Best Firewall/Router Colo Setup


Postby perci100 » Mon May 19, 2014 12:23 pm

I am using a Zywall USG100 "unified security gateway" right now on our in-office setup (about 35 agents, inbound/outbound blended, around 100-200 channels at one time max). Seems like when I get about 50 agents across the two telephone servers, the Zywall processor is maxed out.

We are going to move this cluster to a datacenter very soon. I am in the process of researching/buying hardware now.

I expect this cluster to handle 300-500 agents. Cost is not a huge factor but I don't want to go crazy buying things I don't need.

Having never put anything in a datacenter before, I am looking for some advice on enterprise-level equipment: gateways that are best suited for VoIP/Vicidial. My thought was to stay with what I know and go with the Zywall USG2000. Seems like it would have enough throughput, but I would really hate to drop 2-3k on something like that to find out it's just not going to handle the load. Can you maybe recommend some enterprise hardware that works well at the 300-500 agent level?

What would you use on a setup like this? Looking for fast deployment (FYI, I am not a Cisco expert, but I learn quickly if I need to).

Thank you,
8 server cluster web/tel x 5/db/archive(rec only) in production inbound/outbound/AMD/full recording |Vicibox 5.0.3 Standard ISO | VERSION: 2.12-549a BUILD: 160404-0940 | Asterisk 1.8.25.0-vici | No added software all servers in RAID 10
perci100
 
Posts: 74
Joined: Thu Feb 09, 2012 1:47 pm

Re: Best Firewall/Router Colo Setup

Postby geoff3dmg » Tue May 20, 2014 6:17 am

Personally I'd roll my own with generic server hardware and pfSense.

https://www.pfsense.org/
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: Best Firewall/Router Colo Setup

Postby perci100 » Tue May 20, 2014 9:10 pm

I've seen a lot of back and forth on this forum about it working well at higher volume. Maybe they have improved it a bit? Have you tested this on a cluster with 200+ agents? I'm all for this if it works. I just need it to be reliable.
perci100
 
Posts: 74
Joined: Thu Feb 09, 2012 1:47 pm

Re: Best Firewall/Router Colo Setup

Postby geoff3dmg » Wed May 21, 2014 3:48 am

I'm only at 90 seats, so I can't say for that volume.
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: Best Firewall/Router Colo Setup

Postby perci100 » Tue May 27, 2014 9:06 pm

Good enough for me to give it a shot. Thanks! Might go with a Fortinet 200d.
perci100
 
Posts: 74
Joined: Thu Feb 09, 2012 1:47 pm

Re: Best Firewall/Router Colo Setup

Postby Acidshock » Wed May 28, 2014 10:58 am

I prefer Mikrotik. I can get a dual-core model with 2GB of RAM that can handle 1M packets per second for under 350.00. It has all the major features you would want in a router/firewall. It doesn't have an IDS, but I set up a separate box for that and mirror ports on the switch. All sorts of traffic shaping options and logging/data collection.

http://www.newegg.com/Product/Product.a ... 1EA0V54811

Just an FYI, it takes a bit to get used to setting up. However, once you get familiar with it, you have all the performance and features of a 10-15k unit for 350.00.
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
Acidshock
 
Posts: 428
Joined: Wed Mar 03, 2010 3:19 pm

Re: Best Firewall/Router Colo Setup

Postby GaD » Fri Jul 11, 2014 4:49 pm

For the public end of the telephony, why not just put the servers directly attached with the public IP and use iptables to manage the access? I worked in a call center where we would have say 500 calls (being very modest, our call center had over 800 seats plus offshore agents) and we also had Fortinet firewalls (two of them: master/slave, I don't remember the model, but it could be the 200). The firewall went crazy stupid and got stuck on several occasions. We instead gave the media gateways public IPs and voilà... the Fortigates were cool again.

You might want to benchmark and research your equipment very well before you actually buy it. Forti is not exactly cheap, and we were told by our sales guy that "of course they would hold such traffic". He could not have been more wrong... haha. We still kept them (the Fortis), but only for non-voice traffic.
GaD
 
Posts: 195
Joined: Fri Jul 08, 2011 3:56 pm

Re: Best Firewall/Router Colo Setup

Postby perci100 » Fri Aug 15, 2014 9:45 pm

I ended up going with a Zywall USG 310; throughput and sessions looked pretty good. It might be a bit of overkill, but I'm running a cluster with 100 agents at the moment with no trouble. 25% CPU, maybe 3% connection limit. We'll see what happens as we scale up.

Wouldn't I need to change the iptables rules on every server every time I need to allow someone? Maybe I am missing an obvious way to do this in Linux.
Thanks for the heads up though. If I run into trouble, that's the first thing I'm doing.
perci100
 
Posts: 74
Joined: Thu Feb 09, 2012 1:47 pm

Re: Best Firewall/Router Colo Setup

Postby geoff3dmg » Wed Aug 20, 2014 3:01 am

Yes, you would. But once you have more than a handful of servers, it's worth implementing configuration management systems (so you run the process once, and the config management system applies it to all the servers consistently). Chef, Puppet, Salt etc. are all worth considering.
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: Best Firewall/Router Colo Setup

Postby perci100 » Thu Aug 28, 2014 10:27 am

Perfect, thank you for that. I didn't realize these management systems existed (learning as fast as I can lol). It makes sense though. I'm going to test this out. I thought I knew Linux fairly well, but the more I learn, the more I like it. :D
perci100
 
Posts: 74
Joined: Thu Feb 09, 2012 1:47 pm

Re: Best Firewall/Router Colo Setup

Postby williamconley » Wed Sep 03, 2014 10:18 am

Dynamic Good Guys allows sharing a DB with allowed IPs. We have published this for public use. With a little tweaking, you can convince ONE login to DGG to allow the user on all servers immediately. We charge to perform this tweak because it requires creation of trust between the servers to allow execution of code on the other servers at the moment of login (i.e.: re-load your GOOD IP list right now!).

DGG is on ViciWiki.com http://www.viciwiki.com/index.php/DGG

Short of hardware-based VPN (which requires a bit of power), this has proven to be the best solution to date. In fact, we HAVE had a VPN-using client attacked (through the VPN router!), but to date we've never had someone attacked from the outside using DGG.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Best Firewall/Router Colo Setup

Postby perci100 » Wed Sep 17, 2014 10:14 am

I need to brush up on my networking skills a bit. I've yet to set up a VLAN :( , feel like I'm missing the party and the boat at the same time, but thank you William for the information. I checked out DGG; I'm going to give the setup a try on my home system and see how it goes. The Zyxel USG appliance seems to be doing a good job with 100 agents; however, I just got a report from my carrier that I am dropping some inbound numbers. Seems like when we get a ton of inbounds this happens (my carrier round-robins the DIDs to each server).
perci100
 
Posts: 74
Joined: Thu Feb 09, 2012 1:47 pm

Re: Best Firewall/Router Colo Setup

Postby williamconley » Wed Sep 17, 2014 10:49 am

Even if you don't do the DGG portion, the whitelist setup it walks you through before you begin is a very powerful firewall. Just not as easy to add "good" IPs as the DGG setup is.

The most secure version is whitelisting. If all you add at that point is Good Guys (skipping the dynamic portion, leave port 81 closed), you'll have a pure whitelist system with an easy-add web page for new good IPs. Have not yet had a single breach of this wall once constructed.
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
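
The thread's two suggestions fit together: keep one shared allow list, build a default-drop iptables ruleset from it once, and let configuration management push the same file to every server. The script below is an added example, not part of any post above and not DGG's code; the list format (one IPv4 address or CIDR per line, `#` comments) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: one shared allow list -> one iptables-restore ruleset.
# Carrier addresses must be on the list too, or inbound SIP/RTP is dropped.

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*} prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac  # too long / leading zero
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for allow-list file $1; any malformed entry fails the build.
build_ruleset() {
    accepts='' bad=0 nl='
'
    entries=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | LC_ALL=C sort -u)
    while read -r entry; do
        [ -n "$entry" ] || continue
        if valid_ipv4 "$entry"; then
            accepts="${accepts}-A INPUT -s $entry -j ACCEPT$nl"
        else
            echo "rejected allow-list entry: $entry" >&2; bad=1
        fi
    done <<EOF
$entries
EOF
    [ "$bad" -eq 0 ] || return 1
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%sCOMMIT\n' "$accepts"
}

# Constructed sample list (documentation addresses), written to a temp file.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# office and carrier' '198.51.100.7' \
        '203.0.113.0/24 # carrier' '198.51.100.7' > "$tmp"
    build_ruleset "$tmp"; rc=$?; rm -f "$tmp"; return "$rc"
}
demo
```

The output is in the format `iptables-restore` reads; running `iptables-restore --test` on it parses the rules without committing them, which is a useful gate before the file is distributed.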

