Asterisk + Nat + DHCP + Firewall + VPN + QOS in one server

Hello,
I've successfully implemented an Asterisk solution in a small company. They have only 5 computers and 5 IP phones. They have cable internet access, serving two public IP addresses, one IP to the Linux box and the other IP to the router. The Linux box must have a public IP to serve SIP phones outside. It would be much better if I could integrate all those services in the Linux box; they sometimes have problems with QoS. I was experimenting with IPCOP, but wasn't able to build Asterisk on it. Is there a similar solution to this problem?
luismallozziAsked:
grbladesCommented:
You can certainly build the firewall on top of any Linux distribution. It is basically just a configuration of the standard iptables firewall that comes as standard.

I would not expect it to cure your QoS issues though. You can prioritise the outbound traffic, which will cure the problem of other people hearing you clearly, but you really cannot do much about inbound traffic, so the audio you hear can still get choppy. Really the only alternative is to get an expensive internet connection where you can specify QoS on the other end or (often the better and cheaper approach) get a cheap 2nd internet connection just for VoIP.
0
luismallozziAuthor Commented:
Well, I am not worried about the downstream; they have 8 Mbit downstream and 600 kbit upstream, and it's the low upstream that's causing the problem. I liked IPCOP for its web-based management tool. Is there a way to install IPCOP without the distro that comes with it?
0
grbladesCommented:
No, IPCOP is a dedicated distribution and cannot be installed by itself on Linux.

I suggest you have a look at Firestarter (http://www.fs-security.com/). If that is too simple and won't allow you to prioritise multiple output chains, then look at Shorewall (http://www.shorewall.net/).
0
diepesCommented:
Well, one option would be to run IPCOP in a VM, as a dedicated firewall.

Could probably be done by loading a Xen kernel, and running an IPCOP in a dom-U handling the firewall and routing.

Probably not recommended if you have not played with Xen.
But could be fun.
0
grbladesCommented:
Good idea. You really want Asterisk to be directly connected to the external interface without any NAT device in the way, as SIP does not work well with NAT. This should be possible, as it just means the machine and the VM would both be accessing the same network interfaces but pretending to be different IP addresses.
0
diepesCommented:
Yes, and if IPCOP supports running as a bridged FW, the whole NAT problem will be avoided, with the benefit of the traffic control.
0
luismallozziAuthor Commented:
OK, I will give this a try... I never used Xen; it's probably time to begin :). I will google for the Xen configuration, then try to implement it on my machine, then I will transport the solution to the server. I will post the proceedings later so the community can follow the installation. Thanks for your support.
0
DrDamnitCommented:
Your best bet is to use iptables for firewalling with QoS (See: http://lartc.org/howto/lartc.cookbook.fullnat.intro.html)

SIP and NAT are not friends (IAX and NAT are friends). If you use something other than iptables, make sure that the NAT table is sufficiently big to ensure that it continues to allow phones to register even if there has been no activity in a while. Otherwise, the NAT forgets that phone xyz is actually permitted to talk to so-and-so, and you'll get one-way calling until a call is set up. Just for good measure, be sure to use qualify=yes to jog the routing table's memory.
0
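The two pieces of advice above (grblades: you can only really prioritise the outbound side; DrDamnit: do it with iptables plus the LARTC tooling, and watch NAT table timeouts) fit in one short script. The following is an added example, not something posted in this thread or shipped by IPCOP, Shorewall or Asterisk. It assumes the uplink is the 600 kbit/s the asker mentioned, that the external interface is eth0, that SIP signalling uses UDP 5060 and that RTP is confined to UDP 10000-20000 (Asterisk's rtp.conf range); all of those are assumptions you adjust to your box. It builds an HTB tree on the WAN interface with a guaranteed, high-priority voice class, marks SIP/RTP with iptables so tc steers it there, and exposes the conntrack UDP timeout knob that is the Linux equivalent of the "NAT forgets the phone" problem.

```shell
#!/bin/sh
# Added example (not from the thread): outbound-only QoS for a Linux box that is
# itself the SIP/RTP endpoint. Assumptions, not facts from the thread: WAN_IF,
# the 5060/10000-20000 ports and the 2/3 voice share. Needs root, iproute2 'tc'
# and iptables unless DRY_RUN is set, in which case it only prints the commands.

WAN_IF="${WAN_IF:-eth0}"            # assumed external interface
UPLINK_KBIT="${UPLINK_KBIT:-600}"   # asker's upstream, kbit/s
RTP_RANGE="${RTP_RANGE:-10000:20000}"  # assumed rtp.conf range
DRY_RUN="${DRY_RUN:-}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Shape a little below the physical uplink so the queue builds here, where we
# control it, and not inside the cable modem where we do not.
root_rate_kbit() {
    echo $(( $1 * 95 / 100 ))
}

# Guaranteed share for voice (2/3 of the shaped rate, an assumption sized for a
# handful of phones); the rest is the floor for everything else. Both classes may
# borrow up to the full rate when the other is idle.
voice_rate_kbit() {
    echo $(( $(root_rate_kbit "$1") * 2 / 3 ))
}

apply_qos() {
    root=$(root_rate_kbit "$UPLINK_KBIT")
    voice=$(voice_rate_kbit "$UPLINK_KBIT")
    bulk=$(( root - voice ))

    # Start from a clean root qdisc; the delete fails harmlessly if none exists.
    run tc qdisc del dev "$WAN_IF" root 2>/dev/null
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${root}kbit" ceil "${root}kbit"
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "${voice}kbit" ceil "${root}kbit" prio 0
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${root}kbit" prio 1
    # Short FIFO for voice: a late RTP packet is useless, better dropped than delayed.
    run tc qdisc add dev "$WAN_IF" parent 1:10 handle 10: pfifo limit 10
    # Fair queueing for everything else so one upload cannot starve the rest.
    run tc qdisc add dev "$WAN_IF" parent 1:20 handle 20: sfq perturb 10
    # Anything carrying fwmark 1 goes to the voice class.
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10

    # Mark SIP signalling and RTP media leaving the WAN interface in a dedicated
    # chain, so re-running the script never flushes unrelated mangle rules.
    run iptables -t mangle -N VOIP_MARK 2>/dev/null
    run iptables -t mangle -F VOIP_MARK
    run iptables -t mangle -A VOIP_MARK -p udp --sport 5060 -j MARK --set-mark 1
    run iptables -t mangle -A VOIP_MARK -p udp --sport "$RTP_RANGE" -j MARK --set-mark 1
    run iptables -t mangle -D POSTROUTING -o "$WAN_IF" -j VOIP_MARK 2>/dev/null
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -j VOIP_MARK
}

# If this box also NATs the phones, a quiet UDP flow is dropped from conntrack
# after net.netfilter.nf_conntrack_udp_timeout_stream seconds (a few minutes by
# default), which is the "NAT forgets the phone" symptom. Raise it above the
# phones' keep-alive/registration interval (the value in seconds is yours to pick).
raise_udp_stream_timeout() {
    run sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream="$1"
}

# Usage: sh voip-qos.sh dry    (print the commands)
#        sh voip-qos.sh apply  (as root: install the shaper and marks)
case "${1:-}" in
    dry)   DRY_RUN=1; apply_qos ;;
    apply) apply_qos ;;
esac
```

Check the result with `tc -s class show dev eth0` during a call: bytes should accumulate on class 1:10 while a large upload sits in 1:20. As grblades said, none of this touches the inbound direction, and as DrDamnit noted, marking by port only works because the box terminates SIP itself; a NAT in front of it would need the same marks applied on the NAT box.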
luismallozziAuthor Commented:
The problem is I am using Asterisk in realtime. SIP qualify doesn't work with this mode. I am using another method to keep the NAT tunnel open: the SIP keep-alive of Linksys voice gateways. Since all of my devices are provisioned, it's easy to maintain this way. I do not recommend this solution for larger installations.
0