• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1895

Asterisk + NAT + DHCP + Firewall + VPN + QoS in one server

Hello,
I've successfully implemented an Asterisk solution in a small company. They have only 5 computers and 5 IP phones. They have a cable internet access serving two public IP addresses, one IP to the Linux box and the other IP to the router. The Linux box must have a public IP to serve SIP phones outside. It would be much better if I could integrate all those services in the Linux box; they sometimes have problems with QoS. I was experimenting with IPCOP, but wasn't able to build Asterisk on it. Is there a similar solution to this problem?
Asked: luismallozzi
1 Solution
 
grblades commented:
You can certainly build the firewall on top of any Linux distribution. It is basically just a configuration of the standard iptables firewall that comes as standard.

I would not expect it to cure your QoS issues though. You can prioritise the outbound traffic, which will cure the problem of other people hearing you clearly, but you really cannot do much about inbound traffic, so the audio you hear can still get choppy. Really the only alternative is to get an expensive internet connection where you can specify QoS on the other end or (often the better and cheaper approach) get a cheap second internet connection just for VoIP.
 
luismallozzi (Author) commented:
Well, I am not worried about the downstream; they have 8 Mbit downstream and 600 kbit upstream, and it's the low upstream that's causing the problem. I liked IPCOP for its web-based management tool. Is there a way to install IPCOP without the distro that comes with it?
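The outbound prioritisation grblades describes, for a 600 kbit uplink, is worth seeing as actual configuration. The script below is an added example (not code from the thread or from IPCOP/Shorewall): it uses the iptables mangle table to mark SIP and RTP packets and an HTB shaper under tc to give them a guaranteed, highest-priority class on the external interface, with everything else in a second class that may borrow idle bandwidth. The interface name eth0, UDP/5060 for SIP, UDP 10000-20000 for RTP, the 90% shaping ceiling and the 40% voice share are assumptions, not values from the thread. As grblades notes, this only affects what the Linux box transmits; inbound audio is unchanged. Run it as root with the argument `apply`, or set `TC=echo IPT=echo` to print the commands instead.

```shell
#!/bin/sh
# Added example: prioritise SIP signalling and RTP audio on a slow uplink
# with iptables marks + HTB. Interface, rates and ports below are assumptions.

WAN="${WAN:-eth0}"                 # assumed external interface
UPLINK_KBIT="${UPLINK_KBIT:-600}"  # nominal upstream rate from the thread
TC="${TC:-tc}"                     # set TC=echo for a dry run
IPT="${IPT:-iptables}"             # set IPT=echo for a dry run

# Shape slightly below the real uplink so the queue builds in our box,
# where tc can reorder packets, not in the cable modem, where it cannot.
ceil_kbit() {
    echo $(( $1 * 90 / 100 ))
}

# Guaranteed share for voice (assumed 40% of the ceiling); the class may
# still borrow up to the full ceiling when the link is otherwise idle.
voip_rate_kbit() {
    echo $(( $(ceil_kbit "$1") * 40 / 100 ))
}

setup_voip_qos() {
    ceil=$(ceil_kbit "$UPLINK_KBIT")
    voice=$(voip_rate_kbit "$UPLINK_KBIT")
    bulk=$(( ceil - voice ))

    # Start from a clean slate; "no qdisc" errors are harmless here.
    $TC qdisc del dev "$WAN" root 2>/dev/null || true

    # Root HTB; unmarked traffic falls into class 1:20.
    $TC qdisc add dev "$WAN" root handle 1: htb default 20
    $TC class add dev "$WAN" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
    # Voice: guaranteed rate, highest priority (prio 0 is served first).
    $TC class add dev "$WAN" parent 1:1 classid 1:10 htb rate "${voice}kbit" ceil "${ceil}kbit" prio 0
    # Bulk: the remainder, lower priority, may borrow idle voice bandwidth.
    $TC class add dev "$WAN" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${ceil}kbit" prio 1
    # SFQ inside each leaf so one TCP upload cannot starve the other flows.
    $TC qdisc add dev "$WAN" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
    # Packets carrying firewall mark 1 are steered into the voice class.
    $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10

    # Mark SIP (assumed UDP/5060) and RTP (assumed UDP 10000-20000, the
    # Asterisk rtp.conf default range) on the way out of the WAN interface.
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p udp --dport 5060 -j MARK --set-mark 1
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p udp --sport 5060 -j MARK --set-mark 1
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p udp --sport 10000:20000 -j MARK --set-mark 1
}

if [ "${1:-}" = "apply" ]; then
    setup_voip_qos
fi
```

With the assumed 600 kbit uplink the ceiling is 540 kbit and the voice class is guaranteed 216 kbit, enough for two G.711 calls or several G.729 calls; check the real codec bandwidth against the reserved rate before deploying, and verify the classes are actually receiving packets with `tc -s class show dev eth0`.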
 
grblades commented:
No, IPCOP is a dedicated distribution and cannot be installed by itself on Linux.

I suggest you have a look at Firestarter (http://www.fs-security.com/). If that is too simple and won't allow you to prioritise multiple output chains, then look at Shorewall (http://www.shorewall.net/).
 
diepes commented:
Well, one option would be to run IPCOP in a VM, as a dedicated firewall.

Could probably be done by loading a Xen kernel and running IPCOP in a domU handling the firewall and routing.

Probably not recommended if you have not played with Xen.
But could be fun.
 
grblades commented:
Good idea. You really want Asterisk to be directly connected to the external interface without any NAT device in the way, as SIP does not work well with NAT. This should be possible, as it just means the machine and the VM would both be accessing the same network interfaces but pretending to be different IP addresses.
 
diepes commented:
Yes, and if IPCOP supports running as a bridged firewall, the whole NAT problem will be avoided, with the benefit of the traffic control.
 
luismallozzi (Author) commented:
OK, I will give this a try... I never used Xen; it's probably time to begin :). I will Google for the Xen configuration, then try to implement it on my machine, then I will transport the solution to the server. I will post the proceedings later so the community can follow the installation. Thanks for your support.
 
DrDamnit commented:
Your best bet is to use iptables for firewalling with QoS (see: http://lartc.org/howto/lartc.cookbook.fullnat.intro.html).

SIP and NAT are not friends (IAX and NAT are friends). If you use something other than iptables, make sure that the NAT table is sufficiently big to ensure that it continues to allow phones to register even if there has been no activity in a while. Otherwise, the NAT forgets that phone xyz is actually permitted to talk to so-and-so, and you'll get one-way calling until a call is set up. Just for good measure, be sure to use qualify=yes to jog the routing table's memory.
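The NAT-table ageing DrDamnit describes can be checked rather than guessed at. The script below is an added example (not code from the thread): it assumes the NAT is Linux netfilter, where a UDP mapping that has carried traffic in both directions expires nf_conntrack_udp_timeout_stream seconds after the last packet (historically 180 s, 120 s on newer kernels; on old ip_conntrack kernels the path is under /proc/sys/net/ipv4/netfilter/ instead), and that the keepalive is Asterisk's qualify=yes, which sends an OPTIONS to each peer every 60 s by default (qualifyfreq). The functions compare the keepalive interval against the mapping lifetime, demanding a margin of two keepalives so one lost packet does not drop the mapping, and print the sysctl that lengthens the lifetime when it is too short. The /proc path, the default values, and the three-times margin in the fix are assumptions.

```shell
#!/bin/sh
# Added example: does the phone's keepalive refresh the NAT's UDP mapping
# before netfilter expires it? Paths and defaults below are assumptions.

# Lifetime of a UDP conntrack entry once replies have been seen.
CONNTRACK_UDP_STREAM=/proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream
SYSCTL="${SYSCTL:-sysctl}"   # set SYSCTL=echo for a dry run

# Current UDP stream timeout in seconds, or the caller's fallback when the
# file is absent (conntrack not loaded, or the NAT is another box).
udp_stream_timeout() {
    if [ -r "$CONNTRACK_UDP_STREAM" ]; then
        cat "$CONNTRACK_UDP_STREAM"
    else
        echo "${1:-180}"   # assumed: historic kernel default
    fi
}

# Returns 0 (OK) when a keepalive every $2 seconds refreshes a mapping that
# expires $1 seconds after the last packet, with a margin of two keepalives
# so a single lost OPTIONS/keepalive does not drop the mapping.
keepalive_refreshes_mapping() {
    timeout=$1
    interval=$2
    [ $(( interval * 2 )) -lt "$timeout" ]
}

# Print (or apply) the sysctls that make the NAT keep a phone's mapping
# for three keepalive intervals ($1 seconds each); the unreplied timeout
# is raised too so a phone's first registration after a reboot survives.
nat_timeout_fix() {
    interval=$1
    wanted=$(( interval * 3 ))
    $SYSCTL -w net.netfilter.nf_conntrack_udp_timeout_stream="$wanted"
    $SYSCTL -w net.netfilter.nf_conntrack_udp_timeout="$wanted"
}

# Report for the common keepalive intervals: Asterisk qualify (60 s),
# and two longer phone-side timers.
report() {
    t=$(udp_stream_timeout)
    for iv in 60 120 300; do
        if keepalive_refreshes_mapping "$t" "$iv"; then
            echo "keepalive ${iv}s: OK against ${t}s NAT timeout"
        else
            echo "keepalive ${iv}s: mapping may expire (NAT timeout ${t}s); run: nat_timeout_fix ${iv}"
        fi
    done
}

if [ "${1:-}" = "check" ]; then
    report
fi
```

Run `sh nat-keepalive.sh check` on the NAT box itself; if the NAT is a separate appliance, feed its documented UDP timeout to keepalive_refreshes_mapping by hand. Raising the timeout only helps inbound calls reach a phone that is already registered; it does nothing for the media-path problems the thread discusses, which still need the Asterisk host on the public address or a bridged firewall.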
 
luismallozzi (Author) commented:
The problem is I am using Asterisk in realtime. SIP qualify doesn't work with this mode. I am using another method to keep the NAT tunnel open: the SIP keep-alive of Linksys voice gateways. Since all of my devices are provisioned, it's easy to maintain this way. I do not recommend this solution for larger installations.