
What could be the best work scheme?

peterpunx
Posts: 15
Member Since:
2006-08-09

I have two trixboxes in the USA and two trixboxes in Peru (South America); they are all interconnected with IAX2 trunks. Three of them have public IPs; the fourth one is behind a SonicWall Pro 1260, and in Peru I have about 25 IP phones (Linksys SPA 942) connected to that server using a VPN, which is made with a Hotbrick firewall/VPN 1200. All the phones are registered and work. Sometimes we have some calls that don't sound very well, but it is not always, just for moments and some days, and I think that could be the internet.

In the past I tried to work with the SonicWall Pro 230 and Asterisk and it didn't work because the IP phones couldn't connect to the Asterisk.

Now I want to protect the other trixboxes, but I'm not sure what to use. I was thinking of buying a SonicWall NSA 2040 for the 2 trixboxes that I have in Peru. With my second trixbox that I have in Peru the problem is that I don't have IP phones just in my office; we also have phones in other offices (like one or two per office). What should I use to protect my trixbox and not have problems with the calls and IP phones (problems like registration of IP phones and calls that don't sound well)?

I'm not sure if the way I'm working right now is OK, but it is working. What do you think? Is it OK to use the VPN to send calls through it?

Thanx



wcg
Posts: 114
Member Since:
2008-03-12
I like SonicWalls

and you can play about to give VoIP calls priority over the VPN links.

If your VPNs are JUST for VoIP traffic you might want to use a lower level of encryption on the VPN (which equals lower overhead, therefore more bandwidth for your calls).

Using the same brand of hardware everywhere does make life easier for maintenance and setup, so that is the way I would go.

Even if you don't want to use VPN you can implement security so that only IAX2 is allowed and then only from the IP addresses that you recognise as being your other sites.

I'd certainly NOT want to have a trixbox system sitting on open internet connection - this is asking for trouble.

I'm not sure what you want to know regarding:

"With my second trixbox that I have in Peru the problem is that I don't have IP phones just in my office; we also have phones in other offices (like one or two per office). What should I use to protect my trixbox and not have problems with the calls and IP phones?"

J



peterpunx
Posts: 15
Member Since:
2006-08-09
sonicwalls and vpns

Thanks for the answer and sorry for my bad English... I'm a Spanish speaker...

I wanted to say that I have several offices in different cities of Peru and I have IP phones in each office. My question was about what firewall I can implement in front of my trixbox, because in the past I had problems with a SonicWall Pro 230 firewall: the IP phones couldn't register to the trixbox behind the firewall although I opened the SIP ports.

I don't like the Hotbrick firewall/VPN 1200 so much because I can't use several NATs with more than one server.

My VPN is just for VoIP. Your advice about lowering the encryption is good; I'm gonna do that.

What type of firewalls do you use?

Thanks



wcg
Posts: 114
Member Since:
2008-03-12
new sonicwalls better VoIP support

Hi,

Your English is certainly much better than my Spanish!

The newer SonicWalls have much better VoIP support but you still need to be careful with regard to NAT.

We've used almost every SonicWall ever made (really, for about 10 years now!); in use now we have many Pro 3060s and now also NSA 3500 - all good.

Below are some of the VoIP options on recent SonicWall SonicOS:


General Settings

Enable consistent NAT

SIP Settings

Enable SIP Transformations
Permit non-SIP packets on signaling port
Enable SIP Back-to-Back User Agent (B2BUA) support
SIP Signaling inactivity time out (seconds):
SIP Media inactivity time out (seconds):
Additional SIP signaling port (UDP) for transformations (optional):

H.323 Settings
Enable H.323 Transformations
Only accept incoming calls from Gatekeeper
Enable LDAP ILS Support
H.323 Signaling/Media inactivity time out (seconds):
Default WAN/DMZ Gatekeeper IP Address:

J



peterpunx
Posts: 15
Member Since:
2006-08-09
options

Thanx for the answer... now I have a SonicWall NSA 2400; it has a very easy administration web page. In the VoIP options I have this:

General Settings

X Enable consistent NAT

SIP Settings

X Enable SIP Transformations
Permit non-SIP packets on signaling port
X Enable SIP Back-to-Back User Agent (B2BUA) support
SIP Signaling inactivity time out (seconds): 1800
SIP Media inactivity time out (seconds): 120
Additional SIP signaling port (UDP) for transformations (optional): 0

Is it OK? Or do I have to change something?

For SIP I normally use these ports:
[2727,UDP]
[5060:5082,TCP]
[5060:5082,UDP]
[10000:20000,UDP]

Do I need another port, or is it OK with those? I ask because I saw several pages about what ports to use.

Thanx



wcg
Posts: 114
Member Since:
2008-03-12
lots of options...

Hi,

Depends what you are looking to link! I'm guessing you are opening these up to allow in the phones.

2727,UDP - Media Gateway (MGCP) Call Agent - don't know if you'd necessarily need this - normally you'd need 2427 UDP too (for control)

Call setup/signalling - SIP
[5060:5082,TCP] - SIP usually only 5060 / 5061 required - can usually set which port to use both ends
[5060:5082,UDP] - same again

Call voice data - RTP
[10000:20000,UDP] - RTP can sometimes setup how many ports supported inc start /end point

In short, I don't think you need the 1st one - the rest I think are right.

J
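As an added illustration of the point made in this reply (not code from the thread or from any of the products named in it), the following script audits a port plan written in the same `[first:last,PROTO]` notation peterpunx used: it flags the MGCP port as unneeded, SIP ranges wider than 5060/5061, SIP or IAX2 rules whose source is not a known phone VPN or trunk peer, and RTP ranges that do not match the PBX's RTP range. The rule list, the 10.8.0.0/24 phone VPN and the 203.0.113.x/198.51.100.x trunk peers are constructed sample values.

```python
SIP_SIGNALING = {5060, 5061}    # wcg: usually only 5060/5061 are needed for SIP
RTP_RANGE = (10000, 20000)      # the RTP range in the thread (Asterisk's default)
IAX2_PORT = 4569                # IAX2 trunk port (UDP); allow it only from known peer sites
MGCP_PORTS = {2427, 2727}       # MGCP call agent / gateway; not needed without MGCP gateways

def parse_rule(text):
    """Parse '[5060:5082,UDP]' or '[2727,UDP]' into (proto, first_port, last_port)."""
    ports, proto = text.strip("[]").split(",")
    lo, _, hi = ports.partition(":")
    return proto.strip().upper(), int(lo), int(hi or lo)

def audit(rules, trunk_peers, phone_nets):
    """rules: list of (rule_text, source). Returns a list of human-readable findings.
    trunk_peers: sources allowed to reach IAX2; phone_nets: VPN nets the IP phones sit in."""
    findings = []
    for text, source in rules:
        proto, lo, hi = parse_rule(text)
        span = set(range(lo, hi + 1))
        if span & MGCP_PORTS:
            findings.append(f"{text} from {source}: MGCP port open; not needed unless MGCP gateways are in use")
        if span & SIP_SIGNALING:
            if span - SIP_SIGNALING:
                findings.append(f"{text} from {source}: SIP range wider than 5060/5061")
            if source not in phone_nets:
                findings.append(f"{text} from {source}: SIP signaling reachable from outside the phone VPN")
        if lo <= RTP_RANGE[1] and hi >= RTP_RANGE[0] and (lo, hi) != RTP_RANGE:
            findings.append(f"{text} from {source}: RTP range does not match the PBX RTP range {RTP_RANGE}")
        if IAX2_PORT in span and source not in trunk_peers:
            findings.append(f"{text} from {source}: IAX2 reachable from a non-trunk source")
    return findings

# Constructed sample: peterpunx's four entries plus an IAX2 trunk rule.
SAMPLE_RULES = [
    ("[2727,UDP]", "any"),
    ("[5060:5082,TCP]", "any"),
    ("[5060:5082,UDP]", "10.8.0.0/24"),
    ("[10000:20000,UDP]", "10.8.0.0/24"),
    ("[4569,UDP]", "203.0.113.10"),
]
TRUNK_PEERS = {"203.0.113.10", "198.51.100.20"}   # constructed documentation addresses
PHONE_NETS = {"10.8.0.0/24"}                       # constructed VPN subnet for the phones

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, TRUNK_PEERS, PHONE_NETS):
        print(finding)
```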



peterpunx
Posts: 15
Member Since:
2006-08-09
Thanks, I'm gonna set those up

Thanks, I'm gonna set those up in my new firewall and I will see if it works.



percykwong
Posts: 753
Member Since:
2007-04-30
I personally am using the

I personally am using the Netgate firewall appliances with pfSense (I'm an open source junkie) and they haven't gone down yet. I've been on pfSense for a few years now and I've never had a problem with them or the VPN links. VoIP works great over them too.. just remember to "prefer" a lower bandwidth codec.

--

-----------------------------------------------
Percy Kwong
www.swimminginthought.com
www.iphonebounties.com


