK, Asus, etc (w/wo WRT/Tomato firmware) if it will provide the stability, lower operational cost and feature set, (VOIP/SIP, bonding/failover, MLPPP(tomato), (VPN), etc), and if this will resolve the linux routing/switching issue(s)?

    You mention monitoring/testing for issues. I will watch ping and loads, but is there a way to see any IP attacks? Do I have to enable some logging?

    I have two boxes and will put one down to just a 5060 VS and similar on the asterisk and report back. ~ thx!

    AussieWISP, I found instructions to enable SFTP in zeroshell on this forum, which will allow you to use WinSCP from your PC which will make file management (patches etc) easy.

    in reply to: Asterisk goes offline when connected to ZS #51370


    Hey AussieWISP – I hope I didn’t add to the confusion, and atheling will be able to clear us up.

    I’m not sure of the patch status but I read the same thing, and am still on b12 (not the vitamin).

    Asterisk in the downloads section is to install (barebones) asterisk right on your zeroshell box.

    My next question is the same as yours. If successful next is to bond/balance/failover my 2 connections, and it seems rules are put into the section to control the behavior?
    If that’s successful I’ll then try MLPPP(as our ISP does, and must support it) with 4 or 5 connections bonded.

    in reply to: Asterisk goes offline when connected to ZS #51368


    Hi Guys, if I could join in.. I was about to start a topic asking for voip/sip help, as there are so surprisingly few to reference, then I see this one just started. And, with no less than atheling responding, who seems the resident expert from all previous posts.

    atheling regarding your setup recommendations, I have:
    Setup: zeroshell, DSL modem, cable modem, (no pstn lines), switch, asterisk box, 10 PCs, 10 SIP phones, and up 6 occasional remote SIP phones.

    Script: [Pre boot]
    modprobe nf_nat_sip
    for file in /Database/custom/*
    cp $(file) /root/kerbynet.cgi/scripts/

    Virtual server:
    ppp0/any UDP 5000-5082
    ppp0/any UDP 10000-20000

    Firewall: Forward table needs a rule corresponding the VS rule correct?
    Accept UDP opt — in ppp0 out *> udp dpts:5000:5084
    Accept UDP opt — in ppp0 out *> Layer7 RTP udp dpts:10000:20000

    NAT yes, RTP reinvite no, no other SIP settings to speak of really…

    Occasional call quality/drops, moreso on the end of people calling in.
    Quality degrades and seems daily reboots help (usually just the asterisk box).

    First, I’ve had horrible call quality for the last few days, and restarted the asterisk box several times which changed nothing. So I rebooted zeroshell and it’s all clear again. Any ideas why this could be? Anything in zeroshell I can check, or setup to monitor? I’d at least like to determine if it is a hardware, software, or configuration related.

    As the system is all voip (no pstn/pri), my primary concern is the voip provider sip trunk connection(5060,10000-20000). Does your setup cover this as well as the occasional remote phones?

    So should I erase the RTP rules, and make SIP only 5060 (or is it 1 port per remote phone or something)? Could these extra open ports cause a problem or just less secure?


    If I can’t figure this out, I’m going to get a DLink WBR-2310 router (because they are supposed to work perfectly for SIP) and separate the voice LAN, then consider trying zeroshell on different (atom?) hardware in the future. I can’t find the link but it’s currently running on a small Lite-ON ‘Book PC’ VIA C3 533MHz 500ram 40hdd, but maybe that’s not enough, or there is an incompatibility.

    ** As an aside, I believe the moderators should start a VOIP/SIP section in the forum index, as it’s a growing indispensable component.

    in reply to: OpenVPN client built into Grandstream GXV3140 #51354


    Can anyone help me find / generate these files?
    Want to connect my phone which has OpenVPN built in, to Zeroshell, and the interface requires these.

    CA.crt OpenVPN CA(CA.crt)
    *.crt Client Certificate
    *.key Client Key

    Thanks in advance for any assistance, it seems straightforward but I haven’t seen an example using all three and, while most example use the CA I’m not sure about the format because the phone asks for .crt (vs .pem etc that ZS generates), maybe I just rename it? If so, where do the other 2 come from?

    in reply to: limit WAN traffic from IP? #51008


    I can’t get that rule to work, but it works to have a port forwarding rule which directs the wan port to the lan IP, and then a forward rule to allow only the traffic from the source IP we want.

    But this method does not seem to work for to open 5000-5082udp for SIP and 10000-20000udp for RTP for the pbx (minus the source IP needs to be open to all).

    Another method I want to try is 1:1 NAT. I have two WAN connections one with 5 static IPs and one with 1 static IPs. I’m just not sure of all the in’s and out’s with having the two connections working at the same time.

    in reply to: limit WAN traffic from IP? #51006


    I’ve been reading up, trying to get a little familiar with IPTables.
    Thank you for your rule ppalias, I haven’t switched to it yet, I have a few questions:
    1) What I had seems to be working,
    Virtual Server: ppp0, ANY, TCP, 25,443,,443
    FORWARD: ACCEPT tcp opt — in ppp0 out ETH01 #.their.IP.# -> tcp dpt:25
    do you see any problems or advantages to switching to the rule you mention?
    2) These rules seem to work for SMTP and http, but not SIP(UDP5000-5084) and RTP(UDP:10000-20000), any ideas? Something similar to your PREROUTING rule?
    3) If I enable the NAT and Virtual Servers script, it works in conjunction with, and doesn’t disable the Virtual Servers page, correct?
    4) In your rule, did you mean to use DNAT versus MASQUERADE?
    5) Is /usr/local/sbin/ required before iptables?


    If anyone happens to read this… seems I had two things wrong:

    1 – SETUP>HTTPS> I had added the WAN interface and a specific external IP to try to access ZS externally – DON’T do this, it doesn’t work, and it takes over entire the interface, 443 can no longer be used for anything else, hence we couldn’t access our exchange webmail.

    2 – Switched from Cable modem to DSL modem, but hadn’t switched rules from ETH02 to ppp0.

    in reply to: limit WAN traffic from IP? #51004


    Thx guys, I responded last night but seems my lovely iphone ate it..

    The mail filtering service works IP-IP only, so only they can hit our mail server as we’re in a busy area and were getting slammed.

    While testing VS/FW rules, TCP25 was open for 2 mins and got 2 spams. I added SourceIP (not in VS so need FW rules) and it seems to work.

    I’m still getting used to chains vs the typical single FW, so please enlighten me if there’s a more elegant solution:

    In (def:Drop) ppp0 Source:IP, Dest:TCP25
    Fwd (def:Drop) ppp0-eth01(LAN) Source:IP, Dest:TCP25
    Out (def:Allow)

    So, it seems:
    – ppp0 is used instead of ETH01
    – no rules are needed for ETH01(?)
    – if I happened to switch ETH01 back to a cable modem, I would then switch the rule from ppp0 back to ETH01.

    in reply to: limit WAN traffic from IP? #51001


    I have no interest in QOS for incoming mail so I have the rule(s) in firewall.
    I have the rule in both input and forward (output is just set to allow all). But, I’m not sure which combination of parts(int, sourceIP, destIP, port) should be where? I understand the fundamentals but I’m still wrapping my head around what to put in which chain.

    I have another question just trying to look up:
    eth0 is connected to my cable modem, simple.
    eth2 is connected to my dsl modem, no as simple because it also has another interface ppp0, which can be used in NAT, FW, etc.
    I’m not sure where I have to include ppp0 in a rule or two, or a bond or bridge to ensure it works simply like eth0?


    in reply to: limit WAN traffic from IP? #50999


    It’s full router mode.

    Is sounds like the Source IP field is the right one?
    And using a QOS rule works, or does it not matter where the rule is?


    yes, ppp0 is on eth2.
    yes, dns is the same as opendns is used.
    DNS is status ‘down’ and entirely blank except forwarders:
    ANY (Server:,
    *DNS, DHCP, AD, EXCH – Done by MS server (apparently it’s not entirely happy if it doesn’t control all these)

    We had to use another router until we figure out the setting not allowing mail or anything through the ports.
    Outgoing all works fine.
    Incoming DNS/IP fine, router responds fine (even to WAN pings – I’d like to turn that off), but blocks all traffic to ports.

    I’ll post the full config, doing screen shots now.

    in reply to: Firewall vs Virtual Server ? #50797


    Here’s my updated setup.

    VS (all Eth0-Any)
    UDP 5000-5100, 10000-20000, 10000-20000 (VOIP)
    TCP 1022, 1443 –, 443 (VOIP PBX SETUP)

    INPUT ACCEPT 1,2,3-ACCEPT Eth1 :22, 443, all, 6-DROP Eth0 all

    My confusion was, I wanted to enter the IP of our email provider service so only they can access our port 25, but I put it in VS – Interface IP, ~oops.
    So this should be in a firewall rule? Do I still use the VS rule?
    ie. Input 4-ACCEPT Eth0 source209.x.x.x:25 (email-spam service IP)

    Not sure if it’s a good idea, or will work, to limit port range to RTP?
    Input 5-ACCEPT Eth0 dest192.168.1.4:10000-20000 L7:RTP

    I would like to be able to enable web access to https GUIs on WAN ports other than 443. Will my 2nd VS rule work? Also, you indicated it would be different for the ZS, how is that done?


    in reply to: Changed HTTPS setting and now cannot access! #50786


    Right, sorry that’s what I meant: if you input .0 maybe a warning/auto adds /24 (and you can change to smaller subnet if you prefer) to prevent errors. Anyway, just a thought.

    in reply to: Firewall vs Virtual Server ? #50795


    I should have mentioned by setup, pretty typical:
    cable modem/staticIPs (eth0), ZS(router/FW), LAN

    Here is a summary of my VS rules:
    eth0/IP(RemoteServer OR MyStaticWAN?):TCP25 –
    eth0/ANY:UDP5060,10000-20000 –,10000-20000
    eth0/ANY:TCP444(random) – [web GUI]

    If the first IP address is my interface, not the server communicating with me, where can I put that (under firewall chain input)?

    What firewall rules are required beyond the default rules, I have:
    Input ACCEPT – default was no rules, I added
    – accept eth1:22, 80, 443 (I saw in a post to put this as a safeguard in case lock yourself out of ZS)
    – drop eth0 all
    Forward ACCEPT – default no rules, ‘accept all from all’ would be redundant because that is the default action correct?
    Output ACCEPT – same as above.

Viewing 15 posts - 1 through 15 (of 16 total)