
pfSense or DD-WRT or a simple RV082?

csierra
Posts: 78
Member Since:
2008-02-22

I should name this post "Multiple"; I have so many questions that I hope to find a path to follow.
After giving up on the NAT issues I have read a lot, and so far I have the following conclusions:

NEEDS:
We need to achieve a single Trixbox in the office, capable of handling 3 POTS, 8 SIP on-site extensions and 5 FXO's to reuse existing cabling and so on. The riddle is how to allow about 8 additional remote SIP peers (no VPN; for many specific reasons I am not going to go into, we can't use VPN).

STATUS:
We have an ADSL 4 Mbps down / 768 kbps up (which can be augmented to whatever is needed to handle 8 concurrent calls) PPPoE DSL connection plugged into a Thomson 585 modem router firewall, which actually does the DHCP and handles 1 fixed IP to connect 6 PCs and the Trixbox. We have an analog card installed in the Trixbox, working fine for the 3 FXS's / 5 FXO's; we have full features inside this LAN either with SIP softphones, FXS's, FXO's etc., however no joy at all with the remote peers. We have trouble too with a couple of SIP providers (one-way audio, no DTMF response, etc.)

ADVICE:
What we are planning to do is to run the DSL modem router bridged instead of as a router, then (here is where we need advice) plug it into a real router into which we plug the Trixbox and an 8-port switch and/or an access point if needed.

QUESTIONS:
Could the router be a Linksys or a D-Link flashed with the much-mentioned DD-WRT VoIP version? Could this be a reliable solution for the remote SIP peers?

Could the router be a PC based on the new Intel Atom essential series (nice light board, but does this have the punch to handle 8 concurrent calls?) running the DD-WRT x86 version? Could this really fix the NAT hell?
*If either of these first two options is the solution, which router should I purchase to run DD-WRT?

Could pfSense be the solution? If so, can you please provide some links to good tutorials or how-tos on configuring pfSense to achieve this?

And at last, could the Linksys RV-082 (or any other router in the $300.00 USD range) effectively allow us to have remote SIP peers connect reliably? It would also be desirable to have QoS features.

Thank you in advance

--

VOIP Newbie



wcg
Posts: 114
Member Since:
2008-03-12
budget

I think your budget is rather optimistic to get a good router/firewall to do what you need (others, I am sure, will rush to correct me!).

I'll use an old favourite analogy: when buying a sound system, spend 50% of the budget on speakers, as these are the parts that deliver the sound to you - getting the best speakers from the start gives the best sound that can be delivered by the components behind them and usually makes a less expensive system sound much better. I think the same rule applies to firewalls: you are securing your entire infrastructure behind this device - so make it a darned good one!

I'm (as many will attest) a bit of a SonicWall fan - they ship boxes which are fairly simple to set up (when compared with PIX & the like) and have quite a range of kit. Just had a quick look, and a SonicWall TZ180 is just about at the limit of your budget; shop around, maybe get one on eBay, buy the support package and get the latest SonicOS Enhanced, and you've got a good base to build from.

They support a range of VoIP features such as consistent NAT, SIP & H.323 transformations, and you can easily set up open access to the (I hope) known and fixed IP addresses of your remote SIP peers.

I hope this helps.

J



Kbedford
Posts: 52
Member Since:
2008-06-12
Why not use the Trixbox

If you want to avoid NAT completely, add a second network card to your TB and use it to control your internet connection. For the firewall configuration I prefer Shorewall, which is a way of creating the required iptables rules to set up a Linux firewall, and there is even a Webmin module for it so you can have a web interface just like an appliance box (most of which are embedded Linux anyway).

I've done this on several boxes, some TB with remote extensions and some plain CentOS servers.

Set up the second NIC so that the interface is up without an IP and run adsl-setup to configure your DSL connection to use the new interface. Select no firewall during the adsl-setup script, as you need to set that up separately.

I can provide more instructions if you are interested.



SkykingOH
Posts: 3560
Member Since:
2007-12-17
I would not run the firewall

I would not run the firewall on the trixbox; this is asking for trouble.

Do you want the remote users to be able to VPN to the router for the remote phones? Is there more than one remote phone per location?

The problem with phones and VPNs is you need a firewall at both ends.

--

Scott

aka "Skyking"



csierra
Posts: 78
Member Since:
2008-02-22
Heterogeneous

To make the picture a bit more clear: we only have one main location, and today we have 5 independent sales reps spread 1000 miles from the office that work mainly from their home offices or small offices, for which we are not willing to purchase any hardware; all of them have DSL internet connections and laptops. We are joining another 3 sales reps which need to connect as well. None of these have a fixed IP; however, it is one phone per connection. Adjustments to those connections can be reasonably done to make a fair QoS work for them. As to the HTTP tunnels, we are not getting into that; I'll explain why. 9 out of 10 small business and home ISP connections are provided by Prodigy (Telmex), which has announced that doing VPN for transporting VoIP or video over IP is going to be banned, disconnected, fined and possibly sued; this is because Telmex is going into triple play within the next 60 days and of course they want their infrastructure unused to keep ripping off their clients. Just picture this: in Spain you can get 30 Mbps down / 6 Mbps up for 35 euro. I guess in the States you can get quite similar deals; well, in Mexico we pay 35 USD for 1 Mbps down / 256 kbps up, and if you want a VPN you must get into a Service Level Agreement. I can do that for the main office, even change ISP, but just can't for every single remote user we hire, so VPN is a no-no here.

As to the SonicWall, I have no experience with that brand; however, I've read many opinions saying those do all-in-one, and none of it is well done, so...

As to running the soft firewall in the same Trixbox unit, just as Scott says, that is a no-no too, especially if you consider I am very Linux illiterate (just learning).

What I see as a good way to go is just having the remote SIP peers connect directly to the Trixbox box and rely on a small set of pinholes and MD5 digest security. Perhaps I am lost in space believing this is possible? Theoretically it is, but so far I have had no success achieving this.

Does anyone have any experience with a router flashed with DD-WRT for VoIP? Or any router capable of effectively *not* messing with RTP headers? Is this Linksys RV-082 capable of that?

Thanks all for your advice!

As to

VOIP Newbie

--

VOIP Newbie



jstraten
Posts: 111
Member Since:
2006-08-16
PFSense

I wouldn't install the firewall on the system running Trixbox itself. That's just asking for trouble in my mind...

I personally use Smoothwall on a 1U P4 (~$250), but I have been looking at PFSense as well because it also offers bridge mode which would allow you to use your external IP for your Trixbox system behind the firewall.

Cheers,
Jens



percykwong
Posts: 753
Member Since:
2007-04-30
Look online and get a cheap

Look online and get a cheap box (eBay, refurbished Dell, etc.). They're usually a couple of hundred bucks. Get 2 Intel NICs (about $30.00 a piece) and run pfSense.

Better performance, better throughput, less pain.

--

-----------------------------------------------
Percy Kwong
www.swimminginthought.com
www.iphonebounties.com



percykwong
Posts: 753
Member Since:
2007-04-30
or get a netgate box with

Or get a Netgate box with pfSense preinstalled.

I run a P3 Dual Xeon box as my main firewall with Netgates for secondary and tertiary sites.

ROCK SOLID

--

-----------------------------------------------
Percy Kwong
www.swimminginthought.com
www.iphonebounties.com



brbourdo
Posts: 374
Member Since:
2007-04-24
I'd also suggest pfSense. I

I'd also suggest pfSense. I really like running a PC-based router/firewall because you get reliable and equivalent features for half the cost.

Look on Craigslist... I got myself an IBM ProLiant 2.8GHz 2GB RAM for just $135; works like a champ. Not to mention local pickup means no waiting, haha.

--

Brian Bourdon
www.redwatervoip.com
brian [at] redwatervoip [dot] com
Portland, Oregon



csierra
Posts: 78
Member Since:
2008-02-22
Ok, pfSense seems to be

Thanks all for the feedback. I am kind of avoiding pfSense because of the setup; it sounds great and I am almost ready to go for it, but can you please provide some helpful links for tutorials (screenshots would be better) to do it fast (minimize the learning curve)? I also have specific questions: could a new Intel Atom (or VIA, or AMD equivalent) do better than a Celeron or an old PC? How much RAM on it? How much disk space would it take to have all the gimmicks on it? I am thinking out loud here: if I am going to make a firewall, I think I'd better try to at least make the disk solid state and try also (if it is within the 400 at most budget) to go fanless...

As to the SonicWall, I've browsed their site and it is so fuzzy (they offer a VoIP solution based on a router that is discontinued?). If companies could just understand the term simplicity...

Thanks again

VOIP Newbie

--

VOIP Newbie



percykwong
Posts: 753
Member Since:
2007-04-30
www.pfsense.org For what

www.pfsense.org

For what it's worth, SonicWall isn't exactly much easier than pfSense. As for a "VoIP" firewall, it's nothing more than a firewall with QoS, and that is something pfSense supports out of the box.

As for installation, installing from a CD isn't exactly rocket science. Stick the CD in a machine and it'll install it all for you (relatively easy), or you could hire any one of us to do the installation for you. I could get a pfSense box up and running in about 10 min, configured for "VoIP" with QoS.

Just a sidenote.. Understanding how your network works is probably a good thing to learn for troubleshooting issues.

If you can install trixbox, you can install pfSense.

Cheers.

--

-----------------------------------------------
Percy Kwong
www.swimminginthought.com
www.iphonebounties.com



wcg
Posts: 114
Member Since:
2008-03-12
hmmm

Okay - I'm outvoted, but I'd still go for a lower-end SonicWall over the PC with software, simply because of the time involved in setup and the power usage. Our energy prices are spiralling here; a 250W server vs a SonicWall TZ would cost approx £200 (~$370) per year more to run. I like to keep energy use down (run server software on low-energy notebooks etc.).

Percy - FYI, wrong, wrong on the SonicWall front: setup can be, literally, 5 mins, and you generally have much more than just QoS for VoIP.

However you end up running it - good luck.



jstraten
Posts: 111
Member Since:
2006-08-16
The processor, memory and

The processor, memory and hard disk requirements for a firewall largely depend on how many other things you want to do with it. For example, Smoothwall offers SIP call tracking at the firewall level. It can also do a virus check on incoming mail as well. QoS is standard as well. pfSense is very similar, but more firewall-focused. Both solutions are typically used as gateway firewalls to protect your entire landscape. In general they typically exceed appliance firewall solutions in flexibility and performance.

If you installed Trixbox, I would think that you won't have any issues installing pfSense. The QoS part is pretty much self-explanatory, and a simple setup with two network cards and one IP address should only take about an hour to install and configure.

For starters you should be fine with the default rules, and then you can limit those over time. Configuration is done through a relatively user-friendly web portal.

In my opinion it isn't necessarily easier to configure a firewall appliance unless you use their typically expensive support packages. I previously used a WatchGuard firewall which was very easy to set up, but it lacked some customization options pfSense and Smoothwall offer.

Best regards,
Jens



csierra
Posts: 78
Member Since:
2008-02-22
pfSense is the way to go

I am going to do a pfSense setup and I'll tell you how it went.

Thanks again for your feedback

VOIP Newbie

--

VOIP Newbie



csierra
Posts: 78
Member Since:
2008-02-22
It was not the firewall indeed

What was causing a conflict (and I don't know if this is already documented, but this causes trixbox not to work properly): I read a post here http://pbxinaflash.com/forum/archive/index.php?t-267.html where what is described actually causes a conflict, and when those changes are done the conflict is gone.

It consists of a confusion when we use the same host as the server host and the same host name is indicated in the hosts file, where Trixbox adds yourpseudo.dyndns.org pointing to 127.0.0.1 and at the same time sip_nat.conf uses externhost=yourpseudo.dyndns.org; that makes the remote SIP peers have no audio, or drop calls at 20 secs. I simply changed that entry in /etc/hosts from yourpseudo.dyndns.org to generichost or any other name, but not the externhost name.

Hope this brings in some light to someone experiencing the same issues in the future.

As for all of you who guided and advised me, thank you again! pfSense not for now; my Thomson router is working like a charm (so far).

Thanks again

VOIP Newbie

--

VOIP Newbie
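The /etc/hosts vs. sip_nat.conf clash described in the post above can be checked mechanically. The following is an added example (not code from the thread or from Trixbox) that parses constructed copies of both files and flags an externhost that the local hosts file pins to a loopback address; it also flags RFC 1918 private addresses, since those are equally unreachable for remote peers.

```python
"""Detect the Trixbox externhost / hosts-file conflict from the thread above."""
import ipaddress
import re

# Constructed sample inputs: the "before" hosts file (Trixbox added the dyndns
# name on the loopback line), the sip_nat.conf that names the same host, and
# the "after" hosts file with the entry renamed as the poster did.
HOSTS_BEFORE = """127.0.0.1 localhost.localdomain localhost yourpseudo.dyndns.org
192.168.1.10 trixbox
"""
HOSTS_AFTER = """127.0.0.1 localhost.localdomain localhost generichost
192.168.1.10 trixbox
"""
SIP_NAT_CONF = """externhost=yourpseudo.dyndns.org
externrefresh=10
localnet=192.168.1.0/255.255.255.0
"""


def parse_hosts(text):
    """Map each hostname to its address; first match wins, as the resolver does."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def parse_externhost(text):
    """Return the externhost value from sip_nat.conf text, or None if absent."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts an Asterisk comment
        m = re.match(r"externhost\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def find_conflict(hosts_text, sip_nat_text):
    """Return a finding string when externhost resolves locally to an
    unreachable address via /etc/hosts, else None."""
    host = parse_externhost(sip_nat_text)
    addr = parse_hosts(hosts_text).get(host) if host else None
    if addr is None:
        return None
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_private:
        return f"externhost={host} is pinned to {addr} in /etc/hosts; remote peers get an unreachable media address"
    return None
```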



MSQ-005-trixbox
Posts: 3
Member Since:
2008-09-10
Multiple NICs in TB

Hi,
I came across your post as I am looking for details on how to set up a TB with two NICs, one on our LAN and the other plugged straight into a DSL router.

The router does not have a firewall enabled. Does the TB have the firewall enabled by default, or would I have to enable it?

Many thanks
Gordon


