Posted by William P.N. Smith on April 17, 2006, 7:50 pm
I'm designing my first Asterisk system, and I'm a bit stuck on where to put the server. I've got a bunch of Polycom phones and a Linksys SRW224P PoE switch, and I'm building a box to run A@Home...

I have some public static IPs available, and I have NAT router(s) providing internet access to my LAN, so I can either give the PBX a static IP or put it on my LAN, but I can't figure out what's the 'right' thing to do.

Obviously I want to put the phones on the LAN, so I can move them around to any network jack, and they can supply LAN connectivity to connected computers. Therefore the phones will be behind my NAT router getting IP addresses in the 192.168.1.x subnet.

I figure I can either:

A) Put the PBX behind the NAT router. This puts the phones on the same subnet as the PBX, and adds some additional security by putting the PBX behind a (hardware) firewall. The downside is that there are ports to open in the firewall, and my impression is that connecting phones in other locations is more difficult and/or prone to problems.

B) Put the PBX out on the net with a static IP, but then don't the phones have to do the (STUN?) NAT Traversal thing to get to their PBX?

C) I suppose I could play some games with DMZ on a cheap router, but that feels like the worst of both worlds...

D) There's probably something I can do with VLANs on the switch, but that's a rathole, I can't find any good VLAN references, and I really don't want to try to learn too many things at once. 8*|

Anyway, I'd really appreciate some hints or general guidance from the experts here!

Thanks!
|
Posted by Enzo Michelangeli on April 17, 2006, 8:33 pm
The scenario B) is definitely the best. In Asterisk's sip.conf, in the sections for the phones behind the NAT, set "nat=yes"; do NOT enable STUN on the phones, because that would likely prevent communications among internal phones if canreinvite=yes is also set for them in sip.conf. In fact, canreinvite=no is the safest choice anyway, even though it may slightly increase the latency by forcing all the traffic to flow through Asterisk.

If you put Asterisk behind the NAT, you are going to have endless problems: port forwarding with SIP is not enough, as IP addresses are transmitted in ASCII inside the payload. Some modern routers have "SIP helper" modules able to modify them on the fly, similarly to what is done with FTP, but don't count on it. Dealing with NAT traversal is where IAX shines in comparison with SIP.

Even better would be to use as router the Linux box where Asterisk runs, and have Asterisk bind to 0.0.0.0. This way, neither internal nor external connections would be NATted...

For more details, see: http://www.voip-forum.com/?p=131&more=1 (under "SIP and NAT - what is the problem, really?") and the scenarios described at http://www.voip-info.org/wiki-Asterisk+SIP+NAT+solutions .

Enzo
|
Posted by Jonathan Roberts on April 18, 2006, 8:07 am
William:

I may be pointing out the obvious but.... Be sure to secure your Asterisk box if you put it on a static IP or in the DMZ. I have a test box in the DMZ and it gets pounded all day and night by people trying to get into it.

Jonathan
|
Posted by William P.N. Smith on April 18, 2006, 8:26 am
Yeah, also http://www.voip-info.org/wiki/view/Asterisk@Home+Handbook+Wiki+Chapter+7#7223PolycomandNATSWelcometohellatleastas seems to say that my phones won't do NAT traversal very well, and (at least in the beginning) I'll be using the PBX with POTS lines, so maybe I'll put it inside the firewall to start with and see how it goes...

Thanks for the feedback, all!
|
Posted by Wolfgang S. Rupprecht on April 18, 2006, 3:06 pm
http://www.voip-info.org/wiki/view/Asterisk@Home+Handbook+Wiki+Chapter+7#7223PolycomandNATSWelcometohellatleastas

My personal feeling is that phones and asterisk should really be on real static IPs so that they can re-invite and have a faster direct talk-path. Putting your phones inside a NAT-ing firewall forces you to turn off re-invites and leaves asterisk in your talk-path. If the machine gets busy and asterisk gets delayed by a few 100ms, audio will "hiccup".

For security reasons you should run asterisk as some powerless user in a chroot jail. This is a bit fiddly to set up, but well worth it if some script kiddie finds an exploitable asterisk bug. And asterisk does have plenty of questionable code for kiddies to try to find some way to exploit. Look at the large number of system(...) calls. All of those are accidents waiting to happen.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Asterisk server static IP or behind NAT?