The Incredible PBX: Safely Interconnecting Asterisk Servers


 
WOW! What a couple of weeks it has been. The response to Incredible PBX for Asterisk® 1.8 has been, well, incredible. Just last week, SlickDeals and FatWallet introduced over 50,000 bargain hunters to the beauties of Asterisk and Google Voice using Incredible PBX. They joined our regular 50,000 weekly visitors in discovering what may be the best VoIP calling platform on the planet, free or otherwise.

But we’ve also heard from long-time users of PBX in a Flash: “How can we take advantage of this new Google Voice technology without breaking our existing server?” Well, starting today, it’s easy! We’re going to show you how to interconnect as many Asterisk servers as you like using a simple FreePBX tweak to make free calls using your Incredible PBX. To begin, just set up a second server or virtual machine running Incredible PBX 1.8. Then we’ll walk you through interconnecting it with any other Asterisk server that’s running FreePBX. It really is a 5 minute project… once you’ve finished reading this article.

Don’t be intimidated by all of the screen shots shown below. We’re just showing multiple ways of doing the same thing. So you don’t need to use all of them. Once you’ve added one trunk entry on each of your servers and an outbound route on your existing Asterisk server, all of the users on your primary server can instantly begin making free outbound calls through the Google Voice setup on your Incredible PBX. Keep in mind that, at least for now, there is no limit to the number of simultaneous (free) outbound calls you can make within the U.S. and Canada using the Incredible PBX 1.8 platform. And you can interconnect as many Asterisk servers as you like assuming you have the 100kbps VoIP bandwidth to support each simultaneous call.

To get started, follow our last article to get an Incredible PBX 1.8 server set up. As shown in the diagram above, we’re going to assume you’ve got both your new and old Asterisk servers running on the same subnet behind a very secure hardware-based firewall. But this isn’t really required from a technical standpoint. One or more additional servers could be strung all around the globe if that’s your requirement. Or you may wish to take advantage of the incredible deal at RentPBX.com and let them host Incredible PBX 1.8 for you at $15 a month. Just use this special coupon code: BACK10. Then all of your other Asterisk servers can take advantage of today’s free-calling solution. We would hasten to add that, once you’re using the Internet as the transport mechanism for interconnecting servers, we recommend you read and use the secure VPN setup outlined in our VPN in a Flash knol. The IAX setup outlined below is secure except that your voice data is not encrypted, so that’s your call to make.

Today’s Drill. We’re going to show you how to make calls from your existing Asterisk server through The Incredible PBX today. We’ll leave it to you to get things working in the other direction if that is a requirement for your project. First, we’ll create a new trunk on The Incredible PBX, and then we’ll create both a new trunk and a new outbound route on your existing server. We’ll also cover two different interconnection setups. First, we’ll do it using SIP. And then we’ll show you a similar setup using Asterisk’s IAX.

If both servers are sitting on the same private LAN, then the SIP setup is a little easier because the Linux firewall running on Incredible PBX allows SIP traffic to flow freely without any adjustment. It assumes you have added the recommended hardware firewall layer of protection with SIP access to your servers closed off. If one or more of your servers are outside the hardware firewall that is protecting Incredible PBX 1.8, then we recommend the VPN solution referenced above first and the IAX solution outlined here as a second option because the data is unencrypted. Both of these options avoid having to open up any SIP ports on your hardware firewall, and require only a minor adjustment to IPtables, the Linux-based firewall running on The Incredible PBX.

Naming Conventions. To keep things simple, we’re going to refer to the two servers in our example as incredible-pbx and piaf-main, where incredible-pbx is your new Incredible PBX 1.8 server that will host the outbound Google Voice calls for users on your piaf-main server. You can obviously adjust these names in any way you like. The only gotcha is that Asterisk attempts to match an incoming call’s username against one of its corresponding trunk names before allowing the call. If there’s no match, the call will fail. So if you change the names in the example, make sure you change both the username and trunk name entries on both servers. Better yet, follow the naming convention in our example, and it just works.

Security Implications. If any of your Asterisk servers allow direct SIP traffic from the Internet, then you need to be extra careful in setting up this interconnectivity since it may allow anyone to attempt to make calls through your Incredible PBX depending upon how your primary server’s dialplan is configured. For example, once a server is interconnected with Incredible PBX, anyone could dial 6789876543@youripaddress and the call might be processed by Google Voice. To avoid this, the simple solution is to password-protect every Outbound Route on your Incredible PBX by adding a Route Password. Or, better yet, don’t expose any of your Asterisk servers to Internet SIP access. Whatever you do, be sure to test making a SIP URI call such as the one shown here once you have all of the pieces in place. Then you’ll know whether you have a security issue or not.

Setting Up Incredible PBX for Interconnecting Servers. Let’s set up a SIP and IAX trunk on your Incredible PBX first. You really don’t need both of these. To repeat, if The Incredible PBX is located on the same private subnet as your other Asterisk server, just use the SIP trunk. If you need access from an Asterisk server outside your private LAN, use the IAX setup. To begin, login to FreePBX using maint and the password you set up with passwd-master. To create a trunk, first choose Setup, Trunks.

To create a SIP trunk, click Add SIP Trunk. For the Trunk Name, enter piaf-main. Then skip down to the Outgoing Settings and use the following as a guide. Then clear out the Incoming Settings, leave the Registration String blank, and click Submit Changes. Replace 192.168.0.50 with the actual IP address of your piaf-main server. Replace password with a very secure alphanumeric password. Leave the other entries as they are.


 
To create an IAX trunk, click Add IAX2 Trunk. For the Trunk Name, enter piaf-main. Then skip down to the Outgoing Settings and use the following as a guide. Then clear out the Incoming Settings, leave the Registration String blank, and click Submit Changes. Replace 192.168.0.50 with the actual IP address of your piaf-main server. Replace password with a very secure alphanumeric password. Leave the other entries as they are.

With either or both trunks, you have the option of tightening up how calls placed from the other server are routed. To force all calls to go out through the Google Voice trunk, just change context=from-internal to context=gvoice. If you want extensions on the other server to be able to call extensions on The Incredible PBX directly, leave the context entry the way it is shown.

While we don’t recommend it, if you’re going to have multiple Asterisk servers connecting to The Incredible PBX to place Google Voice calls and you’re too lazy to create separate trunks to support each server, you can eliminate the IP address checking mechanism in Asterisk by replacing host=192.168.0.50 with insecure=port,invite. The security implications should be obvious.
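
As an added example (not from the article or the Incredible PBX project), this shell function audits trunk definitions in Asterisk's [section] / key=value layout for the settings discussed above: a missing host= restriction, insecure=, an empty secret=, and the broad from-internal context. The function name, finding labels and sample trunks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: flag risky settings in trunk
# definitions written in Asterisk [section] / key=value format.
# Findings are printed as "<trunk> <ISSUE>":
#   NO_HOST_CHECK  no fixed host= address to check the source IP against
#   INSECURE       insecure= is set (the shortcut the article warns about)
#   NO_SECRET      no secret= (password) configured
#   BROAD_CONTEXT  context=from-internal rather than the narrower gvoice
audit_trunks() {
    awk -F= '
    function emit() {
        if (name == "") return
        if (host == "" || host == "dynamic") print name " NO_HOST_CHECK"
        if (insecure ~ /port|invite/)        print name " INSECURE"
        if (secret == "")                    print name " NO_SECRET"
        if (context == "from-internal")      print name " BROAD_CONTEXT"
        host = insecure = secret = context = ""
    }
    /^[ \t]*;/ { next }                      # comment lines
    /^[ \t]*$/ { next }                      # blank lines
    /^\[/ { emit(); name = substr($0, 2, index($0, "]") - 2); next }
    {
        key = $1; val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "host")     host = val
        if (key == "insecure") insecure = val
        if (key == "secret")   secret = val
        if (key == "context")  context = val
    }
    END { emit() }' "$1"
}

# Constructed sample: one trunk pinned to a peer address and the gvoice
# context, one using the insecure=port,invite shortcut. Secrets are placeholders.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[piaf-main]
type=friend
host=192.168.0.50
secret=EXAMPLE-long-random-string
context=gvoice

[any-server]
type=friend
insecure=port,invite
secret=EXAMPLE-long-random-string
context=from-internal
EOF
audit_trunks "$conf"
```
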

Setting Up The Other Asterisk Server. There are two steps in setting up any other server that you wish to interconnect with The Incredible PBX. First, you have to create a compatible trunk to handle the calls. Then we’ll add an Outbound Route to send certain calls to Incredible PBX for processing. If you’re using SIP on the Incredible PBX, then you have to use SIP on the other Asterisk server. Same goes for IAX. We’ll set up both a SIP and IAX trunk on the PIAF main server just to show you what the entries should look like. And, to repeat, you really don’t need both of these. If your other Asterisk server is located on the same private subnet as Incredible PBX, use the SIP trunk. If you need access to Incredible PBX from elsewhere, use the IAX setup. To begin, login to FreePBX on your other PIAF server using maint and the password you set up with passwd-master. To create a trunk, first choose Setup, Trunks.

To create a SIP trunk, click Add SIP Trunk. For the Trunk Name, enter incredible-pbx. Then skip down to the Outgoing Settings and use the following as a guide. Then clear out the Incoming Settings, leave the Registration String blank, and click Submit Changes. Replace 192.168.0.212 with the actual IP address of your incredible-pbx server. Replace password with the same secure alphanumeric password you used on the Incredible PBX SIP trunk to which you will be connecting. Leave the other entries as they are.


 
To create an IAX trunk, click Add IAX2 Trunk. For the Trunk Name, enter incredible-pbx. Then skip down to the Outgoing Settings and use the following as a guide. Then clear out the Incoming Settings, leave the Registration String blank, and click Submit Changes. Replace 192.168.0.212 with the actual IP address of your incredible-pbx server. Replace password with the same secure alphanumeric password you used on the Incredible PBX IAX trunk to which you will be connecting. Leave the other entries as they are.

You’ll notice in the Dial Rules, we’ve used 48 (which is GV on a phone) as the prefix to be dialed on your other Asterisk server to route calls out through Google Voice on The Incredible PBX. So, to place a call from your other Asterisk server via Google Voice, a user would dial something like this: 48-678-987-6543. Before the call leaves the Asterisk server, the 48 prefix will be stripped off. You can make this prefix anything you’d like. Just be sure to use the same prefix when you set up the Outbound Route in the next step.

Adding an Outbound Route. The final configuration step is to add a new outbound route on your other Asterisk server to actually send calls to The Incredible PBX. As noted, we use a dialing prefix so that we can identify the calls to be sent. Create a new route called GoogleVoice and make your entries look like the following if you’re using IAX. If you’re using SIP, just change Trunk Sequence 0 to SIP/incredible-pbx. Click Submit Changes and reload FreePBX when prompted.


 

Keep in mind that FreePBX processes Outbound Routes in top down order, and the first matching route is the only route that is used to place the call even if the call fails. So the trick here is to move your new GoogleVoice route up the list so that it’s at least above the default calling route (which is a route with no specified dial patterns to match) and any other routes consisting of 12 or 13-digit dial strings which might match our GoogleVoice dial patterns.

IAX Firewall Adjustments. If you’re using the IAX method above, you’ll need to adjust the IPtables firewall rules on Incredible PBX to allow communications with your other Asterisk server. If your other Asterisk server is PBX in a Flash, you may need to add a similar entry in the IPtables rules on that machine as well. In addition, you’ll need to map UDP 4569 on your hardware-based firewall to the private IP address of your Asterisk server. Otherwise, calls will never make it past your firewall.

On each server, edit /etc/sysconfig/iptables and add an entry with the IP address of the other server with which you’ll be communicating. If your Incredible PBX is on a different public network than your other server, you’ll need to add an entry near the end of the file and above COMMIT allowing IAX communications with the public (not private!) IP address of the piaf-main server, assuming that server is outside the LAN, e.g. something like this:

-A INPUT -p udp -m udp -s 222.68.100.150 --dport 4569 -j ACCEPT

If you’re using IAX and both servers are on the same private subnet or interconnected private subnets, then the entry might look like this:

-A INPUT -p udp -m udp -s 192.168.0.50 --dport 4569 -j ACCEPT

Once you’ve saved your change, restart the firewall: service iptables restart
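
As an added example (not from the article or the Incredible PBX project), this shell function checks a rules file laid out like /etc/sysconfig/iptables and reports whether each UDP 4569 ACCEPT rule is limited to a single peer address, as the entries above are. The function names, finding labels and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit UDP 4569 (IAX2) ACCEPT rules in
# an iptables rules file laid out like /etc/sysconfig/iptables.
# Findings, one per line:
#   OK <src>         accepted from one peer address only
#   OPEN             accepted from any source
#   WIDE <src>       accepted from a whole subnet rather than one peer
#   BADDASH          typographic dash (pasted from a web page) in the rule
#   MISPLACED <src>  rule sits below COMMIT instead of above it
audit_iax_rules() {
    awk '
    /^\*/     { committed = 0; next }    # start of a table section
    /^COMMIT/ { committed = 1; next }
    /^-A INPUT/ && /4569/ {
        if (index($0, "–") || index($0, "—")) { print "BADDASH"; next }
        port = ""; src = ""
        for (i = 1; i < NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-s" || $i == "--source") src = $(i + 1)
        }
        if (port != "4569" || $0 !~ /-p udp/ || $0 !~ /-j ACCEPT/) next
        if (committed)                                print "MISPLACED " src
        else if (src == "" || src ~ /^0\.0\.0\.0\/0/) print "OPEN"
        else if (src ~ /\// && src !~ /\/32$/)        print "WIDE " src
        else                                          print "OK " src
    }' "$1"
}

# Succeeds only if at least one IAX rule exists and every finding is OK.
iax_rules_ok() {
    findings=$(audit_iax_rules "$1")
    [ -n "$findings" ] && ! printf '%s\n' "$findings" | grep -qv '^OK '
}

# Constructed sample rules file; 203.0.113.7 is a documentation address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp -s 192.168.0.50 --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp -s 203.0.113.7 –dport 4569 -j ACCEPT
COMMIT
EOF
audit_iax_rules "$sample"
```
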

Testing Things Out. Now you’re ready to place a test call. Pick up an extension on your piaf-main system and dial 48-800-322-7300. You’ll be greeted by American Airlines courtesy of Google Voice. The CallerID of your outbound calls will be your Google Voice number regardless of the extension or server from which the call originates. Enjoy!

Originally published: Monday, November 15, 2010


Introducing The Incredible PBX for Asterisk 1.8

Adding Skype to The Incredible PBX

Adding Incredible Backup… and Restore to The Incredible PBX

Adding Remotes, Preserving Security with The Incredible PBX

Remote Phone Meets Travelin’ Man with The Incredible PBX


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.





5 Responses to “The Incredible PBX: Safely Interconnecting Asterisk Servers”

  1. Sergio Cury says:

    Ward; I have my IAX2 trunks setup very similar to yours, but I can’t get two way video to pass through. I don’t know if it is my asterisk version or not, but I am using your locked 1.4 version. Any thoughts?

  2. thegreatfixer says:

    thanks for the updated info

  3. Trousle Undrhil says:

    Ward, you make this look so easy! (And, of course, it *is* easy, but that’s beside the point.)

    Thanks for this. I have been trying to get it to work and now I know why I couldn’t get it to work (iptables.)

    Can this type of setup be used to allow the (new) Incredible PBX build to be just a dial-tone carrier for another Incredible PBX which hosts the extensions?

    [WM: You bet!]

  4. ward says:

    From our pal, Tom King, who is away from the Internet at the moment:

    A popular feature I use with my iax trunks between asterisk servers is the following:

    encryption=aes128
    auth=md5

    must be in both peer and user sections

    maxauthreq=3

    must be in user section

    This actually does work. While it is not very strong and it is subject to man in the middle attacks, it seems to make it a little more difficult to hack. This is on a 2.5 version of FreePBX, but I don’t think there have been any changes to iax2 in a long time except for the require token option.

  5. ward says:

    A major SIP security vulnerability was discovered in all versions of Asterisk today. You can read all about it here.

    We have developed a script for Asterisk 1.8.x which will quickly patch your system and eliminate the problem. Log into your server as root and issue the following commands:

    cd /root
    wget http://incrediblepbx.com/sipfix
    chmod +x sipfix
    ./sipfix

    Please apply this patch immediately to protect your server!
