Scaling your network for increased VoIP usage

Post by spacejanitor » Thu May 31, 2012 11:56 am

I'm currently in the middle of writing a small article with some (of my) best practices for managing a VoIP-heavy network.

I would be curious to hear the experiences of others.

Generally, I set up my installations or my clients' installations with a pfSense router. That is, I install pfSense on a PC with dual-LAN for managing the network. Yes, there are more possible points of failure than just grabbing a hardware router, but pfSense is far more customizable than even my second-favourite management suite: Tomato. If properly managed, a pfSense box should have very few issues.
I don't have any redundancy set up as far as routing goes, although perhaps I should.

When running ViciDial, I always have the server within the same LAN, and use the g711 uLaw codec between each station and the Dialer. I use the SIP protocol to connect to the dialer, but externally I use an IAX2 trunk to terminate with my carrier. I set up QoS internally for SIP RTP/signaling ports at highest priority, and prioritize all external traffic for IAX2 (4569).

I usually set up port forwarding for HTTP (80) to my ViciDial server, so I can access its data from anywhere just by navigating to the IP of the router. It would probably be more secure to change this port.
I also set port forwarding to the (main) telephony server in my cluster for SSH, as it's usually the one I need to access if something is going wrong, and that way I can quickly SSH into it from my phone or workstation wherever I am.

I run reports from pfSense on usage so I can monitor traffic throughout the day, and if there was a specific point where something happened, like everybody dropping their calls at once, it is easier to pinpoint what it is that failed.


Any input welcome.
http://www.MarketResearchTechnology.com
We are the leading users of ViciDial, LimeSurvey and Drupal in the market research industry. We're also a lead provider- contact us.

Cluster Installation, ViciBox Server
VERSION: 2.6-372a
BUILD: 120713-2123
spacejanitor
 
Posts: 178
Joined: Tue Feb 08, 2011 3:31 pm

Re: Scaling your network for increased VoIP usage

Post by Vince-0 » Fri Jun 01, 2012 2:37 am

We always split the LAN into VOIP and 'data' VLANs and use two NICs on each dialer for each VLAN because it is good practice.
Vince-0
 
Posts: 272
Joined: Fri Mar 02, 2012 4:27 pm
Location: South Africa

Re: Scaling your network for increased VoIP usage

Post by DomeDan » Fri Jun 01, 2012 3:21 am

I'm using pfSense too. I had it on a regular PC but was getting some problems with the network interfaces:
it would randomly (about every second month) start dropping all packages from WAN and would have to be rebooted.
I installed it on an old HP ProLiant and the problem was gone (and another good thing is that the hardware will last longer than a regular crappy PC).

I was testing QoS but didn't manage to set it up well enough, so I'm running without it and have never had any sound issues.

My carrier only allows SIP (and uses a huge port span for RTP), so I set up rules to only allow the carrier's IP addresses to talk to my network and deny all others.

For remote administration I've only got one random port open for SSH, with "Disable Password login for Secure Shell (KEY only)" and a password-protected key,
and I use the power of SSH for all my needs, like being able to access the web UI:
ssh -L 12345:local-server-ip:80 user@external-ip
Then I can access the web UI in a browser on http://127.0.0.1:12345; all traffic goes through ssh and thus no clear-text passwords are sent over the internet
(this can be done in PuTTY too for those who don't use a better OS ;) )

or set up a local proxy through ssh:
ssh -D 8080 user@external-ip
Now you can access all the web servers inside your network when you tell your browser to use 127.0.0.1:8080 as a SOCKS proxy, all traffic securely over ssh!

I even managed to use an IAX2 softphone tunneling over ssh from another country to make calls from my server (but it was a bit harder than tunneling a single port or the proxy method).

And the local network setup is a bit hard to explain, but the basics are that the agents and admins are separated using rules in the firewall.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden
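
The key-only SSH setup described in the post above can be checked on the machine behind the forwarded port. This is an added example, not code from any poster in the thread; it assumes that machine runs OpenSSH's sshd, and the sample configs, function names and port number are constructed for illustration.

```sh
#!/bin/sh
# Added example: check an OpenSSH server config for key-only login.
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Only the global section (before any Match) is read.

sshd_effective() {   # usage: sshd_effective <keyword-regex> <default> <file>
  awk -v want="$1" -v def="$2" '
    { sub(/[[:space:]]*=[[:space:]]*/, " ") }  # allow "Keyword=value"
    /^[[:space:]]*#/ || NF == 0 { next }       # skip comments, blank lines
    tolower($1) == "match"      { exit }       # stop at first Match block
    tolower($1) ~ ("^(" want ")$") { val = tolower($2); found = 1; exit }
    END { print (found ? val : def) }
  ' "$3"
}

audit_key_only() {   # usage: audit_key_only <file>; returns 1 on any finding
  cfg=$1; rc=0
  # columns: name, keyword regex (lower case), OpenSSH default, required value
  while read -r name re def need; do
    got=$(sshd_effective "$re" "$def" "$cfg")
    [ "$got" = "$need" ] || { echo "FAIL $name=$got (want $need)"; rc=1; }
  done <<'EOF'
PasswordAuthentication passwordauthentication yes no
KbdInteractiveAuthentication kbdinteractiveauthentication|challengeresponseauthentication yes no
PubkeyAuthentication pubkeyauthentication yes yes
EOF
  return $rc
}

write_samples() {   # constructed sample configs, written under directory $1
  cat > "$1/weak.conf" <<'EOF'
# constructed: key login works, but passwords are still accepted
Port 22022
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
  cat > "$1/keyonly.conf" <<'EOF'
# constructed: the later "yes" is ignored because the first value wins
passwordauthentication no
KbdInteractiveAuthentication=no
PasswordAuthentication yes
EOF
}

d=$(mktemp -d) && write_samples "$d"
for f in weak keyonly; do
  echo "== $f.conf"; audit_key_only "$d/$f.conf" && echo "OK key-only"
done
rm -rf "$d"
```

On a live server, `sshd -T` prints the effective settings, including anything pulled in by Match blocks that this parser skips.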

