Public IP in a cluster setup

Posted: Mon May 05, 2014 4:35 pm
by mark_18
Hello,

I'm planning to build a cluster setup: 1 database/Web server, 2 Asterisk, 1 archive (Windows server).
My question is: which server should I put a public IP address on?
My boss needs to access monitoring and recordings from outside.

Thanks for help.

Re: Public IP in a cluster setup

Posted: Tue May 06, 2014 11:41 am
by mark_18
Any help please?

Re: Public IP in a cluster setup

Posted: Tue May 06, 2014 6:34 pm
by rrb555
Webserver for the recordings. I am not really sure about the monitoring. Are you talking about live call monitoring here, or just the real-time report, which a webserver with a public IP address will manage?

Re: Public IP in a cluster setup

Posted: Wed May 07, 2014 10:06 am
by mark_18
The real-time report. Also need to download recordings from outside.

Re: Public IP in a cluster setup

Posted: Wed May 07, 2014 10:49 am
by geoff3dmg
Each telephony server will need an external IP if you are doing SIP. You can get round the requirement for the archive/web servers needing external IPs if you either set up a VPN (your router/firewall might have this built in), or do port forwarding (you'll also have to do some Apache mod_rewrite voodoo if you go down the port forwarding route).

Re: Public IP in a cluster setup

Posted: Wed May 07, 2014 12:23 pm
by mark_18
Thanks for the idea.

Re: Public IP in a cluster setup

Posted: Thu May 08, 2014 3:04 pm
by boybawang
mark_18 wrote:
Hello,

I'm planning to build a cluster setup: 1 database/Web server, 2 Asterisk, 1 archive (Windows server).
My question is: which server should I put a public IP address on?
My boss needs to access monitoring and recordings from outside.

Thanks for help.

I highly recommend you have 1 public IP per Asterisk server; each Asterisk server must have 2 LAN cards. Keep the DB server inside the local network, the same as your web server.

Your archive server must also be on the local network.

You must do port forwarding from your router to your web server and archive server so they can be accessible from the outside.

When exposing the Asterisk servers via public IP you will need to make sure that allowguest=no is in your sip.conf, implement tight passwords on your SIP phones and install fail2ban to prevent those brute-force scripts from draining your server's resources or guessing your passwords.

Re: Public IP in a cluster setup

Posted: Mon Jul 07, 2014 12:16 am
by williamconley
Boybawang and I disagree on a few points, but we do agree on the basic principles.

1) I agree all asterisk servers "Should" have a public IP address. But this is not a solid rule (just like it's not a solid rule that you have Static IPs for telephone servers, LOL). If your agents are all local to the asterisk servers and you have no need of external access besides the carrier connections, then those carrier connections will determine your need for public IP addresses. If your router allows two carrier connections without a problem (or if you are using a T1/E1 card and do not have a SIP or IAX carrier), then you don't actually Need public IPs for the asterisk servers. The "external boss web access" for monitoring requires only access to a single web server, which can be easily managed by any router.

2) Do not rely on fail2ban. Use a whitelist-based system. We've published Dynamic Good Guys on Viciwiki.com, but any whitelist method will do (which means: lock the server and only allow access to those whose IPs you've personally approved ... then fail2ban is pointless). Note that fail2ban comes with some challenges due to misuse and misconfiguration, plus the fact that it can be (and has been) circumvented by rotating IP address brute force attacks. A whitelist locked server (properly configured) will NOT respond to any server on any port who is not "whitelisted". Thus an attack would never be initiated as no one knows you exist.

3) IF you have only ONE public IP available to you, you'll need to use it to point inbound calls to one of the dialers (unless your carrier allows registration) and to point port 80 to your web server. All of which should still be whitelisted if they have any outside links (with the private subnet "allowed" of course to allow all traffic to/from your agents and the other servers without interference).
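
A sketch of the whitelist-locked policy described in points 2 and 3 above, as an added example that is not part of the original posts and is not the Dynamic Good Guys code. The function names `build_ruleset` and `is_ipv4_cidr` are hypothetical, and every address is a constructed sample (an RFC 1918 subnet for the agents and cluster, documentation-range addresses for the carrier and the remote user).

```shell
#!/bin/sh
# Added example: emit a default-drop, whitelist-only INPUT policy in
# iptables-restore format. Every address used here is a constructed sample.

# is_ipv4_cidr ADDR: succeeds only for a.b.c.d or a.b.c.d/nn with sane ranges.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# build_ruleset LAN_CIDR "IP1 IP2 ...": prints the ruleset; returns 1 and
# prints no rules if any entry is malformed, so a typo cannot leave you
# with a half-written policy.
build_ruleset() {
    lan=$1; allow=$2
    for a in "$lan" $allow; do
        is_ipv4_cidr "$a" || { echo "bad entry: $a" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # no reply at all to unlisted sources
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -s $lan -j ACCEPT"          # agents and cluster peers
    for a in $allow; do
        echo "-A INPUT -s $a -j ACCEPT"        # approved outside address
    done
    echo "COMMIT"
}

# Constructed sample: private subnet, one carrier, one remote user.
build_ruleset "10.0.0.0/24" "203.0.113.10 198.51.100.7"
```

Pipe the output through `iptables-restore --test` before loading it, and keep a console session open while applying it so a missing whitelist entry does not cut off your own access.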

Re: Public IP in a cluster setup

Posted: Thu Oct 09, 2014 9:24 pm
by w37h
Hello,

Good day! Newbie here. :)

Just want to ask if I need to have a public IP if this will be my setup. This is for an inbound account only, and we do a manual dial from time to time.

1 DB/Web server
1 Dialer
1 pfSense

VoIP <----> ISP <----> pfSense <----> DB/Web | Dialer <----> Agents

No need for us to access remotely.




ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Multi Server/ ISO Preload Install
Inbound

Re: Public IP in a cluster setup

Posted: Thu Oct 09, 2014 10:39 pm
by williamconley
It's never a requirement for the Vicidial system to have its own public IP, but there are restrictions if you do not.

For instance: If you use IP authentication at your carrier, they will send the calls to the IP/Port and you'll need to forward that port to the dialer. If they only allow port 5060, you can only forward to one dialer since you cannot forward one port to more than one machine. If your carrier allows registration, however, you can have multiple dialers register and they will each get the calls from inbound to the account they are registered for.

If none of that matters to you (and it's rare that it would), then you should not have any issues related to the lack of a separate IP for Vicidial.

However: pfSense can be tricky to configure for VOIP and this has caused some problems. Remember that this is an Asterisk server and can accept calls via SIP or IAX, but it is rare to find a carrier that speaks IAX. So you'll likely need to configure SIP through the pfSense. Port 5060 can be forwarded to the dialer you want to get your inbound calls and ports 10000-25000 can usually be set up as trigger ports (causing a port 5060 outbound to an IP to automatically allow a trigger port response to pass to the same server, thus passing the audio correctly). All UDP, of course. I suspect there is a fair amount of help for pfSense with Asterisk out there, but we've had a few clients ask us to fix their system for them. Usually I tell them it's easier/cheaper to just get a real router instead of paying us, but we've still configured a few for clients. Usually the problem is that the client "loves" pfSense so much that they get comfortable with the settings and make a random change without thinking and it takes us a while to root it out. LOL

Do remember that you'll need to set externip in /etc/asterisk/sip.conf to the public IP in most cases.
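
A quick check for the sip.conf settings raised in this thread (allowguest=no and tight passwords from the earlier reply, externip from the post above), as an added example that is not part of the original posts. The function names, the sample file contents and the 12-character minimum secret length are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sip.conf settings the thread warns about.
# MINLEN (default 12) is an assumed threshold, not a value from the thread.

# audit_sip_conf FILE [MINLEN]: prints one finding per line, nothing if clean.
audit_sip_conf() {
    awk -v MINLEN="${2:-12}" '
        { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\].*/, "", sect); next }
        {
            eq = index($0, "=")
            if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            sub(/^>/, "", val)                  # also accept "key => value"
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sect == "general" && key == "allowguest") guest = tolower(val)
            if (sect == "general" && key == "externip")   ext = val
            if (key == "secret" && length(val) < MINLEN + 0)
                print "WEAK_SECRET [" sect "] secret shorter than " MINLEN
        }
        END {
            # chan_sip defaults allowguest to yes, so "unset" is a finding too
            if (guest != "no") print "ALLOWGUEST [general] allowguest is not no"
            if (ext == "")     print "EXTERNIP [general] externip is not set"
        }' "${1:--}"
}

# Constructed sample input, not taken from any real server.
sample_conf() {
    cat <<'EOF'
[general]
allowguest=yes          ; flagged
bindport=5060
;externip=203.0.113.5   ; commented out, so flagged as unset

[agent101]
type=friend
secret=1234
EOF
}

sample_conf | audit_sip_conf -
```

On a real server, point it at the file directly with `audit_sip_conf /etc/asterisk/sip.conf`; an empty result means none of the three checks fired.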

Re: Public IP in a cluster setup

Posted: Fri Oct 10, 2014 12:20 am
by w37h
@williamconley

Thank you so much for your input, appreciate it!

Re: Public IP in a cluster setup

Posted: Fri Oct 10, 2014 6:45 am
by richardroi
Speaking of security, is the YaST firewall not enough? I'm doing whitelisting there. Or is having DGG better?
Thank you!

Re: Public IP in a cluster setup

Posted: Mon Oct 13, 2014 7:35 am
by geoff3dmg
The YaST firewall is enough. I tend to turn it off, though, and write the iptables rules myself.

Re: Public IP in a cluster setup

Posted: Mon Oct 13, 2014 11:15 am
by richardroi
Thank you, geoff3dmg!