Maybe a web-based front end to iptables like webmin would simplify what you want to do for traffic shaping and QoS? I’ve never used it, so I don’t know how useful it is for that purpose. VPN can be added by installing a package such as openvpn or openswan/strongswan. I imagine configuration would be scary, unless webmin can do that too. But an end user should probably not be setting up IPsec, especially in a legal setting.
As well, most people will tell you that a PBX isn’t a firewall/router and you shouldn’t use one box for both purposes. Whether they’re right or just being dogmatic is up to you to decide.
The IP forwarding would be the part I would worry about. It would put the box in a unique position to do QoS. The policing would have to be done with iptables as would NAT.
Turning on IP routing is simply a matter of flipping a switch in /etc/sysconfig.
I could imagine a 20-30M circuit with software forwarding could kill an Atom proc. I have no data to back this statement up.
As an engineer it’s actually a fascinating test.
As was mentioned, none of the Linux VPN packages are going to be end user friendly.
If you are a good hack at iptables and understand Red Hat Linux routing tables, have a go at it and let us know how it works.
Oh, at the most basic level I would not even consider doing this without 2 Ethernet interfaces. If it happens to be DSL, I would go treasure hunting on FleaBay and find a PCI DSL modem that has Linux support.
Lastly, if you need PPPoE, configure the modem in bridge mode and terminate it in a tunnel interface on the Linux box. You don’t want to double encap or have IP fragmentation issues in the decap process.
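As an added example (not posted in the thread and not part of FreePBX or any distro) of the two-NIC setup the post above describes: a POSIX shell script that emits the kernel switches for IP forwarding and an iptables-restore ruleset doing NAT, a deny-by-default FORWARD chain, anti-spoofing, rate-limited SSH from the WAN, and a DSCP mark on SIP/RTP as the hook for QoS. Interface names eth0/eth1, the LAN subnet 192.168.1.0/24, SSH on port 22, the RTP port range 10000-20000 and the file paths are assumptions for illustration; adjust them to the real box.

```shell
#!/bin/sh
# Added example: turn a two-NIC CentOS/RHEL-style box into a NAT router with a
# deny-by-default forwarding policy. Interface names, LAN subnet, RTP range
# and file paths are assumptions for illustration, not values from the thread.

# Emit an iptables-restore ruleset for WAN=$1, LAN=$2, LAN subnet=$3.
gen_ruleset() {
    wan=$1; lan=$2; lannet=$3
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# QoS hook: mark SIP signalling and RTP media leaving the WAN so tc/the ISP
# can prioritise them (10000-20000 assumed as the Asterisk default RTP range)
-A POSTROUTING -o $wan -p udp --dport 5060 -j DSCP --set-dscp-class CS3
-A POSTROUTING -o $wan -p udp --dport 10000:20000 -j DSCP --set-dscp-class EF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the WAN address
-A POSTROUTING -s $lannet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: drop packets arriving on the WAN that claim a LAN source
-A INPUT -i $wan -s $lannet -j DROP
-A FORWARD -i $wan -s $lannet -j DROP
# Management, SIP and RTP to the PBX only from the LAN
-A INPUT -i $lan -s $lannet -j ACCEPT
# Remote SSH from the internet, rate-limited to blunt password brute forcing
-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh
-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
# Only LAN-originated flows are forwarded out; replies return via conntrack
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lannet -j ACCEPT
COMMIT
EOF
}

# Kernel side: enable forwarding and strict reverse-path filtering, and stop
# the box from honouring or emitting ICMP redirects.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Apply (run as root). /etc/sysctl.d is assumed; on CentOS 5/6 put the
# settings in /etc/sysctl.conf instead and run "sysctl -p".
apply_router() {
    gen_sysctl > /etc/sysctl.d/90-router.conf
    sysctl -p /etc/sysctl.d/90-router.conf
    gen_ruleset "$1" "$2" "$3" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
}

# Usage: sh router.sh show  eth0 eth1 192.168.1.0/24   (print what would be installed)
#        sh router.sh apply eth0 eth1 192.168.1.0/24   (install, as root)
case "${1:-}" in
    show)  gen_ruleset "$2" "$3" "$4"; gen_sysctl ;;
    apply) apply_router "$2" "$3" "$4" ;;
esac
```

Run it with `show` first and read the output before `apply`; the INPUT and FORWARD policies are DROP, so if the interface names are swapped you will lock yourself out of a box in the rack.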
SME Server is nice and has a solid firewall and router and lots of goodies like LDAP and Windows domain services, but although it is CentOS-based it is very different from most of its peers: for example, it runs in run level 7, and many “normal” things like yum are heavily modified through the system, to the point that normal methods of maintenance won’t work as described.
There are versions 7 and 8; 7 is a few years old, 8 is newer but there is less support for it.
It is real tempting to give SME Server a shot. My small office wouldn’t overtax any system.
My phones, router and calendar server are all running on separate machines - machines that Goodwill would have turned down 5 years ago. All of them replaced with one PowerEdge 2850 in a rack (with a mirrored PE in standby right under it on the rack) would let me sleep a lot better at night. Going from 1997 tech to 2005 tech makes all the difference, right?
I had a scare last week - the pfSense router kicked up an error reading the compact flash drive I installed in 2006 and it took me out of the internet/phone/email/calendar/IM business for half a day. Gotta do something.
If I devote some time to this project, get in over my head, but see light at the end of the tunnel - and assuming I can get the thing to the point where somebody can telnet or SSH into it from the interweb - is there anyone I could pay on an hourly basis to help me?
I don’t know if the Tango/Schmooze people would want to mess with it or not, and I don’t want to sign up for a contract if I’m not sure I’m going to keep the thing or just update/replace the old computers.
Given that FreePBX runs on CentOS, generally speaking what you want to do is certainly possible.
However, I think that your PFSense box is certainly more geared towards what you’re trying to accomplish, and it’s an excellent solution for network infrastructure.
Have I misunderstood you or do you wish to decommission the PFSense machine?
If you want to add VPN, you should check over at PFSense.org, because like I said, that machine is certainly a thousand times more suited for the task than the FreePBX distro.
According to the powers that claim to be, the SME Server distribution has a built-in router and firewall and can do a slightly dated plug-in version of FreePBX with Asterisk 1.6.
Doing this would allow me to retire 3 or perhaps even 4 “servers” (a PII dedicated FreePBX Packard Bell tower that cost me $1500 on my Sears card in 1998, a Duron pfSense router I made from a PC that I picked up at a thrift store for $25 six years ago, and my newest machine - the pride of my server farm - a P4 with 512 megs of ram running my Zimbra mail/calendar server).
I have two old PowerEdge 1850’s that I picked up at auction for $45 - both in good shape presently loaded with a clean install of Ubuntu Server 12.04 LTS.
As I wrote earlier, my heretofore bulletproof router crapped out on me last week (as unforeseeable a tragedy as that was), and I have to do something. My irresponsible slackness is hitting the bottom line. Phones = $$$$$$
By all accounts, the PE 1850 could handle 10 times the combined work that all four of my current machines are currently doing and I’m thinking that if I could figure out how to consolidate my machines onto one 1850, I could probably also figure out how to backup/mirror the running 1850 onto the other one for use as a standby.
That’s why usually virtualization is such a wonderful thing. However, it usually doesn’t get along well with VoIP, but people have made it to work on VMWare ESXi with a little bit of tuning, especially with no more than 20-30 simultaneous calls. ESXi also has free licenses limited to 8 cores.
I’m not saying you must or should go the virtualization route, but in my opinion that gives you plenty of flexibility with limited hardware - especially in the future when new requirements arise that you cannot currently foresee.
That way you could set up your FreePBX, PFSense, and SME as VM’s, and use whatever is most appropriate.
PFSense also makes it a cakewalk to configure CARP, which means that you can set up a cluster of routers across both 1850s, so if one fails, the slave machine will fail over (statefully!).
Again, not saying you have to do it this way, but just my 2 cents on how I’d try it. Modularizing seems to avoid the hodgepodge of “this server does mail, file, printing, phone…” and makes upgrading easier.
Needs like yours and two machines like that are begging for drbd/corosync over SME Server 8.0. An easier solution, and pretty well OOTB, would be to just run “affa” (that’s an SME Server kind of thingy) on the two boxes: a warm spare available up and running in a few minutes. Total cost = $0, total time = a few hours.
Zimbra could run under virtualbox on the running server if it is lightly used.
I could do old versions of Xen or ESX on a PE 1850, but not KVM or anything else that requires hardware acceleration, and I’ve heard that people who have tried such operations on unaccelerated hardware have seen all kinds of trouble in all kinds of weird and unpredictable ways, especially, as you note, with VoIP. My IT guy… c’est moi… And he’s dumb as a box of hammers, and also not really in a position where he can just drop what he’s doing and put out tech fires.
I’m not trying to be cheap for its own sake - I had an IT contract and leased a Nortel system early on - I just took over the IT purely as a stopgap measure when our IT company went bankrupt in 2007 and one of its creditors tried to repo our phone system. I resolved then to own my own hardware and I have been hobbling along on my own since then, largely because FreePBX and pfSense are so easy to keep running, thanks to you guys.
The attractive thing to me about this SME Server notion is that it is a Linux-based (CentOS, to boot) distribution with its own router, as opposed to a FreeBSD-based router, like pfSense. This means, in theory, as I understand it, that I should be able to get anything I need directly on the OS from the get-go with the right yum and with minimal networking hassle (ideally with just a bit of creative port-mapping).
Nothing against pfSense… It’s a great product that has served me well - but my dinky office (12 people) doesn’t use any of its advanced features (except IPsec for a remote office). And if I can replicate the basic routing I do with pfSense and get a VPN up and running on Linux with one reliable real Dell server doing all my work secured in a rack with a backup at the ready, I think it’s a no-brainer.
I’m inclined to try it (unless it really is just a stupid or futile idea) and if I do try it and find I can’t do it myself, I figure I’ll either try to hire somebody to help me, or else give up and replace the computers I have now with individual machines. I have to do something, that’s for sure.
The DL360 G5’s are darn nice machines. I have some of them, as well as some 380 G5’s for some database stuff; they really run, and make one hell of a PBX for sure with lots of CPU left over. I like running RAID6 on them, and you can mirror the memory for a real reliable machine.
I actually also have some PE1850’s as well, they run well, don’t get me wrong, but the DL360’s will walk all over them. I have some PE1850’s running stuff like DNS servers and network monitoring, and they have run well for a few years. I haven’t tried to run Asterisk on one yet, but I don’t see any reason it wouldn’t run like a champ…
Also, for routing or other network infrastructure in low to moderate usage, you may want to look into an embedded system like this: http://pcengines.ch/alix2d13.htm
They’re available at a number of outlets, and pfSense mounts the media read-only in order not to wear it out. We have 30 of them as VPN gateways in remote offices, access points, stuff like that, and they all run super well and really stable.