Sebastian Kemper
2015-Mar-20 09:37 UTC
[asterisk-users] Asterisk on OpenWrt (first time user)
Hello list,

I'm hoping that you could read through this mail and give me some tips on how to improve my setup (functionality, security, really anything). It's my first Asterisk installation and meant for simple home use.

I installed Asterisk 11 on an OpenWrt Barrier Breaker router. Currently it's configured for Ekiga so I can test. In a few weeks I'll change to a Telco SIP provider for a PSTN connect.

My Ekiga test calls are successful. So it does seem to work :)

The router is configured like this:

- has a user 'asteriskpbx' so Asterisk doesn't run as root
- has a USB stick for logs and CDRs
- has a LAN port which I removed from the regular LAN VLAN and put into its own VLAN; only the hardware SIP phone is connected; there's no forwarding to and from this network
- firewall allows SIP and RTP packets from the outside, but only from Ekiga.net

The main config file:

[directories]
astdbdir => /mnt/usb/asterisk/dbdir
astlogdir => /mnt/usb/asterisk/logdir

[options]
systemname = my.dynamic.domain.com
runuser = asteriskpbx
rungroup = asteriskpbx
defaultlanguage = de
documentation_language = en_US
live_dangerously = no

[compat]
pbx_realtime=1.6
res_agi=1.6
app_set=1.6

Here's the SIP setup:

[general]
context=unauthenticated
allowguest=no
srvlookup=no
udpbindaddr=0.0.0.0
tcpenable=no
localnet=172.16.28.0/24
alwaysauthreject=yes
language=de
register => MyEkigaUser:MyEkigaPass@ekiga.net/MyEkigaUser

[my-codecs](!)
allow=!all,alaw

[home-phone](!,my-codecs)
acl=voice_vlan
directmedia=no
type=friend
host=dynamic
context=LocalSets

[MyPhoneMacAddress](home-phone)
secret=MyPhonePassword

[ekiga_inbound](my-codecs)
acl=acl_ekiga_inbound
type=peer
host=ekiga.net
context=from-ekiga

[ekiga_outbound](my-codecs)
acl=acl_ekiga_outbound
type=peer
host=ekiga.net
defaultuser=MyEkigaUser
remotesecret=MyEkigaPass
fromuser=MyEkigaUser
fromdomain=ekiga.net

This is my dialplan:

[LocalSets]
exten => 101,1,Dial(SIP/MyPhoneMacAddress,30)

exten => 500,1,Dial(SIP/ekiga_outbound/500,30)

exten => 501,1,Set(GROUP(users)=CallsToProvider)
same => n,NoOp(There are ${GROUP_COUNT(CallsToProvider)} calls for account CallsToProvider.)
same => n,GotoIf($[${GROUP_COUNT(CallsToProvider)} > 1]?denied:continue)
same => n(denied),NoOp(There are too many calls up already. Hang up.)
same => n,HangUp()
same => n(continue),NoOp(Continue processing call as normal here ...)
same => n,Dial(SIP/ekiga_outbound/501,30)

exten => 520,1,Dial(SIP/ekiga_outbound/520,30)

; For later when dialing out via the PSTN connect
;
; Apparently the German RegTP says that local numbers are at least
; 4 digits long. So the following will catch all calls (1234, 0242113,
; 003412314 etc.). Let's strip everything except numbers from the
; extension, though. And only allow 1 call at a time.
;
; exten => _XXXX.,1,Set(GROUP(users)=CallsToProvider)
; same => n,NoOp(There are ${GROUP_COUNT(CallsToProvider)} calls from LocalSets to sip_provider_out.)
; same => n,GotoIf($[${GROUP_COUNT(CallsToProvider)} > 1]?denied:continue)
; same => n(denied),NoOp(There are too many calls up already. Hang up.)
; same => n,HangUp()
; same => n(continue),NoOp(Continue processing call as normal here ...)
; same => n,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; same => n,Set(CALLERID(name)=area code + number)
; same => n,Set(CALLERID(num)=area code + number)
; same => n,Dial(SIP/sip_provider_out/${SAFE_EXTEN},30)
;
; Emergency numbers (110, 112 and 115):
;
; exten => _11[025],1,Set(CALLERID(name)=area code + number)
; same => n,Set(CALLERID(num)=area code + number)
; same => n,Dial(SIP/sip_provider_out/${EXTEN})

[from-ekiga]
exten => MyEkigaUser,1,Dial(SIP/MyPhoneMacAddress,30)

The AMI Manager is disabled, as is CLI access for anybody except root:

[general]
default_perm = deny

[root]
permit = all

Named ACLs:

[voice_vlan]
deny=0.0.0.0/0.0.0.0
permit=172.16.28.0/255.255.255.0

[acl_ekiga_inbound]
deny=0.0.0.0/0.0.0.0
permit=86.64.162.35

[acl_ekiga_outbound]
deny=0.0.0.0/0.0.0.0

Only load necessary modules:

[modules]
autoload=no
load => chan_sip.so
load => res_rtp_asterisk.so
load => app_dial.so
load => pbx_config.so
load => app_cdr.so
load => cdr_csv.so
load => func_strings
load => func_groupcount.so

Any tips/hints/suggestions appreciated. Thanks for reading!

Kind regards,
Sebastian
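
Added example (not part of the original mail and not Asterisk code): a small Python check that parses the three named ACLs from the post and evaluates them the way Asterisk applies permit/deny entries, in file order with the last matching entry deciding and permit as the default. The sample source addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Named ACLs copied from the post above (acl.conf).
ACL_CONF = """
[voice_vlan]
deny=0.0.0.0/0.0.0.0
permit=172.16.28.0/255.255.255.0
[acl_ekiga_inbound]
deny=0.0.0.0/0.0.0.0
permit=86.64.162.35
[acl_ekiga_outbound]
deny=0.0.0.0/0.0.0.0
"""

def parse_acls(text):
    """Return {acl_name: [(sense, network), ...]} in file order."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = acls.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("permit", "deny"):
                # A bare address becomes a /32; dotted netmasks are accepted.
                current.append((key, ipaddress.ip_network(value, strict=False)))
    return acls

def allowed(rules, addr):
    """Apply rules in order; the last matching rule wins, default is permit."""
    ip, verdict = ipaddress.ip_address(addr), True
    for sense, net in rules:
        if ip in net:
            verdict = (sense == "permit")
    return verdict

def audit(acls, samples):
    """Return {acl_name: {address: allowed?}} for every sample address."""
    return {name: {a: allowed(rules, a) for a in samples}
            for name, rules in acls.items()}

if __name__ == "__main__":
    # Constructed sample sources: a phone on the voice VLAN, the permitted
    # Ekiga address from the post, and a documentation address (RFC 5737).
    samples = ["172.16.28.10", "86.64.162.35", "203.0.113.7"]
    for name, row in audit(parse_acls(ACL_CONF), samples).items():
        print(name, row)
```

Running the same check after every ACL edit shows at a glance which sources each named ACL admits before the configuration is reloaded.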