
TIPS What's a good router for PIAF?

Discussion in 'Open Discussion' started by Dale Fredrikson, Dec 18, 2009.

  1. I'm looking at a Mikrotik rb450. They are cheap and seem to be praised in the WISP world. I'm not sure, however, if they have a proven past in the VoIP and QoS world.
  2. Sippy New Member

    RV082 Linksys/Cisco Twin DSL

    I highly recommend this router because it will run two DSLs, one for regular traffic and the second one for our VOIP traffic on a separate DSL. You can set up VLANs also, which is what most VOIP PBX vendors recommend.

    The best thing about this router is the reliability and the tech support we have received. AT&T's tech support for DSL is nothing but script readers, but everyone I dealt with at Cisco small business was first class. I have my engineer's email address and we actually have a common interest. He likes Gator football and I like BAMA football. I guess this is our year. :D

    This box is rock solid and the tech support is great. You can configure it with two DSLs or one as the main one and a second one as backup or a DMZ. Also they have VPNs that will work with any other router out there. Newegg had them at $200.00 a couple of months ago but I see they are $259.00 right now. Still a bargain for what you get.
  3. diedaar New Member

    WRT54GL+tomato+vpn

    First of all a Merry Christmas and a happy New Year to you all.

    Have a look at http://www.linksysinfo.org
    in the Tomato forum and look for the VPN build with GUI from Sargent Pepper (I think). You can set up VPN as a client or a server if I remember correctly.

    I've been using a WRT54GL (the same) with Tomato QoS now for more than 3 years and I'm very pleased with how it runs.
    (Mind you, this is for a home setup: 4 people all online, one heavy gamer, one YouTube fan, and VOIP for international calling.)

    If you want to use third-party firmware on a WRT54 and you have to buy a new device now, always go for the WRT54GL. It's the wireless router marketed by Linksys for open source firmware.

    The cheap Linksys devices (especially the Wireless-G ADSL Gateways) have a tendency to blow a capacitor or two (cheap crappy parts) (I have a defective one on my desk right now). If your Linksys stops working, look for bulging caps on the capacitors; some people got their devices working again after they replaced these blown capacitors.
  4. I second this. We run an RV016 at our office, which is the same as the RV08 with 8 extra ports on it. We run Telco DSL and Charter Cable internet into the office.

    I'm able to specify what kinds of traffic I want on each provider, and it automatically fails over to the working connection if one of the services fails. The QoS has worked great and I have never had a problem with voice quality because other services were hogging bandwidth.
  5. Dale Fredrikson New Member

    Hi everybody. Thanks for all your good advice.

    Based on what y'all said, I tried pfSense. It's fantastic. It does everything I want it to do, and much more, and it's STABLE!

    Whoops -- I lied: It doesn't quite do everything I want. It won't do loopback port forwarding.

    It has something called NAT reflection which is supposed to kind of do that, and I tried that, but couldn't get it to work.

    This is almost a dealbreaker for me. We use softphones on our laptops, and they address the external IP on the router (which has 5060 & 10000-20000 forwarded) so that the phones will connect from anywhere.

    Now that I'm running pfSense, I'm having to go into the softphone config and change the domain address from the router's external IP to the LAN address of pbx.local every day when I get to the office, and then change it back again when I go home, because pfSense won't do loopback port forwarding.

    And it has the same effect on other services. I can't test our FTP server, for instance, without leaving the building.

    Has anybody else dealt with this? Any workarounds?

    Also, what about other open source firewalls -- SmoothWall, IPCop, etc.? Is pfSense the best of the lot?

    Thanks a lot.

    Regards,

    DF
  6. jmullinix Guru

    I think you turn on NAT Reflection and turn off the switch that blocks private IPs from coming in on the external interface. I am fairly sure that I have this working.

    You could use a workaround if you like. Set all of your softphones to use a DNS name for the server; something like DFPhones.dyndns.org.

    Then set BIND up on your phone system and use it as your internal network's DNS server. Put a manual entry in the host file of BIND that points DFPhones.dyndns.org to your phone server.
  7. Sacrilego New Member

    Most firewalls won't allow you to do that as far as I know, but there are a couple of ways you can deal with this.

    Solution 1:
    Like jmullinix said, turn on NAT reflection and disable the block of private IP addresses on WAN.
    This brings some issues with it though, like there's a limit on the range of ports before it fails.

    Solution 2:
    Deploy an internal DNS server, adding records for your internal servers' IP addresses.

    Solution 3:
    Inside pfSense under the DNS forwarder services tab, add host exceptions and point them to your inside servers.

    I use solution 3 at home and solution 2 at work.

  8. Nate731 New Member

    Sacrilego's Solution 3 is what you're looking for if you don't already have an internal DNS server in your environment. Have your softphones connect to your external DNS host name and use pfSense to effectively "re-write" the IP for that host to the inside address. As long as you use the pfSense box as your DNS server, the change should be transparent.
  9. tm1000 Guru

    I've used them all. pfSense is really the best. It's the easiest, the most stable, it has the most development support I have seen on a Linux distro and it's not motivated by corporate money.

    I have a virtual VPN running that connects two separate locations together where the company can't afford to buy a WAN link and it works perfectly.

    My advice to you is to use VPN (specifically OpenVPN). I have OpenVPN and I can connect all of my softphones no matter where I am at.
  10. Gotenks New Member

    Mikrotik ftw ... but wait

    I just installed Proxmox running under a Mikrotik in a datacenter. Is there anything specific one must know for this router if I want to do port forwarding, or is it better to get a static IP per template?
  11. jroper Guru

    Hi

    IP address per template

    Joe
  12. Gotenks New Member

    That convinced me, Joe, and I am set on a static, but our NOC guy asks me why I can't just port forward the VMs. Unfortunately I am not as convincing as you in this matter. Is there any way you could clarify why it would be better to pair up the VMs with IPs?

    Thanks!
  13. jroper Guru

    Hi

    Because there are a load of ports to forward, and you are going to lose track. Taking SIP + RTP for instance, it's easy enough to forward 5060 to one container, and 5061 to another, then remember which port you are going to use at the customer end, but what about the RTP stream, 10000 > 20000? You are going to use a whole load of ports.

    If he won't forward the IP addresses, then you may be best putting a Session Border Controller (OpenSBC) in front of your virtual PBX systems, then you can have each container on its own private IP address, which is a nice solution, and hides the contents of your infrastructure, but...

    Then that gives you a problem with accessing the containers from the outside world using web access, but at least you can easily port forward to each system, with a port redirected to port 80 on the container.

    If he does not forward the IP address all to Eth0 of the Host Node, then that is going to give you admin issues for the rest of the life of the service.

    Joe
  14. rugby Guru

    You want to use DNS for what you're trying to do. That will make your life a thousand times easier.

    On pfSense, under Services->DNS Forwarder, put the DNS entry for your server's internal address.

    Then outside you need to set up the same DNS name for the external IP address of your pfSense box.

    Problem solved.
  15. jay.johnson New Member

    I'd mentioned in another thread the Linksys RVS4000/WRVS4400N Gigabit Security VPN routers; both of them have 4 10/100/1000 ports, and do "QoS" and "VLANs."

    I'd forgotten to mention that the Cradlepoint MBR1200 Wireless-N Gigabit 3G router does QoS and VLAN as well (costs A LOT more than the other two, though). Definitely pick up a router that does QoS and VLANs...

    Jay
  16. wa4zlw New Member

    I'm a fan of Mikrotik routers. You can buy their Routerboards (routerboard.com) or plop the s/w onto a PC-based machine and the firmware license is like $43. It is a fully featured router/firewall/etc. Has VPN, DNS, Hotspot, anything you can think of built in. I'm running the distro on an old Watchguard X1000 chassis using a laptop 40 GB drive. I've run it on an old IBM Intellistation dual PII/600 as well.

    I've also got pfSense here on another old Watchguard X1000 chassis with another laptop drive. That eventually will be my firewall as I want to offload the Mikrotik to do routing, VPN, hotspot only.

    Leon
  17. Lip New Member

    Why D-Link or any other router?

    I'm having primarily one-way audio issues, so I have a few router questions:

    D-Link WBR-2310 and DGL-4500 are strongly recommended by Ward, for a specific feature like SPI or a particular type of (SIP-aware) NAT, or exactly why? I'd like to know to compare to other routers I have/work with.

    ZeroShell (iptables firewall) is what is installed and in question. We're port forwarding 5000-5082u, 10000-20000u to the PBX; that's it at the moment, no QoS, VPN, LB or anything else. Requirements are low, 10 PCs + 10 phones, 2-3 active at a time. It's on a VIA C3 500MHz bookPC with 512MB which seems fine but I guess there could always be some compatibility issue. ZS was chosen for its features, even MLPPP which we're thinking about trying, but I'm wondering if we may have better luck with another http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions such as pfSense or ClearOS? Or I will inquire about whatever feature is required as mentioned above.

    Separate networks is my other option for now as there are two WAN connections, VLAN switch etc., and I will throw a D-Link on there. As long as the phone PC passthrough works with it, as PCs and phones have to share a cable.

    I'm trying to understand why it seems to just work for many (to the point of VoIP/SIP not even being mentioned in support), and impossible for others (to the point of additional hardware/software requirements, i.e. http://siproxd.sourceforge.net/).

    Thanks in advance for any useful input.
  18. lifespeed New Member

    Opinions/experiences with pfSense 2.0?

    Has anybody tried the new release of pfSense 2.0 RC1? It is supposed to be pretty stable, as well as highly configurable. A couple of desirable features come to mind:

    Traffic shaping is supposed to be one of the most flexible implementations available. I was never able to get my Draytek Vigor 2130 to work 100% in this regard. I just had to make sure never to allow bandwidth-hogging P2P or other downloads to use too much. Router seemed unable to handle it on its own.

    The other trick I want to happen is to just be able to use a single server address and account on my smartphones whether registering from inside my network or remotely; mydomain.dyndns.org. I understand I can intercept this domain within the DNS server of pfSense and route it directly to the Asterisk IP, rather than have it go outside my network and come back in, adding latency.

    Anybody care to share experiences with pfSense and PIAF?

    Edit: Oh, here's the pinnacle of router annoyance. When using two different Bria smartphones at the same time, the audio on the second phone to make a call gets routed to the first phone. How annoying. Obviously, Bria requests the same RTP port and the foolish router agrees. The folks at Counterpath called it "port overloading" and blamed the router. Which seems the most likely answer to me . . .
  19. Sacrilego New Member

    I'm still on a slightly older beta, but it's been very stable so far for me. I'll be upgrading to RC1 today.

    Traffic shaping works for me as it should.

    For DNS, you can override the IP address returned for a host from the forwarder; this way you can just add the IP of your internal PIAF box and have the clients register to the same host name inside and outside.

    Depending on the client though, you might need to first flush the DNS cache. I have this issue with a portable SIP phone, but it's OK with my Windows softphones.

    About the RTP issue, I don't think I've had that issue with X-Lite myself, but I know what you're talking about.
    The issue could probably be worked around by limiting the ports used for RTP on the softphones and using ranges that do not overlap between them.

    There's also a SIP proxy package you could add to pfSense that can help with this.
  20. Severian New Member

    Howdy,
    You are asking about a router, and this encompasses both hardware and software. I use IPCop and have been very pleased with it. It is the software component and I run it on a box designed to be a commercial firewall/router using different software. It has all the features you ask for, except for built-in wireless. It is very stable. When I want wireless, I plug a Linksys access point running DD-WRT into its blue zone. That keeps the wireless traffic completely isolated from my home LAN, but lets it connect to the outside world. DD-WRT is quite stable on the Linksys hardware, but not nearly as good when running on my first hacked wireless router, which was an Airlink 101 AR430W. The Airlink was real cheap and good to learn on, but it crashed when loaded for a while. The Linksys hardware has never crashed on me. Other hardware, such as Buffalo and ASUS, and Soekris have more features, and might even serve better. I know how I would address your setup, but I am probably more willing to tinker than the average geek. I don't know how simple you need to keep it. I have learned a good deal messing with routers. It even helped once when I talked to my congressman. He started telling me that the NSA could not keep up with the data it is reported that they tap. I knew enough to tell him where he was wrong.
    Have fun
