I was wondering if anyone can give me any pointers or insights of whether or not to have an asterisk server behind a firewall. I have always ran Asterisk on a public IP but was wondering if I should move it to a local IP behind a firewall. I am looking to set up a location with 300 SIP phones. Normally, I would put the Asterisk server on one public IP and let the SIP phones get DHCP from a router on a different IP and they would register to the Public Asterisk server from that IP address. Should I move the asterisk server behind the same router? If so, how should the server be set up and what is the best router/firewall hardware to accomplish this environment? Thanks, -H -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20160104/cad7a3a5/attachment.html>
Both work. If you have enough IP addresses to dedicate one to your Asterisk server, that removes one node in the path from the world. You will need a firewall on the Asterisk server to protect it from outside meddling. If you can put the Asterisk server on the same network as the SIP devices (using a second NIC) that should help performance. Is the SIP network on the same network as your internet/data LAN? Ron On 04/01/2016 1:15 PM, IPN Comm wrote:> I was wondering if anyone can give me any pointers or insights of > whether or not to have an asterisk server behind a firewall. > > I have always ran Asterisk on a public IP but was wondering if I > should move it to a local IP behind a firewall. > > I am looking to set up a location with 300 SIP phones. > > Normally, I would put the Asterisk server on one public IP and let the > SIP phones get DHCP from a router on a different IP and they would > register to the Public Asterisk server from that IP address. > > Should I move the asterisk server behind the same router? > > If so, how should the server be set up and what is the best > router/firewall hardware to accomplish this environment? > > Thanks, > -H > >-- Ron Wheeler President Artifact Software Inc email: rwheeler at artifact-software.com skype: ronaldmwheeler phone: 866-970-2435, ext 102 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20160104/25602e2e/attachment.html>
Hi, I have used a sonicwall Firewall, it has a sip transformation feature. It is necessary to use a firewall to protect your server Best Regards, Madushan On Mon, Jan 4, 2016 at 11:45 PM, IPN Comm <ipncomm1 at gmail.com> wrote:> I was wondering if anyone can give me any pointers or insights of whether > or not to have an asterisk server behind a firewall. > > I have always ran Asterisk on a public IP but was wondering if I should > move it to a local IP behind a firewall. > > I am looking to set up a location with 300 SIP phones. > > Normally, I would put the Asterisk server on one public IP and let the SIP > phones get DHCP from a router on a different IP and they would register to > the Public Asterisk server from that IP address. > > Should I move the asterisk server behind the same router? > > If so, how should the server be set up and what is the best > router/firewall hardware to accomplish this environment? > > Thanks, > -H > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20160105/32dc2678/attachment.html>
I have a /29 to use for the network. My immediate go-to set-up will be to put the asterisk server on a public IP off the /29 and harden the IPtables along with other monitoring scripts and lock down methods. Then add the router on a different /29 IP and have all the phones register through the router to the public asterisk server and limit only registrations from that router's IP address. I then would add the three trunks I need such as inbound/outbound, international, and 911 to the asterisk box However, I do think this is best practices. It is my understanding to move the asterisk box behind a router/firewall and have the phones on the same subnet of the asterisk box. Then the router/firewall will do the trunking to the vendors. I dont know which is best nor do I know the hardware for the router/firewall device. On Mon, Jan 4, 2016 at 1:31 PM, Ron Wheeler <rwheeler at artifact-software.com> wrote:> Both work. > If you have enough IP addresses to dedicate one to your Asterisk server, > that removes one node in the path from the world. > You will need a firewall on the Asterisk server to protect it from outside > meddling. > If you can put the Asterisk server on the same network as the SIP devices > (using a second NIC) that should help performance. > > Is the SIP network on the same network as your internet/data LAN? > > Ron > > > On 04/01/2016 1:15 PM, IPN Comm wrote: > > I was wondering if anyone can give me any pointers or insights of whether > or not to have an asterisk server behind a firewall. > > I have always ran Asterisk on a public IP but was wondering if I should > move it to a local IP behind a firewall. > > I am looking to set up a location with 300 SIP phones. > > Normally, I would put the Asterisk server on one public IP and let the SIP > phones get DHCP from a router on a different IP and they would register to > the Public Asterisk server from that IP address. > > Should I move the asterisk server behind the same router? > > If so, how should the server be set up and what is the best > router/firewall hardware to accomplish this environment? > > Thanks, > -H > > > > > -- > Ron Wheeler > President > Artifact Software Inc > email: rwheeler at artifact-software.com > skype: ronaldmwheeler > phone: 866-970-2435, ext 102 > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20160105/d54c44af/attachment.html>