

wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

reply to A_VoIPer

Re: [Asterisk] Trying to configure my Linksys PAP2 with Asterisk

said by A_VoIPer:

said by wifi4milez:

Perhaps this is where I am missing a setting. When you say the "primary user is 12345_ATA" how do I quantify that? I am supposed to find a specific name for the ATA and use it here?

I don't have a PAP (I use an SPA2102), but I'd expect the menus to be similar. On settings for your line, there should be an entry for User ID and/or Auth ID (this is likely set as your Broadvoice SIP account number). On that same menu, you'll also likely find a setting for the SIP port. These are the key settings that need to match in your PBX configuration.

BTW, it looks like I had the wrong type set in the config. I tested with type=user and applied it via the WebUI, but that didn't clear what was cached. I think you'll want type=friend to avoid sending a fake auth rejection back. Note to self, applying changes from the WebUI isn't always a valid test.

Just so I am clear, the user ID I enter into the Asterisk settings will be my Broadvoice user ID? I will try that this evening along with changing the type to "friend".
--
"No you won't" -The American people to President Obama (11/2/2010)



wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

reply to A_VoIPer

said by A_VoIPer:

On settings for your line, there should be an entry for User ID and/or Auth ID (this is likely set as your Broadvoice SIP account number). On that same menu, you'll also likely find a setting for the SIP port. These are the key settings that need to match in your PBX configuration.

Nice! Thank you very much this is now working perfectly. I do notice a bit of latency, which is strange since it's all internal network traffic. In either case that is a question for another thread. Two thumbs up for your great advice.
--
"No you won't" -The American people to President Obama (11/2/2010)


A_VoIPer

join:2009-11-04

reply to wifi4milez

said by wifi4milez:

Just so I am clear, the user ID I enter into the Asterisk settings will be my Broadvoice user ID?

Very likely. When your ATA is set to "Ans Call Without Reg:" (or your PAP equivalent), I think it will still need a valid extension/ID to match on to know that it should accept the INVITE packet. It should match your User ID setting on your ATA. Note, the User ID is only used for calls from your PBX to your ATA in my example. For your ATA to be permitted to call your PBX, the example I posted for the trunk uses the IP and port.

A_VoIPer

join:2009-11-04

reply to wifi4milez

said by wifi4milez:

I do notice a bit of latency, which is strange since it's all internal network traffic. In either case that is a question for another thread. Two thumbs up for your great advice.

Sorry to hear about that and sorry for not reading your follow-up post while I had my reply sitting idle for a while before I actually finished it and posted it.

I'm not sure what to recommend about your latency. I hear almost no latency when I call my X-Lite or Phonerlite softphone extensions from my SPA-2102 ATA. You might look at your ATA stats and see if there is a high Jitter and/or Decode Latency delay. Also, you might make a test call between two softphones to eliminate any ATA issues.


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

So a quick question about this setup. Right now this only works (obviously) when I am on my local network. Over the next few days I plan on setting it up so that I can connect via a remote device and dial to the other extensions as if I was on the LAN. Will the settings you just gave me be safe if the Asterisk box is exposed to the internet?


A_VoIPer

join:2009-11-04

Remote access into your PBX? I don't think anything I recommended will introduce any extra security risk based on the static IP and port used for your ATA trunk configured on your PBX if it's all internal, but locking down your PBX for public Internet access is a totally different story and I recommend checking out the thread at »[Asterisk] FreePBX a couple of security questions

I highly recommend changing your default bindport and limiting any direct connections to your PBX. I personally have a few IP addresses from which I allow access at my screening router, but for the most part, I rely on proxy connections from my outside trunks that I initiate connections to and let them call me from their exposed servers.



wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

said by A_VoIPer:

Remote access into your PBX? I don't think anything I recommended will introduce any extra security risk based on the static IP and port used for your ATA trunk configured on your PBX if it's all internal, but locking down your PBX for public Internet access is a totally different story and I recommend checking out the thread at »[Asterisk] FreePBX a couple of security questions

I highly recommend changing your default bindport and limiting any direct connections to your PBX. I personally have a few IP addresses from which I allow access at my screening router, but for the most part, I rely on proxy connections from my outside trunks that I initiate connections to and let them call me from their exposed servers.

Sounds good, I will post there. Thanks for your help.
--
"No you won't" -The American people to President Obama (11/2/2010)



wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

reply to A_VoIPer

said by A_VoIPer:

I like to tinker with my PBX and want to make sure I don’t accidentally impact my ATA, so I’ve tried different setups. I originally took the extension path making one with matching username/password, but I currently have some characters in my primary username and sadly, FreePBX doesn’t allow characters in an extension. So, I now use a trunk for calls from the ATA and a custom extension for calls to the ATA. I’m sure there’s many ways to accomplish what you want, but below is something that should work for you.

As an example, let’s assume the following:
Your ATA is set with an IP of 10.1.1.2 and your line is using port 5061 and the primary user is 12345_ATA. And your PBX is 10.1.1.3 and the bindport is 5080. You dial #9 then phone number (and then # to avoid any delays) to route from the ATA to the PBX. Calls to extension 4444 on your PBX go to the ATA.

On your ATA, modify your dialplan to include the following:
|<#9,:>[x*].<:@10.1.1.3:5080>|

On your PBX, to allow a connection from the ATA, create a SIP trunk with a name of your choice and include the following peer details (since my ATA and PBX are isolated, I authenticate based on IP and port):

host=10.1.1.2
port=5061
type=friend
callerid=PAP2 ATA <4444>
nat=yes ;might not be needed, depending on your network
insecure=port,invite
context=from-internal

»www.voip-info.org/wiki/view/Aste···sip.conf is a good wiki for Asterisk settings.

For calls to extension 4444, setup a custom device. In the device options section, use the following dial string:

SIP/12345_ATA@10.1.1.2:5061

Since this worked so well, I was thinking of something that I wanted to bounce off you. I only plan on having one remote extension (the Android device), would I be able to safely do something like the above with it? I found an application that essentially functions like DYNDNS, giving my phone a static IP/URL that another device can use to connect to it. Could I securely link Asterisk and the Android device with this method when the Android is off the LAN? If I understand the way your instructions work, they are basically forcing a connection based on IP address. Since the DYDNS "like" service gives me a static address, would this allow me to connect to the remote extension without forwarding ports and opening my Asterisk up to threats?

--
"No you won't" -The American people to President Obama (11/2/2010)


Stewart

join:2005-07-13
kudos:14

said by wifi4milez:

I found an application that essentially functions like DYNDNS, giving my phone a static IP/URL that another device can use to connect to it.

That doesn't sound possible, unless it works with a VPN service or similar. Please post details.

A normal VPN connection should indeed work with Asterisk as you would like, except perhaps for using a lot of battery.

A_VoIPer

join:2009-11-04

reply to wifi4milez

said by wifi4milez:

Could I securely link Asterisk and the Android device with this method when the Android is off the LAN?

If you want to securely link Asterisk to an external device, then I would think a VPN would be the most secure approach. The example I gave above was really more of a work-around for an ATA that had a primary SIP account to another provider and couldn't easily register to two providers on the same line. For an external SIP client running on a phone, a more simple approach would be to lock down your Asterisk server for external registrations (okay, that might not be that simple) and use a really strong extension password. To encrypt the VoIP stream and eliminate the need to allow any direct inbound SIP packets to your PBX, a VPN would be best.

Since Stewart mentioned battery life, I've heard that having the SIP client use TCP instead of UDP can help. Not sure if that's the case for the VPN connection too or not.


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

reply to Stewart

said by Stewart:

said by wifi4milez:

I found an application that essentially functions like DYNDNS, giving my phone a static IP/URL that another device can use to connect to it.

That doesn't sound possible, unless it works with a VPN service or similar. Please post details.

A normal VPN connection should indeed work with Asterisk as you would like, except perhaps for using a lot of battery.

So I got the DYDNS application running, but now I am thinking it might not be the ideal solution. Would I still need a VPN on top of that connection, or would the direct connection be secure enough? If I end up using a VPN I could just create a "regular" extension and forgo this whole DYDNS setup....
--
"No you won't" -The American people to President Obama (11/2/2010)


Stewart

join:2005-07-13
kudos:14

said by wifi4milez:

So I got the DYDNS application running, but now I am thinking it might not be the ideal solution.

Please explain how this app works. I can't see how it can magically come up with a static IP, unless it's an IP hosted at the DNS provider. And, if that's the case, I would assume that a VPN would be involved -- if they are paying for bandwidth to relay your traffic (and presumably charging you accordingly), they should at least make it secure.


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

said by Stewart:

said by wifi4milez:

So I got the DYDNS application running, but now I am thinking it might not be the ideal solution.

Please explain how this app works. I can't see how it can magically come up with a static IP, unless it's an IP hosted at the DNS provider. And, if that's the case, I would assume that a VPN would be involved -- if they are paying for bandwidth to relay your traffic (and presumably charging you accordingly), they should at least make it secure.

The service installs a client on whatever device you wish to have access to (router, phone, etc). This client takes the dynamic IP you are assigned by your provider, then links it to a custom hostname (also provided by them) such as mydevice@dydns.org. The client constantly checks your current IP and associates it with your hostname on the backend. This allows you access to whatever device you are trying to reach as if it had a static IP. Basic service is free.
»dyn.com/dns/
--
"No you won't" -The American people to President Obama (11/2/2010)



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2
Reviews:
·Clear Wireless

Which again points out the problem at which I believe Stewart was hinting. Asterisk does infrequent hostname lookups, so unless you are in a position to restart asterisk every time your end-point IP changes this idea is going to float like a lead balloon.

Working with dynamic endpoint IPs is the primary reason the SIP REGISTER process exists. If you're using wired Internet connections, or secured wireless (encrypted private wifi, 2G/3G/4G provider wireless) then there is really minimal risk as long as you craft some firewall rules that reject obviously invalid attempts.

If using public wifi is a requirement, then encryption is the only option.

There are 2 kinds of folks that consistently get hacked when using software PBXes:

1) People who don't make the necessary efforts to ensure basic security of the PBX. (ie, leaving stock installation usernames and passwords, or leaving things like a FreePBX wide open to anyone to connect on port 80)

2) People who use mobile endpoints on public wireless networks without encrypting their traffic. You might as well be walking around wearing a T-Shirt that says "My SIP username is xxxx, my PBX is xxx, please hack me!"
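Added example (not part of any post in this thread and not Asterisk project code): a small Python audit of a chan_sip `sip.conf` for the exposures raised above, namely the IP-authenticated trunk with `insecure=port,invite`, the default bindport, and weak secrets on registering peers. The sample config, the `[android]` peer and the 12-character threshold are assumptions made for the illustration.

```python
# Added example, not from the thread: audit sip.conf for the exposures discussed above.
# SAMPLE_SIP_CONF is constructed; [pap2-trunk] mirrors the peer details posted earlier.
SAMPLE_SIP_CONF = """\
[general]
bindport=5080            ; non-default port, as recommended in the thread

[pap2-trunk]
host=10.1.1.2
port=5061
type=friend
insecure=port,invite
context=from-internal

[android]                ; hypothetical remote extension
type=friend
host=dynamic
secret=1234
context=from-internal
"""

MIN_SECRET_LEN = 12  # assumed threshold for a "really strong" password


def parse_sip_conf(text):
    """Return {section: {option: last value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections


def audit(text):
    """Return a list of (section, finding) pairs."""
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    findings = []
    if general.get("bindport", "5060") == "5060":
        findings.append(("general", "SIP listens on the default port 5060"))
    if general.get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest is not set to no"))
    for name, opts in conf.items():
        if name == "general":
            continue
        insecure = {v.strip() for v in opts.get("insecure", "").split(",")}
        has_acl = "deny" in opts and "permit" in opts
        if "invite" in insecure and not has_acl:
            findings.append((name, "insecure=invite without deny/permit: INVITEs are not challenged"))
        if opts.get("host") == "dynamic" and len(opts.get("secret", "")) < MIN_SECRET_LEN:
            findings.append((name, "registering peer with a short or missing secret"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```

A peer that keeps `insecure=invite` on an isolated LAN passes the check once it carries a `deny`/`permit` pair restricting it to the ATA's address.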



wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

said by espaeth:

Which again points out the problem at which I believe Stewart was hinting. Asterisk does infrequent hostname lookups, so unless you are in a position to restart asterisk every time your end-point IP changes this idea is going to float like a lead balloon.

Working with dynamic endpoint IPs is the primary reason the SIP REGISTER process exists. If you're using wired Internet connections, or secured wireless (encrypted private wifi, 2G/3G/4G provider wireless) then there is really minimal risk as long as you craft some firewall rules that reject obviously invalid attempts.

If using public wifi is a requirement, then encryption is the only option.

This is all very helpful. I was a bit unsure about the safety of 2G/3G/4G however, can you provide a bit more insight on that? As of now I can't see any reason that I would need to connect via public wifi. My first goal here is to get this one extension safely working off the LAN, then if I decide I might ever need it I can implement a VPN.
--
"No you won't" -The American people to President Obama (11/2/2010)



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2
Reviews:
·Clear Wireless

said by wifi4milez:

I was a bit unsure about the safety of 2G/3G/4G however, can you provide a bit more insight on that?

For starters, you're not going to capture data on those networks using any off-the-shelf laptop running Wireshark. It's still wireless so it can still be captured and decrypted later if given enough time, but the risk of imminent threat is pretty low.

said by wifi4milez:

My first goal here is to get this one extension safely working off the LAN, then if I decide I might ever need it I can implement a VPN.

Serious question - does it need to be an extension?

I use Asterisk all the time for cheap calls that don't use my cell phone plan minutes. I use a calling card app on my Android phone (SmartDial) that recognizes when I dial one of a few defined numbers I might want to route through Asterisk and asks me if I want to use DISA or direct dial. If I select DISA, it calls one of my DIDs which matches an inbound rule based on dialed number and CID, presents a passcode prompt (which the calling app takes care of), and then presents a dialtone to dial a number. I didn't want to spring for the $5 for Sprint2Home and get unlimited calls to that DID, so I instead have Asterisk hang up the phone and call me back using a mobile phone CallerID number (so it's a free AnyMobileAnytime call) and then it places the call to the number I dialed.

Since the mobile phone network was designed to deliver voice, this results in less latency and better call quality. (especially when on the road) Obviously this doesn't work if you plan to use this in a lot of foreign airports, but I'm not sure if that's a big deal.


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

said by espaeth:

on those networks using any off-the-shelf laptop running Wireshark. It's still wireless so it can still be captured and decrypted later if given enough time, but the risk of imminent threat is pretty low.

Ok thanks, that does make sense once I think more about it.

said by espaeth:

Serious question - does it need to be an extension?

That's a good question, and I think the answer is yes. My phone already has a built-in SIP client so I can easily add any number of VoIP providers directly to the native dialer. If I ever were to call internationally (never) this would allow me to save money. However, I am most interested in being able to connect back to my home PBX without any kind of billing. An example is that my office building has very poor wireless reception, and it would be nice to privately call my wife at home without using my work phone. We have a wireless network in the office, so I could simply dial the extension (which the folks here just helped me set up!) back at my place and talk that way. Other than that, this is just a long standing project that I have been trying to sort out so I just want the satisfaction of getting it done!
--
"No you won't" -The American people to President Obama (11/2/2010)


A_VoIPer

join:2009-11-04

said by wifi4milez:

However, I am most interested in being able connect back to my home PBX without any kind of billing. An example is that my office building has very poor wireless reception, and it would be nice to privately call my wife at home without using my work phone.

If you're not ready to open up your PBX for connections from the Internet, a possible approach would be to setup two IP Freedom accounts at CallCentric. Register one from your PBX and another one with your mobile client. Then just call your PBX 777 number and setup the routing to ring your ATA extension. You could also use espaeth's approach and use DISA (make sure you use a good passcode) to call outbound too. This would add a hop to CC, but since it looks like you're in NY too, it should add very little latency.


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY

said by A_VoIPer:

said by wifi4milez:

However, I am most interested in being able connect back to my home PBX without any kind of billing. An example is that my office building has very poor wireless reception, and it would be nice to privately call my wife at home without using my work phone.

If you're not ready to open up your PBX for connections from the Internet, a possible approach would be to setup two IP Freedom accounts at CallCentric. Register one from your PBX and another one with your mobile client. Then just call your PBX 777 number and setup the routing to ring your ATA extension. You could also use espaeth's approach and use DISA (make sure you use a good passcode) to call outbound too. This would add a hop to CC, but since it looks like you're in NY too, it should add very little latency.

That's not a bad idea, although it's very similar to what I had in place before. I am really trying to avoid adding any more latency if possible, since that seems to be the Achilles heel of all my previous attempts. If there is any way for me to directly connect from the Android to the ATA using just the PBX I suspect this will give me the best performance.
--
"No you won't" -The American people to President Obama (11/2/2010)

