Asterisk and VRF (Virtual Routing Forwarding)

Hi friends! Here comes a thought: One of my colleagues at work manages a router (MikroTik RouterOS). He deploys VPNs using the VRF (Virtual Routing Forwarding) tech combined with GRE tunnels, because the router helps you to associate multiple routers (which use GRE tunnels) in one VRF instance. To add, we have one VRF per client (at least 14). The thing is, some local companies want VoIP and I suggested using FreePBX (Asterisk) to do so. I’ve heard that Linux can use VRFs, but I’m not sure about the FreePBX distro. The idea is to add Asterisk to a client’s VRF, if the VoIP service is required. Any ideas?

First I’ve heard about almost any of this.

In a general case, you don’t set the server up with the VPN (unless you are doing something through Admin and phones) and let the server handle the P2P connections. If you are using a series of external VPNs which associate with other equipment, then just set up the server so it can talk to the other “local” addresses associated with the VPNs and you should be good to go.

Any URL with info about VRFs on Linux or tutorials? This is a little tough for me. And what about configuring a GRE between Asterisk and the MikroTik router?

This is the config I did:
The tunnel works fine, but I lost myself in configuring a VRF in Linux. And, it will be a VRF configuration for every VRF created in the MikroTik.

What does this accomplish for you? What is the goal of all this? Are these going to be individual systems or a single system with 14 different routes or something?

I want to register a great number of extensions, maintaining the network infrastructure, which I cannot change. I thought about VRF instances per client and “applying the same formula of GRE tunnels”, because I don’t have control over the routers, only the PBXs. I asked for a solution to my colleagues and they suggested that, so…

First of all, I’m the kind of person who does crazy stuff like this, to the occasional consternation of vendors. My advice, in this case, is: don’t.

If your VRFs have overlapping address spaces then no application will be happy dealing with that, your logging and troubleshooting / debugging will forever be an impossible mess, etc. In this case, run multiple lightweight VMs (unless someone has containerized FreePBX?). In theory you could use NAT and publicly routable (or experimental - you’re already into insane territory) address space, but you won’t have useful IP endpoint logging and you’ll hate yourself for that eventually. Just don’t.

If your VRFs don’t have overlapping address spaces (yay sanity) then put FreePBX in a shared DMZ with some ACLs in front of it. Easy.
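The overlap question this reply turns on can be checked mechanically from a per-client prefix inventory before choosing between separate instances and a shared DMZ. This is an added example, not part of the original post: the VRF names and prefixes are constructed, and treating every tenant involved in any overlap as needing its own instance is an assumption of the example.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: VRF name -> prefixes routed inside that VRF.
# These values are illustrative and do not come from the thread.
SAMPLE_VRFS = {
    "client-a": ["192.168.1.0/24", "10.10.0.0/16"],
    "client-b": ["192.168.1.0/24"],
    "client-c": ["172.16.5.0/24", "10.10.20.0/24"],
    "client-d": ["172.20.0.0/24"],
}


def find_overlaps(vrfs):
    """Return (vrf_x, prefix_x, vrf_y, prefix_y) for every cross-VRF overlap.

    Overlap includes containment (a /24 inside another tenant's /16),
    not only identical prefixes.
    """
    parsed = {
        name: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for name, prefixes in vrfs.items()
    }
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    hits.append((a, str(na), b, str(nb)))
    return hits


def split_tenants(vrfs):
    """Split tenants into those with overlapping space and those without.

    Assumption of this example: a tenant named in any overlap gets its own
    PBX instance; the rest could reach one PBX in a shared DMZ behind ACLs,
    where a source IP in the logs still identifies a single tenant.
    """
    conflicted = set()
    for a, _, b, _ in find_overlaps(vrfs):
        conflicted.update((a, b))
    shared_ok = sorted(set(vrfs) - conflicted)
    return sorted(conflicted), shared_ok


if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE_VRFS):
        print("overlap: %s %s <-> %s %s" % hit)
    isolated, shared = split_tenants(SAMPLE_VRFS)
    print("needs own instance:", isolated)
    print("shared DMZ candidates:", shared)
```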

I’ve read enough about so-called “Multitenancy”. Yes, that’s probably what I’m asking for and virtualization could help a lot (containerized Asterisks with a setup script and automated configuration scripts). Like ecarlseen mentioned, a viable solution could be multiple VMs or containers. NAT is harder and hated by the “routing guys” here, but maybe the solution. FreePBX maybe is not intended for multitenancy. I’ve also read about SIP-Proxies, but it seems to me the same solution as NAT.

Insanity yes. Like you mentioned, NAT, containers or SIP-Proxies (maybe?) could be the solution. Everything WILL overlap here (extensions, IP addresses and routes). The “routing guys” will hate me but multitenancy is not for FreePBX.

By the way, I’m very thankful for all your posts and answers. It is just priceless and good information. Thanks!!!

OK so there is just a lot wrong with this picture. If this is something you’re really going to do you really need to do your homework not only on Asterisk and FreePBX but on how Telephony and SIP are done. You are going to need to have a strong understanding of a lot of concepts for what you are about to try and do. One of those things is going to be networking and routing. That is going to be very important.

  1. If you are going to be a voice provider in some way, including hosting PBX instances then there should be ZERO NAT in front of your stuff. No serious provider has their stuff NAT’d to their end users. That would just be a nightmare.

  2. FreePBX does not work very well in a container. It’s not designed for that, it’s not supported for that. I would also say running Asterisk in a container is a bad idea. They just aren’t built for that type of setup and I would strongly recommend against it. If you’re going to do VMs do KVM which is supported.

  3. Having separate VMs for each customer is not multi-tenant, it’s multiple single tenant systems. A multi-tenant system is a single system in which each tenant is isolated but all the resources and core configuration is still shared among them.

  4. SIP Proxies and SBCs require that you have a pretty firm grasp on how SIP works overall and how SIP transactions, routing and various other factors like NAT handling, media proxying and multi-domain/tenant setups work.

So far everything that you have mentioned as possible ways to do this from the networking to the deployment of the actual systems is just not right at all. There is a serious lack of understanding and knowledge of the areas that are needed to do this in a proper and suitable manner.

If this is something your company is determined on doing then they need to hire an actual Telephony/SIP consultant/engineer to do it. Otherwise it’s going to be a pure disaster.
