SUGGESTIONS: Issues with tftp in a hosted deployment model

simplydrew
I'm in the process of setting up a Linode instance of PIAF Green as a hosted solution for around 10 phones at the moment. Spec'd out some Cisco 7975 phones for this particular site, using chan-sccp-b (which works beautifully - great project), but am running into issues with having tftp send configuration files from the Linode instance through the WAN to the phone remotely.

As a test, I grabbed one of my spare 7965s sitting here in my home office, threw the firmware and configuration file needed on the Linode instance, manually pointed the phone to the Linode IP, and let it rip. When checking /var/log/messages, I could see that xinetd's tftp process was verbosely outputting that it was trying to respond to the phone's tftp request, but the transmission wasn't making it through:

Code:
Jun 25 18:48:03 li922-231 in.tftpd[31397]: RRQ from [insert home wan IP here] filename term65.default.loads
Jun 25 18:48:07 li922-231 in.tftpd[31398]: RRQ from [insert home wan IP here] filename term65.default.loads
Jun 25 18:48:11 li922-231 in.tftpd[31399]: RRQ from [insert home wan IP here] filename term65.default.loads
Jun 25 18:48:18 li922-231 in.tftpd[31400]: RRQ from [insert home wan IP here] filename term65.default.loads
Jun 25 18:48:22 li922-231 in.tftpd[31402]: RRQ from [insert home wan IP here] filename term65.default.loads
Jun 25 18:48:26 li922-231 in.tftpd[31420]: RRQ from [insert home wan IP here] filename term65.default.loads
Jun 25 18:48:30 li922-231 in.tftpd[31448]: RRQ from [insert home wan IP here] filename term65.default.loads


Stumped, I tcpdump'd my pfSense router's WAN interface and noticed that I was getting a response ingested back to the phone end, but pfSense was blocking the tftp return - as every tftp reply would be a randomized port number. Reading through RFC 1350, this seems to be business as usual.

However, this obviously introduces a problem for me. I could build an OpenVPN tunnel or otherwise from the customer's side when the phones are deployed to them back to my Linode PIAF instance, but that would require a box of some sort on site to introduce that routing - which I'm trying to avoid (thus the hosted PBX, no hardware to fail onsite beside the phones). I could also put a box on site to serve as a local tftp point, but that would still introduce having to put another piece of equipment on site.

I've searched the forums and read through a few different trials and tribulations with hosted solutions, but didn't come up with anything that addresses the tftp point. Any thoughts?
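For anyone wondering why the replies above never make it back through the firewall, here is a small illustration of the RFC 1350 behaviour the log is showing (added example, not code from the original thread or from PIAF/chan-sccp). A toy tftp server on localhost accepts the RRQ on its well-known port but, as the RFC requires, answers from a brand-new ephemeral port (its transfer ID); a stateful firewall or NAT that only tracked the client's outbound packet to the well-known port sees that reply as unrelated inbound UDP and drops it. The filename and file contents are constructed samples, and a random localhost port stands in for UDP/69.

```python
import socket
import struct
import threading

# Constructed sample file served by the toy server (contents are not a real loads file).
FILES = {b"term65.default.loads": b"constructed firmware loads file contents"}


def build_rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    # RFC 1350 RRQ: opcode 1, filename, NUL, mode, NUL
    return struct.pack("!H", 1) + filename + b"\0" + mode + b"\0"


def parse_rrq(pkt: bytes):
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode != 1:
        raise ValueError("not an RRQ")
    filename, mode, _ = pkt[2:].split(b"\0", 2)
    return filename, mode


def serve_one_rrq(listen_sock):
    # The request arrives on the well-known port, but the reply is sent from a NEW
    # socket bound to an ephemeral port: that port is the server's transfer ID (TID).
    pkt, client = listen_sock.recvfrom(516)
    filename, _ = parse_rrq(pkt)
    data = FILES.get(filename, b"")
    reply_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    reply_sock.bind(("127.0.0.1", 0))
    # DATA packet: opcode 3, block 1, payload (fewer than 512 bytes ends the transfer)
    reply_sock.sendto(struct.pack("!HH", 3, 1) + data, client)
    reply_sock.close()


def tftp_exchange(filename=b"term65.default.loads"):
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    well_known_port = server.getsockname()[1]  # stands in for UDP/69
    t = threading.Thread(target=serve_one_rrq, args=(server,))
    t.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))
    client.settimeout(2)
    client.sendto(build_rrq(filename), ("127.0.0.1", well_known_port))
    reply, src = client.recvfrom(516)  # src[1] is the server TID, not the request port
    t.join()
    client.close()
    server.close()
    opcode, block = struct.unpack("!HH", reply[:4])
    return {"request_port": well_known_port, "reply_port": src[1],
            "opcode": opcode, "block": block, "data": reply[4:]}
```

Running tftp_exchange() shows reply_port differing from request_port every time; that mismatch is exactly the "randomized port number" pfSense refused, and it is why the fixes discussed in this thread all amount to either tunnelling the phones or serving the files from inside the LAN.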

rjaiswal
tftp was never designed to work on the open internet. Most firewalls block that traffic on the wan interface, because it's never supposed to see that traffic on that interface. Also, tftp doesn't really work with NAT, at least that's what I've come to learn from my own experience.

rjaiswal
Remote SCCP phones, running on call manager usually connect back to the phone system via an IPSec tunnel, which is hosted on the call manager.

I would ping the chan-sccp guys and see if they've implemented any sort of IPSec provisioning in their channel driver.

Last time I checked, it wasn't. Cisco 79xx series phones have native code to connect to a call manager via IPSec.

simplydrew
tftp was never designed to work on the open internet. Most firewalls block that traffic on the wan interface, because it's never supposed to see that traffic on that interface. Also, tftp doesn't really work with NAT, at least that's what I've come to learn from my own experience.
Definitely appears that it's an uphill battle. Considering that the tftp response delivers itself on a random port, there's just no way to account for the response. I've seen that there's such a thing as tftp Proxy that you can enable on pfsense, but haven't given that a shot yet.

The customer's environment this is getting thrown in at has a Sonicwall (which I've always heard bad luck on the VoIP combination with), so wanted to test it on my end before putting the pieces together. Using tftp over the internet was my last resort, of sorts, considering the customer's IT guy has "security concerns" with setting up an ipsec tunnel to my Linode instance. Even considering the fact that he can ACL off just the phones to ride the tunnel...

simplydrew
Remote SCCP phones, running on call manager usually connect back to the phone system via an IPSec tunnel, which is hosted on the call manager.

I would ping the chan-sccp guys and see if they've implemented any sort of IPSec provisioning in their channel driver.

Last time I checked, it wasn't. Cisco 79xx series phones have native code to connect to a call manager via IPSec.
Good point. I meandered around the mailing list in an effort to see if this is a possibility, but it doesn't appear that they've implemented this. Seems like they have no interest in doing so, as they do with some things that get brought up. Even so, probably 13+ individual ipsec connections to a 1GB'd RAM Linode would probably tax memory quite a bit. I've been wrong before though.

I'll see if I can poke them for the latest as to if it's a possibility or someone has done it. Good idea, though!

rjaiswal
I am dealing with a client that has an IT guy with similar beliefs about vpns to hosted services.

It makes my job that much harder, because I have to engineer around his "security concerns". I had to literally build a second network at a location for a new phone system, because the IT consultant thinks that vlans are insecure. :)

In regards to tftp, could you put a raspberry pi on the network acting as the tftp server? Since it'll be mostly sending files, the SD card would last a really long time. All you would need is for the IT department at your client to configure a dhcp option, and you'd be all set.

Have the pi connect to an openvpn server, so you can manage it remotely.
 
Joined
Apr 17, 2009
Messages
829
Reaction score
9
I would also be curious as to a solution to this as I'm thinking of using Digital Ocean for some deployments and rent pbx and use some Polycom IP335 phones.

rjaiswal
I would also be curious as to a solution to this as I'm thinking of using Digital Ocean for some deployments and rent pbx and use some Polycom IP335 phones.

With polycom phones, they can provision with either ftp or http. No need for tftp.
 
Joined
Apr 17, 2009
Messages
829
Reaction score
9
And the endpoint manager will / can do this type of setup? Guess I've never seen those options before, or maybe I should say... I've never paid that much attention to the other options.

rjaiswal
Of course not... :).

When I had polycom phones at one site, I had to build one xml file manually, as a master, and then manually change it for each extension.

The polycom administration guide is very informative. Learned a lot of what these phones could do.

With certain types of pbx's they even support shared lines...

rjaiswal
You just need to add the address to the phone, via the keypad, and reboot. It should then pull configs from the web server.

simplydrew
I am dealing with a client that has an IT guy with similar beliefs about vpns to hosted services.

It makes my job that much harder, because I have to engineer around his "security concerns". I had to literally build a second network at a location for a new phone system, because the IT consultant thinks that vlans are insecure. :)

In regards to tftp, could you put a raspberry pi on the network acting as the tftp server? Since it'll be mostly sending files, the SD card would last a really long time. All you would need is for the IT department at your client to configure a dhcp option, and you'd be all set.

Have the pi connect to an openvpn server, so you can manage it remotely.
Definitely a good idea to throw a Pi on site - thanks for the recommendation. That might be my #1 backup plan if I 1) can't get the IT contact to allow the tunnel, or 2) they won't let me replace the Sonicwall with something else (preferably pfsense ;) )

One thing I'm encountering issues with now is no audio on the remote registered phone when testing in my home lab to Linode. I have the ports forwarded (5060, 10000-20000, 5004 and 2000 for the SCCP traffic). Phone registers, but not getting any audio on call attempts. Something else to troubleshoot this week.

rjaiswal
Do you have another phone system in your home lab? If so, are you port forwarding incoming RTP ports to it?

simplydrew
Do you have another phone system in your home lab? If so, are you port forwarding incoming RTP ports to it?
That was the culprit. I needed to move my NAT rule up the list a little in pfsense to be processed. I like to allow only certain IPs in my rules (where I can), and the Linode instance IP variation of the rule was further down the list. After I changed that, I'm able to make and receive calls without issue. Audio is clear, hooray! :)

However, I believe the next challenging item is going to be the fact that yes, one phone is going to work behind NAT, but how am I going to account for other phones in my planned setup sitting behind NAT? In this situation with pfsense, I had to forward the RTP port range to the local IP address of the single phone I'm testing with. I imagine I'd have to do the same thing if the Sonicwall stays in place at the customer's environment (or really any router/firewall combo unit that I would run into at any other customer's as well) and would have to forward for every phone. Maybe pfsense and it not being very forgiving is making me over think this - but without something like RTPProxy and SipProxd to re-write the destination per phone...I think I can't scale beyond one phone in this type of NAT situation, right?

From the way that others threads on the topic have read to me, this seems like it wouldn't necessarily be the case...but wanting to be sure.

rjaiswal
SipProxd is only needed if you connect to multiple external sip servers. All your phones should be fine connecting to the hosted pbx. You should not need to do any port forwarding. NAT should route traffic back to the appropriate endpoint. You might need to allow connection from your linode instance through your firewall.