SUGGESTIONS How to deal with endpoints that move networks often

Tyler

New Member
Joined
May 22, 2013
Messages
14
Reaction score
0
So I have run into a bit of a conundrum and figured I would see if anyone on here has a suggestion or has run into a similar issue.

Here is the situation: I have a company that works in places like theaters and sports arenas. We move around A LOT!! Sometimes in different cities each day for weeks at a time. At each location we want to set up an office and one of the things we want to use are our VOIP phones. We use only Aastra phones, 6739i, 6757i, and 600 series DECT. Our servers are running PIAF Green (Asterisk 11.3/FPBX 2.11) and hosted by RentPBX. I should note that we have Travelman3 installed and also use/rely on iSymphony as our FOP.

Now at our main office we have a static IP which has been whitelisted in IPtables and everything is hunky-dory for the most part. Now when we move around to different cities (i.e. different networks) there is no telling in advance what the IP will be or if it will even be static. Now I know what you are probably thinking, "why don't they just use their smartphones with travelman". Well I'll tell you why, we like good (kinda) ol' fashion hardwire phones – and personally if you knew some of the people we had to deal with you wouldn't want to give out your cellphone number either.

That being said, I need suggestions for how to deal with traveling with our SIP phones to different cities, allowing them to connect to our PBX without fully exposing port 5060 to every SIP hacker, and without having to jump through a million hoops (or would that be hops). One thought I had was bringing a VPN with us and doing a PPTP back to the PBX. We've had wonderful success with Peplink Balance 20 routers. The only issue there is we could get caught up in some very nasty double-NAT scenarios as we aren't always able to connect to the network at the WAN head and end up somewhere down the line on a managed switch.

So, anyone have any thoughts....
 

matthew

Guru
Joined
May 22, 2013
Messages
83
Reaction score
26
We use snom 7x0 phones that VPN back to a pfsense box. Take the phone anywhere...
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,115
Reaction score
129
Sure, I do similar things ---

I have a pfSense Firewall in front of my PIAF server -- and a pfSense firewall in my mobile rack. There is an IPSec VPN configured between the two and all the phones are on the private IP network routed via the tunnel.. I use Soekris hardware for my pfsense units, but there are many various options..

Once set up I need only get the IPSec active and everything else just plugs and plays.. From phones, to workstations, to printers...

Of course the RentPBX solution may take a little more work..

Good luck ---
 

Porch

Guru
Joined
Jul 5, 2013
Messages
135
Reaction score
15
A router that will make a VPN bridge back to your PBX seems like a good idea. No SIP over NAT to deal with.
 

Tyler

New Member
Joined
May 22, 2013
Messages
14
Reaction score
0
phonebuff said:
> Sure, I do similar things ---
>
> I have a pfSense Firewall in front of my PIAF server -- and a pfSense firewall in my mobile rack. There is an IPSec VPN configured between the two and all the phones are on the private IP network routed via the tunnel.. I use Soekris hardware for my pfsense units, but there are many various options..
>
> Once set up I need only get the IPSec active and everything else just plugs and plays.. From phones, to workstations, to printers...
>
> Of course the RentPBX solution may take a little more work..
>
> Good luck ---

Yeah so it seems like my two major hurdles are going to be hardware and direct WAN access. As I mentioned, at most of the places we go to we aren't able to get direct WAN access and will sit somewhere down the line on the in-house LAN. I'm not sure how this will impact using a router we have with us and (blindly) plugging it into the foreign network. The issue of hardware falls obviously at the RentPBX level. As we are using a hosted virtual machine and have no access to physical hardware we are a little bit more limited on VPN options and will have to use a software based VPN. However, as odd as it may sound we happen to have a MacPro 1,1 that is quietly dreaming of electric sheep in a pelican case. As I mentioned before our office is on a static IP and we have a 50MB symmetrical fiber connection. Would it just be a lot more sensible to install PIAF on the MacPro, use our existing Peplink VPN/Router, thus having full hardware control over the situation? Then I can get another Peplink Balance 20 VPN/Router to PPTP back to our office router.
 
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
Yealink phones can do VPN also.
The whole security thing really depends on the cost of your exposure and your calling volume. You could set up a totally exposed server with no standard ports (not 5060), long passwords and no trunks that then has to connect to another more secure box with long account codes or other validation mechanisms for trunk access. Or have the first box connected to SIP trunks with very low dollar caps on them.
So the security issue comes down to cost exposure and preventing access to your larger network if the server isn't isolated.
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,115
Reaction score
129
Tyler,

pfSense installs in a VM, so you should talk with RentPBX about the options, I don't like hairpin routing if it can be avoided..

We usually have show management right the single drop / Firewall router requirement into the agreement, and our rack / pelican sits in the "show Office". The beauty of this solution is that except in very rare cases we have never had to touch our network configurations beyond the vpn settings. Back up depending on budget could be a VSAT from one of your haulers / offices and AVL has some interesting new options for bandwidth in that area as well as of course 4G LTE.

================
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,115
Reaction score
129
Correction

We usually have show management right write the single drop / Firewall router requirement into the agreement,

:oops:
 

Joe the geek

New Member
Joined
Jun 11, 2013
Messages
12
Reaction score
3
Isn't this the same as running a "hard phone" at a location with a dynamic IP?

All you need for Travelman 3 to "whitelist" your IP is a dyndns that gets updated to the IP address from which your "hard phone" connects.

The phone and the DynDns client can be on separate devices,
in other words, run a DynDns client on a laptop, cell phone, raspberry, etc. that connects thru the same network as the phones.
The dyndns client will whitelist all connections from the public IP of your theater/sports arena.
This also works if you are tethering through your cell phone...
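
Added example (not part of the post above and not Travelman 3's own code): one way a PBX-side cron job could follow a dynamic-DNS name and keep a single iptables whitelist entry in step with it, refusing any DNS answer that is not a public IPv4 address. The chain name `SIP-ROAM`, the UDP/5060-only rule and the state file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Travelman 3 code. Chain name, UDP/5060-only rule and
# state file are assumptions; the chain must exist and be jumped to from INPUT.
CHAIN="SIP-ROAM"

# Succeed only for a strictly formatted, publicly routable IPv4 address, so a
# wrong or tampered DNS answer can never whitelist a private or special range.
is_public_ipv4() {
    local o IFS=.
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $1                      # split the address on dots into $1..$4
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 1 ;;
    esac
    [ "$1" -lt 224 ]               # reject multicast and reserved space
}

# Print the iptables commands that move the whitelist entry from OLD to NEW.
# Prints nothing if the address is unchanged; returns 2 if NEW is rejected.
plan_update() {
    local new="$1" old="$2"
    is_public_ipv4 "$new" || return 2
    is_public_ipv4 "$old" || old=""        # distrust a corrupt state file
    [ "$new" != "$old" ] || return 0
    echo "iptables -A $CHAIN -s $new/32 -p udp --dport 5060 -j ACCEPT"
    if [ -n "$old" ]; then
        echo "iptables -D $CHAIN -s $old/32 -p udp --dport 5060 -j ACCEPT"
    fi
}

# Resolve HOST, apply any change (needs root), then remember the new address.
refresh_whitelist() {
    local host="$1" state="$2" new old="" plan
    new=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
    [ -r "$state" ] && old=$(cat "$state")
    plan=$(plan_update "$new" "$old") || return
    [ -n "$plan" ] || return 0
    sh -c "$plan" && printf '%s\n' "$new" > "$state"
}
```

The new rule is added before the old one is deleted, and the old venue's address is removed on the next change, so the whitelist never accumulates stale public IPs that other tenants of those networks could reuse.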
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,381
Reaction score
436
I have some similar setups.
Juniper SSG5 connected to any LAN with NAT Traversal enabled and VPN to the firewall in front of my PBX
Plug phones into SSG5 (has 7 ports, or get a PoE switch)
Dynamic DNS name is supported using Aggressive mode on the SSG series.

No NAT, no hassle, no problem.

Now you're using a RentPBX so you'll have to do something with OpenVPN - find a firewall with OpenVPN support and set that up, or NAT all outbound traffic through your office which is already permitted to the RentPBX setup.

Or you can inhouse your PBX as another option.
 

Tyler

New Member
Joined
May 22, 2013
Messages
14
Reaction score
0
Wow! Lots of food for thought. I appreciate all the feedback. I'm going to investigate the OpenVPN solution.
 

Dan Lawrence

Member
Joined
Jan 4, 2008
Messages
47
Reaction score
9
Please update us if you find a RentPBX VPN solution. I'm interested in doing the same thing with a RentPBX virtual host.
 

kmcdaniel

Member
Joined
Jan 23, 2008
Messages
416
Reaction score
19
Joe the geek said:
> Isn't this the same as running a "hard phone" at a location with a dynamic IP?
>
> All you need for Travelman 3 to "whitelist" your IP is a dyndns that gets updated to the IP address from which your "hard phone" connects.
>
> The phone and the DynDns client can be on separate devices,
> in other words, run a DynDns client on a laptop, cell phone, raspberry, etc. that connects thru the same network as the phones.
> The dyndns client will whitelist all connections from the public IP of your theater/sports arena.
> This also works if you are tethering through your cell phone...

As Joe has stated, isn't this one of the beauties of travelinman 3?
 

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
I was able to simply install openvpn on one of my RentPBX accounts (purple). On another, new RentPBX, Scientific Linux system it wasn't in the repos, but I was able to install it by following a HOWTO I found on the internet. On that machine, however, my certificates didn't work with a Yealink (they worked with all other computers/phones). I don't know if it was a date 'thing' or something else.

I ended up just copying certificates from another, unrelated machine, and those work perfectly with the Yealink.

Andrew
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Tyler said:
> Wow! Lots of food for thought. I appreciate all the feedback. I'm going to investigate the OpenVPN solution.

Why not stick a Raspberry Pi with WiFi in your suitcase and set up an Asterisk server at the remote site when you get there? Interconnect it to your server at home or in the Cloud, and you've got the best of all worlds.
 
