I live in Tennessee, USA, and work 1000km away in Texas. Thanks to the wonders of broadband I never leave home (well, not for WORK, that is. :) I'm setting up an Asterisk system whereby I'll have an extension in Texas, so clients can reach me at a local telephone number.

We have a VPN set up already (OpenVPN, which I highly recommend to anyone needing such a thing.) It does encryption. While the throughput is slightly less than a direct route, it's still pretty responsive. (I never did any benchmarking beyond a simple comparison of ping times and a few scp's.) Each side has a dedicated firewall/gateway router (one of which, a 386, is definitely NOT suited for service as a * server) and a separate VPN gateway behind the firewall. I'm thinking that the VPN servers will become the * servers.

On Mon, 2003-05-26 at 15:18, Rob McGee wrote:
> So, what would you recommend, VPN or NAT?

VPN if you are using anything except IAX. NAT can be difficult to set up with protocols that dynamically assign port numbers (like pretty much all VoIP protocols, except IAX)

--
BTEL Consulting
850-484-4535 x2111 (Office)
504-595-3916 x2111 (Experimental)
877-552-0838 (Backup Phone)

Steven Critchfield
2003-May-26 14:41 UTC
[Asterisk-Users] [new user] VPN or NAT? (and a FAQ)

Well, welcome to the group. Since Tennessee is a wide state, and Texas is generally huge, it makes it difficult to guess where you are. If you are close to Nashville, you are welcome to give me a yell and come by my office where we have been using asterisk for more than a year as our production pbx. Within a week or so our office will be using IAX to bring in our phone lines from our colo service (Makes it wonderful to think if we move the office, we only need to move a T1 of data service)

Steven

On Mon, 2003-05-26 at 15:18, Rob McGee wrote:
> I live in Tennessee, USA, and work 1000km away in Texas. Thanks to the
> wonders of broadband I never leave home (well, not for WORK, that is.
> :) I'm setting up an Asterisk system whereby I'll have an extension in
> Texas, so clients can reach me at a local telephone number.
>
> We have a VPN set up already (OpenVPN, which I highly recommend to
> anyone needing such a thing.) It does encryption. While the throughput
> is slightly less than a direct route, it's still pretty responsive. (I
> never did any benchmarking beyond a simple comparison of ping times and
> a few scp's.) Each side has a dedicated firewall/gateway router (one of
> which, a 386, is definitely NOT suited for service as a * server) and a
> separate VPN gateway behind the firewall. I'm thinking that the VPN
> servers will become the * servers.
>
> From reading this list and the * docs, it sounds like NAT could be made
> to work. But if I use the VPN I don't need to mess with NAT, and the
> connection security is already assured.
>
> So, what would you recommend, VPN or NAT?
>
> Now for the FAQ: minimum CPU requirements:
>
> Another option would be to decommission my 386 router. I have a P166
> (128MB RAM) standing by which could assume the role of firewall /
> gateway. I could put * on both routers, using neither VPN nor NAT.
>
> Would a P166 be adequate to play the role of * server? Its other tasks
> aren't very CPU-intensive in general. I might be able to upgrade that
> one to a P200MMX.
>
> I want to run 1-2 extensions at the most, with a 1-port TDM400P
> (TDM10B?) card, on the end with the P166. Bandwidth is supplied by
> cable modems on both ends, 256KB/s upstream.
>
> I've been looking through the docs and the list archives (better search
> features would be nice :) and this question comes up a lot, but no
> definitive answer is provided, that I have found anyway. I do
> understand that the answer is relative to the anticipated load. Could
> this be added to the FAQ, please?

--
Steven Critchfield <critch@basesys.com>

Rob,

The only problem Asterisk has with NAT is when using SIP. I've managed to get it working myself by making a few minor changes to the code, but for your application I'd say go for IAX. You will have to set up a port forward for the IAX packets on your firewall, but that's it really. I have a pretty secure firewall in me lab, for incoming traffic that is, and I was able to call Digium over the net 5 minutes after installing Asterisk.

So to answer your question. I'd say, if you want the security, go for the VPN. But it will without a doubt run a bit better without the extra overhead, so if you're not worried about security on your voice, go for NAT.

Jamie Carl

On Mon, 26 May 2003 15:18:22 -0500 Rob McGee <asterisk@richardthecomputerguy.com> wrote:
> I live in Tennessee, USA, and work 1000km away in Texas. Thanks to the
> wonders of broadband I never leave home (well, not for WORK, that is.
> :) I'm setting up an Asterisk system whereby I'll have an extension in
> Texas, so clients can reach me at a local telephone number.
>
> We have a VPN set up already (OpenVPN, which I highly recommend to
> anyone needing such a thing.) It does encryption. While the throughput
> is slightly less than a direct route, it's still pretty responsive. (I
> never did any benchmarking beyond a simple comparison of ping times and
> a few scp's.) Each side has a dedicated firewall/gateway router (one of
> which, a 386, is definitely NOT suited for service as a * server) and a
> separate VPN gateway behind the firewall. I'm thinking that the VPN
> servers will become the * servers.
>
> From reading this list and the * docs, it sounds like NAT could be made
> to work. But if I use the VPN I don't need to mess with NAT, and the
> connection security is already assured.
>
> So, what would you recommend, VPN or NAT?
>
> Now for the FAQ: minimum CPU requirements:
>
> Another option would be to decommission my 386 router. I have a P166
> (128MB RAM) standing by which could assume the role of firewall /
> gateway. I could put * on both routers, using neither VPN nor NAT.
>
> Would a P166 be adequate to play the role of * server? Its other tasks
> aren't very CPU-intensive in general. I might be able to upgrade that
> one to a P200MMX.
>
> I want to run 1-2 extensions at the most, with a 1-port TDM400P
> (TDM10B?) card, on the end with the P166. Bandwidth is supplied by
> cable modems on both ends, 256KB/s upstream.
>
> I've been looking through the docs and the list archives (better search
> features would be nice :) and this question comes up a lot, but no
> definitive answer is provided, that I have found anyway. I do
> understand that the answer is relative to the anticipated load. Could
> this be added to the FAQ, please?
> --
> Rob McGee ( rob0 at richardthecomputerguy dot com )
> Richard the Computer Guy, L.L.C.

Regards,
Jamie Carl
Jazz Inc.
Email: me@jazz-inc.net
Web: www.jazz-inc.net
Phone: +61-414-365-466
Jabber: jazz@netmindz.net
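
Added example, not part of the thread and not Asterisk code: the replies above say NAT is hard for VoIP protocols that assign ports dynamically, SIP in particular. This Python check reports the two things in a SIP INVITE that a plain NAT gateway leaves unrewritten: private addresses embedded in the Via/Contact headers and the SDP body, and the per-call RTP port announced in the SDP m= line. The sample message, the host name pbx.example.com and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed, abbreviated SIP INVITE from a phone behind NAT (not from the thread).
SAMPLE_INVITE = (
    "INVITE sip:2111@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:rob@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:2111@pbx.example.com>\r\n"
    "Contact: <sip:rob@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=rob 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 14236 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def private_addrs(text):
    """Return the private (non-routable) IPv4 addresses found in text."""
    out = []
    for addr in IPV4.findall(text):
        try:
            if ipaddress.ip_address(addr).is_private:
                out.append(addr)
        except ValueError:  # looked like an address but is not one (e.g. 999.1.1.1)
            pass
    return out

def nat_findings(message):
    """List what a NAT gateway would have to rewrite or forward for this call."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            findings += [(name.strip(), a) for a in private_addrs(value)]
    for line in body.split("\r\n"):
        if line.startswith("c="):                # media address the peer will send to
            findings += [("sdp c=", a) for a in private_addrs(line)]
        elif line.startswith("m="):              # RTP port chosen for this call only
            findings.append(("sdp m= port", int(line.split()[1])))
    return findings
```

Every address finding is something the far end would try to reach directly, and the m= port changes from call to call, so a single static port forward does not cover it.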