Cluster setup internal and external NIC configuration


Post by tradecomedia » Fri Apr 08, 2016 11:33 am

Vicibox 6 from .iso | Vicidial 2.12-538a Build 160122-1401 | Asterisk 1.8.32.3-vici | Cluster setup: 1 web 1 DB 5 telephony | No Digium/Sangoma Hardware | No Extra Software After Installation


Hi,

So here is the deal. Did a fresh install about a month back and have had carrier issues since day 1. The carrier would register and make calls, but under high call volume we would lose sound. We have searched the forums and have narrowed down the problem to our Untangle firewall, which has all the nodes (1 web, 1 DB and 5 telephony) behind it. In continued investigation we have determined that our best option is to configure an external IP to the 2nd NIC so the carrier can communicate with the telephony nodes without Untangle, and our phones could also from within our local network. In all the forum posts that I have read it says that this will work, but I have a few questions.

1) Could this be done without a complete scratch install? My concern is the 100+ hours of configuring phones, users, DIDs, Ingroups and so on.
2) Would ALL the nodes have to have an external IP? Or can just the telephony servers have ext and the Web and DB nodes not have ext, only int?
3) In the posts, williamc consistently says to set up the telephony server first with the ext IP and make sure that it works correctly, then configure the 2nd NIC with the internal IP. How can this be done if it doesn't have an internal IP and the DB doesn't have any external IP? One of the last questions in the install process asks for the DB IP address.

Any assistance or insight would be greatly appreciated!
tradecomedia
 
Posts: 14
Joined: Mon Dec 21, 2015 12:42 pm

Re: Cluster setup internal and external NIC configuration

Post by williamconley » Fri Apr 08, 2016 2:49 pm

Please include the full installer version. Vicibox 6 had at least four releases. Some had known bugs ...

Please note: This method should only be used if you have TWO network cards installed. One for public and one for private.

"1) Could this be done without a complete scratch install? My concern is the 100+ hours of configuring phones, users, DIDs, Ingroups and so on."

Absolutely. No need for a reinstall.

"2) Would ALL the nodes have to have an external IP? Or can just the telephony servers have ext and the Web and DB nodes not have ext, only int?"

Just the Dialers making contact with the Carriers. (IE: If you have "agent only" dialers, or dialers that don't directly connect to a carrier for some other reason, they can remain "private IP only".)

"3) In the posts, williamc consistently says to set up the telephony server first with the ext IP and make sure that it works correctly, then configure the 2nd NIC with the internal IP. How can this be done if it doesn't have an internal IP and the DB doesn't have any external IP? One of the last questions in the install process asks for the DB IP address."

This is the way we normally set up networking during a buildout. But since you already have servers, that's not going to be the case today. In many cases this is merely to ensure the public IP works ... because without it, it's time to stop and have a discussion with an ISP. LOL

Note that Vicidial servers will always communicate with each other on the Private IP ... except for loading the audio store. As such: The Audio Store Server's firewall must include an exception to allow the Dialer's Public IP. We usually use DGG and add all servers' public IPs to the whitelist.

Technically, all you need to do is:
  • Add the 2nd NIC (Physically) if you have not done so already. This will require a reboot to verify that both internal and external NICs are recognized by "yast network" and that the original NIC does not lose configuration (OpenSuSE can be finicky, we've had many situations where we had to delete all NICs in the yast network interface, reboot again, and re-add them all to get it working properly and "reboot-stable", sometimes more than once!)
  • Once yast network recognizes both, and the original is working as it used to, configure the 2nd NIC to the external IP and be sure to move the gateway and DNS to the new NIC/external IP. This only counts as "done" when both network cards are working (demonstrated via agents still being able to register, local ssh still works and "wget ip.whowebwhere.com" results in the public IP of the server, if you get the private IP, your gateway was not changed).
  • Then you change the "externip" value in sip.conf to the public IP (or comment it out entirely, up to you).
  • Now you'll need to investigate the Admin->Server settings for public access to any web links. If you always access these locally, no worries. But if you want to access them outside the local networks, those local IPs in links for recordings will fail. So some modifications here will provide appropriate external IPs/domains to access those recordings.
  • Be SURE your servers with external IPs have whitelist firewalls installed and ACTIVE! Dynamic Good Guys is a great free tool for this (although I don't think we've updated it yet for Vicibox 7, there are some instructions on this board for adjustments!). The instructions for installation of DGG have a "pre-" section showing how to lock down. DGG is merely for "ease of later management" of the whitelisted system. So those instructions are often all you need, without the DGG install.
  • If you just activated iptables firewall for opensuse, ensure that the public/external IP is listed as "External" in the "yast firewall" Interfaces tab, and that the internal network is listed as an Internal Zone ... and that the Allowed Services tab does not have "Protect Firewall from Internal Zone" checked. This allows full speed communications on the local network with no dropped packets.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Cluster setup internal and external NIC configuration

Post by tradecomedia » Mon Apr 11, 2016 2:15 pm

Thank you, William! ... We will try this and post our results.
tradecomedia
 
Posts: 14
Joined: Mon Dec 21, 2015 12:42 pm

Re: Cluster setup internal and external NIC configuration

Post by tradecomedia » Tue Apr 12, 2016 2:23 pm

OK, 2 more questions for you ... Since they will be accessible to the net, can we block port 80 on them? And since they are telephony servers, does Apache need to be running?
tradecomedia
 
Posts: 14
Joined: Mon Dec 21, 2015 12:42 pm

Re: Cluster setup internal and external NIC configuration

Post by williamconley » Tue Apr 12, 2016 2:38 pm

Whitelist firewall. Blocking only port 80 is like saying I didn't leave the keys in the car, so they can't possibly steal it. LOL

Have a look at Dynamic Good Guys firewall. Instructions before installation provide whitelist lockdown. DGG is extra work ... just to be able to easily add new IPs to the "allowed" list.

Turning off Apache (and other such extreme lengths to modify the servers after buildout) is cool. Just remember: If you should EVER need these servers to operate in another role (agent web, for instance), you'll then need to reactivate those services. We usually do not bother with making extra work for what may or may not turn out to be optimization. Apache (when not in use by any web browsers) really doesn't take up any CPU power. But having it ready without calling IT is very handy (! Web server 2 is down and web server 1 is overloaded! No biggie, put a few users on web for a couple of the other dialers, then call IT and see what's wrong with web server 2 ...). *) (IMHO)
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Cluster setup internal and external NIC configuration

Post by tradecomedia » Tue Apr 26, 2016 11:08 am

"Then you change the "externip" value in sip.conf to the public IP (or comment it out entirely, up to you)."

Where is this .conf file located? Is it within each node or in the DB? We managed to get it as far as both internal and external access via SSH, pingable, and phones and carriers to register on it, but unable to make calls.
tradecomedia
 
Posts: 14
Joined: Mon Dec 21, 2015 12:42 pm

Re: Cluster setup internal and external NIC configuration

Post by williamconley » Tue Apr 26, 2016 4:26 pm

When looking for a file in a Linux-based system, the easiest method to find the file is often:

    locate {filename}

In this case:

    locate sip.conf

There may be several on the drive; the one you seek is /etc/asterisk/sip.conf
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Cluster setup internal and external NIC configuration

Post by tradecomedia » Mon May 02, 2016 12:29 pm

We ended up solving this by editing the sip.conf file for each node, setting the external IP to match the 1:1 NAT, and it works perfectly now ... Thank you for your assistance!
tradecomedia
 
Posts: 14
Joined: Mon Dec 21, 2015 12:42 pm
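
An added example, not part of the thread or of ViciBox: a shell check for the two conditions the replies above treat as "done" on a dual-NIC dialer, namely that the default gateway has moved to the external NIC and that externip in /etc/asterisk/sip.conf is either commented out or equal to the public IP. The interface name eth1, the addresses and the sample file contents are constructed.

```shell
# Added example: post-change audit for a dual-NIC dialer (names/addresses constructed).

# Print the active externip from [general] in a sip.conf-style file.
# Lines commented out with ';' are skipped; prints nothing when unset.
sip_externip() {
    awk '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[general\]/); next }
        in_general && /^[ \t]*externip[ \t]*=/ {
            sub(/;.*/, "")               # drop trailing comment
            sub(/^[^=]*=>?[ \t]*/, "")   # drop "externip =" or "externip =>"
            sub(/[ \t]+$/, "")
            val = $0                     # last occurrence is reported
        }
        END { if (val != "") print val }
    ' "$1"
}

# Read `ip -4 route show default` output on stdin, print the egress interface.
default_route_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# audit_dialer SIPCONF PUBLIC_IP EXT_IF   (route output on stdin)
# Passes when the gateway is on EXT_IF and externip is unset or equals PUBLIC_IP.
audit_dialer() {
    conf=$1; public_ip=$2; ext_if=$3; rc=0
    dev=$(default_route_dev)
    ext=$(sip_externip "$conf")
    if [ "$dev" != "$ext_if" ]; then
        echo "FAIL: default route uses '$dev', expected '$ext_if'"; rc=1
    fi
    if [ -n "$ext" ] && [ "$ext" != "$public_ip" ]; then
        echo "FAIL: externip=$ext does not match public IP $public_ip"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: gateway on $ext_if, externip=${ext:-unset}"
    return "$rc"
}

# Constructed sample input standing in for /etc/asterisk/sip.conf and `ip route`.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
[general]
;externip = 192.168.1.50
externip = 203.0.113.10   ; public IP on the 2nd NIC
[carrier1]
externip = 198.51.100.9   ; stray line outside [general], ignored
EOF
printf 'default via 203.0.113.1 dev eth1\n' | audit_dialer "$sample_conf" 203.0.113.10 eth1
```

On a live dialer the same function takes real input: `ip -4 route show default | audit_dialer /etc/asterisk/sip.conf <public-ip> <external-nic>`.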

