Chris Mason (Lists)
2005-May-25 05:09 UTC
[Asterisk-Users] Asterisk and Monowall - comments
Just got a net4501 board, installed cf card/Monowall. Does anyone have a monowall firewall with Asterisk behind it, any problems, can external SIP phones work? What firewall rules are you using?

Chris Mason
Int: (305) 704-7249
Fax: (815) 301-9759
Yes I do. Works fine. It's important to let Monowall create the forwarding rules for you after you create the NAT entries. If you create it manually, it is hit-and-miss.

My config is:

NAT:
WAN > UDP > FROM: > 4569 > NAT IP: ASTERISK IP > LOCAL PORT 4569 (IAX)
WAN > UDP > FROM: > 5060 > NAT IP: ASTERISK IP > LOCAL PORT 5060 (SIP)
WAN > UDP > FROM: > 10000-20000 > NAT IP: ASTERISK IP > LOCAL PORT 10000 (SIP MEDIA STREAM)

TRAFFIC SHAPING:
Run the shaper wizard, then:
Change the m_Total Download and m_Total Upload pipes to values approximating the peak bandwidth of your Internet connection -5% or so. If you set it to an arbitrarily high value, shaping will not work.
Assign WAN > Source (ALL *) > Destination > ASTERISK IP/Port Number > Target to m_Total Download pipe NOT queue!
Assign LAN > ASTERISK IP/Port Number > Destination > Source (ALL *) > Target to m_Total Upload pipe NOT queue!
This gives Asterisk control of the entire pipe, forcing other applications to queue.

Calculate the total number of expected Asterisk sessions (SIP & IAX) through the firewall X the expected amount of bandwidth. For example, I give my salespeople full access to my PRI so I expect a maximum of 23 sessions X ~100 kilobits/sec, so 2.3 mbit/sec peak. I have a burstable E10 with about 5.5 mbit sustained, so I have 3.2 mbit left over.

Create another pipe that is the size of the remainder of the bandwidth you have calculated above. Assign every other queue that the shaper wizard creates that has nothing to do with Asterisk to this pipe you have created. In the queue, give it weights as you see fit. For example, I hate email, so I assign SMTP a weight of 4.

Another critical factor is what your ISP works best with in terms of the WAN interface. In our case, we had extremely poor performance until they mentioned that their connection works best at 10baseT, full duplex. WTF?
OK, if you go to: http://my-monowall-ip/exec.php and execute the command:

ifconfig fxp1 media 10baseT/UTP mediaopt full-duplex

adjust according to what your ISP works best with. What sucks for me is I boot off CD so if I have to reboot the firewall I have to re-enter the command. You can set this permanently if you boot off of CF or HD.

I am using IAX--MONOWALL--IAX so this probably won't apply to you but the Wondershaper script helped immensely. On my Asterisk server on the LAN, I set Wondershaper to the max bandwidth of my E10, and for remote IAX users, 768K up / 1.5 down for DSL, and 1.5 up and 1.5 down for cable. Wondershaper + traffic shaping works perfectly for me.

Last hint: To see what is happening, it's important to enable logging for the port forwarding rule so you can determine if your phones are hitting the Asterisk server. Turn it off afterward as it just creates overhead.

hth
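The last hint above, turning on logging for the port-forward rule to see whether phones actually reach Asterisk, as an added example that is not part of this thread: a Python summary of passed and blocked packets per external source, grouped by the three forwards the reply lists (SIP 5060, IAX 4569, RTP 10000-20000). The ipmon-style line layout matched by LINE_RE and the sample log lines are constructed assumptions, so check the regex against your own m0n0wall log before trusting the counts.

```python
import re
from collections import defaultdict
# Port forwards from the reply above: SIP signaling, IAX, and the RTP media range.
FORWARDS = {"SIP": (5060, 5060), "IAX": (4569, 4569), "RTP": (10000, 20000)}

# Constructed ipmon-style lines (m0n0wall logs via ipfilter's ipmon); the field
# layout assumed by LINE_RE should be checked against your own firewall log.
SAMPLE_LOG = """\
May 25 06:10:01 m0n0wall ipmon[84]: 06:10:01.104523 fxp1 @0:12 p 198.51.100.7,5060 -> 192.168.1.20,5060 PR udp len 20 548 IN
May 25 06:10:01 m0n0wall ipmon[84]: 06:10:01.231877 fxp1 @0:14 p 198.51.100.7,16384 -> 192.168.1.20,10042 PR udp len 20 200 IN
May 25 06:10:02 m0n0wall ipmon[84]: 06:10:02.003341 fxp1 @0:13 p 203.0.113.9,4569 -> 192.168.1.20,4569 PR udp len 20 120 IN
May 25 06:10:03 m0n0wall ipmon[84]: 06:10:03.551209 fxp1 @0:2 b 192.0.2.44,33012 -> 192.168.1.20,5060 PR tcp len 20 60 -S IN
May 25 06:10:04 m0n0wall ipmon[84]: 06:10:04.770001 fxp1 @0:2 b 192.0.2.44,40001 -> 192.168.1.20,22 PR tcp len 20 60 -S IN
"""

# action is 'p' (passed) or 'b' (blocked); ports follow the address after a comma
LINE_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @\S+ (?P<action>[pb]) "
    r"(?P<src>[\d.]+),\d+ -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

def service_for(port, proto):
    """Name the forwarded service a UDP destination port belongs to, else None."""
    if proto != "udp":
        return None
    return next((n for n, (lo, hi) in FORWARDS.items() if lo <= port <= hi), None)

def summarize(log_text):
    """Return ({src_ip: {service: passed_packets}}, [(src_ip, proto, dport) blocked])."""
    hits = defaultdict(lambda: defaultdict(int))
    blocked = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ipmon record (e.g. dhcpd or sshd noise in the same log)
        port, proto = int(m["dport"]), m["proto"]
        if m["action"] == "b":
            blocked.append((m["src"], proto, port))
            continue
        service = service_for(port, proto)
        if service:  # passed packet that landed on one of the Asterisk forwards
            hits[m["src"]][service] += 1
    return {ip: dict(s) for ip, s in hits.items()}, blocked

if __name__ == "__main__":
    hits, blocked = summarize(SAMPLE_LOG)
    for ip, services in sorted(hits.items()):
        print(f"{ip}: {services}")
    print("blocked attempts:", blocked)
```

A phone that shows up under SIP or IAX but never under RTP points at the media forward (the 10000-20000 range) rather than the signaling rule.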