blog.myitdepartment.net

Remembering when I had a problem with my first pfSense installation, I had some help from a friend who did a quick packet capture. it seems the ITSP, even after being told three times they were, was still not sending signalling to sipXecs on port 5080. It was being sent to 5060.

In doing a quick packet capture, Diagnostics>Packet Capture, it was very easy to turn capture on for the WAN port, call the system from the outside and stop the capture. Then download the capture file and open with wireshark on your PC.

Don’t have wireshark? Go get it from the wireshark.org download page!

In my case, looking at the capture file showed the signalling still being sent to port 5060. So that explained a lot. While there are a lot of firewall packages I like, a lot of them lack this feature.

GO PFSENSE!

Recently, I took a look the traffic shaper wizard in pfSense (1.2.3Prelease version).

I liked the fact that they had an easy to follow definition in there. I tinkered with two files that defined the protocol/port and name of VOIP related services so it would work well for sipXbridge in an ITSP trunking role and for remote workers coming into the network.

If you’d like to try, replace these files located in /usr/local/www/wizards (winscp makes that easy):

traffic_shaper_wizard.inc

traffic_shaper_wizard.xml

If you start the wizard and state your connection upload/download speed, it will allow you to do four things:

1. Prioritize VOIP over all other bandwidth.
2. Choose your VOIP provider (in this case you choose sipXecs). Specifying sipXecs specifies the ports/protocols used by sipXecs for trunking and remote workers.
3. Specify the internal IP address of your sipXecs installation
4. Set the total amount of reserved bandwidth to 80% from a dropdown box.

The overall rates can be adjusted but the margins (80%) cannot.  I would encourage some feedback on the sipx-users list to modify this so it can be included on a wiki somewhere. What I find is if I have a pipe almost solely dedicated to voice traffic, I have to overstate my upload speed in order to specify MORE bandwidth for voice traffic to free up the last 20% and prevent data from over-running my voice.

Even if your circuit is completely dedicated to voice for sipXecs, there is still DNS and voicemail to email traffic as well as remote UserUI traffic happening, and I want voice traffic prioritized FIRST.  You can also preset the bandwidth amounts in the “inc” file to make it brainless for your installs. I have already approximated 86k of bandwidth in increment steps (so you can prioritize by the number of calls you will have at your site).

Example: I have a 7100k (7.1Mb download) and 768k upload DSL connection, you should use this as an example.

Here I say I have a 7100k download speed and a 1200k upload speed (I have to fudge the upload to get the most out of my upload bandwidth, since that’s the more limiting factor here). The Real-time control over shaping only allow you to state 80% of your total bandwidth in either direction for shaping.

Here you state your desire to prioritize VOIP, choose sipXecs as the provider, put in your sipXecs IP address on your LAN, and choose your nearest “best guess” of total VOIP bandwidth (number of call times 86k) and choose the best selection from the drop down box. (Hint: For four calls simultaneous from the outside, select the fourth speed in the list).

Now this will finish, hopefully without an error. If you get an error about exceeding “80%”, start over and REMOVE SHAPER. State a slightly higher upload speed than you really have if you need to.

WAIT! A bug in their shaper doesn’t actually activate it until you apply it, so. What i do is go back to the FIREWALL>SHAPER screen and edit the description of the rules with the “e” edit icon. By default it will have VOIP adapter. I just scroll to the bottom and change it to VOIP then click “SAVE” and APPLY SETTINGS button at the top which actually starts to run the shaper (a bug with the wizard).

You can go to STATUS>QUEUES and watch the rules in action now!

Thanks and ENJOY!

Published a new basic guide on setting up sipXbridge with bandwidth.com.

This is my first attempt at a how-to, and while it might not meet every need, should be handy for folks connecting to bandwidth.com who need a basic step-by-step guide. I’ll be polishing this up after I get some feedback.

Three_things_I_really_like_about_sipXecs_4.pdf

Call-Setup-Example-sipXecs-through-ITSP

sipx_bridge_pfsense_bandwidth-dot-com.pdf

What I have found works, and works well. Your Polycom phones should be at Bootrom 4.2 and Firmware 3.1.3RevC (no later!).

Have MOH disabled in Polycom phones. Have MOH enabled on the SBC. Apply this patch for sipXbridge.

From the sipx console,

mkdir /bridgepatch

cd /bridgepatch

wget http://track.sipfoundry.org/secure/attachment/22062/patch14.zip

unzip patch14.zip

cd patch

chmod +x runme.sh

./runme.sh

You should check that

/usr/share/java/sipXecs/sipXbridge/sipXbridge.jar

and

/usr/share/java/sipXecs/sipXcommons/jain-sip-sdp.jar

are brand new files, backup copies will be in the saved-files directory relative to your patch in the event you need to get back to where you started..

Now restart sipxbridge (ITSP TRUNKING) and sipXconfig from services and see how it works!

This post will be updated to show MOH on in the Polycom phones, the necessary steps and bandwdth.com configuration, and will all move to the sipfoundry wiki.

Most firewalls randomize ports (rewrite the source port) of outbound traffic. This is problematic for some protocols (like PPTP, IPSEC and SIP).   sipXbridge needs static port NAT, or symmetric signalling in order to work properly. This means when sipXbridge makes an media connection at port 30001, it must be sent out on port 30001 (not rewritten by the firewall), and also come back on the same port. This is done by choosing “Firewall>NAT>Outbound” and selecting “Manual (AON)”. I’ve tried to make it easy by providing a sample setup which can be edited in a word process or (like Wordpad) and uploading to the system.

A friend of mine helped me to get this implemented, and so I thought I’d share.

After doing a basic install of pfSense,  login to the webgui and go to “Diagnostics>Backup and Restore”. Do a backup and open the config.xml in wordpad or other basic text editor. Then grab this file and do a find/replace to match your settings ( IP addresses, etc.). After that, restore the new config file to your system.

Find and replace commands:

1. Domain name – mydomain.com with your domain name like example.com
2. DNS – Change 198.6.1.2 and 198.6.1.5 to some of your own liking that will work with your ISP.
3. pfSense Webgui – I have it set for https on port 10443, change it to something you want, but remember stay away from: 80,8443, 5060-5080, 30000-31000.
4. LAN IP – I have pfsense here on 192.168.2.1, I also have sipXecs at 192.168.2.10. Change these as needed to suit your needs, don’t forget to match your mask.

I think if you properly do a find/replace on your IP’s/mask/gw’s it should be fairly straightforward.

After restoring, you should go to the CLI and reset the password, which will be “pfsense”, then go to SYSTEM>PACKAGES>INSTALLED and remove any that are there.

This pfSense config does not include vlans or traffic shaping, and is a basic config. More complex use cases might be coming later, but that’s it for now. Hope to post a complete step-by-step how-to on the sipx-wiki.

Here’s a basic step-by-step guide to getting pfSense installed:

If you need a VMWARE image, go www.pfsense.org and grab the vmware image. In the meantime, if you are installing on an standalone PC, use this ISO image. After installing the VMWARE Image, you should remove any installed packages and install the VMTOOLS package (to get timesync correct, and set you correct timezone (ex: America/New_York).

http://files.pfsense.org/mirror/downloads/pfSense-1.2.3-RC3-LiveCD-Installer.iso.gz

First step, install a Video card, Keyboard, a CD-ROM drive, an IDE hard Disk drive, 128MB of ram or more and at least two Network interfaces in your target machine. Do not install any unnecessary hardware like a modem because Pfsense cannot use it.

The hardware setup for the installation tested was Pentium Pro 200, 128MB EDO ram, Floppy 1.4MB, Trident VGA, 4 Realtek 8139D PCI cards, ATAPI CD_ROM 24X, 2 IDE 1GB drives. As you can see it was quite an old system but it all still worked quite well. Pfsense was also installed on a DELL Dimension 4100 800MHz without any problems.

Next, take the downloaded ISO file and burn the CD as an ISO (not a file copy).

Set up your BIOS to boot from the CD and then insert the CD into the drive. Reboot the machine and watch the FreeBSD 6.2 operating system boot up your machine. Do not worry if you cannot catch everything that is scrolling by because you can see all of it when the boot is complete by pressing the Scroll LOCK on your keyboard and using the Page UP/DN keys. The boot process should stop and ask you to configure the network interfaces. If you managed to make that far the rest of the installation, most likely, will be successful.

Answer no to the first prompt asking to setup Virtual Interface/Lan by typing n.

Now it will ask you to select the LAN interface. This is the interface that you will attach to an Ethernet switch if more than one computer will be accessing the pfsense to get to the internet. To select this interface use the automatic procedure by disconnecting all interface cables from all the network interfaces of the pfsense. Follow the instructions on the screen and then attach the computer via an Ethernet cable to the LAN port. Mark this interface as the LAN interface.

Next it will ask you to select the WAN port. If you have not set up your DSL/CABLE modem/routers yet select an interface by specifying the name of the interface as shown on the display. This interface can be changed later on.

Pfsense will start to load and configure itself. With a little luck, you will pass the point where pfsense configures the WAN interface. This is where the interrupts are tested and if your hardware is set up properly, or if you have a newer computer, it will breeze through and arrive at the Pfsense Console Setup page. Here you will install pfsense to your hard disk by entering 99. If you do not make it to this page you have a hardware compatibility problem with the FreeBSD operating system.

Installation is pretty painless, tell it to format and make a new partition if you want everything cleaned off, and once complete you’ll see FreeBSD loading. The loading will take some time .

At the CLI you will have an option to set the LAN IP address, go ahead and make sure you can connect to that IP with a web browser from a PC on the LAN. Now run through the wizard and set a password, etc. In Diagnostics, go to grab a backup (config.xml) and start putting your password, ip/mask/gateways and domain name into the one posted here and do the restore.

Remember to use a port for pfSense to connect to (the example we’ve provided is 10443 as https) and connect to it after the restore has occurred.

Coming Up – Setting Up Example siptrunk with ITSP Bandwidth.com via sipXbridge! Soon afterwards, traffic shaping for sipXecs and pfSense!

That’s right, now you can use Skype for business as a gateway type in sipXecs 4.02. What does this mean? We’re not exactly sure as we have not navigated the whole Skype thing yet.  We simply have not had time to see how reliable their platform is, and whether their call detail systems are business worthy, etc.  Stay tuned. If sipXecs only had a GoogleTalk gateway.

http://www.skype.com/business/products/pbx-systems/sip/