Forum Replies Created
Unresolved fluctuating call quality, between WAN and PBX (as attendant is choppy). Periods range from clear to severe (scratches, burps, hisses, hiccups, dropouts, and occasional disconnects).
WAN – same on Rogers cable, and Bell DSL
Router – same on Zeroshell, ZyWallUWG, DLink x 2, .. same (or better) no rules vs. rules for PBX
PBX – same on new hardware and software load, same (or better) no NAT settings (interestingly, calls seemed crystal clear right after set NAT:never/IP:public, but it didn’t last)
Router – default supposed to work but, rule (currently off) allow 5060u(or range) doesn’t seem to affect
Asterisk – default supposed to work but:
– Asterisk sip_custom.conf>public, private IPs (uncomment)
– Asterisk FreePBX>SIP Settings Module(competes with .conf above)>NAT:yes, no, never, route | IP:Public, Static, Dynamic (supposed public is no NAT, static is NAT)
– Asterisk trunk or other relevant settings? Again, default supposed to work so I doubt it.
Provider – try another for calls in/out, provider can do a trace, maybe I can with wireshark
WAN – maybe getting hammered by spammers/hackers based on location, will ask ISP and/or attempt to log or monitor
– White/Black IP List for IPTables, I am going to implement this, though I don’t know if it’s part of the problem at the moment, better safe than sorry
The issue seems to be routing WAN traffic, is there anything I am missing?
I guess traces and monitoring would help…
atheling, to be clear, do you consider an asterisk box behind a zeroshell router to be a viable professional solution for a small/medium office? To simply provide reliable call quality without reboots of the router and asterisk boxes? And in particular with zeroshell on the low power C3-533Mhz box I mentioned?
I too have been considering the comparison to a simple hardware based router such as DLink, TP-LINK, Asus, etc (w/wo WRT/Tomato firmware) if it will provide the stability, lower operational cost and feature set, (VOIP/SIP, bonding/failover, MLPPP(tomato), (VPN), etc), and if this will resolve the linux routing/switching issue(s)?
You mention monitoring/testing for issues. I will watch ping and loads, but is there a way to see any IP attacks? Do I have to enable some logging?
I have two boxes and will put one down to just a 5060 VS and similar on the asterisk and report back. ~ thx!
AussieWISP, I found instructions to enable SFTP in zeroshell on this forum, which will allow you to use WinSCP from your PC which will make file management (patches etc) easy.
Hey AussieWISP – I hope I didn’t add to the confusion, and atheling will be able to clear us up.
I’m not sure of the patch status but I read the same thing, and am still on b12 (not the vitamin).
Asterisk in the downloads section is to install (barebones) asterisk right on your zeroshell box.
My next question is the same as yours. If successful next is to bond/balance/failover my 2 connections, and it seems rules are put into the section to control the behavior?
If that’s successful I’ll then try MLPPP(as our ISP does, and must support it) with 4 or 5 connections bonded.
Hi Guys, if I could join in.. I was about to start a topic asking for voip/sip help, as there are so surprisingly few to reference, then I see this one just started. And, with no less than atheling responding, who seems the resident expert from all previous posts.
atheling regarding your setup recommendations, I have:
Setup: zeroshell, DSL modem, cable modem, (no pstn lines), switch, asterisk box, 10 PCs, 10 SIP phones, and up 6 occasional remote SIP phones.
Script: [Pre boot]
for file in /Database/custom/*; do
    cp "$file" /root/kerbynet.cgi/scripts/
done
ppp0/any UDP 5000-5082 192.168.1.2:5000-5082
ppp0/any UDP 10000-20000 192.168.1.2:10000-20000
Firewall: Forward table needs a rule corresponding to the VS rule, correct?
Accept UDP opt -- in ppp0 out * 0.0.0.0->192.168.1.2 udp dpts:5000:5084
Accept UDP opt -- in ppp0 out * 0.0.0.0->192.168.1.2 Layer7 RTP udp dpts:10000:20000
NAT yes, RTP reinvite no, no other SIP settings to speak of really…
Occasional call quality/drops, more so on the end of people calling in.
Quality degrades and seems daily reboots help (usually just the asterisk box).
First, I’ve had horrible call quality for the last few days, and restarted the asterisk box several times which changed nothing. So I rebooted zeroshell and it’s all clear again. Any ideas why this could be? Anything in zeroshell I can check, or setup to monitor? I’d at least like to determine if it is hardware, software, or configuration related.
As the system is all voip (no pstn/pri), my primary concern is the voip provider sip trunk connection(5060,10000-20000). Does your setup cover this as well as the occasional remote phones?
So should I erase the RTP rules, and make SIP only 5060 (or is it 1 port per remote phone or something)? Could these extra open ports cause a problem or just less secure?
THANKS, IN ADVANCE, FOR ANY HELP, SERIOUSLY!
If I can’t figure this out, I’m going to get a DLink WBR-2310 router (because they are supposed to work perfectly for SIP) and separate the voice LAN, then consider trying zeroshell on different (atom?) hardware in the future. I can’t find the link but it’s currently running on a small Lite-ON ‘Book PC’ VIA C3 533MHz 500ram 40hdd, but maybe that’s not enough, or there is an incompatibility.
** As an aside, I believe the moderators should start a VOIP/SIP section in the forum index, as it’s a growing indispensable component.
Can anyone help me find / generate these files?
Want to connect my phone which has OpenVPN built in, to Zeroshell, and the interface requires these.
CA.crt OpenVPN CA(CA.crt)
*.crt Client Certificate
*.key Client Key
Thanks in advance for any assistance, it seems straightforward but I haven’t seen an example using all three and, while most examples use the CA I’m not sure about the format because the phone asks for .crt (vs .pem etc that ZS generates), maybe I just rename it? If so, where do the other 2 come from?
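An added example (not from the thread, and not Zeroshell's own CA tool) of producing the three files the phone asks for with plain openssl, plus a check answering the "maybe I just rename it?" question: a .crt file is just a certificate by another name, and if the file Zeroshell exports is PEM-encoded (it begins with "-----BEGIN CERTIFICATE-----") renaming .pem to .crt is all that is needed. The client .crt and .key are a per-client identity signed by the same CA; here they are generated for a client named "phone1" (an assumed name), with the CA subject also assumed.

```shell
#!/bin/sh
# Constructed example: build CA.crt, <client>.crt and <client>.key with openssl.
# make_openvpn_client_files DIR CLIENT_NAME
make_openvpn_client_files() {
  dir=$1; name=$2
  mkdir -p "$dir"
  # 1. CA private key and self-signed CA certificate (the "OpenVPN CA" file)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$dir/CA.key" -out "$dir/CA.crt" 2>/dev/null
  # 2. Client private key plus a certificate signing request for it
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  # 3. Sign the request with the CA: this yields the "Client Certificate"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
    -CAcreateserial -days 365 -sha256 -out "$dir/$name.crt" 2>/dev/null
  # Private keys are the secret part; the CA key never goes to the phone
  chmod 600 "$dir/CA.key" "$dir/$name.key"
}

# True when the file is a PEM certificate, i.e. safe to hand to the phone as .crt
is_pem_certificate() {
  head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Returns 0 only if the client cert chains to CA.crt and matches the client key,
# the same two checks OpenVPN performs when the client connects
verify_openvpn_client_files() {
  dir=$1; name=$2
  openssl verify -CAfile "$dir/CA.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# Usage: make_openvpn_client_files ./vpn phone1 && verify_openvpn_client_files ./vpn phone1
```

Only CA.crt, phone1.crt and phone1.key are copied to the phone; CA.key stays on the CA host, since anyone holding it can issue certificates the VPN will trust.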
I can’t get that rule to work, but it works to have a port forwarding rule which directs the wan port to the lan IP, and then a forward rule to allow only the traffic from the source IP we want.
But this method does not seem to work to open 5000-5082udp for SIP and 10000-20000udp for RTP for the pbx (minus the source IP, needs to be open to all).
Another method I want to try is 1:1 NAT. I have two WAN connections, one with 5 static IPs and one with 1 static IP. I’m just not sure of all the ins and outs with having the two connections working at the same time.
I’ve been reading up, trying to get a little familiar with IPTables.
Thank you for your rule ppalias, I haven’t switched to it yet, I have a few questions:
1) What I had seems to be working,
Virtual Server: ppp0, ANY, TCP, 25,443, 192.168.1.5:25,443
FORWARD: ACCEPT tcp opt -- in ppp0 out ETH01 #.their.IP.# -> 192.168.1.5 tcp dpt:25
do you see any problems or advantages to switching to the rule you mention?
2) These rules seem to work for SMTP and http, but not SIP(UDP5000-5084) and RTP(UDP:10000-20000), any ideas? Something similar to your PREROUTING rule?
3) If I enable the NAT and Virtual Servers script, it works in conjunction with, and doesn’t disable the Virtual Servers page, correct?
4) In your rule, did you mean to use DNAT versus MASQUERADE?
5) Is /usr/local/sbin/ required before iptables?
August 28, 2010 at 2:09 pm in reply to: Switched Cable to DSL and can’t access any ports, ZS answers #50815
If anyone happens to read this… seems I had two things wrong:
1 – SETUP>HTTPS> I had added the WAN interface and a specific external IP to try to access ZS externally – DON’T do this, it doesn’t work, and it takes over the entire interface, 443 can no longer be used for anything else, hence we couldn’t access our exchange webmail.
2 – Switched from Cable modem to DSL modem, but hadn’t switched rules from ETH02 to ppp0.
Thx guys, I responded last night but seems my lovely iphone ate it..
The mail filtering service works IP-IP only, so only they can hit our mail server as we’re in a busy area and were getting slammed.
While testing VS/FW rules, TCP25 was open for 2 mins and got 2 spams. I added SourceIP (not in VS so need FW rules) and it seems to work.
I’m still getting used to chains vs the typical single FW, so please enlighten me if there’s a more elegant solution:
In (def:Drop) ppp0 Source:IP, Dest:TCP25
Fwd (def:Drop) ppp0-eth01(LAN) Source:IP, Dest:TCP25
So, it seems:
– ppp0 is used instead of ETH01
– no rules are needed for ETH01(?)
– if I happened to switch ETH01 back to a cable modem, I would then switch the rule from ppp0 back to ETH01.
I have no interest in QOS for incoming mail so I have the rule(s) in firewall.
I have the rule in both input and forward (output is just set to allow all). But, I’m not sure which combination of parts(int, sourceIP, destIP, port) should be where? I understand the fundamentals but I’m still wrapping my head around what to put in which chain.
I have another question just trying to look up:
eth0 is connected to my cable modem, simple.
eth2 is connected to my dsl modem, not as simple because it also has another interface ppp0, which can be used in NAT, FW, etc.
I’m not sure where I have to include ppp0 in a rule or two, or a bond or bridge to ensure it works simply like eth0?
It’s full router mode.
It sounds like the Source IP field is the right one?
And using a QOS rule works, or does it not matter where the rule is?
July 30, 2010 at 1:16 pm in reply to: Switched Cable to DSL and can’t access any ports, ZS answers #50814
yes, ppp0 is on eth2.
yes, dns is the same as opendns is used.
DNS is status ‘down’ and entirely blank except forwarders:
ANY (Server: 184.108.40.206,220.127.116.11)
*DNS, DHCP, AD, EXCH – Done by MS server (apparently it’s not entirely happy if it doesn’t control all these)
We had to use another router until we figure out the setting not allowing mail or anything through the ports.
Outgoing all works fine.
Incoming DNS/IP fine, router responds fine (even to WAN pings – I’d like to turn that off), but blocks all traffic to ports.
I’ll post the full config, doing screen shots now.
Here’s my updated setup.
VS (all Eth0-Any)
UDP 5000-5100, 10000-20000 192.168.1.4:5000-5100, 10000-20000 (VOIP)
TCP 1022, 1443 – 192.168.1.4:22, 443 (VOIP PBX SETUP)
TCP 25 – 192.168.1.2:25 (EXCHANGE EMAIL I/O)
TCP 443 – 192.168.1.2:443 (EXCHANGE WEBMAIL)
INPUT ACCEPT 1,2,3-ACCEPT Eth1 :22, 443, all, 6-DROP Eth0 all
FORWARD ACCEPT 1-ACCEPT all
OUTPUT ACCEPT 1-ACCEPT all
My confusion was, I wanted to enter the IP of our email provider service so only they can access our port 25, but I put it in VS – Interface IP, ~oops.
So this should be in a firewall rule? Do I still use the VS rule?
ie. Input 4-ACCEPT Eth0 source209.x.x.x:25 (email-spam service IP)
Not sure if it’s a good idea, or will work, to limit port range to RTP?
Input 5-ACCEPT Eth0 dest192.168.1.4:10000-20000 L7:RTP
I would like to be able to enable web access to https GUIs on WAN ports other than 443. Will my 2nd VS rule work? Also, you indicated it would be different for the ZS, how is that done?
THANKS FOR ALL YOUR HELP!
Right, sorry that’s what I meant: if you input .0 maybe a warning/auto adds /24 (and you can change to smaller subnet if you prefer) to prevent errors. Anyway, just a thought.
I should have mentioned my setup, pretty typical:
cable modem/staticIPs (eth0), ZS(router/FW), LAN 192.168.1.0(eth1)
Here is a summary of my VS rules:
eth0/IP(RemoteServer OR MyStaticWAN?):TCP25 – 192.168.1.2:5
eth0/ANY:UDP5060,10000-20000 – 192.168.1.4:5060,10000-20000
eth0/ANY:TCP444(random) – 192.168.1.10:443 [web GUI]
If the first IP address is my interface, not the server communicating with me, where can I put that (under firewall chain input)?
What firewall rules are required beyond the default rules, I have:
Input ACCEPT – default was no rules, I added
– accept eth1:22, 80, 443 (I saw in a post to put this as a safeguard in case you lock yourself out of ZS)
– drop eth0 all
Forward ACCEPT – default no rules, ‘accept all from all’ would be redundant because that is the default action correct?
Output ACCEPT – same as above.
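The same chain question comes up in several of the replies above (which part of a rule goes in the Virtual Server page, in INPUT, or in FORWARD; DNAT versus MASQUERADE; how to restrict port 25 to the mail-filtering service; how to see SIP traffic from the WAN). The script below is an added example written for this page, not Zeroshell's own "NAT and Virtual Servers" script or any rule posted in the thread. It uses the interface names and LAN addresses from the setup above (eth0 WAN, eth1 LAN, PBX 192.168.1.4, Exchange 192.168.1.2); the mail-filtering service's address 203.0.113.10 is a placeholder, and the hashlimit threshold is an assumed value. By default IPT is "echo iptables", so running it only prints the rules it would apply; set IPT=iptables (or IPT=/usr/local/sbin/iptables if that is where the binary lives) to apply them.

```shell
#!/bin/sh
# Added example: the iptables rules behind a Virtual Server entry and its firewall
# counterpart. Values below come from the thread; FILTER_IP is a placeholder.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PBX=${PBX:-192.168.1.4}
MAIL=${MAIL:-192.168.1.2}
FILTER_IP=${FILTER_IP:-203.0.113.10}   # placeholder: the mail-filtering service
IPT=${IPT:-echo iptables}              # dry-run by default; IPT=iptables applies

# forward_port PROTO PORTS LAN_IP [SOURCE_IP]
# A port forward is two rules. DNAT in nat/PREROUTING rewrites the destination to
# the LAN host; after the routing decision the packet is therefore *forwarded*,
# so the accept (and any source-IP restriction) belongs in FORWARD, not INPUT.
# INPUT only sees traffic addressed to the router itself (SSH, the web GUI).
# iptables writes port ranges with a colon (10000:20000), not a dash.
forward_port() {
  proto=$1; ports=$2; dst=$3; src=$4
  src_match=""
  if [ -n "$src" ]; then src_match="-s $src"; fi
  $IPT -t nat -A PREROUTING -i "$WAN_IF" $src_match -p "$proto" --dport "$ports" \
    -j DNAT --to-destination "$dst"
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" $src_match -p "$proto" -d "$dst" \
    --dport "$ports" -j ACCEPT
}

pbx_rules() {
  forward_port udp 5060 "$PBX"          # SIP signalling (provider trunk, remote phones)
  forward_port udp 10000:20000 "$PBX"   # RTP media: Asterisk picks a port pair per call
}

# Only the filtering service's address is DNATed to port 25; any other source never
# matches a port forward and is handled by the chain's default policy.
mail_rules() {
  forward_port tcp 25 "$MAIL" "$FILTER_IP"
}

# "Is there a way to see any IP attacks?": log SIP packets from the WAN (rate-limited
# so the log itself cannot be flooded) and drop any single source exceeding
# 20 SIP packets/s, far above normal signalling. Logged lines carry the prefix
# below in the kernel log. Inserted at the top so they run before the ACCEPTs.
sip_visibility_rules() {
  $IPT -I FORWARD 1 -i "$WAN_IF" -p udp -d "$PBX" --dport 5060 \
    -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "SIP-WAN: "
  $IPT -I FORWARD 2 -i "$WAN_IF" -p udp -d "$PBX" --dport 5060 \
    -m hashlimit --hashlimit-above 20/sec --hashlimit-mode srcip \
    --hashlimit-name sipflood -j DROP
}

# MASQUERADE is source NAT for *outbound* traffic leaving the WAN interface (what the
# NAT page enables); DNAT is the inbound counterpart, which is why the port-forward
# rules above use DNAT and not MASQUERADE.
all_rules() {
  pbx_rules
  mail_rules
  sip_visibility_rules
}

all_rules
```

Running the script as-is prints the exact iptables commands, which is a useful way to compare what the Virtual Server and Firewall pages generate with what is intended before any rule is applied.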