Archive for the ‘Trixbox’ Category

Protect your Trixbox with iptables

September 16th, 2011 No comments

Found a useful article on the web, to help block someone hacking into my asterisk server.

http://www.pbxer.com/asterisk-security-use-iptables-to-block-nasty-hosts/

Was searching for this, after I found a lot of failed registration requests in the log-file of my PBX. While the passwords I use are strong, and were not hacked, my little Flepo PC running trixbox didn’t like the workload this was causing. All fine now again. Thank you.
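As an added example (not from the original post or the linked article), this Python script counts failed registration notices per source address in an Asterisk log and prints an iptables DROP rule for each address at or above a threshold. The log lines are constructed samples in chan_sip's NOTICE format; the trusted network 192.168.1.0/24, the threshold of 5 and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# chan_sip failed-registration notice. The From header inside the first pair
# of quotes is supplied by the remote side, so the greedy ".*" binds the match
# to the last "failed for '<ip>'" on the line, the one Asterisk itself wrote.
FAILED_RE = re.compile(
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (.+)$"
)


def count_failures(log_text, trusted=("192.168.1.0/24",)):
    """Count failed registrations per source IP, skipping trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # not a valid address, e.g. an octet above 255
            continue
        if not any(ip in net for net in nets):
            counts[str(ip)] += 1
    return counts


def block_rules(counts, threshold=5):
    """One iptables DROP rule (SIP over UDP only) per IP at or above threshold."""
    offenders = sorted(
        (ip for ip, n in counts.items() if n >= threshold),
        key=ipaddress.ip_address,
    )
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
            for ip in offenders]


def _line(ext, src, reason="Wrong password"):
    """Build one constructed log line in chan_sip's NOTICE format."""
    return ("[2011-09-16 03:12:41] NOTICE[2873] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@198.51.100.10>' failed for '{src}' - {reason}")


# Constructed sample (documentation-range addresses), not taken from a real log.
SAMPLE_LOG = "\n".join(
    [_line(100 + i, "203.0.113.45") for i in range(6)]              # repeated guesses
    + [_line(200, "203.0.113.99:5071", "No matching peer found")]   # one stray attempt
    + [_line(12, "192.168.1.20")] * 8                               # own phone, wrong secret
    + [_line("a' failed for '198.51.100.77' - b", "203.0.113.45")]  # log-like text in From
    + ["[2011-09-16 03:13:02] VERBOSE[2873] logger.c: -- Registered SIP '12'"]
)

if __name__ == "__main__":
    for rule in block_rules(count_failures(SAMPLE_LOG)):
        print(rule)
```

The trusted list keeps a mistyped secret on one of your own phones from locking that phone out of the PBX.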

 

Categories: Trixbox Tags:

Unbrick Sarotech Wizplat NAS-20 ?

August 24th, 2011 No comments

Being unhappy with the limited functionality offered by this model of NAS, and knowing it is based on the Gemini chip, I tried to upload an alternative firmware. That was a mistake – it no longer boots up. Instead, 20 seconds after power-on it sounds a very loud beep and that’s it. It seems bricked. :-(

There’s apparently no telnet server running in the bootloader, nor is there any other network traffic coming out of the box (checked with wireshark).

Anyone who knows how to unbrick this NAS? I found info on the web about unbricking a Giganas, using the built-in TTL serial interface, but was unable to find this same interface inside this Sarotech product.

Is the connector on the second picture the serial port? What would be the pin layout?

 

Categories: Trixbox Tags:

1und1 Smartdrive under Ubuntu 10.10 – Maverick

November 30th, 2010 No comments

It has taken me some time to get the 1und1 Smartdrive to work correctly under Ubuntu 10.10 Maverick through webdav. Capturing the steps here, to remind myself and share with the community.
Most of this info is created by testing, trial and error, using pieces of information found on the internet and the man pages.

1) Install davfs2 (via synaptic or command line: sudo apt-get install davfs2)
2) Allow users to mount by setting this option through this program
   "sudo dpkg-reconfigure davfs2"
3) Create folder /media/1und1 (sudo mkdir /media/1und1)
4) Edit /etc/fstab by adding this line
   https://sd2dav.1und1.de /media/1und1 davfs user,noauto,rw 0 0
5) Edit /etc/davfs2/davfs2.conf, changing the following line:
   a) from: # ignore_home                      # system wide config file only
      to:   ignore_home kernoops               # system wide config file only
   b) from: # if_match_bug    0
      to:   if_match_bug    1
6) Edit /etc/davfs2/secrets, adding the line with credentials
   https://sd2dav.1und1.de         kaxxxx-xxx@online.de    your-password
7) Add yourself to the user-group davfs2
   (System -> Administration -> Users and Groups)

You can now mount /media/1und1 to your 1und1 Smartdrive as user

Categories: Test, Trixbox Tags:

Bridging PPPOE with Fritzbox and Belgacom B-Box2

April 13th, 2010 21 comments

For about two weeks I have had a VDSL connection in addition to an ADSL connection, which will be terminated next month. While I do enjoy the bandwidth increase, I quickly discovered that the router which comes with the new subscription does not offer the same functionality as I used to have.
VDSL in Belgium comes by default with a so called B-Box2, a Sagem Webr@cer 3464 rebranded by Belgacom, running a customized Belgacom firmware.
With some hidden command this router offers some basic functionality including dyndns, port-forwarding, but features like VPN are missing.

To overcome these limitations, I decided to start using my AVM Fritzbox 7170 router again, and just use the B-Box2 as a bridge. It proved more challenging than I expected, but I succeeded. Below are the steps you have to perform to make this work.

Belgacom B-Box / Sagem 3464 in Bridge mode:

Firstly, start with the basic steps to configure the B-Box2 for operating in bridge mode. Doing more with less is the trick here. Rather than adding special configuration, it turns out the modem already supports bridged PPPOE traffic straight out of the box. I just decided to strip some unnecessary configuration to avoid problems:

  1. Disable wireless
  2. Disable the voip wan interface

Below are some screenshots of the steps to take on a factory default box

Reconfigure the Fritzbox 7170:

The re-configuration of the Fritzbox is more tricky. To be able to establish a PPPOE connection to your ISP (in my case EDPNET), it is necessary that the router is able to send PPPOE encapsulated packets out of the LAN interface, with a VLAN tag. The VLAN tagging is required for VDSL and is only possible after some configuration tweaks. By default, a Fritzbox is able to use the LAN0 interface as pseudo WAN port, however this is normally without VLAN tagging. Your PPPOE requests will time out without response if they are not sent with the correct VLAN tagging, in case of EDPNET (and probably Belgacom as well) VLAN ID=10.

I also learned that it is not possible with every firmware version. I was successful with 29.04.70. Newer firmware versions did cause some problems.

To add VLAN tagging to the IP packets, the following changes need to be made to the ar7.cfg file (in /var/flash). First enable telnet (dial #96*7* from a phone connected to one of the analog or ISDN ports). Telnet into the box, and edit ar7.cfg using the built-in nvi editor.

Change / add the following:

Insert the below code, in between the existing piece of code in grey:

        vccs {
                VPI = 1;
                VCI = 32;
                traffic_class = atm_traffic_class_UBR;
                pcr = 0;
                scr = 0;
                priority = 0;
                dsl_encap = dslencap_pppoe;
                vlancfg {
                        vlanencap = vlanencap_class_prio;
                        vlanid = 10;
                        vlanprio = 1;
                }
                ipbridgeing = no;
                ipbridgeing_igmp = no;
                pppoeforwarding = no;
                connections = "internet", "voip";
        }

Change the following parameters from no to yes:

enabled = yes;
name = "internet";
dsl_encap = dslencap_inherit;
dslinterfacename = "dsl";
no_masquerading = no;
no_firewall = no;
pppoevlanauto = yes;
pppoevlanauto_startwithvlan = yes;
ppptarget = "internet";

and

enabled = yes;
name = "voip";
dsl_encap = dslencap_inherit;
dslinterfacename = "dsl";
no_masquerading = no;
no_firewall = no;
pppoevlanauto = yes;
pppoevlanauto_startwithvlan = yes;
ppptarget = "voip";

The code pppoevlanauto and pppoevlanauto_startwithvlan appears twice in the config.
Lastly, change the default VLAN ID from 7 to 10:

manual_speed = no;
connect_delay_when_synced = 3s;
sync_lost_delay = 0w;
default_tcom_vlan = 10;

After this, it’s just a matter of using the GUI to configure LAN0 as WAN interface, with PPPOE. Screenshots below:

Categories: Trixbox Tags:

Trixbox behind Fritzbox

September 28th, 2009 5 comments

As of today I’ve replaced my Netgear DG835GB routers with two identical Fritzbox 7170 models. I had to do this because the Netgear model was not supported for a migration to the “1und1 Komplettanschluss”. I had already replaced the remote end, but because I was not able to establish a VPN between a Netgear and a Fritzbox, I have now replaced the central site router as well.
Given that this one has the Trixbox behind it, as expected, it brought some challenges.

Out of the box, Asterisk is registering with external SIP providers via UDP port 5060. Traffic received by the Fritzbox on UDP port 5060 is not passed on to devices behind the Fritzbox, because it is considered to be for the Fritzbox itself.
Trying to setup port forwarding on the Fritzbox for UDP port 5060 gives the following error “FEHLER: Eintrag kollidiert mit interner Regel”.

Another solution found on the web suggests to change the port or bindport in sip.conf on the Asterisk server, to a different value than the default 5060. I tried this, including setting up port-forwarding on the router. My trixbox registered now correctly with the various SIP providers I’m using, but my internal extension failed to register correctly.

The solution turned out to be a modification in the fritzbox. I’m using software version 29.04.76.
First of all, you need to make sure telnet access is enabled.

I made the following modifications (using nvi):

In file /var/flash/voip.cfg change:

"sip_srcport = 5060;"

to

"sip_srcport = 5061;"

In file /var/flash/ar7.cfg :

                        forwardrules = "tcp 0.0.0.0:443 0.0.0.0:443 0",
                                       "udp 0.0.0.0:5060 0.0.0.0:5060",

to

                        forwardrules = "tcp 0.0.0.0:443 0.0.0.0:443 0",
                                       "udp 0.0.0.0:5060 192.168.1.3:5060",

192.168.1.3 being the IP address of my Asterisk/Trixbox.

Note that it is important to use the editor nvi on the fritzbox to edit the config files

Categories: Trixbox Tags:

7941/7961 dialplan

April 8th, 2009 No comments

After a bit of googling, I managed to find a way to reduce the annoying delay when dialing from one of the 7941 phones in my network. Where the 7960s immediately send the outgoing call after pushing the # key, I had a long delay on the 7941 phones.
I found the solution in changing the dialplan file.
Using the below code did the trick. Pushing # sends the dialstring immediately. Just waiting results in the call being placed 4 seconds after pushing the last button.

<DIALTEMPLATE>
<TEMPLATE MATCH="*" TIMEOUT="4"/>
</DIALTEMPLATE>

Categories: Trixbox Tags:

Ldap directory for Cisco 7941 / 7961 IP Phones

April 1st, 2009 8 comments

For a few weeks now I have had a few Cisco 7941 IP Phones. Although they look pretty similar to the 7940 models, it turns out configuring them is totally different.
Once provisioned and registered, I discovered that the ldap directory script I use for the 7960 phone didn’t work any longer.

I finally found a solution for this problem today, by just using some of the code from the pre-installed Trixbox xmlservices scripts.

Rather than using the original directory.php script, I now use the below updated SearchDirectory.php script, and renamed it to ldapSearchDirectory.php.

ldapSearchDirectory.php

<?php
//Copyright (C) 2006 Fonality Inc. (fonality.com)
//
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation; either version 2
//of the License, or (at your option) any later version.
//
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//GNU General Public License for more details.

require '/var/www/html/xmlservices/libs/Smarty.class.php';

$smarty = new Smarty;

require '/var/www/html/xmlservices/include/xmlservices_libs.php';
require '/var/www/html/xmlservices/include/xmlservices_config.php';

$smarty->compile_check = true;

// $smarty->debugging = true;

$smarty->assign('PageTitle','Search by last name');
$smarty->assign('Prompt','Enter the first few letters');

$smarty->display('ldapsearchDirectory_'.$content_format.'.tpl');
?>

ldapsearchDirectory_ciscoxml4.tpl in the templates directory looks like this:

<CiscoIPPhoneInput>
<Title>{$PageTitle}</Title>
<Prompt>{$Prompt}</Prompt>
<URL>{$Server}/result.php</URL>
<InputItem>
<DisplayName>Filter</DisplayName>
<QueryStringParam>filter</QueryStringParam>
<DefaultValue></DefaultValue>
<InputFlags>A</InputFlags>
</InputItem>
</CiscoIPPhoneInput>

Lastly, the result.php script has been updated a little:

<?php
// This XML-PHP page searches contacts in LDAP and display it on CISCO directory service
// Script Provided by Gael Marronnier From Simstream Company www.simstream.com gael_asterisk@simstream.com
// Modified by Arnaud Croes (arnaud@croesnet.eu) to make it work properly in a 3CX environment
//
// Get parameter from directory script

require '/var/www/html/xmlservices/libs/Smarty.class.php';

$smarty = new Smarty;

require '/var/www/html/xmlservices/include/xmlservices_libs.php';
require '/var/www/html/xmlservices/include/xmlservices_config.php';

$directoryRowCount=30;

$smarty->compile_check = true;

//$smarty->debugging = true;

# This sets the offset for the LIMIT portion of the query
$NextStartingRow = (isset($_GET['NextGroup']) ? (int)$_GET['NextGroup'] : 0) * $directoryRowCount;

// The search text is typed on the phone and arrives unfiltered. Escape it before it
// is placed in the LDAP filter, so that characters such as * ( ) \ cannot change the
// filter's structure. ldap_escape() requires PHP 5.6 or later.
$filter = isset($_REQUEST["filter"]) ? ldap_escape($_REQUEST["filter"], "", LDAP_ESCAPE_FILTER) : "";

// LDAP server characteristics
$ds=ldap_connect("192.168.1.2");
$myldap="ou=addressbook,dc=croesnet,dc=eu";

// Phone entries on my LDAP server are in the format +1 (800) 5551234, the way outlook likes it.
// Names on the server (cn) are not supposed to have special characters like &
// The script replaces the + by 00 , because 3CX doesn't like the + character in the dial string.
// Also removing space, ( and ) characters.
// Removing the ( and ) characters is just cosmetic, they do not cause functionality problems.
// Phone number format change variables
$patterns[0] = '/\+/';
$patterns[1] = '/\(|\)|-|\s+/';
$replacements[0] = '00';
$replacements[1] = '';

if ($ds) {
  // Log instead of echo: any text printed before the root element makes the XML reply malformed.
  if (!ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3)) {
    error_log("Failed to set version to protocol 3");
  }
  $r=ldap_bind($ds);
  $filterldap="(|(givenname=*".$filter."*)(sn=*".$filter."*)(cn=*".$filter."*)(mail=*".$filter."*))";
  $sr=ldap_search($ds, $myldap, $filterldap);
  // Lets start displaying XML infos
  echo "<CiscoIPPhoneDirectory>\n";
  echo "<Title>IP Telephony Directory</Title>\n";
  // A failed search yields an empty result instead of a PHP error inside the XML.
  $info = $sr ? ldap_get_entries($ds, $sr) : array("count" => 0);
  echo "<Prompt>";
  echo $info["count"];
  echo " Reachable person(s)</Prompt>\n";
  for ($i=0; $i<$info["count"]; $i++) {
     // Directory values are data, not markup: escape them before writing them into the XML.
     $cn = isset($info[$i]["cn"][0]) ? $info[$i]["cn"][0] : "";
     $name = htmlspecialchars(iconv("UTF-8","ISO-8859-1",$cn), ENT_QUOTES, "ISO-8859-1");
     if (!empty($info[$i]["mobile"][0])) {
     echo "<DirectoryEntry>\n";
     echo "<Name>" . $name . " (mobile)</Name>\n";
     echo "<Telephone>" .htmlspecialchars(preg_replace($patterns, $replacements, $info[$i]["mobile"][0])) ."</Telephone>\n";
     echo "</DirectoryEntry>\n";
     }
     if (!empty($info[$i]["homephone"][0])) {
     echo "<DirectoryEntry>\n";
     echo "<Name>" . $name . " (home)</Name>\n";
     echo "<Telephone>" .htmlspecialchars(preg_replace($patterns, $replacements, $info[$i]["homephone"][0])) ."</Telephone>\n";
     echo "</DirectoryEntry>\n";
     }
     if (!empty($info[$i]["telephonenumber"][0])) {
     echo "<DirectoryEntry>\n";
     echo "<Name>" . $name . " (business)</Name>\n";
     echo "<Telephone>" .htmlspecialchars(preg_replace($patterns, $replacements, $info[$i]["telephonenumber"][0])) ."</Telephone>\n";
     echo "</DirectoryEntry>\n";
     }
   }
   echo"</CiscoIPPhoneDirectory>";
   ldap_close($ds);
} else {
  echo "error";
}

?>

Categories: Trixbox Tags:

Using Cisco 7941 phones

March 30th, 2009 No comments

First of all, I had to upgrade my phones to a SIP image. This requires a factory default reset on the phone.

Step 1 Unplug the power cable from the phone and then plug it back in.
The phone begins its power up cycle.

Step 2 Immediately press and hold # while the Headset, Mute, and Speaker buttons turn
on and off in sequence.
Release # after the Speaker button turns off.
The Headset, Mute, and Speaker buttons flash in sequence to indicate that the
phone is waiting for you to enter the key sequence for the reset.

Step 3 Press 123456789*0# within 60 seconds after the Headset, Mute, and Speaker
buttons begin to flash.
If you repeat a key within the sequence (for example, if you press
1223456789*0#), the sequence will still be accepted and the phone will reset.
If you do not complete this key sequence or do not press any keys, the Headset,
Mute, and Speaker buttons will stop flashing after 60 seconds and the phone will
continue with its normal startup process. The phone will not reset.
If you enter an invalid key sequence, the buttons will stop flashing immediately
and the phone will continue with its normal startup process. The phone will not
reset.
If you enter this key sequence correctly, the phone displays this prompt:
Keep network cfg? 1 = yes 2 = no

Step 4 To maintain existing network configuration settings for the phone when the phone
resets, press 1. To reset network configuration settings when the phone resets,
press 2.
If you press another key or do not respond to this prompt within 60 seconds, the
phone will continue with its normal startup process and will not reset.
Otherwise, the phone goes through the factory reset process.

(thanks to http://www.tek-tips.com/viewthread.cfm?qid=1316949&page=1)

Not sure whether this is a Cisco issue, or a problem on my NSLU2 tftpd server, but I had to change the xml config file attributes:

chmod 777 SEPmacaddr.cnf.xml
chown nobody:nobody SEPmacaddr.cnf.xml

Categories: Trixbox Tags:

Freeconet Poland

March 30th, 2009 No comments

I just ordered an extra number to my Freeconet account. This Polish VOIP provider has a user friendly web-interface for account management, available in English.
I use them mainly for inbound calls, but occasionally make outbound calls to Poland via them as well. Especially for calls to mobile phones they have very sharp prices.
With over a year of experience with them now, I can say that I’m very happy with the service.
The extra number I just ordered (all online, available instantly) I will use over a separate trunk, with inbound call routing to a special extension.
I didn’t manage to have both DIDs arrive over the same trunk, and have the correct inbound routes configured. Probably lack of knowledge on my side. Anyway, two parallel trunks seem to work just fine.

The trunk config and registration is straight forward.

Trunkname: 1und1

Peer details:

host=sip.freeconet.pl
username=userid
secret=password
type=friend
dtmfmode=rfc2833
nat=yes
canreinvite=no
fromdomain=sip.freeconet.pl
insecure=very
qualify=yes
disallow=all
allow=alaw&ulaw

Register String:

userid:password@sip.freeconet.pl/48phonenumber

Categories: Trixbox Tags:

Weepee telecom

March 25th, 2009 No comments

Today I discovered Weepee, and decided to register with them, and give their service a try.
They offer local numbers in Belgium for a one time fee of only 9 Euro. No minimum call-volume or credit usage requirements.
Although I’m happy with the service provided by IPness for my Belgium phone numbers, I think I’ll move those numbers over (once I fully used my credit). IP-Ness expects a call volume with a value of 15 Euros every quarter as minimum usage. When your usage is below this volume, 15 Euro is charged anyway.
With only limited outbound volume via them, I sometimes end up just paying for the service, rather than the usage. I do use the numbers for inbound traffic though.

Because of their pricing structure, Weepee seems a good alternative.
Registration for an account and ordering of a number goes very smooth. The process, including the fax confirmation for ordering your numbers is fully automated. I did this all at 23:00 CET.

Setting up the trunk in the trixbox also worked without any problems.

Trunkname: Weepee

Peer details:

type=friend
host=ssw5.weepee.org
canreinvite=no
username=32userid
fromuser=32userid
fromdomain=weepee.org
secret=password
disallow=all
nat=yes
insecure=very
qualify=yes
allow=alaw&ulaw

Register String:

32userid:password@ssw5.weepee.org/32userid

After signing up for the SIP-trunk account with 2 numbers, I immediately opened a fax service account as well. Works very well.
If you do the registration and number ordering process quickly after each other, chances are high that you get sequential numbers.

Categories: Trixbox Tags: