Keystone IT Tech

pfsense by default only allows one sip registration to be active at a time on a protected LAN. The siproxd extension allows multiple phones to coexist happily, but it is a little confusing to set up. Here is what works the best from my testing:
Firewall: Rules: WAN = none for SIP or RTP

Firewall: NAT: Port Forward = none

Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

Reboot the pfsense machine

UPDATE: siproxd is not necessary for multiple sip reigsrations to work! The above should be adequate.

Install the siproxd package from the System:Package Manager page on the pfsense admin page.

Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060. Expedited Forwarding on.

Reboot the pfsense machine

I am including some screenshots to help.

Click on the “e” to edit the rule.

siproxd settings:

Using the default traffic shaper works really well for simple qos needs. Set your defined rtp ports (e.g. udp 3000 and 3001) and udp 5060 and udp 4569 as high priority. Add any offending traffic (e.g. gotomeeting at udp 8200) as low or medium. Takes about 5 minutes and works like a charm!

# do a CentOS 5 install 
# deselect Office Productivity
# select Developement
# select Web Server
# disable selinux  (this is a MUST do)
# reboot
#

#
#rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora

yum -y update
updatedb

yum -y install joe
yum -y install screen
yum -y install kernel-devel
yum -y install cdrecord
yum -y install mkisofs
yum -y install libidn
yum -y install libgcj
yum -y install bison
yum -y install libtermcap
yum -y install libtermcap-devel
yum -y install newt
yum -y install newt-devel
yum -y install ncurses
yum -y install ncurses-devel
yum -y install openssl
yum -y install openssl-devel
updatedb

service httpd start

cd /usr/src

yum -y install mysql.i386
yum -y install mysql-server
yum -y install mysql-devel

service mysqld start
wget http://www.dynx.net/ASTERISK/gnudialer/easy_setup/create_tables.sql
mysql -uroot < create_tables.sql

# CHANGE THIS
mysqladmin -uroot password '~somepassword'

service httpd start

#wget http://prdownloads.sourceforge.net/webadmin/webmin-1.350-1.noarch.rpm
#rpm -i webmin-1.350-1.noarch.rpm

cd /usr/src

wget http://downloads.digium.com/pub/asterisk/releases/asterisk-1.2.24.tar.gz
tar zxfv asterisk-1.2.24.tar.gz
wget http://downloads.digium.com/pub/asterisk/releases/asterisk-addons-1.2.8.tar.gz
tar zxfv asterisk-addons-1.2.8.tar.gz
wget http://downloads.digium.com/pub/libpri/releases/libpri-1.2.6.tar.gz
tar zxfv libpri-1.2.6.tar.gz
wget http://downloads.digium.com/pub/zaptel/releases/zaptel-1.2.22.tar.gz
tar zxfv zaptel-1.2.22.tar.gz

cd /usr/src/libpri-1.2.6
make clean
make
make install

cd /usr/src/zaptel-1.2.22
make clean
make
make install
make config

cd /usr/src/asterisk.1.2.24
make mpg123
make clean
make
make install
make samples
/usr/sbin/safe_asterisk

yum -y install subversion
cd /usr/src
svn checkout http://dynx.net/svn/gnudialer-puff/trunk gnudialer-puff
cd gnudialer-puff
make clean
make
make install
make reload

cd /usr/src/gnudialer-puff/astcrm-1.1.6
wget http://www.dynx.net/ASTERISK/gnudialer/java/j2sdk-1_4_2_08-linux-i586.rpm
rpm -i j2sdk-1_4_2_08-linux-i586.rpm
export PATH=$PATH:/usr/java/j2sdk1.4.2_08/bin
export CLASSPATH=$CLASSPATH:.
make clean
make
make install

# remember you need to still read all the /usr/src/gnudialer-puff/README's and INSTALL 
# remember you need to still read all the /usr/src/gnudialer-puff/astcrm-1.1.6/README's and INSTALL
# you need to do this because you MUST change the user/pass in various areas, 
# or use the defaults if you are UNSURE whats needs to change.

Original File

It is pretty easy to find the server password for hudlite if you don’t have it.

Connect via ssh to to the server

issue the following command:

ps aux | grep hud
The password is returned on the line with the ./hudlite-server process

From the fonality knowledgebase.

This is to complement my most popular post, from 2 years ago, which is about trunking two freePBX servers. It is even easier to trunk two trixbox Pro servers and set up 4 digit dialing.

Example:

server 1 ID: 1231000  has 7xxx extensions. Extensions dialed 6xxx will go to server 2

server 2 ID: 3212000 has 6xxx extensions. Extensions dialed 7xxx will go to server 1

Substitute your server ID numbers where applicable

SERVER 1 SETTINGS:

From server 1 control panel, go to the Options:voip page. Add a voip account with the following settings:

Provider: Other, IAX2

Route Name: 3212000

Username: leave blank

Password: leave blank

Register: No

Server: s3212000x.trixbox.fonality.com

Click Add Voip Account, and acknowledge the dire warning.

go to the Options:dial plan page.

Add a new dial plan:

Prefix: 6

dial string: xxx

Description and Type: optional

Route: VoIP: 3212000

Strip Digits: 0

Prepend: 000 (VERY IMPORTANT)

Click Add Dial Plan

SERVER 2 SETTINGS:

From server 2 control panel, go to the Options:voip page. Add a voip account with the following settings:

Provider: Other, IAX2

Route Name: 1231000

Username: leave blank

Password: leave blank

Register: No

Server: s1231000x.trixbox.fonality.com

Click Add Voip Account, and acknowledge the dire warning.

go to the Options:dial plan page.

Add a new dial plan:

Prefix: 7

dial string: xxx

Description and Type: optional

Route: VoIP: 1231000

Strip Digits: 0

Prepend: 000 (VERY IMPORTANT)

Click Add Dial Plan

You now should have 4 digit dialing between servers.

With the floods here in Iowa this summer I suddenly had several customers with no internet connections. I expected voip trunks to not work, but several of them also were losing registration on all their phones. I thought I had understood how to set up DNS properly, but I did not quite have it.

Here’s the best formula as I understand it:

Have your gateway use a valid public DNS server.
Have the trixbox Pro server use the gateway as the primary DNS, and a public DNS server as the secondary DNS
Have the phones use the trixbox Pro server as their only DNS.

One thing that drove me about insane was my sandbox server was on a cheap netgear router. I guess cheap routers can’t be counted on to function properly at all without a WAN link. I could unplug the WAN link and within a minute the phones would lose registration, even with everything else set up correctly. Today I put an IPCOP firewall on the sandbox network and everything functions exactly like it should without the WAN link.

A Linksys WRT54G loses registrations at intervals but keeps the trixbox Pro system marginally functional. A Linksys WRTT54G with DD-WRT firmware functions properly, though.

A related problem with VERY similar symptoms:
Having a SIP trunk with a FQDN will cause all phones to unregister in the event of an internet outage. Changing to a straight IP address removes that problem. I guess that is an asterisk bug.

This could be needed for any number of reasons, but I needed to do this to have two trixbox Pro servers live next to each other on the same LAN behind an IPCop firewall. They were reporting back the same IP address to the hybrid hosting source, so inbound connections to both were routing to the one server. Normally this is remedied manually by changing the externip in sip.conf, but that is set automatically with trixbox pro, and not an option.

You need to log into the firewall at the console or via ssh. You need to comment out one line to disable masquerading, and add a few more in its place:

nano /etc/rc.d/rc.firewall

#Individual machine on GREEN
/sbin/iptables -t nat -A POSTROUTING -s 10.0.1.99 -j SNAT --to-source 1.2.3.5
#all other machines on GREEN
/sbin/iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 1.2.3.4
#all other machines on ORANGE
/sbin/iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT --to-source 1.2.3.4
#DISABLE MASQUERADE
# /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE


TFTP uses UDP packets. The client connects from a random port to port 69, then the server connects back to the original port. This does not survive NAT (network address translation), possibly not on either end. trixbox pro and many other phone systems use TFTP for provisioning phones, so this is a problem for remote phones. Here is a fix that allows tftp traffic through an iptables based firewall (IPCop in this example).

You will need to enable ssh on the firewall and connect a session. IPCop uses non-standard port 222, and can usually only be connected to from the internal (green) network.

nano /etc/rc.d/rc.network

add these two lines:
modprobe ip_conntrack_tftp
modprobe ip_nat_tftp

Save and exit.

For immediate effect, repeat the two lines at the command prompt, or reboot the firewall. I had to repeat this on both firewalls, as IPCop firewalls were on both ends.

If using trixbox pro, you also need to make a few minor changes to the configuration files for the phones in order for the phone to try the correct server. Change the sNNNN.trixbox.fonality.com settings to sNNNNx.trixbox.fonality.com where NNNN is your server number. I modified the file itself. Fonality recommends modifying the phone config on the phone once it is initially configured.

ping -i 0.02 -s 270 -c 500 <ip address>

You need superuser privileges to perform a ping with a .02 second interval. The -s 270 is the size of a ulaw SIP packet. The -c denotes 500 packets. The resulting ping flood will simulate a SIP packet flow. You can quickly see any lost packets and the jitter. QOS settings can cause this type of traffic to not act exactly like SIP traffic.

Nerd Vittles » Introducing Version 3 of the Plug-and-Play Asterisk IP PBX for Windows

Making VMware Keep Correct Time. Until recently, the only sure-fire way to make sure VMware kept the same time as your hardware clock was to use a cron job which polled a time server for the correct time and then reset the VMware/Linux clock every few minutes. That’s been fixed, and we’ll show you how to patch the boot loader to fix it. But, first, while you’re using WebMin, let’s disable the time-setting cron job. From the main WebMin menu, choose Hardware->System Clock. In about the middle of the page is an option to Synchronize (the time) on Schedule. Just set it to No and Save your change. Now go to the command prompt on your server and make certain you are logged in as root. Edit the boot loader (nano -w /boot/grub/grub.conf) and move down to line 16 which begins with the word “kernel.” Edit that line so that it looks like the following and save your change (Ctrl-X, Y, then Enter). Then reboot your system (shutdown -r now). HINT: Everything after “noapic” is new stuff to be added, and it all must be appended to the end of the existing line.kernel /vmlinuz-2.6.9-34.0.2.EL ro root=LABEL=/ acpi=off noapic nosmp nolapic clock=pit