Virtual machine solution or not?

John: Did you look at https://didlogic.com/business/sip-termination?

Thank you for your comments.
I have to add.
I use only VoIP and have been with this provider for 4 years with no issues, so no cards for PSTN.
I am currently running over Comcast Cable and AT&T DSL as a backup. Therefore I added a 2-port NIC to the server so I can use pfSense for load balancing or failover. I would have no problem using IPCop (I’ll have to learn anyway).

I was more interested in reading opinions and recommendations about the hardware and software setup (VMs for everything in one box, maybe a VM for Windows Server and another box for firewall and PBX, or plain 3 boxes, one for each service).
Moreover, because a year and a half later is a lot of time in terms of hardware and software.

Thanks for your time.

I don’t think there would be any problem running the PBX and a Windows server on one box as long as you make sure that one VM doesn’t dominate. So don’t give all cores to all machines (e.g. if you have 2x quad-core processors, give maybe 3-4 cores to the Windows machine and 1-2 cores to FreePBX; it’s not a resource hog like Windows).

If you have a virtualised firewall then there is no reason you could not run this on the same box as well, but give it maybe 1-2 cores only. Also you might want to look at adding additional network adapters to the config to allow the firewall to have dedicated network adapters for Internet-facing services.

Sorry I’ve been away from the conversation since yesterday… I was in a boating accident this weekend and was dealing with the Coast Guard and the insurance people all day.

First question; do I know of any suppliers that do encrypted VoIP service? Yes and no, it depends on what kind of encryption method you are trying to employ. One method is via IPsec VPN: there are more than a few providers that will set up an IPsec VPN tunnel to their termination servers. IPsec encryption is based around an RSA keying methodology so it isn’t as secure as something based on a vector set would be, but if you aren’t having conversations that require government clearances you should be OK. My supplier, VoIPStreet.com, used to do it; I don’t know if they still do or not.
Another possible option: a secure RTP methodology such as TLS or SRTP. The only problem there is that the encryption is set up and torn down for every call in real time, and that makes for a significant amount of processing overhead, AND this methodology only covers the media stream and leaves the SIP signaling stream in the clear. This offering is kind of a new option in the provider world, so ask your provider.

Second question; does processor loading in ESXi affect timing? (I’m assuming you’re asking specifically about timing in the horological sense, i.e. system clocks.) The simple answer is yes. ESXi virtualizes the ENTIRE machine; that means the BIOS and the system clock too. As processor loading goes up and wait time for processor resources increases, the system clocks for POWERED ON machines do indeed slow down. If a system is POWERED OFF, its virtualized clock will STOP completely! Because of this, you ABSOLUTELY need an independent timing source. I recommend setting your router up as an NTP client and pointing it to an NTP pool, then also setting up your router as an NTP server; very, very easy in IPCop. Then when you build your DHCP scope you just add an option to point to your router as an NTP source and have your servers and clients do an NTP update every 10-15 minutes.

Third question, hypervisor resource management; this is almost stupidly easy with ESXi. When you’re building the machine, you can specify how many virtual sockets (virtual CPU chips) you want the machine to have, and then you can specify the number of virtual processor cores allocated to that machine. All of my home servers, except the file server / backup domain controller, run on the same hypervisor with no issues whatsoever.

Fourth question, virtualizing your firewall/router on the same hypervisor as your servers; THIS IS A VERY BAD IDEA! Yes, it is easily done; it would just be another virtualized machine with hardware redirection to a multi-port NIC. However, the implications for edge security and information assurance risks are horrible. Hypervisors also virtualize part of your switching network; as such, if someone was able to make it past your firewall/router or compromise your NIC hardware they would have direct and unfettered access to your network via the virtual switch(es) provided by your hypervisor. It would be exactly the same as if they were physically connected directly to a hard switch port inside your network. Yes, you can somewhat mitigate this risk with white/grey/black listings and RADIUS-type methodologies, but the trade-off in increased administrative workload just isn’t worth the cost of running another physical machine… in my opinion.

If you’re looking for advice on something like an all-in-one, plug-it-in-and-turn-it-on infrastructure appliance, send me your email address in a private message, as that discussion is both beyond the scope of this thread and beyond the scope of this forum. I would be glad to help and offer any advice that I can.

-Chris
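
An added, offline worked example (not from any post in this thread): the SNTP exchange Chris describes between a guest and the router acting as NTP server, modelled with constructed timestamps for a guest whose virtualized clock has fallen 750 ms behind. It builds the 48-byte NTP request, lets a simulated server answer it, computes offset and round-trip delay the RFC 4330 way, and applies the reply sanity checks (server mode, usable stratum, and that the Originate field echoes exactly what we sent) so that a stale or forged reply arriving on the same segment is discarded rather than applied. The clock skew, network delays, stratum, poll/precision values and the 10.0.0.1 reference ID are all assumptions; the 128 ms step threshold is ntpd's usual default.

```python
"""Minimal SNTP (RFC 4330) client/server exchange, simulated offline.

Added example: a guest with a slow virtual clock queries the router's
NTP server. All timestamps and delays below are constructed values.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBbbIIIQQQQ"          # 48-byte NTP header
MODE_CLIENT, MODE_SERVER = 3, 4
STEP_THRESHOLD = 0.128               # ntpd steps rather than slews above 128 ms


def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * 2 ** 32)
    return (secs << 32) | frac


def from_ntp(raw):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / 2 ** 32


def parse(pkt):
    """Unpack the header fields we need from a 48-byte NTP packet."""
    f = struct.unpack(PACKET_FMT, pkt)
    return {"li": f[0] >> 6, "vn": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "ref_id": f[6], "reference": f[7],
            "originate": f[8], "receive": f[9], "transmit": f[10]}


def build_request(t1):
    """Client request: LI=0, VN=4, mode=3, our send time (t1) in Transmit."""
    first = (0 << 6) | (4 << 3) | MODE_CLIENT
    return struct.pack(PACKET_FMT, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def server_respond(request, t2, t3, stratum=2):
    """Simulated router NTP server: echo the client's Transmit into
    Originate, stamp Receive (t2) and Transmit (t3) from the server clock.
    Poll 6, precision -20 and ref_id 10.0.0.1 are assumed values."""
    req = parse(request)
    first = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(PACKET_FMT, first, stratum, 6, -20, 0, 0, 0x0A000001,
                       to_ntp(t2), req["transmit"], to_ntp(t2), to_ntp(t3))


def client_measure(t1, response, t4):
    """Apply RFC 4330 reply checks, then return (offset, delay) in seconds."""
    rsp = parse(response)
    if rsp["mode"] != MODE_SERVER:
        raise ValueError("not a server reply")
    if rsp["li"] == 3 or not 1 <= rsp["stratum"] <= 15 or rsp["transmit"] == 0:
        raise ValueError("server unsynchronised or kiss-o'-death")
    # Originate must be exactly our t1; otherwise this reply was not for our
    # request (stale, replayed or forged) and must not touch the clock.
    if rsp["originate"] != to_ntp(t1):
        raise ValueError("originate timestamp mismatch")
    t2, t3 = from_ntp(rsp["receive"]), from_ntp(rsp["transmit"])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far our clock is behind
    delay = (t4 - t1) - (t3 - t2)            # network round trip, server time removed
    return offset, delay


def needs_step(offset, threshold=STEP_THRESHOLD):
    """True if the offset is too large to slew and the clock must be stepped."""
    return abs(offset) > threshold


def demo():
    """Constructed scenario: guest clock 0.75 s behind the router, 20 ms
    one-way network delay, 1 ms server turnaround. Returns (offset, delay)."""
    guest_t1 = 1_700_000_000.0                 # guest (slow) clock at send
    skew, one_way, turnaround = 0.75, 0.020, 0.001
    t2 = guest_t1 + skew + one_way             # router clock on receipt
    t3 = t2 + turnaround                       # router clock on reply
    guest_t4 = guest_t1 + 2 * one_way + turnaround   # guest clock on receipt
    rsp = server_respond(build_request(guest_t1), t2, t3)
    return client_measure(guest_t1, rsp, guest_t4)


def forged_reply_rejected():
    """A reply answering some other request (Originate != our t1) must be
    refused by client_measure. Returns True when it is."""
    t1 = 1_700_000_000.0
    rsp = server_respond(build_request(t1 + 5.0), t1 + 1.0, t1 + 1.001)
    try:
        client_measure(t1, rsp, t1 + 0.04)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    off, dly = demo()
    print(f"offset={off:+.3f}s delay={dly:.3f}s step={needs_step(off)}")
```

The offset comes out at +0.75 s with a 40 ms round trip, well past the step threshold, which is the situation a guest that has been paused or powered off lands in; a 10-15 minute poll interval keeps a running guest from drifting that far between corrections. The Originate check is the one worth keeping even in a toy: without it, any host that can inject UDP/123 toward the guest can move its clock.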
