| 00:00.19 | epoch | I haven't run into many switches that support more than 16 vlans |
| 00:00.21 | puzzled | MnxPower: that will be a nightmare. create groups and use a firewall |
| 00:00.50 | MnxPower | puzzled, We want to prevent users from doing anything peer to peer. |
| 00:01.05 | MnxPower | i.e. windows shareing, etc. |
| 00:01.12 | puzzled | firewall is your friend |
| 00:01.19 | MnxPower | i.e. no interworkstation pc to pc virus spreading |
| 00:01.26 | epoch | puzzled: how would a firewall help? |
| 00:01.33 | puzzled | MnxPower: make us happy and block port 25 too |
| 00:01.47 | MnxPower | puz we block all except for a few ports already |
| 00:01.56 | puzzled | epoch: no access to port 5060 and RTP ports and there will not be VoIP traffic |
| 00:02.08 | *** join/#asterisk czero (~h@CPE0090f800c5b0-CM00e06f166c34.cpe.net.cable.rogers.com) |
| 00:02.15 | MnxPower | But that doesn't help keep pcs on the same switch from talking to each other |
| 00:02.46 | puzzled | MnxPower: hmm makes sense actually. put them in vlans. how many vlans do those dell switches sport? |
| 00:03.18 | puzzled | anyone want a Grolsch beer? |
| 00:03.27 | MnxPower | puzzled, They are being deployed tomorrow night, but we have a differnt model switch also managable I'll check |
| 00:03.36 | rene- | put a lot of nics on your server and wire some crossover cables :) |
| 00:03.44 | puzzled | lol |
| 00:04.02 | derrick_ | the medusa network |
| 00:04.31 | pfn | not much of a network when the workstations can't talk to each other... |
| 00:04.37 | pfn | but I guess that's ok for most people |
| 00:04.45 | *** part/#asterisk venix (~pnaomi@Z-pc1-198-S1.gw1.tor1.sprint-canada.net) |
| 00:04.54 | puzzled | MnxPower: a reasonable serious switch will allow you to route traffic via vlans though a router/firewall so you can block stuff |
| 00:05.01 | pfn | why not put everyone on a separate network and use a firewall to route, heh |
| 00:05.17 | puzzled | pfn: these days, the more you block the more people are productive |
| 00:05.18 | pfn | doesn't really prevent workstation communication |
| 00:05.20 | *** join/#asterisk mr_monkey (~root@201.137.111.232) |
| 00:05.40 | pfn | puzzled nah, if I were blocked, I'd find otherwise to wste my time 'sides irc |
| 00:05.41 | pfn | heh |
| 00:06.16 | czero | blocked networks simple |
| 00:06.20 | czero | ssh to a server out side |
| 00:06.25 | czero | no on ever block ssh |
| 00:06.26 | mr_monkey | where can i configure the dial tone to make outgoing call such as (9 or 0 ) |
| 00:06.30 | czero | then irc from there |
| 00:06.30 | MnxPower | We have basically done all we can reasonably do to protect the network from the outside for the amount of money we could spend, now we are working on securing the inside. |
| 00:06.31 | pfn | czero that's not true |
| 00:06.33 | puzzled | czero: how many lusers now that shit? |
| 00:06.34 | pfn | a lot of people block ssh |
| 00:06.42 | pfn | example is lockheed-martin |
| 00:06.44 | pfn | they block ssh |
| 00:06.51 | pfn | of course, they just port block it.... |
| 00:06.57 | puzzled | MnxPower: at least 50% of hacks come from the inside. take it seriously |
| 00:06.58 | MnxPower | laptops and wireless are the bane of corporate IP |
| 00:07.04 | jcollie | pfn: ssh is one of the few things that i let in unconditionally :) |
| 00:07.06 | czero | ok well I've only evre worked in an ISP/telcom/telcom vendor |
| 00:07.06 | puzzled | indeed |
| 00:07.11 | czero | you cnat; block ssh out then :) |
| 00:07.18 | MnxPower | puzzled, We are worried about data theft and viruses |
| 00:07.30 | puzzled | czero: so you now that stuff but how many ppl know that stuff that work in finance? |
| 00:07.40 | czero | puzzled none :) |
| 00:07.49 | mr_monkey | where can i configure the dial tone to make outgoing call such as (9 or 0 ) |
| 00:07.49 | czero | but I'm nevre worried bout them :) |
| 00:07.50 | pfn | yeah, I had friends who are loan brokers |
| 00:07.51 | paulc | depends if you want to steal financial figures or the latest set of source code.. |
| 00:07.51 | pfn | clueless |
| 00:07.52 | pfn | heh |
| 00:07.55 | puzzled | MnxPower: block usb in the bios also and protect it with a password |
| 00:08.02 | paulc | mr_monkey: You asked the same question yesterday. Still having no luck? |
| 00:08.06 | MnxPower | Fortunatly our users are about as computer savvyt as my cat. |
| 00:08.14 | mr_monkey | mmmmmmmmmmmm, not at all |
| 00:08.23 | puzzled | MnxPower: that's a good thing |
| 00:08.33 | czero | sercurity concerns though inside is the biggest worry |
| 00:08.39 | paulc | mr_monkey: You're using call files to create an outbound call, and your FXO line is connected to a PBX right? |
| 00:08.48 | mr_monkey | but that was some diferent since, that was using manager interface and this is using extension.conf |
| 00:08.51 | MnxPower | puzzled, Here's the bad thing: %90 of the computers in the copmpany are owned by the individual employee. |
| 00:08.51 | AgiNamu | pfn: stopping the channel doesn' |
| 00:08.51 | jcollie | mr_monkey in some phones that may be something that has to be configured on the phone |
| 00:08.51 | czero | the threat from out side is an insider accessing then doign shit _most_ of the time |
| 00:08.53 | AgiNamu | work :( |
| 00:09.02 | pfn | aginamu you delete the call file? |
| 00:09.08 | pfn | delete the call file and hang up the channel |
| 00:09.11 | AgiNamu | Does that do it ? :* |
| 00:09.12 | *** join/#asterisk Bentley (~Bentley@S01060080c8135e6a.cg.shawcable.net) |
| 00:09.14 | paulc | MnxPower: WHAT? That's WEIRD! |
| 00:09.25 | puzzled | czero: I had the same challenges in a telco environment also. it was fun trying to stay ahead of the rather knowledgeable student pack |
| 00:09.29 | pfn | manxpower what kinda company is that??? |
| 00:09.34 | MnxPower | paulc, Real Estate. The are all basically "contractors" |
| 00:09.51 | puzzled | contractors are expensive. hire people :) |
| 00:10.03 | MnxPower | puzzled, For them nthey are not. |
| 00:10.06 | AgiNamu | ok i killed the call file |
| 00:10.07 | pfn | contractors are cheaper |
| 00:10.09 | AgiNamu | lemme see if that did it |
| 00:10.17 | MnxPower | And it's NOT a matter of "cheap". These people work on comission. |
| 00:10.24 | czero | one of my jobs in the past the head of our Security group was former NSA |
| 00:10.26 | MnxPower | Hell, the employees have to PAY to work at the company. |
| 00:10.26 | pfn | headcount is recurring cost |
| 00:10.30 | czero | learn alot form him |
| 00:10.44 | puzzled | pfn: while at Lucent, contractors charged 450 UK punds/hour. that is expensive |
| 00:10.51 | puzzled | pounds even |
| 00:10.52 | pfn | manxpower that's how a lot of these high commission places work |
| 00:10.56 | *** join/#asterisk MiXi^ (mixi@pD9545024.dip.t-dialin.net) |
| 00:11.59 | puzzled | MnxPower: your solution to yourLAN access challenge is a router/firewall |
| 00:12.07 | *** join/#asterisk Alric (~nbowyer@69.148.124.6) |
| 00:12.08 | czero | I'd love one of thos 540 punds/hr jobs |
| 00:12.10 | puzzled | and put groups in a VLAN |
| 00:12.11 | MnxPower | puzzled, We HAVE a router and firewall |
| 00:12.13 | czero | 450 too |
| 00:12.31 | puzzled | MnxPower: then you can block all the ports right? |
| 00:12.34 | MnxPower | The company has 13 offices and 400 "employees" |
| 00:12.56 | puzzled | that takes lots of FW management but it is doable |
| 00:12.57 | MnxPower | puzzled, We are currently blocking all ports except specific ones we need open. |
| 00:13.11 | puzzled | so why isn't it working? |
| 00:13.14 | czero | MnxPower thats the right way to do it |
| 00:13.16 | mr_monkey | ok, so let me know about the file which is used to set the dialtone pls |
| 00:13.24 | pfn | puzzled there's a difference, though |
| 00:13.29 | pfn | specialty contractors are different |
| 00:13.31 | pfn | and what's cheaper |
| 00:13.36 | puzzled | mr_monkey: zapata.conf |
| 00:13.41 | pfn | hiring a fulltime employee to do a project for 1 year |
| 00:13.49 | pfn | vs. hiring a specialized contractor to do the job in a month |
| 00:13.58 | puzzled | pfn: I agree. sometimes you need someone from the outside for a while |
| 00:14.02 | paulc | pfn: good point/question.. |
| 00:14.04 | czero | yes contractor should be short term slowutions |
| 00:14.11 | mr_monkey | thx |
| 00:14.21 | paulc | what about if you're interviewed for a full time job but would prefer (as the employee) to do it on a contract basis rather than full time employment? |
| 00:14.31 | MnxPower | I prefer contracts |
| 00:14.42 | MnxPower | Being a contractor can be good. |
| 00:14.46 | puzzled | mr_monkey: look at loadzone=<country code> and defaultzone=<country code> |
| 00:14.52 | pfn | being a contractor can be good for tax purposes |
| 00:14.53 | MnxPower | I have a single contact, I can say "no" |
| 00:14.57 | mr_monkey | my country is not listed in asterisk |
| 00:15.02 | puzzled | MnxPower: yes, money is agood as a contractor |
| 00:15.34 | puzzled | mr_monkey: look at similar settings. the NL entry is a good example |
| 00:15.35 | mr_monkey | so i set default 'us' |
| 00:15.51 | puzzled | mr_monkey: and define your country's settings if you know them |
| 00:16.09 | mr_monkey | so thats's the only one thing i need to modify |
| 00:16.10 | mr_monkey | ? |
| 00:16.18 | puzzled | mr_monkey: then set them using loadzone= and defaultzone= |
| 00:16.32 | puzzled | mr_monkey: yes afaik |
| 00:16.33 | PyroSteve | by experience, are there many problems associated with SIP clients being behind nat with ASTERISK not behind nat ? |
| 00:16.33 | mr_monkey | ok, |
| 00:16.41 | pfn | asterisk doesn't have a indication setting for mexico? |
| 00:16.43 | pfn | interesting |
| 00:16.59 | mr_monkey | mmmmmmmmm, i can't find one |
| 00:17.22 | mr_monkey | no NAT |
| 00:17.33 | puzzled | PyroSteve: yes. you need to forward ports to your SIP clients: 5060 and RTP ports |
| 00:17.46 | mr_monkey | ok, then i will try to fix that problem |
| 00:18.15 | puzzled | mr_monkey: if you find the right settings for your country, please add them to the relevant section at voip-info.org |
| 00:18.17 | PyroSteve | puzzled: thats what I didn't want to hear |
| 00:18.20 | pfn | pyrosteve almost no problems |
| 00:18.24 | mr_monkey | ok |
| 00:18.39 | pfn | there are almost 0 problems with SIP clients behind nat and asterisk behind nat |
| 00:18.39 | gafachi | is anyone familiar with the snom 4s? |
| 00:18.44 | pfn | you just need to set nat=yes and qualify=yes |
| 00:19.03 | pfn | there is sometimes a problem with SIP behind nat when you use a firewall that has an app helper |
| 00:19.11 | PyroSteve | pfn: well thats my setup of my testbed now |
| 00:19.12 | pfn | that can fuck things up royally |
| 00:19.13 | puzzled | PyroSteve: if you use ADSL, get a router that has a built-in SIP proxy or a firewall that can forward SIP/5060 and the RTP ports |
| 00:19.31 | pfn | puzzled sip clients do *not* need SIP and RTP ports forwarded |
| 00:19.34 | puzzled | like the Intertex IX66 |
| 00:19.46 | PyroSteve | im trying to find a simple for roaming users |
| 00:19.47 | pfn | provided that they register |
| 00:19.48 | puzzled | pfn: for incoming calls they do afaik |
| 00:19.52 | pfn | no, they do not |
| 00:20.01 | pfn | it's a function of how UDP works through NAT |
| 00:20.05 | puzzled | if the ports stay open long enough they don't |
| 00:20.14 | pfn | the ports stay open long enough |
| 00:20.22 | pfn | considerably longer than qualify messages |
| 00:21.22 | PyroSteve | I used Xlite on FWD with no problem, and I dont have any fowarding to my client |
| 00:21.30 | PyroSteve | not sure what FWD is using |
| 00:21.33 | PyroSteve | on thier endf |
| 00:21.39 | pfn | doesn't matter |
| 00:21.44 | puzzled | pfn: on my SIP client -> * -> NAT adsl router the ports need to be dorwarded if I want * to register to e.g. sipgate |
| 00:21.55 | puzzled | forwarded even |
| 00:22.15 | puzzled | PyroSteve: FWD uses IAX too. take that one. |
| 00:22.28 | puzzled | PyroSteve: search FWD for the settings |
| 00:23.00 | AgiNamu | asterisk rocks |
| 00:23.08 | puzzled | yes it does |
| 00:23.08 | AgiNamu | I'm using it to get my cellphone back (someone stole it) |
| 00:23.08 | PyroSteve | no no, my point is that I really have problems with SIP clients behind nat trying to work my * server behind another nat |
| 00:23.15 | PyroSteve | the real world * install that im about to do |
| 00:23.30 | PyroSteve | needs users to make calls from where ever |
| 00:23.55 | PyroSteve | now the new * install has the option of using a public ip with no nat |
| 00:23.55 | puzzled | PyroSteve: that is a tough one afaik. check voip-info.org and search for * and NAT for info |
| 00:24.08 | PyroSteve | yeah Ive read that 100000 times |
| 00:25.00 | PyroSteve | i was looking for real world experenice instead of thero |
| 00:25.02 | PyroSteve | i was looking for real world experenice instead of theroy |
| 00:25.20 | puzzled | PyroSteve: putting * on a public IP solves half of the problem. now get your ADSL router to forward the right ports to your SIP clients and hopefully it works |
| 00:25.48 | puzzled | PyroSteve: there is info on voip-info.org how to deal with SIP port forwarding |
| 00:26.45 | kuj | have something like that working here: * behind NAT (even w/ dynamic IP), softclient behind another NAT |
| 00:26.48 | PyroSteve | <PROTECTED> |
| 00:27.23 | puzzled | PyroSteve: by not forwarding the ports back to your client |
| 00:27.26 | kuj | client (x-pro) has nat-keepalive turned on to keep its firewall/nat router open |
| 00:27.33 | puzzled | that's good |
| 00:27.51 | czero | has anyone tired a palm OS based SIP client? |
| 00:28.06 | kuj | * sits behind my own nat router w/ port forwarding enabled |
| 00:28.54 | *** join/#asterisk CowboyIAint (voipnewbie@168.215.181.74) |
| 00:29.26 | kuj | * uses "externip=hostname" in sip.conf, hostname is a dyndns.com name updated/maintained by the router in case IP changes |
| 00:29.44 | CowboyIAint | I'll start off with the fact that I'm totally new to Asterisk so as to allow those a better understanding of my stupid questions. |
| 00:30.30 | gafachi | can a SNOM 4s register to another proxy? |
| 00:31.08 | puzzled | gafachi: if you don't get an answer here, read the Snom manual |
| 00:31.23 | CowboyIAint | with that said, my first question is how do I get a PSTN over to my data network? |
| 00:31.49 | CowboyIAint | virtually that is. |
| 00:32.06 | gafachi | puzzled: thanks, yeah I did... it didnt seem clear.... |
| 00:32.19 | puzzled | CowboyIAint: get a card from digium.com, read everything at voip-info.org, try for 7million hours to get it to wrk, then check back here |
| 00:32.51 | paulc | CowboyIAint: With a VOIP termination provider :-) check nufone.net or voicepulse.com (via the wiki).. or like puzzled says, get some hardware and interface your existing PSTN connections to your * box |
| 00:33.16 | gafachi | it says it will forward register requests, but didnt specifically address initiating a register itself |
| 00:33.16 | CowboyIAint | Thank you paulc, that provides me a point of entry. |
| 00:33.27 | paulc | no problem :) |
| 00:33.31 | dan2 | pfn: ping |
| 00:33.43 | puzzled | pong |
| 00:33.50 | AgiNamu | nothing like wardialing with the "something terrible has happened" and then the monkeys while using Monitor :) |
| 00:34.02 | paulc | LMAO :D |
| 00:34.03 | puzzled | hahahaha |
| 00:34.06 | paulc | you should post those files online :) |