Public IP in a cluster setup


Postby mark_18 » Mon May 05, 2014 4:35 pm

Hello,

I'm planning to build a cluster setup: 1 database/web server, 2 Asterisk, 1 archive (Windows server).
My question is: which server should I put a public IP address on?
My boss needs to access monitoring and recordings from outside.

Thanks for help.
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Fresh Install
Inbound/Blended
mark_18
 
Posts: 19
Joined: Wed Mar 26, 2014 3:16 pm
Location: Philippines, Batangas City

Re: Public IP in a cluster setup

Postby mark_18 » Tue May 06, 2014 11:41 am

Any help please?
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Fresh Install
Inbound/Blended
mark_18
 
Posts: 19
Joined: Wed Mar 26, 2014 3:16 pm
Location: Philippines, Batangas City

Re: Public IP in a cluster setup

Postby rrb555 » Tue May 06, 2014 6:34 pm

Webserver for the recordings. I am not really sure about the monitoring. Are you talking about the live call monitoring here, or just the real-time report, which a webserver with a public IP address will manage?
One server that I am managing | Single Server | ViciBox Redux 6.0 | VERSION: 2.12-549a | BUILD: 160404-0940 | revision 2508| No other hardware
For help you can send me a direct email info@support.com.ph
rrb555
 
Posts: 585
Joined: Tue Feb 08, 2011 4:24 pm
Location: Quezon City, Philippines

Re: Public IP in a cluster setup

Postby mark_18 » Wed May 07, 2014 10:06 am

The real-time report. Also need to download recordings from outside.
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Fresh Install
Inbound/Blended
mark_18
 
Posts: 19
Joined: Wed Mar 26, 2014 3:16 pm
Location: Philippines, Batangas City

Re: Public IP in a cluster setup

Postby geoff3dmg » Wed May 07, 2014 10:49 am

Each telephony server will need an external IP if you are doing SIP. You can get round the requirement for the archive/web servers needing external IPs if you either set up a VPN (your router/firewall might have this built in), or do port forwarding (you'll also have to do some Apache mod_rewrite voodoo if you go down the port forwarding route).
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: Public IP in a cluster setup

Postby mark_18 » Wed May 07, 2014 12:23 pm

Thanks for the idea.
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Fresh Install
Inbound/Blended
mark_18
 
Posts: 19
Joined: Wed Mar 26, 2014 3:16 pm
Location: Philippines, Batangas City

Re: Public IP in a cluster setup

Postby boybawang » Thu May 08, 2014 3:04 pm

mark_18 wrote:Hello,

I'm planning to build a cluster setup: 1 database/web server, 2 Asterisk, 1 archive (Windows server).
My question is: which server should I put a public IP address on?
My boss needs to access monitoring and recordings from outside.

Thanks for help.



I highly recommend you have 1 public IP per Asterisk server. Each Asterisk server must have 2 LAN cards. Keep the DB server inside the local network, the same as your web server.

Your archive server must also be on the local network.

You must do port forwarding from your router to your web server and archive server so they can be accessible from the outside.

When exposing the Asterisk servers via public IP you will need to make sure that allowguest=no is set in your sip.conf, implement tight passwords on your SIP phones and install fail2ban to prevent those brute-force scripts from draining your server's resources or guessing your passwords.
Vicidial Installation + Configuration + Support + Custom Development
Download my ebook on installing vicidial for free http://download.vicidial.com/ubuntu/VIC ... 100331.pdf
skype: deodax.cordova@gmail.com
m: +639172063730
boybawang
 
Posts: 989
Joined: Sat Nov 14, 2009 1:18 pm
Location: Dumaguete City, Negros Oriental, Philippines
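
The sip.conf checks boybawang recommends (allowguest=no and tight SIP passwords), as an added example that is not part of the original post: a shell/awk audit that reads a chan_sip sip.conf on stdin. The 12-character minimum, the finding names and the sample peers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chan_sip sip.conf read on stdin.
# Assumptions: a secret shorter than MINLEN (default 12) or equal to its
# peer name counts as weak; secrets containing ";" are not handled.
audit_sip_conf() {
    awk -v minlen="${1:-12}" '
        # Drop ";" comments and surrounding whitespace, skip blank lines.
        { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # "[6001]" or "[6001](template)" starts a new section.
        /^\[/ { section = $0; sub(/^\[/, "", section); sub(/\].*/, "", section); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); sub(/^>?[ \t]*/, "", val)
            if (section == "general" && key == "allowguest") guest = tolower(val)
            if (section != "general" && key == "secret") {
                if (length(val) < minlen) { print "WEAK_SECRET " section " too_short"; bad = 1 }
                else if (val == section)  { print "WEAK_SECRET " section " equals_peer_name"; bad = 1 }
            }
        }
        END {
            # chan_sip defaults allowguest to yes, so a missing key is a finding.
            if (guest != "no") { print "ALLOWGUEST_NOT_NO"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample configuration; peers and secrets are made up.
sample_sip_conf() {
    cat <<'EOF'
[general]
bindport=5060        ; allowguest is not set here

[6001]
type=friend
secret=6001

[agentphone0002]
type=friend
secret=agentphone0002

[6003]
type=friend
secret=t7Vq-constructed-Lm29xK
EOF
}

sample_sip_conf | audit_sip_conf || true
```

Run it against a live file with `audit_sip_conf < /etc/asterisk/sip.conf`; the exit status is non-zero when anything is flagged.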

Re: Public IP in a cluster setup

Postby williamconley » Mon Jul 07, 2014 12:16 am

Boybawang and I disagree on a few points, but we do agree on the basic principles.

1) I agree all asterisk servers "Should" have a public IP address. But this is not a solid rule (just like it's not a solid rule that you have Static IPs for telephone servers, LOL). If your agents are all local to the asterisk servers and you have no need of external access besides the carrier connections, then those carrier connections will determine your need for public IP addresses. If your router allows two carrier connections without a problem (or if you are using a T1/E1 card and do not have a SIP or IAX carrier), then you don't actually Need public IPs for the asterisk servers. The "external boss web access" for monitoring requires only access to a single web server, which can be easily managed by any router.

2) Do not rely on fail2ban. Use a whitelist-based system. We've published Dynamic Good Guys on Viciwiki.com, but any whitelist method will do (which means: lock the server and only allow access to those whose IPs you've personally approved ... then fail2ban is pointless). Note that fail2ban comes with some challenges due to misuse and misconfiguration plus the fact that it can (and has been) circumvented by rotating IP address brute force attacks. A whitelist locked server (properly configured) will NOT respond to any server on any port who is not "whitelisted". Thus an attack would never be initiated as no one knows you exist.

3) IF you have only ONE public IP available to you, you'll need to use it to point inbound calls to one of the dialers (unless your carrier allows registration) and to point port 80 to your web server. All of which should still be whitelisted if they have any outside links (with the private subnet "allowed" of course to allow all traffic to/from your agents and the other servers without interference).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
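
The whitelist approach williamconley describes, as an added example (this is not Dynamic Good Guys and not code from the thread): a shell function that prints a default-drop ruleset in iptables-restore format, with the private subnet and approved IPs allowed. The function names, subnet and addresses are constructed; entries that are not a single IPv4 address are refused so a stray 0.0.0.0/0 cannot open the server.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-drop whitelist
# ruleset in iptables-restore format. Addresses below are constructed.

# valid_ipv4 ADDR: succeed only for a single dotted-quad host address.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # masks, hostnames, stray dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# whitelist_rules LAN_CIDR IP...: print the ruleset on stdout.
whitelist_rules() {
    lan=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # DROP, not REJECT: strangers get no reply
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -s $lan -j ACCEPT"   # agents and the other cluster servers
    for ip in "$@"; do
        if valid_ipv4 "$ip"; then
            echo "-A INPUT -s $ip/32 -j ACCEPT"
        else
            echo "refusing whitelist entry: $ip" >&2
        fi
    done
    echo 'COMMIT'
}

whitelist_rules 192.168.1.0/24 203.0.113.10 198.51.100.7 0.0.0.0/0
```

Check the generated ruleset with `iptables-restore --test` before loading it, and make sure your own management address is in the list first.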

Re: Public IP in a cluster setup

Postby w37h » Thu Oct 09, 2014 9:24 pm

Hello,

Good day! Newbie here. :)

Just want to ask if I need to have a public IP if this will be my setup. This is for an inbound account only and do a manual dial from time to time.

1 DB/Web server
1 Dialer
1 pfSense

VoIP <----> ISP <----> pfSense <----> DB/Web | Dialer <----> Agents

No need for us to access remotely.




ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Multi Server/ ISO Preload Install
Inbound
w37h
 
Posts: 3
Joined: Thu Oct 09, 2014 9:01 pm

Re: Public IP in a cluster setup

Postby williamconley » Thu Oct 09, 2014 10:39 pm

It's never a requirement for the Vicidial system to have its own public IP, but there are restrictions if you do not.

For instance: If you use IP authentication at your carrier, they will send the calls to the IP/Port and you'll need to forward that port to the dialer. If they only allow port 5060, you can only forward to one dialer since you cannot forward one port to more than one machine. If your carrier allows registration, however, you can have multiple dialers register and they will each get the calls from inbound to the account they are registered for.

If none of that matters to you (and it's rare that it would), then you should not have any issues related to the lack of a separate IP for Vicidial.

However: pfSense can be tricky to configure for VOIP and this has caused some problems. Remember that this is an Asterisk server and can accept calls via SIP or IAX, but it is rare to find a carrier that speaks IAX. So you'll likely need to configure SIP through the pfSense. Port 5060 can be forwarded to the dialer you want to get your inbound calls and ports 10000-25000 can usually be set up as trigger ports (causing a port 5060 outbound to an IP to automatically allow a trigger port response to pass to the same server, thus passing the audio correctly). All UDP, of course. I suspect there is a fair amount of help for pfSense with Asterisk out there, but we've had a few clients ask us to fix their system for them. Usually I tell them it's easier/cheaper to just get a real router instead of paying us, but we've still configured a few for clients. Usually the problem is that the client "loves" pfSense so much that they get comfortable with the settings and make a random change without thinking and it takes us a while to root it out. LOL

Do remember that you'll need to set externip in /etc/asterisk/sip.conf to the public IP in most cases.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Public IP in a cluster setup

Postby w37h » Fri Oct 10, 2014 12:20 am

@williamconley

thank you so much for your inputs, appreciate it!
w37h
 
Posts: 3
Joined: Thu Oct 09, 2014 9:01 pm

Re: Public IP in a cluster setup

Postby richardroi » Fri Oct 10, 2014 6:45 am

Speaking of security, is the YaST firewall not enough? I'm doing whitelisting there. Or is having DGG better?
Thank you!
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Inbound/Blended
richardroi
 
Posts: 373
Joined: Mon Mar 21, 2011 7:20 pm

Re: Public IP in a cluster setup

Postby geoff3dmg » Mon Oct 13, 2014 7:35 am

YaST firewall is enough. I tend to turn it off though and write the iptables rules myself.
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: Public IP in a cluster setup

Postby richardroi » Mon Oct 13, 2014 11:15 am

thank you geoff3dmg!
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Inbound/Blended
richardroi
 
Posts: 373
Joined: Mon Mar 21, 2011 7:20 pm

