Confirm I'm planning on doing the right thing?

OK, so I’m not starting a “resolve my audio problems” thread; I’ve read as many of them as I can and I don’t want to appear to be lazy.

What I would really appreciate some help with, is to confirm, if having read all those KB articles and threads, the changes I’m planning to make will make a difference, break anything or could be better made. I’m new to FreePBX (and Linux) so any help is greatly appreciated. So…

System: FreePBX
Asterisk server (really sorry, no idea what version this is), I DO know it is running its own FW… does this have ALG in it???
Firewall (ZyXEL) - it has no ALG on it.
We have a single, fixed external IP.

Changes to FW:
Enable it (yes really… I’ve only just started with this company, so don’t hate me)
Add services for the following ports - SIP (5060), RTP (10,001-20,000)
Allow those ports for all remote VoIP users (they all have fixed IPs)
Allow all UDP traffic for the IPs of my VoIP trunk service provider
Remove NAT forwarding rules that currently do (insecurely) all the port forwarding
On FreePBX:
Update /etc/hosts file with new line
" x.x.x.x"(our external IP)
Update SIP_general_custom.conf with
Update /etc/asterisk/rtp.conf with RTP start port change - "10001"

One final question: lots of these files have commands/configs written one after another, i.e. no tab or ; separator or separate line… does this make a difference to how they are read?

OK, that’s it as far as I can tell. However, do I need to restart anything, i.e. services, the server… FreePBX? If so, which and how?

thanks in advance for any help.

System: FreePBX (as per 1st post)
Asterisk (just did some looking around the various dirs and found the “version” file.)

As for how they are installed, I’m not sure. I don’t believe it was using one of the distros (sadly). It all sits on a network-only connected small server. No peripherals (keyboard, monitor etc).

I’m sorry, as I said in the first message, I’m new to Linux and FreePBX (I’ve been a MS IT admin and Cisco Call manager chap in the past). This is just one part of my role and hence me not being a Linux guru… or even a kindergarten Linux student.

My reason for editing the files in notepad is that I don’t know how to edit them in any other way. I FTP them down, update them, then send them back up. I can access the server using Putty but then, I’m kind of lost, no matter what tentative commands I put in. Once I’m there, does typing “Asterisk -vr” give me the equivalent to command line access? If so, could you explain how I load up one of those text editors to edit files?..or even find out which ones are installed on the box?

You might feel like giving up as I’m clearly VERY novice to Linux. This system was set up and left, it’s a small company and no one really knows anything about it. So I’m finding my feet on my own :slight_smile: Nice challenge, but I don’t want to screw it up :slight_smile:

You have made so many mistakes I don’t even know where to start.

To start with your sip_general_custom syntax is all wrong.


These are just some of the parameters from SIP general. As I always state (this is the third time this week I have posted this info, but what the heck it’s xmas)

It also depends on the Asterisk version.

The simplest way to restart asterisk is to do an amportal restart.

You never even stated what your problem is in your message.

I also don’t know what you are talking about in this question:

One final question: lots of these files have commands/configs written one after another, i.e. no tab or ; separator or separate line… does this make a difference to how they are read?

Not sure what files you are talking about and how you are viewing them.

Hi SkyKingOH and thanks for replying and your comments…and the Christmas charity too :slight_smile:

I apologise for not seeing the threads you commented on recently, I’ve honestly been searching through as much as I can, but more so with regards my particular issue as opposed to things “like sip_general_custom”. The changes suggested in my original post came largely from articles such as these:

Anyway, to answer your Q’s first:
My problem is the classic “one way audio” issue; only on some calls, some incoming and some outgoing. No logic to which calls (that I can tell). It’s this that I’ve been searching through the forums and help articles for. It’s also from the results of these searches that I’ve formulated the changes I explained in my post.
The “final question” I referred to with the commands and configs written in certain ways is regarding something like this (from Sip_general_Custom):
My fault though, as it’s because I’m reading them in Notepad and it’s not parsing the separators correctly. My question is how I should best enter my changes into any files. Will I be OK to put each one on a separate line (as I’m used to doing) in Notepad?

With Sip.conf I was under the impression that I should NEVER edit this file? according to hence why I, in order to resolve my audio problems (which are most likely due to NAT’ing) I was going to update the sip_general_custom.conf.

I hope this isn’t too broad or vague a question, but are you suggesting much of what I need to update should be done in Sip.conf?

thanks for your help

You still did not tell us what version of Asterisk and FreePBX you are running and how they were installed.

Each command must be on its own line. You should never use Notepad to edit. Why would you download the file to a PC? You edit the files on the server. From the command prompt you can use editors like nano, pico, vi and my favorite, joe (must be installed, yum install joe).

You really need to pick up a book on Linux. What version of Linux is it (redhat, centos ??)

asterisk -r connects to the remote asterisk process and gives you a command line.

WRT the editor, it works like any command line based system, program name and then the file you want to act on, so ‘vi amportal.conf’ would open amportal.conf. You either need to type the full path or be in the directory where the file resides.

The FTP method sounds like a sure way to corrupt files.

If it would make you feel more comfortable as you get started with this, download WinSCP on your Windows box and you can browse to and edit files.

It’s just like an FTP client, so if you’re comfortable with that, it might help give you some clarity. Of course you use this client to connect to the Linux server and browse directories. With this you can browse to and right-click edit a conf file. It does not use Notepad to edit files. When you have Linux text files on your Windows PC, use WordPad to view them. With WinSCP, don’t transfer, just edit in place.

WinSCP does NOT give you command line access.

Download Putty to connect to the Asterisk server and gain command line access. For someone not familiar with Linux, the editor “nano” may be better for you as it tells you the functions at the bottom of the screen, for example ^x (control + x) to save and exit.

vi is not difficult, but was extremely confusing to me when I first got into Linux because of how you interact with the program.

Hope this (Linux) information is helpful to you.

vi is very complicated. I only mentioned it to him because it is surely installed on his system and is well documented.

I am an old school WordStar guy so joe is my editor of choice. Nano is very approachable as it has the help bar at the bottom.

Some folks like Midnight Commander. If you are an old DOS guy it gives you Norton Commander interface.

One caution on using WinSCP to edit files. The default editor will mangle XML files. Download Notepad++ and change the editor in WinSCP to use it.

Notepad++ is what I use for everything, but I was trying to keep it simple. I think WinSCP does the Norton Commander style interface as well. I wouldn’t suggest using WinSCP for everything, but suggested that it may help get started.

I became a nano fan early on and use it daily (not just for Asterisk!) I think I will check out joe though, since I have never seen it before.

jhotchkiss: let us know if this information has helped you. I don’t do much with SIP yet, but I could surely offer more Linux support if needed.

Hi guys, yes, it’s been very helpful. I’m getting there slowly :slight_smile: But your tips for editing the files have no doubt saved me a LOT of stress if I’d used FTP and Notepad.

It’s a LIVE system, so I’m naturally concerned about doing ANYTHING on it, but I don’t have a test system to play with and learn.

It looks like we’ve got nano installed on the box as I’ve found it in the /bin dir. So… if I’m to use this to edit files on the server would I type:
(from within the /bin folder)
nano etc/asterisk/sip_general_custom.conf

Doing this (remember, it’s from a remote CLI), how would this enable me to edit the file?
Or would I be better (remotely) going down the WinSCP and Notepad++ route?

Thanks again

Using nano is going to be your best bet. I suggested the other method just to help you get familiar with the directory structure, the way files should look, etc.

With Linux, either cd into the path you need (just like you would on dos) like:
cd /etc/asterisk

Or, use full paths, which will always start with the root “/”. so, to edit your sip conf file, you could do this from any directory on the system:
nano /etc/asterisk/sip_general_custom.conf

Notice the difference between what I typed and what you typed was that I have the root in my path “/” and you are missing it.

Also, one nice thing about PuTTY is the right-click paste option and the fact that simply highlighting text in PuTTY immediately copies it to your clipboard.

Excellent… I’m getting the hang of it now :slight_smile: …well kind of.

So once I’ve edited a file like sip_general_custom.conf, how do I apply this to the server for the new configs to take effect?
Do I need to do a full “restart gracefully” or will simply a “reload sip_general_custom.conf” be sufficient (and the same for any other files such as rtp.conf)?

Secondly… with the local firewall:
How do I access IPTables? I can seem to find it as a command in the CLI - does that mean it’s not how my server’s firewall is running? The file that appears to be the same as what I’d expect from an ‘IPTables’ file is actually called “Firewall”. Having taken a copy to look at, it has a couple of missing rules I’d like to add to a chain. Is simply editing this file in nano, then reloading it, also sufficient for it to take effect?

As ever, thanks for your help. I’m learning a lot… which is always good fun :slight_smile:

Are you sure you need all those ports open on your firewall? Open ports=risks. If all your users are on fixed IPs anyway, why not VPN them to the PBX machine then close all those ports up?

I have remote offices and didn’t need to make any changes to the firewall, other than the VPN of course.

I’m trying to do what I can ASAP. I’ve just started in the role and there’s A LOT to do. Trust me, tying down open ports to fixed IP’s is a MASSIVE improvement in security compared to the current set-up.

I’ll look to get some VPNs in place soon, but I need to resolve the one-way audio problems first and get SOME security in place before I start implementing VPNs to everyone who’s remote. It’s on the to-do list, but that’s a LONG list :slight_smile:
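
One way to check the server's own iptables rules against the plan of tying SIP and RTP to fixed IPs, as an added example that is not part of the thread. It assumes the rules are read from `iptables-save` output and treats only a `-s` match as a source restriction; the sample rules and addresses are constructed.

```shell
#!/bin/sh
# Reads `iptables-save` output on stdin and prints every INPUT rule that
# ACCEPTs SIP (5060) or RTP (10001-20000) with no -s source restriction.
open_voip_rules() {
    awk '
    # True if a port or lo:hi range overlaps 5060 or 10001-20000.
    function voip(spec,    r, n, lo, hi) {
        n = split(spec, r, ":")
        lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
        return (lo <= 5060 && hi >= 5060) || (lo <= 20000 && hi >= 10001)
    }
    $1 == "-A" && $2 == "INPUT" {
        src = 0; accept = 0; hit = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = 1
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            if ($i == "--dport" || $i == "--dports") {
                m = split($(i + 1), p, ",")
                for (k = 1; k <= m; k++) if (voip(p[k])) hit = 1
            }
        }
        if (accept && hit && !src) print
    }'
}

# Constructed sample of iptables-save output (documentation addresses).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 10001:20000 -j ACCEPT
COMMIT'

# Prints the two rules that leave SIP and RTP open to any source.
printf '%s\n' "$SAMPLE_RULES" | open_voip_rules
```

On a live box the input would come from `iptables-save | open_voip_rules`, run as root.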

I understand. You have to start somewhere. Personally I’d worry more about the firewall than the PBX as it’s easier to outsource the PBX to someone else until you have the time to take it on. You could probably even hire someone else to set it up for your company while you’re locking down the firewall. When you have more critical things than you have time to do them in… outsource.

But that’s only my opinion, and you didn’t ask so I’ll butt out of that now having made the suggestion.

No, I agree, but it’s one of those things where the urgency is more pressing, if that makes sense. Thanks for the input though :slight_smile:

Besides, I’ve got to sink or swim sometime anyway :wink:

OK… so any thoughts on the IPTables / Firewall Q’s from earlier?


thanks to all your help with how I do various things, I’m now looking at it all and thinking that the crux of the issue is the fact that I’ve got a local FW on the Asterisk server with all sorts of configs in its IPTable as well as a physical FW that has the external fixed IP address on it, but isn’t actually doing any FW’ing. It has NAT and static routes to the internal Asterisk address.

It all just looks a little confusing and messy… TWO firewalls (one enabled, one not but still NAT’ing) seems crazy to me.

Headache time…

I’d like to disable the FW on the Asterisk server and enable it on the physical FW box that has the external IP. Does this seem sensible and is it possible?
I.e. can you turn off the Firewall/IPtables on the Asterisk server?

Ok, for iptables:

at the Linux command prompt do:

iptables -L

and it will list current rules.

iptables -F

will flush current rules. Flushing them will only last until the next reboot. If you want them permanently off, there are a few different ways to do that and I’ll save it for another post.

As for the firewall - if you already have a properly configured firewall on the network, then you might be OK without using iptables at all. All of these Linux things are easily googleable. You can even Google man pages if they are not installed on your Linux box. So, at a Linux command prompt try:

man iptables

That should tell you plenty about iptables. Or, type the same thing into Google and you’ll get the man pages (the manual).

Something you might want to look at for managing the Linux box itself is Webmin. Not sure what distribution of Linux you are on, but if you can get Webmin installed (preferably via a package manager like yum or apt - which would depend on your distro) then it will be really easy for you to edit iptables rules and do just about everything else on the box that you’ll need to do.

Your syntax is correct for the command line or conversely you could…

cd /etc/asterisk
nano extensions_custom.conf

Putty’s copy and paste is very flexible and intuitive once you get the hang of it.

We are not suggesting to download a file with SCP and edit with notepad.

What we are suggesting is to download a free app to your computer called Notepad++ that has XML and other parenthetical syntax annotation and other programmer friendly tools. Then in WinSCP set the default editor to Notepad++. Now you can right click on a file in WinSCP and edit in place.

Thanks Mark, very helpful :slight_smile:

I’d looked into the flushing of the IPTables and also doing it permanently (should the testing go well) - I found a decent help article explaining how to do both.

I’ll also look at getting Webmin installed (if not already). Anything that makes my life easier and this learning curve a little easier to climb is a good thing :slight_smile:

Just as a quick change for the IPTables, rather than flushing them (then having to re-boot etc) can I simply stop the IPTables service? I’m wanting to test much of this tonight and a quick change/change-back for the IPTables would be most useful. I’d only do this after fully configuring the externally facing hardware FW first though. :slight_smile:
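
The flush and change-back test discussed above, as an added example that is not part of the thread: it snapshots the rules with `iptables-save`, refuses to run `iptables -F` when the filter table's INPUT policy would then block the SSH session, and restores the snapshot afterwards. The snapshot path and the sample header lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Print a chain's default policy in the filter table, given
# `iptables-save` output on stdin (other tables are skipped).
chain_policy() {
    awk -v chain="$1" '
    /^\*/ { table = $1 }
    table == "*filter" && $1 == (":" chain) { print $2 }'
}

# Exit 0 only when inbound traffic is still accepted after a flush.
# `iptables -F` deletes rules but leaves policies alone, so an INPUT
# policy of DROP with no rules left blocks everything, SSH included.
safe_to_flush() {
    [ "$(chain_policy INPUT)" = "ACCEPT" ]
}

# Snapshot location (an assumption); the two functions below need root.
SNAP="${SNAP:-/root/iptables.before-test}"

snapshot_and_flush() {
    iptables-save > "$SNAP" || return 1
    if safe_to_flush < "$SNAP"; then
        iptables -F
    else
        echo "INPUT policy is not ACCEPT: set 'iptables -P INPUT ACCEPT' first" >&2
        return 1
    fi
}

# The quick change-back: load the snapshot again.
rollback() {
    iptables-restore < "$SNAP"
}

# Constructed samples of iptables-save output, rules omitted.
SAMPLE_DROP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_ACCEPT='*filter
:INPUT ACCEPT [812:64210]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [640:51873]
COMMIT'
```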