At a hotel we have two separate internal networks, one for office and one for guests. I want to find an elegant way to have phones on both networks and to allow some traffic between the networks but control most of it. I am thinking of using a motherboard with a LAN interface and adding a dual LAN board, installing a firewall on it, and then installing asterisk so that the asterisk server is also the firewall. Has anyone done this, can you recommend software that will give me traffic shaping and a robust firewall with VPN capabilities? Chris Mason
Chris Mason (Lists) wrote:
> Has anyone done this, can you recommend software that will give me traffic shaping and a robust firewall with VPN capabilities?

Yes - Debian Linux (a cleaned up knoppix will give you easy install). Use n' customize wondershaper script for traffic shaping. OpenVPN will give you a great and stable VPN link. Firehol is a must for readable, no-nonsense firewalls. Cheers, Jean-Michel. -- Ykoz Un Max - Prepaid VoIP! Try it for free - 5 credits included. ---> http://ykoz.net/voip/max <---
I use monowall in an executive building with 18 different LANs all run through the same firewall for Internet and IP phones with dual asterisk servers.
> How do you get 18 interfaces on one machine?

Probably VLANs and a router before the firewall.
> Probably VLANs and a router before the firewall.

If you use VLANs, would all the computers be able to access all the resources on the network? I want the two networks to be separated and only share one resource, the PBX. Chris Mason www.anguillaguide.com
> > Probably VLANs and a router before the firewall.
>
> If you use VLANs, would all the computers be able to access all the resources on the network?

Only if you route between the VLANs. You can enable dot1q tagging in Linux and sub-interface the PBX, then configure that port as a dot1q VLAN trunk on the switch.

> I want the two networks to be separated and only share one resource, the PBX.

Yes, this is possible: Linux kernel with 802.1q VLAN tagging, an 802.1q VLAN compliant switch, with ports in each VLAN.
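The Linux side of the setup just described (trunk port, one sub-interface per VLAN, PBX as the only shared resource) as an added example; it is not from the thread or any of its posters. VLAN IDs 10 (office) and 20 (guest), the 10.10.0.0/24 and 10.20.0.0/24 ranges, eth0 as the trunk and the SIP/IAX2/RTP port numbers are all assumptions, and the script only prints the commands unless run with --apply as root.

```shell
#!/bin/sh
# Added example, not from the thread: one Linux box as both PBX and firewall
# on a single 802.1q trunk. VLAN IDs 10 (office) and 20 (guest), the
# 10.10.0.0/24 and 10.20.0.0/24 ranges and the port numbers are assumptions.
# Default is a dry run that prints the commands; "--apply" (as root) runs them.
TRUNK=eth0
APPLY=0
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

vlan_setup() {
  # One sub-interface per VLAN; the switch port facing $TRUNK is a dot1q trunk
  for v in 10 20; do
    run ip link add link "$TRUNK" name "$TRUNK.$v" type vlan id "$v"
    run ip addr add "10.$v.0.1/24" dev "$TRUNK.$v"
    run ip link set "$TRUNK.$v" up
  done
  run sysctl -w net.ipv4.ip_forward=1
}

firewall_rules() {
  # Deny by default, both into the PBX itself and between the two VLANs
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for v in 10 20; do
    # Phones on either VLAN reach the PBX only on SIP, IAX2 and the RTP range
    run iptables -A INPUT -i "$TRUNK.$v" -p udp --dport 5060 -j ACCEPT
    run iptables -A INPUT -i "$TRUNK.$v" -p udp --dport 4569 -j ACCEPT
    run iptables -A INPUT -i "$TRUNK.$v" -p udp --dport 10000:20000 -j ACCEPT
  done
  # SSH to the PBX from the office VLAN only
  run iptables -A INPUT -i "$TRUNK.10" -p tcp --dport 22 -j ACCEPT
  # Controlled exception between the networks: office may open connections
  # to guest and replies flow back; guest can never initiate towards office
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$TRUNK.10" -o "$TRUNK.20" -j ACCEPT
  # Log what is dropped so a misconfigured phone shows up in syslog
  run iptables -A INPUT -j LOG --log-prefix "pbx-drop: "
  run iptables -A FORWARD -j LOG --log-prefix "vlan-drop: "
}

if [ "$1" = "--apply" ]; then APPLY=1; fi
vlan_setup
firewall_rules
```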
> Can anyone suggest a better way or give me some advice?

Monowall: http://www.m0n0.ch/wall/features.php

Totally rocks. 2-and-3 card DMZs with routing between them, traffic shaper, IPSec and PPTP VPNs that actually work, easy to set up, good hardware support, boot from CD, configuration in an XML file from floppy. Add 3 NICs, 1 for your broadband, 1 for your internal LAN, & 1 for a DMZ LAN and all you do is set up rules to pass IAX or SIP and a couple of routes. I am using Monowall on a 10 Mbit internet connection with an * server inside, and 25 SNOMs outside; sometimes my PRI is almost maxed with outbound and inbound PSTN and Monowall just keeps on chugging. On a Compaq PII. With ALAW. (Yes, ALAW. If you have the bandwidth, why not?) Best part: Free.
> Can it enforce QOS on the traffic?

It doesn't seem to honor the QoS bit, but you can simulate it with the traffic shaper. I set it up to give SIP / IAX the highest priority and things like SMTP the lowest. So far, so good - nobody's complained about drop outs or anything like that. ALAW sounds so good it's spooky.

Unless you have an insanely busy LAN, QoS isn't a *ton* of help. We run Mitel VoIP as well and we have a very busy LAN with 250 hosts all doing stuff. We went through a period where we obsessed over QoS being supported yadayada and in the end it was difficult to support because of mongrel switches that didn't honor the bits, bitchy servers that hated the QoS layer, etc., so we turned it off. No effect. We are processing about 2-3K calls a day + we do lots of CAD / rendering / high bandwidth stuff, on a single subnet, no VLAN'ing. Runs fine, Asterisk and MiNet, about 100 extensions behind the firewall and 25 outside.

QoS is always a moving target on the Internet because if any of your upstream provider's routers don't honor the bit, then the whole thing grinds to a halt and traffic is treated equally. I gave up on QoS and focussed on traffic shaping at the bottleneck, i.e. our Internet connection.

Monowall's GUI is slick and easy to use but it's sometimes easy to shoot yourself in the foot. I let Monowall create the rules to let traffic through automagically when you create the NAT forwarding rule. For some reason, you can create the same rule manually but it won't work. It's also blindingly easy to set up a stupid rule that will let all sorts of bad traffic through, so you have to be careful.

One last catch: For whatever reason, hardware, software, NIC, dunno, but we always got better performance on our broadband (like, an order of magnitude better) by forcing the NIC to 10baseT full duplex, instead of autodetect. This was with Intel 82559 chipset NICs, YMMV. Even still, I wouldn't dare use anything other than Intel or 3Com NICs in a BSD box, though.

hth
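The shaping policy above (voice first, SMTP last, applied at the Internet bottleneck rather than trusting QoS bits end to end) written out for a Debian box with tc and iptables, as an added example that is not from the thread or from Monowall. eth1 as the uplink, the 9500 kbit ceiling, the per-class rates and the RTP port range are assumptions; the script prints the commands unless run with --apply as root.

```shell
#!/bin/sh
# Added example, not from the thread: HTB shaping on the uplink with voice in
# a high-priority class and mail in the lowest one. Interface, rates and the
# RTP range are assumptions. Packets are marked in iptables so the RTP range
# needs no u32 mask tricks. Dry run unless "--apply" is given (then as root).
WAN=eth1
CEIL=9500kbit    # just under the 10 Mbit line so the queue builds here, not in the modem
APPLY=0
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

mark_traffic() {
  # mark 1 = voice (SIP, IAX2, RTP), mark 3 = bulk (SMTP); everything else unmarked
  for p in 5060 4569 10000:20000; do
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --dport "$p" -j MARK --set-mark 1
  done
  run iptables -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 25 -j MARK --set-mark 3
}

shaper() {
  run tc qdisc del dev "$WAN" root 2>/dev/null
  # HTB tree: unmarked traffic lands in 1:20 by default
  run tc qdisc add dev "$WAN" root handle 1: htb default 20
  run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "$CEIL" ceil "$CEIL"
  # voice: guaranteed 2 Mbit and dequeued first (prio 0)
  run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate 2mbit ceil "$CEIL" prio 0
  run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate 6mbit ceil "$CEIL" prio 1
  # bulk mail: small guarantee, borrows only when nothing else is waiting
  run tc class add dev "$WAN" parent 1:1 classid 1:30 htb rate 500kbit ceil "$CEIL" prio 2
  # short FIFO on the voice class keeps latency down; fair queueing elsewhere
  run tc qdisc add dev "$WAN" parent 1:10 handle 10: pfifo limit 20
  run tc qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
  run tc qdisc add dev "$WAN" parent 1:30 handle 30: sfq perturb 10
  # steer by firewall mark into the classes
  run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
  run tc filter add dev "$WAN" parent 1: protocol ip prio 3 handle 3 fw flowid 1:30
}

if [ "$1" = "--apply" ]; then APPLY=1; fi
mark_traffic
shaper
```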
> From the feature list, it looks like it doesn't support dynamic routes using OSPF or BGP, which is a big shame. Do you know of any plans to support this?

No, that tripped me up too. I had to put in static routes for my IPSec VPNs. Brought up the VPN, could ping hosts in the remote LANs, but anytime I tried to do anything with TCP and UDP the firewall logs filled up with "denied" entries. Went crazy adding rules to permit traffic to no effect. Finally, added a static route and it started working perfectly. When you add a rule, it seems to only affect traffic to the default outbound WAN interface or DMZ interface. Because I didn't have a static route, it would route packets intended for the VPN out the WAN interface, then the deny rules would kick in. Adding a static route, it seems to shunt traffic out the VPN bypassing the rules completely. Otherwise, though, a great little package and with more functionality than our commercial firewall with the exception of IDS. Haven't tried the WiFi part of it, mostly because finding Prism based cards these days is really really hard.