Protect your Trixbox with iptables

September 16th, 2011 No comments

Found a useful article on the web, to help block someone hacking into my asterisk server.

http://www.pbxer.com/asterisk-security-use-iptables-to-block-nasty-hosts/

Was searching for this, after I found a lot of failed registration requests in the log-file of my PBX. While the passwords I use are strong, and were not hacked, my little Flepo PC running trixbox didn’t like the workload this was causing. All fine now again. Thank you.
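The kind of log check that leads to such iptables rules, as an added example (not taken from the post or the linked article): it counts failed registrations per source and prints DROP rules without running them. The log lines are constructed in the chan_sip NOTICE format, and the threshold of 3 is an assumption.

```bash
#!/usr/bin/env bash
# Added example: find sources of repeated failed SIP registrations in an
# Asterisk log and print (not execute) iptables rules that drop them.

# Constructed sample; every address is from a documentation or private range.
# Line 4 carries a forged "failed for" string inside the client-supplied header.
sample_log() {
cat <<'EOF'
[2011-09-16 03:12:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2011-09-16 03:12:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2011-09-16 03:12:03] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7:5071' - Wrong password
[2011-09-16 03:12:04] NOTICE[2345] chan_sip.c: Registration from '"x' failed for '192.168.1.3' - Wrong password" <sip:104@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2011-09-16 08:30:10] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.23' - Wrong password
EOF
}

# offenders MIN: read a log on stdin, print "count address" for every source
# with at least MIN failures, busiest first.
offenders() {
  awk -v min="$1" -v q="'" '
    BEGIN {
      # Anchor at end of line: the quoted header earlier in the line is sent
      # by the remote client, so only the trailing address field is trusted.
      re = "failed for " q "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+(:[0-9]+)?" q " - [A-Za-z/ ]+$"
    }
    /chan_sip\.c: Registration from / && match($0, re) {
      ip = substr($0, RSTART + 12)   # skip "failed for " and the opening quote
      sub(/[^0-9.].*/, "", ip)       # drop optional :port and the reason text
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -rn
}

# block_rules: turn "count address" lines into DROP rules for SIP over UDP.
block_rules() {
  while read -r _count ip; do
    printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$ip"
  done
}

sample_log | offenders 3 | block_rules
```

The forged address on sample line 4 is never counted, so a remote client cannot use its own header text to get another host blocked.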

 

Categories: Trixbox Tags:

Unbrick Sarotech Wizplat NAS-20 ?

August 24th, 2011 No comments

Being unhappy with the limited functionality offered by this model of NAS, and knowing it is based on the Gemini chip, I tried to upload an alternative firmware. That was a mistake – it no longer boots up. Instead, 20 seconds after power-on it sounds a very loud beep and that’s it. It seems bricked. :-(

There’s apparently no telnet server running in the bootloader, nor is there any other network traffic coming out of the box (checked with wireshark).

Does anyone know how to unbrick this NAS? I found info on the web about unbricking a Giganas using the built-in TTL serial interface, but was unable to find this same interface inside this Sarotech product.

Is the connector on the second picture the serial port? What would be the pin layout?

 

Categories: Trixbox Tags:

Funplug FFP on Sarotech Wizplat NAS-20

June 21st, 2011 No comments

This weekend I received my new NAS server, a Sarotech Wizplat NAS-20. After installing my two 1TB in it to build a RAID array, I soon noticed the following:

  • My old (bricked) Giganas configuration, which was still on the disks, was being read, but was only partially working. I had to remove the partitions from the disks in my PC and install the disks back in the NAS before being able to configure them in the NAS
  • The NAS is making less noise than my Raidsonic Icy Box 4220
  • The web interface look and feel of the Icybox and the NAS-20 is very similar
  • Out of the box the NAS-20 however has less functionality: no twonkey server, no DHCP server, no SSH server. Of these, I mostly disliked the lack of a UPnP media streaming service.

But, after spending some time googling, I found a very good piece of software called Fonz Fun-Plug (or FFP).

Following the instruction from this page, I had a working ffp with mediatomb up and running in no time.

I’m at the moment fine-tuning the configuration, but think I will soon be able to migrate all my media over to this NAS, and use it as my primary server.

The next topic on the wishlist (to be able to retire my old Linksys UnSlung-2) is an LDAP server.

Categories: Test Tags:

AVM Fritzbox 7390 on Belgium Edpnet VDSL

March 17th, 2011 No comments

Since last week I am now the proud owner of a German 1&1 Homeserver 50.000, in fact a rebranded AVM Fritzbox 7390 in a different color.
After some initial configuration challenges, my VDSL2 connection is up and running now for a little more than 1 day.

I was now able to unplug some devices, because all functions were taken over by the new Fritzbox:
Sagem 3464 – Only acting as bridge
Fritzbox 7170 – Providing my PPPOE connectivity
Cisco 837 – Acting as DHCP server, because of being able to pass options (like TFTP server info) to the clients.

I have the new 7390 now running with Freetz additions, to be able to use DNSMASQ and some other packages.

A thank you to:
Philippe for providing some tips through the userbase.be forum
The Freetz team for providing this brilliant piece of software

Categories: Test Tags:

1und1 Smartdrive under Ubuntu 10.10 – Maverick

November 30th, 2010 No comments

It has taken me some time to get the 1und1 Smartdrive to work correctly under Ubuntu 10.10 Maverick through webdav. Capturing the steps here, to remind myself and share with the community.
Most of this info is created by testing, trial and error, using pieces of information found on the internet and the man pages.

1) Install davfs2 (via synaptic or command line: sudo apt-get install davfs2)
2) Allow users to mount by setting this option through this program
   "sudo dpkg-reconfigure davfs2"
3) Create folder /media/1und1 (sudo mkdir /media/1und1)
4) Edit /etc/fstab by adding this line
   https://sd2dav.1und1.de /media/1und1 davfs user,noauto,rw 0 0
5) Edit /etc/davfs2/davfs2.conf, changing the following line:
   a) from: # ignore_home                      # system wide config file only
      to:   ignore_home kernoops               # system wide config file only
   b) from: # if_match_bug    0
      to:   if_match_bug    1
6) Edit /etc/davfs2/secrets, adding the line with credentials
   https://sd2dav.1und1.de         kaxxxx-xxx@online.de    your-password
7) Add yourself to the user-group davfs2
   (System -> Administration -> Users and Groups)

You can now mount your 1und1 Smartdrive on /media/1und1 as a regular user.
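A check worth running on the secrets file from step 6, as an added example that is not part of the original steps: davfs2 expects that file to be readable and writable by its owner only (mode 600), and the password in it is only protected in transit when the URL is https. The function names and the plain-http entry are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: audit a davfs2 secrets file before relying on it.
# check_secrets FILE prints one finding per line; returns 0 if clean, 1 if not.
check_secrets() {
  local file=$1 rc=0 mode target rest
  mode=$(stat -c '%a' "$file") || return 2   # GNU stat, as shipped with Ubuntu
  # The file holds a cleartext password, so only its owner may read it.
  if [ "$mode" != "600" ]; then
    echo "mode is $mode, expected 600"
    rc=1
  fi
  while read -r target rest; do
    case $target in
      ''|'#'*) ;;                    # blank line or comment
      https://*|/*) ;;               # TLS URL, or a local mount point
      *) echo "$target: not an https URL, credentials would travel in clear"
         rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# Constructed demo: the entry from step 6 with loose permissions, plus a
# plain-http entry (hypothetical host) to show the second finding.
demo_secrets() {
  local f rc
  f=$(mktemp)
  printf '%s\n' '# constructed sample' \
    'https://sd2dav.1und1.de  kaxxxx-xxx@online.de  your-password' \
    'http://dav.example.invalid  someone  secret' > "$f"
  chmod 644 "$f"
  check_secrets "$f"; rc=$?
  rm -f "$f"
  return $rc
}

demo_secrets || true
```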

Categories: Test, Trixbox Tags:

Bridging PPPOE with Fritzbox and Belgacom B-Box2

April 13th, 2010 21 comments

For about two weeks I have had a VDSL connection in addition to an ADSL connection which will be terminated next month. While I do enjoy the bandwidth increase, I quickly discovered that the router which comes with the new subscription does not offer the same functionality as I used to have.
VDSL in Belgium comes by default with a so-called B-Box2, a Sagem Webr@cer 3464 rebranded by Belgacom, running a customized Belgacom firmware.
With some hidden commands this router offers some basic functionality, including dyndns and port-forwarding, but features like VPN are missing.

To overcome these limitations, I decided to start using my AVM Fritzbox 7170 router again, and just use the B-Box2 as a bridge. It proved more challenging than I expected, but I succeeded. Below are the steps you have to perform to make this work.

Belgacom B-Box / Sagem 3464 in Bridge mode:

Firstly, start with the basic steps to configure the B-Box2 for operating in bridge mode. Doing more with less is the trick here. Rather than adding special configuration, it turns out the modem already supports bridged PPPOE traffic straight out of the box. I just decided to strip some unnecessary configuration to avoid problems:

  1. Disable wireless
  2. Disable the voip wan interface

Below are some screenshots of the steps to take on a factory default box

Reconfigure the Fritzbox 7170:

The re-configuration of the Fritzbox is more tricky. To be able to establish a PPPOE connection to your ISP (in my case EDPNET), it is necessary that the router is able to send PPPOE encapsulated packets out of the LAN interface, with a VLAN tag. The VLAN tagging is required for VDSL and is only possible after some configuration tweaks. By default, a Fritzbox is able to use the LAN0 interface as a pseudo WAN port, however this is normally without VLAN tagging. Your PPPOE requests will time out without response if they are not sent with the correct VLAN tagging; in the case of EDPNET (and probably Belgacom as well) that is VLAN ID=10.

I also learned that it is not possible with every firmware version. I was successful with 29.04.70. Newer firmware versions did cause some problems.

To add VLAN tagging to the IP packets, the following changes need to be made to the ar7.cfg file (in /var/flash). First enable telnet (dial #96*7* from a phone connected to one of the analog or ISDN ports). Telnet into the box, and edit ar7.cfg using the built-in nvi editor.

Change / add the following:

Insert the below code, in between the existing piece of code in grey:

        vccs {
                VPI = 1;
                VCI = 32;
                traffic_class = atm_traffic_class_UBR;
                pcr = 0;
                scr = 0;
                priority = 0;
                dsl_encap = dslencap_pppoe;
                vlancfg {
                        vlanencap = vlanencap_class_prio;
                        vlanid = 10;
                        vlanprio = 1;
                }
                ipbridgeing = no;
                ipbridgeing_igmp = no;
                pppoeforwarding = no;
                connections = "internet", "voip";
        }

Change the following parameters from no to yes:

enabled = yes;
name = "internet";
dsl_encap = dslencap_inherit;
dslinterfacename = "dsl";
no_masquerading = no;
no_firewall = no;
pppoevlanauto = yes;
pppoevlanauto_startwithvlan = yes;
ppptarget = "internet";

and

enabled = yes;
name = "voip";
dsl_encap = dslencap_inherit;
dslinterfacename = "dsl";
no_masquerading = no;
no_firewall = no;
pppoevlanauto = yes;
pppoevlanauto_startwithvlan = yes;
ppptarget = "voip";

The parameters pppoevlanauto and pppoevlanauto_startwithvlan appear twice in the config.
Lastly, change the default VLAN ID from 7 to 10:

manual_speed = no;
connect_delay_when_synced = 3s;
sync_lost_delay = 0w;
default_tcom_vlan = 10;

After this, it’s just a matter of using the GUI to configure LAN0 as WAN interface, with PPPOE. Screenshots below:

Categories: Trixbox Tags:

Trixbox behind Fritzbox

September 28th, 2009 5 comments

As of today I’ve replaced my Netgear DG835GB routers with two identical Fritzbox 7170 models. I had to do this because the Netgear model was not supported for a migration to the “1und1 Komplettanschluss”. I had already replaced the remote end, but because I was not able to establish a VPN between a Netgear and a Fritzbox, I have now replaced the central site router as well.
Given that this one has the Trixbox behind it, as expected, it brought some challenges.

Out of the box, Asterisk registers with external SIP providers via UDP port 5060. Traffic received by the Fritzbox on UDP port 5060 is not passed on to devices behind the Fritzbox, because it is considered to be for the Fritzbox itself.
Trying to setup port forwarding on the Fritzbox for UDP port 5060 gives the following error “FEHLER: Eintrag kollidiert mit interner Regel”.

Another solution found on the web suggests to change the port or bindport in sip.conf on the Asterisk server, to a different value than the default 5060. I tried this, including setting up port-forwarding on the router. My trixbox registered now correctly with the various SIP providers I’m using, but my internal extension failed to register correctly.

The solution turned out to be a modification in the fritzbox. I’m using software version 29.04.76.
First of all, you need to make sure telnet access is enabled.

I made the following modifications (using nvi):

In file /var/flash/voip.cfg change:

"sip_srcport = 5060;"

to

"sip_srcport = 5061;"

In file /var/flash/ar7.cfg :

                        forwardrules = "tcp 0.0.0.0:443 0.0.0.0:443 0",
                                       "udp 0.0.0.0:5060 0.0.0.0:5060",

to

                        forwardrules = "tcp 0.0.0.0:443 0.0.0.0:443 0",
                                       "udp 0.0.0.0:5060 192.168.1.3:5060",

192.168.1.3 being the IP address of my Asterisk/Trixbox.

Note that it is important to use the editor nvi on the Fritzbox to edit the config files.

Categories: Trixbox Tags:

7941/7961 dialplan

April 8th, 2009 No comments

After a bit of googling, I managed to find a way to reduce the annoying delay when dialing from one of the 7941 phones in my network. Where the 7960s immediately send the outgoing call after pushing the # key, I had a long delay on the 7941 phones.
I found the solution in changing the dialplan file.
Using the below code did the trick. Pushing # sends the dial string immediately. Just waiting results in the call being placed 4 seconds after pushing the last button.

<DIALTEMPLATE>
<TEMPLATE MATCH="*" TIMEOUT="4"/>
</DIALTEMPLATE>
Categories: Trixbox Tags:

Ldap directory for Cisco 7941 / 7961 IP Phones

April 1st, 2009 8 comments

For a few weeks now I have had a few Cisco 7941 IP Phones. Although they look pretty similar to the 7940 models, it turns out configuring them is totally different.
Once provisioned and registered, I discovered that the ldap directory script I use for the 7960 phone didn’t work any longer.

I finally found a solution for this problem today, by just using some of the code from the pre-installed Trixbox xmlservices scripts.

Rather than using the original directory.php script, I now use the below updated SearchDirectory.php script, and renamed it to ldapSearchDirectory.php.

ldapSearchDirectory.php

<?php
//Copyright (C) 2006 Fonality Inc. (fonality.com)
//
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation; either version 2
//of the License, or (at your option) any later version.
//
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//GNU General Public License for more details.

require '/var/www/html/xmlservices/libs/Smarty.class.php';

$smarty = new Smarty;

require '/var/www/html/xmlservices/include/xmlservices_libs.php';
require '/var/www/html/xmlservices/include/xmlservices_config.php';

$smarty->compile_check = true;

// $smarty->debugging = true;

$smarty->assign('PageTitle','Search by last name');
$smarty->assign('Prompt','Enter the first few letters');

$smarty->display('ldapsearchDirectory_'.$content_format.'.tpl');
?>

ldapsearchDirectory_ciscoxml4.tpl in the templates directory looks like this:

<CiscoIPPhoneInput>
<Title>{$PageTitle}</Title>
<Prompt>{$Prompt}</Prompt>
<URL>{$Server}/result.php</URL>
<InputItem>
<DisplayName>Filter</DisplayName>
<QueryStringParam>filter</QueryStringParam>
<DefaultValue></DefaultValue>
<InputFlags>A</InputFlags>
</InputItem>
</CiscoIPPhoneInput>

Lastly, the result.php script has been updated a little:

<?php 
// This XML-PHP page searches contacts in LDAP and display it on CISCO directory service 
// Script Provided by Gael Marronnier From Simstream Company www.simstream.com gael_asterisk@simstream.com
// Modified by Arnaud Croes (arnaud@croesnet.eu) to make it work properly in a 3CX environment
// 
// Get parameter from directory script
 
require '/var/www/html/xmlservices/libs/Smarty.class.php';
 
$smarty = new Smarty;
 
require '/var/www/html/xmlservices/include/xmlservices_libs.php';
require '/var/www/html/xmlservices/include/xmlservices_config.php';
 
$directoryRowCount=30;
 
$smarty->compile_check = true;
 
//$smarty->debugging = true; 
 
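# This sets the offset for the LIMIT portion of the query
# (defaults to 0 when the phone sends no NextGroup parameter)
$NextStartingRow = (isset($_GET['NextGroup']) ? (int)$_GET['NextGroup'] : 0) * $directoryRowCount;

// Escape the search term typed on the phone so that characters such as * ( ) \
// cannot change the structure of the LDAP filter built below.
// ldap_escape() requires PHP 5.6 or later.
$filter = ldap_escape(isset($_REQUEST["filter"]) ? $_REQUEST["filter"] : "", "", LDAP_ESCAPE_FILTER);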
 
// LDAP server characteristics 
$ds=ldap_connect("192.168.1.2"); 
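// Request LDAP protocol version 3. A failure goes to the server error log,
// because text echoed before the <CiscoIPPhoneDirectory> root element
// would end up in front of the XML reply.
if (!ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3))
{
    error_log("Failed to set version to protocol 3");
}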
$myldap="ou=addressbook,dc=croesnet,dc=eu"; 
 
// Phone entries on my LDAP server are in the format +1 (800) 5551234, the way outlook likes it.
// Names on the server (cn) are not supposed to have special characters like &
// The script replaces the + by 00 , because 3CX doesn't like the + character in the dial string.
// Also removing space, ( and ) characters.
// Removing the ( and ) characters is just cosmetic, they do not cause functionality problems.
// Phone number format change variables
$patterns[0] = '/\+/';
$patterns[1] = '/\(|\)|-|\s+/';
$replacements[0] = '00';
$replacements[1] = '';
 
if ($ds) { 
  $r=ldap_bind($ds); 
  $filterldap="(|(givenname=*".$filter."*)(sn=*".$filter."*)(cn=*".$filter."*)(mail=*".$filter."*))";
  $sr=ldap_search($ds, $myldap, $filterldap); 
  // Lets start displaying XML infos 
  echo "<CiscoIPPhoneDirectory>\n"; 
  echo "<Title>IP Telephony Directory</Title>\n"; 
  $info = ldap_get_entries($ds, $sr); 
  echo "<Prompt>"; 
  echo $info["count"]; 
  echo " Reachable person(s)</Prompt>\n"; 
  for ($i=0; $i<$info["count"]; $i++) {
     if ($info[$i]["mobile"][0]) { 
     echo "<DirectoryEntry>\n"; 
     echo "<Name>" . iconv("UTF-8","ISO-8859-1",$info[$i]["cn"][0]) . " (mobile)</Name>\n"; 
     echo "<Telephone>" .preg_replace($patterns, $replacements, $info[$i]["mobile"][0]) ."</Telephone>\n"; 
     echo "</DirectoryEntry>\n"; 
     } 
     if ($info[$i]["homephone"][0]) { 
     echo "<DirectoryEntry>\n"; 
     echo "<Name>" . iconv("UTF-8","ISO-8859-1",$info[$i]["cn"][0]) . " (home)</Name>\n"; 
     echo "<Telephone>" .preg_replace($patterns, $replacements, $info[$i]["homephone"][0]) ."</Telephone>\n"; 
     echo "</DirectoryEntry>\n"; 
     } 
     if ($info[$i]["telephonenumber"][0]) { 
     echo "<DirectoryEntry>\n"; 
     echo "<Name>" . iconv("UTF-8","ISO-8859-1",$info[$i]["cn"][0]) . " (business)</Name>\n"; 
     echo "<Telephone>" .preg_replace($patterns, $replacements, $info[$i]["telephonenumber"][0]) ."</Telephone>\n"; 
     echo "</DirectoryEntry>\n"; 
     } 
   } 
   echo"</CiscoIPPhoneDirectory>"; 
   ldap_close($ds); 
} else { 
  echo "error"; 
} 
 
?>
Categories: Trixbox Tags: