Asterisk goes offline when connected to ZS
December 3, 2010 at 8:55 pm #51377
lip (Member)

atheling, to be clear, do you consider an asterisk box behind a zeroshell router to be a viable professional solution for a small/medium office? To simply provide reliable call quality without reboots of the router and asterisk boxes? And in particular with zeroshell on the low power C3-533Mhz box I mentioned?
I too have been considering the comparison to a simple hardware based router such as DLink, TP-LINK, Asus, etc (w/wo WRT/Tomato firmware) if it will provide the stability, lower operational cost and feature set, (VOIP/SIP, bonding/failover, MLPPP(tomato), (VPN), etc), and if this will resolve the linux routing/switching issue(s)?
You mention monitoring/testing for issues. I will watch ping and loads, but is there a way to see any IP attacks? Do I have to enable some logging?
I have two boxes and will put one down to just a 5060 VS and similar on the asterisk and report back. ~ thx!
AussieWISP, I found instructions to enable SFTP in zeroshell on this forum, which will allow you to use WinSCP from your PC which will make file management (patches etc) easy.
December 4, 2010 at 2:39 am #51378
AussieWISP (Member)

I’ve applied the patch, not sure exactly how to test it, but Asterisk is still offline. I also have one of my PPPoE connections showing connected in the setup-network tab but always going to FAULT mode in netbalancer.

My SCRIPTS log is
03:20:20 [Firewall Chain]: Disabled
03:20:20 message repeated 4 times
03:20:26 [NAT and Virtual Servers]: Disabled
03:20:26 [QoS]: Disabled
03:20:34 [Post Boot]: Running …
03:20:34 Starting Asterisk PBX …
03:20:34 ^[[A^[[70G[ ^[[1;32mOK^[[0;39m ]
03:20:34 [Post Boot]: SUCCESS

My SSHD log is
02:15:51 Server listening on 0.0.0.0 port 22.
02:15:51 socket: Address family not supported by protocol
02:15:56 Received signal 15; terminating.
02:16:06 Server listening on 0.0.0.0 port 22.
02:16:06 socket: Address family not supported by protocol
02:18:54 Connection from 192.168.1.153 port 2050
02:19:12 Failed none for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:12 error: Could not get shadow information for aussiewisp
02:19:12 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:29 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:33 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:36 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:22:52 Connection from 192.168.1.153 port 2062
02:22:52 Failed none for aussiewisp from 192.168.1.153 port 2062 ssh2
02:22:52 Accepted password for aussiewisp from 192.168.1.153 port 2062 ssh2
02:22:52 subsystem request for sftp
03:20:29 Server listening on 0.0.0.0 port 22.
03:20:29 socket: Address family not supported by protocol

Maybe I should check out Freeswitch or 3CX; I guess it’s a bit premature, as ZS still has connectivity issues which I would assume will affect any VoIP server.
Oh, if it’s of any consequence, both ZS and Asterisk are on their own servers (IBM 3650, 2 x dual-core Xeons at 1.8 GHz with 4 GB RAM).
December 4, 2010 at 7:06 am #51379
AussieWISP (Member)

Have done a packet trace with Wireshark. ZS is completely blocking all SIP packets. I have no firewalls, no rules, have applied atheling’s patch, have rebooted, but for some strange reason the SIP is being lost/blocked by ZS.
December 4, 2010 at 4:25 pm #51380
atheling (Member)

@lip wrote:
atheling, to be clear, do you consider an asterisk box behind a zeroshell router to be a viable professional solution for a small/medium office? To simply provide reliable call quality without reboots of the router and asterisk boxes?
Every situation is a little different. In my case, yes I think an Asterisk box behind a Zeroshell router can be reliable for a SOHO environment.
But the whole system is more than just those two boxes. What are the failure modes likely in your area (power, reliability of ISPs, etc.)? What is your budget? In the “good old days” first world telephone companies set a goal of “5 nines” availability. That is that the system would provide dial tone and handle a call 99.999% of the time. That works out to about 5 minutes of down time per year. It takes a couple of minutes for either of my net5501 boxes to reboot. It takes a couple of minutes for Zeroshell to detect a WAN failure, switch over then for Asterisk to detect that its registration with my VoIP providers has failed and re-register. Net result is that my uptime is less than 99.999% since I’d only be allowed maybe two reboots per year and no WAN failures. Making a good phone system is very hard if you set the goal to match the old TelCo standards. But if you lower your standards to 99.9% or maybe even 99.99% availability it is achievable.
Same consideration for voice quality. Maintaining consistent high quality voice (or any two way streaming data) in the packet switched, store and forward environment that the Internet provides is a challenge. What is “good enough” for you?
@lip wrote:
And in particular with zeroshell on the low power C3-533Mhz box I mentioned?
I too have been considering the comparison to a simple hardware based router such as DLink, TP-LINK, Asus, etc (w/wo WRT/Tomato firmware) if it will provide the stability, lower operational cost and feature set, (VOIP/SIP, bonding/failover, MLPPP(tomato), (VPN), etc), and if this will resolve the linux routing/switching issue(s)?
I don’t have any specific knowledge of the C3-533 MHz box you mentioned. But the specifications sound similar to the net5501 boxes I have been successfully using. I haven’t stress tested mine but I would expect that I could handle 10 or so simultaneous calls. I don’t do any transcoding in the Asterisk box. Were I to have it do transcoding I would expect the maximum simultaneous traffic would be lower.
@lip wrote:
You mention monitoring/testing for issues. I will watch ping and loads, but is there a way to see any IP attacks? Do I have to enable some logging?
I have both my Zeroshell box and my AstLinux box send logging to my mail server. The mail server could be setup to email me when odd things are in the log. There is a big body of software specifically designed for doing things like intrusion detection. I basically just keep an eye on the logs and look for patterns that I then manually respond to.
On the Zeroshell box I put in a number of rules to block IP addresses if they have too many log in attempts in too short a time. I found the rules on the Internet but was unable to figure out how to do them easily through the GUI so I just used one of the scripts that Zeroshell allows to do the following:
# Block dictionary and flood attacks against traffic to servers
iptables -t filter -N custom_forward
# SSH port
iptables -t filter -A custom_forward -p tcp --dport 22 -i ETH01 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 22 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 22 -i ppp0 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 22 -i ppp0 -m state --state NEW -m recent --set
# POP3 port
iptables -t filter -A custom_forward -p tcp --dport 110 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 110 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 110 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 110 -i ppp0 -m state --state NEW -m recent --set
# Mail submission port
iptables -t filter -A custom_forward -p tcp --dport 587 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 587 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 587 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 587 -i ppp0 -m state --state NEW -m recent --set
# POP3S port
iptables -t filter -A custom_forward -p tcp --dport 995 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 995 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 995 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 995 -i ppp0 -m state --state NEW -m recent --set
# CVS port
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ppp0 -m state --state NEW -m recent --set
# SIP port
iptables -t filter -A custom_forward -p udp --dport 5060 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p udp --dport 5060 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p udp --dport 5060 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p udp --dport 5060 -i ppp0 -m state --state NEW -m recent --set
iptables -t filter -A FORWARD -j custom_forward

Unfortunately the SIP version of this does not seem to work the way I’d like, as UDP is not a session-based protocol and the attackers do not wait long enough between attempts for distinct sessions to be detected by iptables. This logic does work very well for stopping things like ssh dictionary attacks.
@lip wrote:
AussieWISP, I found instructions to enable SFTP in zeroshell on this forum, which will allow you to use WinSCP from your PC which will make file management (patches etc) easy.
After rebooting Zeroshell, I log in on the CLI, get to bash and then set the login shell to bash. After that I can ssh in directly to bash which means that I can use the ssh component of the FUSE filesystem to mount Zeroshell as a filesystem on a Linux or Macintosh computer. I don’t do Windows if I can avoid it, so I don’t know if mounting a filesystem on a remote box accessed by ssh is possible there.
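An added example, not atheling’s script or any ZeroShell code: the same sliding-window idea as the `-m recent --update --seconds 600 --hitcount 4` rules above, run as a log detector, which is one answer to lip’s question about seeing attacks in the logs. It parses SSHD lines in the format AussieWISP posted (the sample below is constructed from that post) and flags a source the first time `hitcount` failed logins fall inside a `seconds`-wide window; that "flag on the hitcount-th event in the window" semantic is my approximation of the iptables rule, and all lines are assumed to be from the same day.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the format of the SSHD log quoted earlier in this
# thread (ZeroShell shows time of day only; all lines assumed same day).
SSHD_LOG = """\
02:18:54 Connection from 192.168.1.153 port 2050
02:19:12 Failed none for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:12 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:29 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:33 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:19:36 Failed password for aussiewisp from 192.168.1.153 port 2050 ssh2
02:22:52 Accepted password for aussiewisp from 192.168.1.153 port 2062 ssh2
"""

# Only "Failed password" lines count; "Failed none" is the client's
# no-auth probe that sshd logs before the first real attempt.
FAIL_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) Failed password for \S+ from (\S+) port \d+")


def parse_failures(text):
    """Return [(seconds_since_midnight, source_ip), ...] in log order."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            h, mi, s, ip = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), ip))
    return events


def flag_sources(events, seconds=600, hitcount=4):
    """Sliding-window counter modelled on the iptables rule
    '-m recent --update --seconds 600 --hitcount 4': a source is flagged
    the first time `hitcount` of its events fall inside a `seconds`-wide
    window ending at the current event. Returns {ip: time_flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for t, ip in events:
        q = recent[ip]
        q.append(t)
        while t - q[0] > seconds:      # expire hits older than the window
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = t
    return flagged
```

The script counts failed logins taken from the log, whereas the iptables rule counts new TCP connections, so the two can disagree on the same traffic (several password attempts inside one SSH connection are one hit to iptables).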
December 4, 2010 at 4:37 pm #51381
atheling (Member)

@AussieWISP wrote:
Have done a packet trace with Wireshark. ZS is completely blocking all SIP packets. I have no firewalls, no rules, have applied atheling’s patch, have rebooted, but for some strange reason the SIP is being lost/blocked by ZS.
If you are using Wireshark then you probably know what you are doing network wise.
Outbound traffic should work with no firewall rules. And that should allow responses back in via the same port. So it sounds like it should work…
Can I assume that other non-SIP traffic is working?
What is the default policy on your firewall setting’s “forward” chain?
I do have a “virtual server” set for UDP port 5060 to pass data to my AstLinux box from both of my WAN links. But this should only be necessary if you are expecting unsolicited SIP traffic (external extension to your phone system and/or traffic from unknown entities who have done a look up on e164.org or equivalent).
December 4, 2010 at 11:58 pm #51382
AussieWISP (Member)

Yes, other TCP and UDP traffic is getting through. My firewall has been turned off. I am thinking of trying a bond or bridge between one PPPoE and, say, eth01, which I would put Asterisk on, but I have not been able to work out how.
December 7, 2010 at 2:20 am #51383
lip (Member)

Unresolved fluctuating call quality between WAN and PBX (as the attendant is choppy). Periods range from clear to severe (scratches, burps, hisses, hiccups, dropouts, and occasional disconnects).

Eliminated
WAN – same on Rogers cable and Bell DSL
Router – same on Zeroshell, ZyWallUWG, DLink x 2; same (or better) with no rules vs. rules for PBX
PBX – same on new hardware and software load, same (or better) with no NAT settings (interestingly, calls seemed crystal clear right after setting NAT:never/IP:public, but it didn’t last)

Unlikely
Router – default is supposed to work, but a rule (currently off) to allow 5060 UDP (or range) doesn’t seem to affect it
Asterisk – default is supposed to work, but:
– Asterisk sip_custom.conf > public, private IPs (uncomment)
– Asterisk FreePBX > SIP Settings Module (competes with the .conf above) > NAT: yes, no, never, route | IP: Public, Static, Dynamic (supposedly public is no NAT, static is NAT)
– Asterisk trunk or other relevant settings? Again, the default is supposed to work, so I doubt it.

Remaining
Provider – try another for calls in/out; the provider can do a trace, maybe I can with Wireshark
WAN – maybe getting hammered by spammers/hackers based on location; will ask the ISP and/or attempt to log or monitor
– White/black IP list for iptables; I am going to implement this, though I don’t know if it’s part of the problem at the moment, better safe than sorry

The issue seems to be routing WAN traffic; is there anything I am missing?
I guess traces and monitoring would help...

December 7, 2010 at 12:18 pm #51384
AussieWISP (Member)

After all the research I’ve done on PBX systems, and since I trialled trixbox, cosmo and 3cx, I am convinced, after reading the home page blurb, that freeswitch may be the best option. I could never get Asterisk to work while connected to ZS.
April 18, 2011 at 11:20 pm #51385
Manu Poletti (Member)

This post is a bit late but may be relevant to someone.
I run a small LAN with a Zeroshell Release 1.0.beta12 routing SIP traffic to an Asterisk VoIP server via virtual server rules. It works very well for us; however, I have not been able to update to Release 1.0.beta14. When I load beta14 I find that the incoming audio traffic on port range 10000-10100 gets dropped. I used TCPDUMP on both the beta12 and beta14 builds to confirm this but have not been able to work out why it happens.
And as for VoIP server recommendations, I spent quite a bit of time looking at alternatives to Asterisk and have concluded that Freeswitch with a FreePBX UI would be an optimal solution. I have trialled this on a test server and it works well and is easy to install and maintain on Debian.
April 19, 2011 at 9:22 am #51386
AussieWISP (Member)

After months gone by and many resets the system now works well. I too have considered Freeswitch, but there isn’t the support that Asterisk has. I had 4 individual servers running each program (ZS, Asterisk & A2Billing, Mikrotik & Radius Manager); it was all going well but not enough redundancy, so now all are running as VMs on VMware. The only loophole left is that ZS often gets stuck on which gateway to send traffic through and the user’s web browser just stalls; I have to keep putting rules in net balancer to tell it to go to only one gateway, which kind of defeats the purpose. However, in saying that, last week when I took the fibre links offline and only had two ADSL lines active, ZS was balancing speedtest.net on both gateways; I thought this wasn’t even possible with speedtest.net. Would appreciate some feedback as to why ZS would stall when running multiple gateways when last week it ‘bonded’ them very nicely?