Quick notes on some tweaks I had to do to get 3CX’s Firewall Check to pass behind my home pfSense firewall:
- Allow PBX to access Google DNS (8.8.8.8): It seems like 3CX is hardcoded to use 8.8.8.8 at the license validation stage. I had blocked 8.8.8.8 on my end to prevent Android and Chromecast devices from preferring external DNS over my local DNS server and this caused the error License_Error httpsError in 3CX.
- Create DHCP-Static mapping for 3CX server.
- Configure NAT Port-forwarding rules: I used the list at https://www.3cx.com/ports-used-3cx-phone-system-v14-v15/ for reference. Table reproduced below.
| Protocol | Port (Default) | Description | Port Forwarding Required |
| --- | --- | --- | --- |
| TCP | 5001 or 443 | v15: HTTPS port of Web Server. This port can be configured. | Yes – if you intend on using a 3CX client, Bridge Presence, Remote IP Phones from outside your LAN and 3CX WebMeeting functionality. |
| TCP | 5015 | v15: This port is used for the online Web-Based installer wizard (NOT the 3CX config command line tool) only during the installation process. | Optional – during the installation process, when the Web-Based installer is used from an external source. |
| UDP & TCP | 5060 | 3CX Phone System (SIP) | Yes – if you intend on using VoIP Providers, WebRTC and Remote Extensions that are NOT using the 3CX Tunnel Protocol. |
| TCP | 5061 | 3CX Phone System (SecureSIP) TLS | Yes – if you intend on using Secure SIP remote extensions. |
| UDP & TCP | 5090 | 3CX Tunnel Protocol Service Listener | Yes – if you intend on using remote extensions using the 3CX Tunnel Protocol (within the 3CX clients for Windows / Android / iOS) or when using the 3CX Session Border Controller. |
| UDP | 9000-9500 (default) | 3CX Media Server (RTP) – WAN audio/video/t38 streams | Yes – if you intend on using remote extensions or a VoIP Provider. |
- Configure Outbound NAT Static rule for 3CX server: Automatic Outbound NAT (Default pfSense config) causes a random source port to be used for requests outbound to the Internet. 3CX doesn’t like this behaviour, so we need to add an Advanced Outbound NAT rule to force traffic coming from the 3CX server to use “Static Port” translation, as seen in the following screenshot. For Source, select “Network” and use the 3CX server IP with a mask of /32 (single host).
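The same three changes written out in pf syntax, which is what pfSense renders from the GUI settings into /tmp/rules.debug. This is an added example, not from the original post or from 3CX; the interface names (em0 for WAN, em1 for LAN), the LAN subnet 192.168.1.0/24 and the PBX address 192.168.1.10 are assumptions.

```pf
# Assumed layout: WAN interface em0, LAN interface em1, 3CX server at 192.168.1.10
pbx = "192.168.1.10"
wan = "em0"
lan = "em1"

# Outbound NAT for the PBX keeps the original source port ("Static Port" in the
# pfSense GUI), so SIP registrations are not rewritten to a random port.
# Only this one host gets it; everything else keeps the default translation.
nat on $wan from $pbx/32 to any -> ($wan) static-port
nat on $wan from 192.168.1.0/24 to any -> ($wan)

# Port forwards from the 3CX table above
rdr on $wan proto tcp from any to ($wan) port 5001 -> $pbx port 5001
rdr on $wan proto { tcp udp } from any to ($wan) port 5060 -> $pbx port 5060
rdr on $wan proto tcp from any to ($wan) port 5061 -> $pbx port 5061
rdr on $wan proto { tcp udp } from any to ($wan) port 5090 -> $pbx port 5090
rdr on $wan proto udp from any to ($wan) port 9000:9500 -> $pbx port 9000:9500
# 5015 is only needed while the web installer runs; do not leave it forwarded.

# rdr only translates; matching pass rules on WAN are still required
pass in on $wan proto tcp from any to $pbx port { 5001 5061 }
pass in on $wan proto { tcp udp } from any to $pbx port { 5060 5090 }
pass in on $wan proto udp from any to $pbx port 9000:9500

# License check: let only the PBX reach 8.8.8.8 on port 53, placed ahead of
# the rule that keeps the rest of the LAN on the local DNS server.
pass in quick on $lan proto { tcp udp } from $pbx to 8.8.8.8 port 53
block in quick on $lan from 192.168.1.0/24 to 8.8.8.8
```

pfSense does not let you edit pf.conf directly; use the GUI pages for Outbound NAT (Hybrid or Manual mode with the Static Port box ticked), Port Forward and LAN rules, then compare the result with /tmp/rules.debug.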
After completing these steps, the 3CX Firewall Check passes all green.
I sometimes have to work from home, which means using VPN. Cisco VPN works quite well, but it’s just not the same as being on the corp network.
Using a spare DD-WRT router (ASUS WL-520GU) running the VPN build of DD-WRT, I set up a persistent VPN connection. Now when I connect my work PC to this router, it behaves just like it’s on the corporate LAN.
How to do it
- First, get the recommended DD-WRT VPN build from dd-wrt.com and flash the router.
- Connect the VPN router’s WAN/Internet port to your home LAN.
- Make sure your router’s LAN IP doesn’t conflict with any subnets in the corp network or your existing home LAN. I used 192.168.133.0/24.
- Add your corporate domains and DNS servers to the dnsmasq config (Services tab).
- Next, customize the script at the end of this post and paste in the Administration>Commands section. Click Save Startup.
- Reboot the router. Wait about 5 minutes (it takes a while to start up) and verify you can ping/access servers on the corp LAN.
- Done!
This isn’t exactly the most stable solution, but it works and I haven’t had any disconnects so far. Also much cheaper and much less trouble than setting up a site-to-site VPN using a real Cisco router.
One sticking point is that from now on any changes to router config (DHCP, WiFi, etc.) will require a reboot. Otherwise your VPN tunnel will die and won’t come back for some reason.
Also, speeds are limited by the router’s processor. Mine is only a 266MHz ARM, so IPsec puts quite a load on it, meaning I can only sustain speeds of about 2Mbps – sadly still better than some of our WAN sites that are using T1 lines.
Script
mkdir -p /tmp/etc/vpnc
rm -f /tmp/etc/vpnc/vpnc.sh
# Create the VPNC startup script in /tmp (single quotes keep the $variables literal until the script itself runs)
echo '#!/bin/sh
vpn_concentrator="your.vpn.gateway"       ## enter ip or hostname of your IPsec vpn concentrator
vpn_keepalive_host1="some.server.corp"    ## enter the ip or hostname of a computer that is only reachable if the vpn connection is established
vpn_keepalive_host2="other.server.corp"   ## enter the ip or hostname of a second computer that is only reachable if the vpn connection is established
vpn_groupname="groupname"                 ## enter the group name here
vpn_grouppasswd="grouppass"               ## enter the group password here
vpn_username="user"                       ## enter your username here
vpn_password="pass"                       ## enter your password here
#--do not edit this--
# Written by Alain R. 28.Sep.2007
# updated by Matthieu Y. 2012-09-24
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
# Create the vpnc config file; it holds the credentials in clear text, so keep it readable by root only
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" > /tmp/etc/vpnc/vpn.conf
chmod 600 /tmp/etc/vpnc/vpn.conf
# Allow dnsmasq to forward DNS replies for the corporate LAN subnets.
# This removes stop-dns-rebind, i.e. the rebind protection that would otherwise
# drop upstream answers containing private (RFC 1918) addresses.
sed -i "s/stop-dns-rebind//g" /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
# Check if a keepalive host is reachable: prints 0 if $1 answers $2 pings, 1 otherwise
pingtest () {
    if ping -q -c "$2" "$1" > /dev/null 2>&1; then
        echo 0 # reachable
    else
        echo 1 # not reachable
    fi
}
# Run forever: re-check every 5 minutes and (re)connect when neither keepalive host answers
while true; do
    if [ "`pingtest $vpn_keepalive_host1 1`" = "0" ]; then
        sleep 300
    elif [ "`pingtest $vpn_keepalive_host2 2`" = "0" ]; then
        sleep 300
    else
        vpnc-disconnect
        vpnc /tmp/etc/vpnc/vpn.conf --dpd-idle 0
        sleep 1
        if [ "`pingtest $vpn_keepalive_host1 1`" != "0" ]; then
            sleep 10
        fi
        # Find the tun interface vpnc created and route/NAT the LAN through it
        tundev="`ifconfig | grep tun | cut -b 1-4`"
        iptables -A FORWARD -o $tundev -j ACCEPT
        iptables -A FORWARD -i $tundev -j ACCEPT
        iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
        sleep 9
    fi
done
' > /tmp/etc/vpnc/vpnc.sh
chmod 700 /tmp/etc/vpnc/vpnc.sh
/tmp/etc/vpnc/vpnc.sh &
OK so time to revive my poor neglected blog.
It’s officially summer! Old news, I know, but I have to establish setting for my writing.
Summer means slow days at work, with a parking lot that has considerably more vacancies than usual. It also means we can use the school’s gym at lunch – I played basketball today for the first time since my collar injury and it went pretty well. Good times. From a sysadmin standpoint, slow days are great because there are fewer people around to complain about things being broken, so we take more liberties and break more stuff. (Usually making sure to fix it fairly quickly anyway though. Usually.)
This week I’m working on archiving e-mails with Symantec Enterprise Vault for Microsoft Exchange. It’s a pretty cool but pretty complex application, and it generally works pretty well. All the same, dealing with Exchange and Outlook and PST files (and a few PICNIC cases…) makes me wish we could use more cloud services. Like Google Apps for education: FREE managed e-mail with oodles of storage. Not to mention the rest of the Apps suite. Or even Microsoft Office 365. Anything but on-prem. This is one reason why I both love and hate working in tech for education.
On the slightly more fun (and not coincidentally, more FOSS) side of things, I just successfully updated our Web server environment to Proxmox 2/Debian 6. Which took a whopping… 2 hours. For 50+ independent sites with MySQL DBs. Do I ever love virtualization and shell scripts. (Sidenote: Firefox’s spell check doesn’t recognize “virtualization” as a word. It’s 2012 guys!)
Anyway, the PST migrator just dinged. Better go check on it.
More summertime stories with less work to come at some point.
Running Apache 2 (Debian) on Windows 2008, and Microsoft IIS on Linux. Like a boss.
via http://uptime.netcraft.com/up/graph?site=www.csdccs.edu.on.ca
Today was quite the day. As the title says, systems were failing all over the place. Our main switch at work (a Cisco 6509) crashed about 3 times this week, causing our vSphere environment to crash repeatedly, taking all the guest VMs with it. We searched for a long while before discovering that a faulty UPS battery was to blame for the switch’s instability. Meanwhile, we’re left with a misconfigured iSCSI SAN and 3 ESX hosts with no storage.
At home, my crazy MythTV/OpenVZ/KVM/PBX/Windows 2003/Seedbox/RADIUS server had to be shut down when my home network started acting up. DHCP stopped working, and the machines that were left had difficulty pinging each other. This time, a Cisco device was to blame. A WRT610N router that I use as an ABGN Access-point running DD-WRT had somehow bricked itself and started broadcasting packets on the network, thus flooding my routers and other computers. Then, I tried booting up my server again. MythTV and OpenVZ started up OK, but the qemu-server/kvm machines didn’t start, throwing “can’t open lock for VM 107 ‘/var/lock/qemu-server/lock-107.conf’ – No such file or directory”. Weird error. The fix is to create the /var/lock/qemu-server folder.
And finally, everything at home is up and running again. We’ll see tomorrow morning how things go at work. David was staying late today on the phone with Dell EqualLogic specialists, so fingers crossed!
With Microsoft set to unleash its latest OS on the world in about a week, the Interweb is buzzing with all sorts of new Windows 7-related material. Some interesting things I’ve found:
Michael Dell says when “you get the latest processor technology and you get Windows 7 and Office 2010, you will love your PC again; we actually have not been able to say that for a long time.” Let’s hope that’s true.
Windows 7 also improves touch and tablet support, bringing a wave of new touch and pen powered devices. You’ve seen the HP TouchSmart PCs, and the old Tablet PCs. Now Acer has announced a relatively cheap (799USD) 15.6″ touchscreen laptop, the Acer Aspire 5738PG. Looks interesting, but I won’t be getting one… my wallet is still hurting after being hit by that MacBook Pro.
On a more personal note, I’ll be heading to Ottawa on the 26th for some training on Windows 7 Desktop optimization… should be interesting; also, Ottawa!
Also, less in the mainstream but equally exciting, only 15 days to go before Ubuntu Karmic!
Someone at the school board received this spam message today. I must say this variation is better than the usual junk about viagra and rolexes ;). But seriously, what are they expecting to get out of this?
hello!!! how are you??? my name is Svetlana. I am 29 years old.
I have already had a bad experience talking with men on the internet.
we had an exceptional correspondence for a very long time and I believed him.
I am used to believing men but this man broke my heart.
I was shocked and I did not know what to do. I stopped believing men.
I started working hard to forget everything.
I managed to build a career but I understood that life is not work.
I want to be loved and I want to give love.
I do not know why I am telling you this, I looked at your profile and decided to write to you.
I hate lies and games with people.
if your intentions are serious write to my email: [email protected]
So now I’m back at work after a good week off. The big project of the summer is Vmware migration, and the new equipment has just started coming in. We will be consolidating 20 servers into 4 VM hosts.
The specs of the system:
4 x Dell PowerEdge R710 servers (2 x Intel Xeon X5550, 48GB RAM)
Dell EqualLogic iSCSI SAN, 16 x 450GB @ 15K RPM
We have received the four servers, but can’t start until the SAN arrives…
Quick note:
using LDAP’s default port 389 with a Base DN of the parent Active Directory domain only shows objects from the parent domain. Changing the port to 3268 (the Global Catalog port, which serves a partial replica of every domain in the forest) but keeping the same Base DN allows LDAP access to users from the child AD domain.
So, finally got the Openfire Jabber server to see all users from both domains.
Found via: http://www.igniterealtime.org/community/message/155746
For further reading: http://technet.microsoft.com/en-ca/library/cc978012.aspx
Kind of a lame first post, but hey, gotta start somewhere!