A few more things to add to my desired SOHO FreeSWITCH configuration

Since my last post I’ve spoken some more on #freeswitch and also freeswitch-users and have some ideas of how to implement some of the things I wanted to do on my SOHO PBX setup.

Additionally I’ve also added several other tasks which I think are important. So here is where you can find the updated post: http://blog.wl0.org/voip-configuration-requirement-for-freeswitch/.

I’ve not fully understood the configuration in FreeSWITCH using 2 different ports for internal and external traffic, especially as most SIP systems just use the default SIP port 5060. As such I want to configure FreeSWITCH so it works on a single port rather than using the 2 ports the default configuration uses.

Since the requirements list has become quite long I want to try to document how I get to the final setup in the hope it will allow someone else to do this more quickly than it’s taken me.

If you see a configuration / description of FreeSWITCH behaviour which is wrong, or a better way to implement these features please let me know. This is a learning process for me.

Freeswitch – progress and frustration

I’ve not posted for a while and thought it about time I gave an update on my progress trying to get FreeSWITCH to work.

Bluebox

I previously mentioned that I was trying out Bluebox and it looked promising. I did play around with it for a while but had various issues which I had trouble solving. One of these was due to the way the configuration is stored. Bluebox configuration is stored in a database and then auto-generated. This means that the configuration files have entries for things like sip_interface_1, trunk_1, trunk_2, etc. When looking in the log files this can be a bit confusing as it’s not apparent which “real” entry these names refer to.

I’d suggest that the configuration optionally allows the user to provide their own names so that you can have entries such as the_name_of_my_sip_provider instead.

There were also some configuration issues with registrations and dialing not working as I had expected. To be honest I did get offers of help from some of the Bluebox developers, but did not think it right to expect them to hand-hold me while debugging certain software issues. In the end I could not get Bluebox to work the way I expected and so gave up. That is not to say that Bluebox is bad, but I think it needs to include some more tools to help diagnose the status of various things. After all, if you provide a GUI interface it helps if you also provide some sort of GUI test tools. Perhaps I will try again later and see if some of the issues I had experienced have been resolved.

Back to Manual Configuration File editing

In the end I decided to try again and edit the configuration files manually. I used the Bluebox install iso as a base (running inside vmware) and this time decided before I started to try to write up a requirements document and work through it. That can be found here. I decided to run the configuration inside a vmware guest while I was testing as this keeps the configuration behind my router’s NAT setup and in theory FreeSWITCH is not visible to the outside world so is safe while I learn and adjust the configuration.

The results of doing things this way have been promising but I notice several things which perhaps for a FreeSWITCH newbie may not be ideal.

  • I believe that the default FreeSWITCH logging may be too verbose. This is great for developers who understand all the logging messages and may be looking for a specific log entry but can be rather intimidating for someone who is trying to see if something worked or not and if not why not. For those type of people a less verbose log level may be appropriate, and of course you can later increase logging if you need to get the details of why something is not working as expected. So I’m not sure that verbose logging is ideal for the default freeswitch configuration.
  • xml file breakage. I’ve occasionally edited the xml configuration files incorrectly and when running reloadxml get the frustrating message about a failure to parse the file and some weird line number. Figuring out what entry is wrong and why from this message is quite tricky. I only recently came across some comment saying that the preparsed xml files get written to log/freeswitch.xml.fsxml. This helps a lot as you see the final configuration file generated from the various individual files, but I believe mention of this should be more prominently commented in the various tutorials. It’s easy to miss. That said, FreeSWITCH could at least report the full path of the xml filename where the error is found.
  • Related to the same issue is the fact that, as far as I can see, comments need to be in the format <!-- some stuff -->. It is not clear to me whether white space around these comments is always allowed or only sometimes, as the “xml breakage” I seem to have triggered was often caused by adding several lines of comments as above, often with white space before or after the comments. I did not expect that to make a difference but it seems that in some places it does. I’d love some clarification on this and if it’s possible to make FreeSWITCH’s xml parser slightly more tolerant that would be nice.

Default configuration FreeSWITCH security concerns

Note: the comments here relate to the 1.0.6 version of FreeSWITCH. I’ve tried to build newer versions on my Linux box but the build fails. Checking out 1.0.6 builds without problems but I realise that a lot of changes have happened since. It would be nice to test on a newer version.

The default/sample configuration seems to be very open which is great for learning as a lot of functionality is enabled by default. However, this seems to be a perfect opportunity for SPIT (which seems to be the term used for the equivalent of VoIP SPAM). While the default password for the extensions is configurable in vars.xml it is not apparent that it may be really important that you change this to something really secure. I was working with FreeSWITCH behind a NAT’d router so was pretty relaxed about this, thinking they couldn’t reach the software, as it was not accessible on my public IP address. However, that assumption seems not to be as true as I thought. It seems that registering with an external SIP gateway opens a hole out, but also opens a hole through the firewall to FreeSWITCH. That’s scary and I have not seen it mentioned anywhere.

A few days ago I noticed a lot of FreeSWITCH logging of something apparently trying to dial various international numbers. Looking at the logs it seems that someone had managed to guess one of my extension’s (not a default extension) passwords and was trying to dial out again to various numbers including places like Somalia.  As my configuration was not complete, and the default gateway not setup, this was failing but I was rather horrified at how easily someone could get in.  I was lucky and this could have cost me a lot of money.

I still don’t understand how the attacker found/figured out the extension that was being used to dial out from. Not being a default extension it seems it must have been guessing a large number and finally found one that worked.

However, this really reminded me of a similar situation several years back with sendmail. Before qmail, postfix and several other newer mail servers were popular most UNIX boxes came pre-installed with sendmail. Sendmail is great: you can configure it to do anything but the configuration file is rather complex and hard to really understand. At the time the configuration also assumed that it was fine to resend mail and often sendmail was configured as an open relay.  Newer MTAs (and sendmail too now) are configured with a slightly different attitude: the Internet is hostile and there are lots of people who, if they can, may try to abuse your system.  So now the software is configured to be very restrictive of what mail it will accept and forward.

How does this relate to FreeSWITCH? I’ve seen attacks to my current Asterisk setup (though not successfully) and with the attack of my FreeSWITCH configuration it seems that VoIP software should have something similar. The configuration should be designed to allow the least amount of access necessary and also to have controls in place to mitigate attack attempts.  Things that come to mind are:

  • the external profile should log authentication failures by default
  • FreeSWITCH should have some sort of rate limiting configured, so that someone trying to access FreeSWITCH frequently will trigger this and be ignored for a while, with the issue logged clearly.
  • It should be more obvious how to configure network ACLs for extensions, and these should be configured by default. Postfix by default allows relaying (registering an extension) only from hosts in mynetworks, which by default is the network of the network interface. This can of course be adjusted but is a good safe starting point. FreeSWITCH’s default configuration should perhaps be similar: only allow registrations from clients on my network.
  • It seems that to register the client can use FreeSWITCH’s ip address or domain name.  Once someone outside has figured out where the SIP listener is located it’s quite easy to try to register with different users at the ip address. If you only accept the registration to user@my.domain.com then the attacker has to know what the correct configuration realm is before they can make much progress. That’s much harder for them. So it again seems like a good idea to NOT allow registrations directly to the IP address (at least by default).
  • For trunk connections, if you have a DID number you expect the VoIP provider to call you. In this case it seems good that the example configuration clearly allows you to limit where the incoming calls to that incoming trunk number may come from, and whether they should be password protected or not.
  • Allow rate limiting of calls to a gateway, or from an extension. That’s different to rate limiting registration attempts to a specific extension, or from a specific ip address.  Also allow the configuration and limiting of the number of concurrent connections that may be allowed through a trunk/gateway.

I believe that some and perhaps all of these features are possible in FreeSWITCH but they are not documented explicitly in the default configuration in a way that makes you really take note. It would be helpful if that were addressed. You expect to have a mail server on all unix servers, and they should be secure. Many people using voice software probably expect the same.

Additionally a hacked mail server does not cost you money. A hacked PBX does.

FreeSWITCH cookbook

One thing that I would like to see is a FreeSWITCH cookbook, something that gives examples of lots of different types of configuration and is complete enough to use to solve different tasks that many people using FreeSWITCH may need to get resolved. Like many other cookbooks I’ve seen (for Perl, MySQL) comments on the how and why help understand things better. This could be part of the existing FreeSWITCH book, though perhaps a separate book would be more appropriate.

The FreeSWITCH configuration files are complex and there are many of them. I think this is part of what makes the software hard to follow for someone who is not using it on a day to day basis. Compare that with Asterisk which basically has 2 configuration files you are going to change: sip.conf and extensions.conf. FreeSWITCH has many more. This is why I think that you see a lot of people playing with Asterisk: its configuration is reasonably straightforward to understand and doing the basics is quite simple. From there you can hack away adding things that you want to improve. So a FreeSWITCH cookbook would be great. It could mention many of the things that I’ve mentioned in this post, but others, such as some of the ones I mention below, are issues I’m still working on resolving:

  • how to setup dialing to a trunk with a fallback trunk if the call fails.
  • common voicemail setups
    • set different languages for different extensions
    • set different languages for an outside caller depending on how he dials FreeSWITCH (which incoming DID number is used)
    • setup of a common voicemail mailbox (typical in a SOHO environment) shared by various extensions
  • how to setup FreeSWITCH in a new language (what’s required to make this work). FreeSWITCH seems to come with English and Russian and there are some external non-free language sound files, but from what I can see no more free ones. Can we “hack” or use a set of Asterisk sound files (using as many of them that “match”) in the meantime, as Asterisk has sound support in many more languages? A short guide of what is wanted, or perhaps some sort of fundraising to build these, would be nice. I’d be willing to donate something if this were coordinated by the FreeSWITCH developers. If I could figure out what is needed then I may do this myself. My specific interest is in Spanish, but it would be nice to have some “British English” sound files. Not strictly necessary of course but would be nice.
  • How to change the dial tones to sound like different countries. I live in Spain but have never really figured out how to change the dial tones to match what my family members expect to hear. Though I think that the default setup seems to match pretty closely, it would be nice to match this properly. Again, specific examples for different countries are useful for everyone.
  • Setting up the equivalent of Asterisk’s macros. I’ve seen in several places that I’d like to do the same thing and can’t figure out how to do what I’ve done in Asterisk which is setup a macro to parameterise the functionality. Something as simple as:
    • dial_gateway(gateway_name,gateway_name_file,number_to_call) which makes my configuration
      • say “using gateway <gateway_name>” (taken from some wmv files)
      • set up recording of the call
      • dial the number via the specified gateway
    • for calls to an extension(extension_number,language)
      • ring for a while and if picked up, setup recording and answer
      • if not picked up redirect to voicemail (in the appropriate language)

These are just some examples of things which it seems need to be grouped together as common functionality and so far I have not figured out how to do this in FreeSWITCH short of duplicating the configuration for each extension or trunk.

Summing up

In the meantime I am going to try and figure out how to tighten down my configuration so that it feels safe. Having seen various attack attempts and one that partly succeeded I really want to be able to trust the configuration to not be the cause of a large bill at some time in the future. I like FreeSWITCH and would not have persevered with it if I did not think that the software is good. It just seems to me that the documentation, while available, is not there in a form which many of us can digest easily. The FreeSWITCH 1.0.6 book has been very helpful but I believe it needs to cover more detail than it does now, perhaps in a second edition. I think that more and better documentation will encourage more people to use this software. Sometimes I wonder if I am the only one who finds FreeSWITCH tricky to configure.

BlueBox GUI for FreeSWITCH looks very promising

(NOTE: If you’ve come here from http://planet.mysql.com my apologies. I’ve notified them to only follow my database related posts and hope they’ll not follow my full blog feed shortly.)

I recently came across a new site which offers a GUI configuration tool for FreeSWITCH.

Despite buying the FreeSWITCH 1.0.6 Book which is a very good read and playing a bit with the config files I’ve not found hand editing the native xml configuration files that intuitive.  This is probably because I don’t have enough spare time now to look at these things or participate in the freeswitch mailing list.

Anyway, I found BlueBox which seems to solve this nicely. The project seems quite new but as far as I can see the interface and usability is pretty good. This is basically similar to something like trixbox for Asterisk. Bluebox makes things easy by providing a downloadable custom install image based on CentOS 5 and that gives you an empty PBX. While things are not yet quite working for me it does seem quite easy to add extensions (devices), trunks (gateways for calling outside) and then configure behaviour of voicemail, and for example whether you record incoming or outgoing calls. So this is nice, certainly nicer than doing this all by hand. However, it’s not quite working yet so I need to do further investigation to see why. Probably a mistake my end, a misunderstanding of the required input data or similar.

This project looks quite new and I have seen a couple of issues so far:

  • I attempted to install bluebox on vmware. Thinking this is just a PBX I only gave the vmware guest 512 MB of RAM. This was too little as I see that FreePBX uses 235 MB, Apache nearly 330 MB and MySQL (which stores the configuration) 240 MB. For a SOHO setup like mine that seems a lot.  Configuring the guest with 512MB does make the GUI a bit sluggish which is not helpful so I hope that bluebox will at least state the requirements more clearly and if possible figure out how to reduce the memory footprint (my current Asterisk setup uses 500MB with 80MB resident but the OS has plenty of memory spare).
  • Perhaps not surprisingly many PBX systems like this provide a default set of routes which look normal when used in your own country. The problem is the world is not as simple as this, or consistent with its numbering, so if you live somewhere else all these helpful initial routes are useless and you need to build your own. I’ve put in a ticket which is intended to address this for bluebox and give optional routes if based in Spain where I live. Hopefully, the bluebox people will accept this and people who live in other countries can supply equivalent routes, thus making the initial configuration simpler for newbies like me. See BLUEBOX-221.
  • It’s possible to define more than one route to the same destination via different trunks. Currently it doesn’t seem possible to prioritise which of these should take preference though you can define that if a route fails to try another one. I’d like to see a way to prioritise the order in this case as one route may be less reliable but cheaper and so a good first choice option to try.

I’m sure these issues will get addressed one way or another and must admit to a very good first impression of Bluebox. I’m hoping to clear up my current mis-configurations shortly and thus be able to test behaviour and see how things go. Hopefully this will also allow me to look at the generated configuration files and see better how to configure FreeSWITCH in the future.
I’ll let you know how I get on.

Updated: 2010-11-13

Other thoughts which come to mind are:

  • The bad thing about GUIs is that debugging problems means the person reporting the problem needs to describe the problem very well, or better still provide screen shots of what is going on. Bluebox is going to have the same issue. I’d suggest that if possible some debug option is provided which will at least save the configuration and logging (excluding password information) so that people who are trying to help can see what is going on. This certainly helped the MySQL support people who had to help me debugging several Merlin problems.
  • I believe the bluebox configuration is completely stored in the database. That’s good as it potentially allows more flexibility. One thing I notice from the current configuration is the configuration generation uses names like location_1, sipinterface_1, trunk_1, etc.  These names are logical from the point of view of the configuration generator, but not from the point of view of someone looking at their own code. So I’d suggest that for many of the configuration options like Trunks, SIP Interfaces, Locations etc that it’s possible to provide an “identifier type name” which if provided would substitute the less readable default tags. This perhaps requires a bit of work but would help someone trying to understand their configuration files.
  • The URL to adjust your location bluebox/index.php/locationmanager/edit/n provides fields for “Location name” and “Domain Name”. It might be clearer to label this Domain Name/Realm, which is what is shown in bluebox/index.php/locationmanager/index. See BLUEBOX-224.

Vigor2820n 3.3.4 firmware upgrade also breaks SIP registrations

A few days after writing my last post about problems after upgrading my ADSL router’s firmware I also noticed that my VoIP connections were not working properly. I have several SIP providers and after a day or so of using the new firmware the SIP registrations to my providers started failing.  Initially I thought this was caused by my ISP as not all registrations seemed to be affected. I have not changed my Asterisk configuration in some time and did not associate the problem with the change in router firmware as everything else seemed to work fine.

The asterisk logging showed:

[Oct 15 02:12:04] NOTICE[3329] chan_sip.c:    -- Registration for '....@xxxxxxxxxx.com' timed out, trying again (Attempt #5)
[Oct 15 02:12:24] NOTICE[3329] chan_sip.c:    -- Registration for '....@xxxxxxxxxx.com' timed out, trying again (Attempt #6)
[Oct 15 02:12:44] NOTICE[3329] chan_sip.c:    -- Registration for '....@xxxxxxxxxx.com' timed out, trying again (Attempt #7)

A router reboot fixes the problem but it does come back again. Rebooting a router on a daily basis is not something I really want to do or think should be necessary.

I’ve reported the problem to Draytek support so will see what they say. In the meantime I see they’ve posted a 3.3.4.1 version of the firmware so perhaps this is one of a few known problems. Let’s see if this latest version solves my problem.

Update 25/10/2010

In spite of the upgrade to 3.3.4.1 I still notice the same problem:

[Oct 25 07:56:43] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6898)
[Oct 25 07:56:56] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5151)
[Oct 25 07:57:03] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6899)
[Oct 25 07:57:16] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5152)
[Oct 25 07:57:23] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6900)
[Oct 25 07:57:36] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5153)
[Oct 25 07:57:43] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6901)
[Oct 25 07:57:56] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5154)
[Oct 25 07:58:03] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6902)
[Oct 25 07:58:16] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5155)
[Oct 25 07:58:23] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6903)
[Oct 25 07:58:36] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5156)
[Oct 25 07:58:43] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6904)
[Oct 25 07:58:56] NOTICE[19553] chan_sip.c: -- Registration for '123456789@voip-provider1.com' timed out, trying again (Attempt #5157)
[Oct 25 07:59:03] NOTICE[19553] chan_sip.c: -- Registration for 'myaccount@voip-provider2.com' timed out, trying again (Attempt #6905)

So looks like I’m going to have to revert back to 3.3.3.

Asterisk attack

There was a lot of talk about this being the next menace after email spam. I’m not actually sure what it’s called for VoIP systems, but my Asterisk setup has started to be attacked over the last few days. Lots of entries like:

[Aug 27 19:20:30] NOTICE[18826] chan_sip.c: Registration from '"742"<sip:742@a.b.c.d>' failed for '208.109.86.187' - No matching peer found
...
[Aug 31 10:13:10] NOTICE[18826] chan_sip.c: Registration from '"1002" <sip:1002@a.b.c.d>' failed for '41.191.224.2' - Wrong password

Lots of messages get logged every second, and I noticed this because the CPU load on my PC suddenly jumped up quite a bit.

For the moment I’ve routed these addresses via the interface lo0 so they won’t bother me any more, but I need to come up with a better solution.

First I’m curious if applications like Asterisk or FreeSWITCH have any built-in anti-abuse controls to recognise bad behaviour and to disable those abusers. I’m pretty sure that I’ve not read about anything for Asterisk, and I’m currently reading the FreeSWITCH book I bought but haven’t come across this mentioned yet. Seems that applications like this may need to have these controls added at some time, just as sendmail, postfix and most mail servers have had to adjust to a hostile world.

The other option of course is to use a firewall or packet filter to limit the incoming traffic rate from a single IP to port 5060, or wherever the SIP connection is being accepted, so that when going over the limit the IP will be blocked for some time. iptables can do this I think so I’m going to have to read about how to configure and set that up.

There are other applications designed to watch logs and use them to automatically add temporary blocks. fail2ban is one of these. I’ll also have to see if I can configure it for this task.

So if this has happened to you how do you protect your VoIP systems from that hostile world of the Internet?
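A defender’s version of what fail2ban would do with log lines like the ones above, written as an added example (it is not the post’s own code, nor code from Asterisk, fail2ban or iptables): it pulls the source address out of each failed-registration line, counts failures per address, lists the addresses at or over a threshold, and prints the iptables rule that would drop their SIP traffic. The rate-limit rules at the end use the iptables `recent` match as one way of doing the per-source limiting the FreeSWITCH wish list earlier on this page asks for. The log lines are constructed in the chan_sip format quoted in this post, using RFC 5737 documentation addresses; the function names and thresholds are the example’s own, and the rules are printed rather than applied.

```sh
#!/bin/sh
# Added example: count failed SIP registrations per source address in
# Asterisk chan_sip log lines and derive block / rate-limit rules from them.
# Everything here (log lines, function names, thresholds) is constructed for
# the example; the addresses are RFC 5737 documentation ranges.

# Constructed sample log, in the format the post quotes. Six failures:
# three from 203.0.113.10, two from 198.51.100.7, one from 192.0.2.20,
# plus one successful registration that must not be counted.
sample_log() {
    cat <<'EOF'
[Aug 27 19:20:30] NOTICE[18826] chan_sip.c: Registration from '"742"<sip:742@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:30] NOTICE[18826] chan_sip.c: Registration from '"743"<sip:743@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:31] NOTICE[18826] chan_sip.c: Registration from '"744"<sip:744@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:31] NOTICE[18826] chan_sip.c: Registration from '"1002" <sip:1002@a.b.c.d>' failed for '198.51.100.7' - Wrong password
[Aug 27 19:20:35] NOTICE[18826] chan_sip.c: Registration from '"1002" <sip:1002@a.b.c.d>' failed for '198.51.100.7' - Wrong password
[Aug 27 19:20:40] NOTICE[18826] chan_sip.c:    -- Registered SIP '1001' at 192.0.2.20:5060
[Aug 27 19:20:41] NOTICE[18826] chan_sip.c: Registration from '"1001" <sip:1001@a.b.c.d>' failed for '192.0.2.20' - Wrong password
EOF
}

# failed_registration_ips < log -> one source IP per failed registration line.
# Only lines with "Registration from ... failed for '<ip>' - <reason>" match,
# so successful registrations and other notices are ignored.
failed_registration_ips() {
    sed -n "s/.*Registration from .* failed for '\([0-9.]*\)' - .*/\1/p"
}

# failures_per_ip < log -> "count ip" lines, most failures first
failures_per_ip() {
    failed_registration_ips | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD < log -> addresses with at least THRESHOLD failures
offenders() {
    failures_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# drop_rule IP -> iptables rule dropping further SIP (UDP 5060) traffic from IP
drop_rule() {
    echo "iptables -I INPUT -s $1 -p udp --dport 5060 -j DROP"
}

# rate_limit_rules MAXHITS SECONDS -> two iptables rules using the "recent"
# match: a source that sends more than MAXHITS SIP packets within SECONDS is
# dropped until it quietens down. The "update" rule must precede the "set"
# rule so every packet both refreshes the timestamp and is checked.
rate_limit_rules() {
    echo "iptables -A INPUT -p udp --dport 5060 -m recent --name sip --update --seconds $2 --hitcount $1 -j DROP"
    echo "iptables -A INPUT -p udp --dport 5060 -m recent --name sip --set"
}

# Report: who is hammering the registrar, and what we would block
sample_log | failures_per_ip
sample_log | offenders 3 | while read -r ip; do
    drop_rule "$ip"
done
rate_limit_rules 20 60
```

The threshold is deliberately a parameter: a phone with a mistyped password also produces "Wrong password" lines, so a low threshold blocks your own devices. A real deployment would also log the decision somewhere visible, which is the point the FreeSWITCH wish list makes about logging authentication failures by default.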

Getting tc(8) to work for me with Linux with SIP/IAX

In Thoughts on VoIP and achieving good call quality I was still trying to figure out how to configure the outbound prioritisation of traffic on my Linux box to favour VoIP using tc(8). Finally I’ve had time to try and figure it out and as far as I can see it helps a bit.

Just a reminder of the problem.

My linux box runs Asterisk, but is also a web and mail server, runs NFS, etc. That means that sometimes it’s busy sending traffic which is not VoIP traffic. As a result, during a voice call, even though the bandwidth in my LAN is sufficient for all of this, some of the voice traffic may get delayed, affecting audio quality. It’s also worth noting that Asterisk accepts calls from my voip phone and then resends the call to the final destination which may be an internal PSTN gateway or an external VoIP provider. This double call issue means that any VoIP delays may get accentuated.

From the previous article I successfully checked that the voip traffic generated by Asterisk and my voip phones uses the dscp values EF for RTP voice traffic and CS3 for call signalling. Unfortunately my Siemens C470IP uses AF31, so this needs to be taken into account too.

I came across a few different posts about setting up tc(8) but none of them seemed to fit my situation. Some people configure it on a linux router and manage the bandwidth that way, others try to do the prioritisation based on ip port filtering. With RTP this does not work very well and besides it seems that if you want to implement QoS it’s best to try to do it consistently one way.

So I modified a script I found which almost seemed to do what I needed, and basically did the following:

  • Convert the 3 DSCP values into decimal
  • Multiply them by 4 as there are 2 bits to the right within the ToS byte
  • Convert that number to hex

That gave me the following values

Next, to match this properly in the tos byte we need to match the first 6 bits, as the last 2 are used for ECN.

See this link which shows the relation between DSCP and ToS bits.

Hence for tc(8) I need to use a byte mask of 0xfc.
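The three-step conversion above, worked through as shell functions. This is an added example, not part of the original post or its script: it computes the codepoint for any CSx/AFxy name (the general rule of which CS3 and AF31 are two instances), shifts it left past the two ECN bits, and emits the tc u32 match with the 0xfc mask. The function names and the interface name eth0 are the example’s own; the tc commands are printed, not run.

```sh
#!/bin/sh
# Added example: DSCP name -> ToS byte value and mask for "tc ... u32 match ip tos".
# Not from the original post; function names and eth0 are the example's own.

# dscp_codepoint NAME -> decimal DSCP value
#   CSx  = x*8         (class selector, RFC 2474)
#   AFxy = x*8 + y*2   (assured forwarding, RFC 2597)
#   EF   = 46          (expedited forwarding, RFC 3246)
#   BE/DF = 0          (default)
dscp_codepoint() {
    case "$1" in
        CS[0-7])      echo $(( ${1#CS} * 8 )) ;;
        AF[1-4][1-3]) af=${1#AF}; echo $(( ${af%?} * 8 + ${af#?} * 2 )) ;;
        EF)           echo 46 ;;
        BE|DF)        echo 0 ;;
        *)            echo "unknown DSCP name: $1" >&2; return 1 ;;
    esac
}

# dscp_to_tos NAME -> the ToS byte as hex: the DSCP shifted left two bits
# ("multiply by 4") so it sits above the two ECN bits
dscp_to_tos() {
    cp=$(dscp_codepoint "$1") || return 1
    printf '0x%02x\n' $(( cp << 2 ))
}

# Mask keeping the six DSCP bits (11111100) and ignoring the two ECN bits
TOS_MASK=0xfc

# tos_carries_dscp TOSBYTE NAME -> succeeds if the byte's DSCP bits equal
# NAME whatever the ECN bits hold, i.e. 0xb8, 0xb9, 0xba and 0xbb are all EF
tos_carries_dscp() {
    [ $(( $1 & $TOS_MASK )) -eq $(( $(dscp_codepoint "$2") << 2 )) ]
}

# tc_dscp_filter IFACE NAME -> the tc command that steers NAME into band 0
# (flowid 1:1, highest priority) of a prio qdisc with handle 1:
tc_dscp_filter() {
    tos=$(dscp_to_tos "$2") || return 1
    echo "tc filter add dev $1 protocol ip parent 1: prio 1 u32 match ip tos $tos $TOS_MASK flowid 1:1"
}

# The three codepoints the post needs: RTP voice (EF), signalling (CS3) and
# the Siemens phone's AF31
for name in EF CS3 AF31; do
    printf '%-5s dscp=%-3s tos=%s\n' "$name" "$(dscp_codepoint "$name")" "$(dscp_to_tos "$name")"
    tc_dscp_filter eth0 "$name"
done
```

Matching with the 0xfc mask rather than an exact byte matters in practice: a phone or kernel that sets ECN bits produces ToS bytes such as 0xb9 or 0xba for EF traffic, and an exact match on 0xb8 would silently leave those packets in the low-priority band.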

The remaining script which I use is shown below and basically assigns all traffic to a low priority queue and then matches these 3 DSCP values, putting them in queue 0 (highest priority).


#!/bin/sh
#
# Taken from: http://www.howtoforge.com/voip_qos_traffic_shaping_iproute2_asterisk
# and adapted to filter by DSCP values EF, CS3 and AF31 (due to a Siemens
# voip phone not using the right dscp value).
#
[ -n "$DEBUG" ] && set -x
myname=$(basename "$0")

start () {
    # Three-band prio qdisc. The priomap sends every packet to band 2 (the
    # lowest priority) unless one of the filters below reclassifies it.
    tc qdisc add dev "$interface" root handle 1: prio priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

    # Adjust each queue so they themselves have some queuing discipline:
    # This gives the first queue a supposed capacity of 3000 packets. In
    # reality, the size will be 128 packets as it is hard coded in the tc
    # program as being the maximum size possible.
    tc qdisc add dev "$interface" parent 1:1 handle 10: sfq limit 3000
    tc qdisc add dev "$interface" parent 1:2 handle 20: sfq
    tc qdisc add dev "$interface" parent 1:3 handle 30: sfq

    # Simon's thoughts: the DSCP value is shifted left 2 bits (4x) to sit in
    # the ToS byte, and matched with mask 0xfc so the two ECN bits are ignored.
    #        decimal  binary   4x   hex   bitmask
    # CS3     24      011 000   96  0x60  0xfc
    # EF      46      101 110  184  0xB8  0xfc
    # AF31    26      011 010  104  0x68  0xfc

    # Steer the three DSCP values into band 0 (flowid 1:1, highest priority)
    tc filter add dev "$interface" protocol ip parent 1: prio 1 u32 match ip tos 0x60 0xfc flowid 1:1
    tc filter add dev "$interface" protocol ip parent 1: prio 1 u32 match ip tos 0xb8 0xfc flowid 1:1
    tc filter add dev "$interface" protocol ip parent 1: prio 1 u32 match ip tos 0x68 0xfc flowid 1:1
}

# To see some statistics
status () {
    tc -s qdisc ls dev "$interface"
}

# To remove your queues and return to the normal state
stop () {
    tc qdisc del dev "$interface" root
}

interface=eth0

case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo "Usage: $myname {start|stop|restart|status}"
        ;;
esac

This now seems to configure the interface giving VoIP traffic (IAX and SIP in my case) higher priority than everything else.

Work to do is to figure out how to recognise peer to peer traffic for when I download ISO images and drop those into a lower queue than the other ssh, smtp, http traffic that the server is doing. That however is not a concern for the voice traffic.

Thoughts on VoIP and achieving good call quality

I spoke about the problems I was having with achieving good VoIP call quality some time ago. In spite of many tweaks the problems had not been going away.  I changed my ADSL router for one that includes QoS, hoping this would help solve the problem. However, it has not entirely done that.  I have basically been having a problem that some calls seemed to work fine, but others would have occasional delays which would ruin the voice experience.

So I decided to read up again on Quality of Service. It’s interesting that for most home users there is not a lot of documentation, or that it is incomplete. One good reference is Cisco’s Enterprise QoS Solution Network Design Guide. Not light reading but it’s pretty complete and certain things started to stand out:

First my Vigor 2820n ADSL router does support QoS but ONLY for traffic going out of the ADSL interface. I have 3 voip devices excluding my PC which runs Asterisk so a lot of the VoIP traffic is on my LAN. It suddenly became clear. There was no QoS taking place on the LAN.

While obvious to the professionals who play with this, QoS is something you only control for “outbound” traffic. That is where you have to focus. So looking at my setup it became clear that I needed to apply QoS in more than one place:

  • on my Asterisk PC for outgoing VoIP traffic to external VoIP providers but also to my VoIP devices on my LAN
  • on my ADSL router for external VoIP calls
  • on my switch for LAN traffic. I actually bought some time ago a DLINK DES3010F 8-port managed switch which included QoS support. This needed configuring too.

Of course this required 3 completely different sets of configuration.

  • The documentation on my DLINK switch is ok, but it has many different options and does not provide good examples of how to implement QoS.
  • Linux uses tc. There are various tutorials but it is a bit of a pain to use and is not that intuitive.
  • The Vigor router’s configuration is not too bad, and it helped a lot once I realised that the QoS applied only to the outbound ADSL interface and not to the LAN. It would have been nice if the documentation were clearer.

Then I came across another thing. To configure QoS you need to decide which traffic gets the appropriate tagging for prioritisation. I’m still using IAX and SIP in Asterisk, though I’d like to move over completely to SIP to simplify things. SIP is easy: it normally runs on a single port. The same is true of IAX.

RTP on the other hand, which is the protocol that carries the voice traffic, does not seem to have any recommended port range. As a result it became clear that my Asterisk configuration used one port range, my Linksys devices used another and my Siemens C470IP yet another. For configuring QoS on the RTP streams that is not helpful. Configuring based on port ranges is probably not the best way to go but seems the easiest initially. Ideally the applications all need to tag their traffic correctly so that the PC, router and switch can prioritise it.

Finally of course Quality of Service is explained in different ways: DiffServ uses one terminology and ToS another. This can be confusing if you are playing with this for the first time and do not have a good guide to help.

So I’ve modified the switch and the router (perhaps not in the best way) and also the PC with tc, and now the voice quality seems to have improved quite a bit. I still need to tweak this further, but it’s complex, and for most home users if you get this wrong or do not do it at all your voice quality can drop considerably.

So if you are having trouble with voice quality on a SOHO voip system and have internal voip devices take a look at this. It might be the cause of the issue and nothing to do with the hardware you are using.

Update: 03-05-2010

Since writing this I thought I’d update the configuration. Based on the Cisco document I wanted to configure all voice traffic to dscp EF and call signalling to CS3.

I used wireshark to look at the traffic generated by each device and saw that my Gigaset C470IP sends signalling using the AF31 (the document mentions that some devices use this value rather than CS3) so I needed to adapt the configuration to take this into account.

Below are the changes I made.

DrayTek Vigor 2820N

Draytek Quality of Service configuration (screenshot)

DLink DES3010F

The DLink switch required a few tweaks.

Then set the dscp values for EF (46), CS3 (24) and AF31 (26) to go to the highest priority (Class-3) queue.

This tells the switch to apply the dscp priorities.

Your setup may need more configuration but this seems to work if you only want to prioritise voip calls above everything else.

Asterisk

The following settings were needed in asterisk (1.4)

/etc/asterisk/sip.conf

/etc/asterisk/iax.conf

With the current configuration I see that much incoming SIP and RTP traffic does not have the DSCP values correctly tagged. Perhaps my ISP is filtering this? The end result is that the switch will not correctly prioritise the incoming traffic and so I may suffer dropped packets. I’m not yet sure if there’s a way to fix this, as the place to do it would be in the ADSL router, and I don’t see that the Draytek has any way to set the DSCP values based on incoming traffic properties like destination port.
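As an added example (not the author's configuration), here is an sh script that turns the DSCP values used above (EF 46, CS3 24 and AF31 26) into the tc classification for a Linux box such as the Asterisk PC, and shows how the DiffServ code point maps onto the ToS byte that tc's u32 matcher expects. The interface name eth0 and the use of a 3-band prio qdisc are assumptions; nothing is applied unless QOS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: classify DSCP-marked VoIP
# traffic on a Linux host with tc. Assumed: LAN interface eth0 and a
# 3-band prio qdisc where flowid 1:1 is the highest-priority band.
# Run without QOS_APPLY=1 the script only prints the commands it would run.

IFACE="${IFACE:-eth0}"

# DiffServ and ToS describe the same IP header byte: the 6-bit DSCP sits in
# the top bits, so the ToS value seen by tc's u32 matcher is DSCP << 2.
dscp_to_tos() {
    printf '0x%02x' $(( $1 << 2 ))
}

# Emit one tc filter that steers a DSCP value into a prio band.
# The mask 0xfc ignores the two low ECN bits so they cannot spoil the match.
tc_filter_cmd() {
    dscp=$1
    flowid=$2
    printf 'tc filter add dev %s parent 1:0 protocol ip prio 1 u32 match ip tos %s 0xfc flowid %s\n' \
        "$IFACE" "$(dscp_to_tos "$dscp")" "$flowid"
}

# Full command list: EF (46) voice plus CS3 (24) and AF31 (26) signalling
# all go to band 1:1; unmarked traffic falls through to the default bands.
qos_commands() {
    printf 'tc qdisc add dev %s root handle 1: prio\n' "$IFACE"
    tc_filter_cmd 46 1:1
    tc_filter_cmd 24 1:1
    tc_filter_cmd 26 1:1
}

if [ "${QOS_APPLY:-0}" = "1" ]; then
    qos_commands | sh -x      # needs root: actually installs the qdisc and filters
else
    qos_commands              # dry run: show what would be applied
fi
```

Traffic the switch or router does not re-mark on the way in (the case noted above for incoming SIP and RTP) will not match these filters, so this only helps for packets the host itself sends or that arrive already tagged.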

Things to consider when building a home VoIP system

Over the months that I’ve been playing with VoIP I’ve come to the conclusion that there are many things that are not that obvious but which certainly need considering when you setup a VoIP system even at home.

The Dial Plan

It’s interesting, but the dial plan is not something I see mentioned as the first thing you should think about. It is however so important.

For those of us playing with Asterisk or Freeswitch this really should be something that’s thought about quite carefully. My home phone system is setup in such a way so that my wife really doesn’t notice that our phone is not actually talking directly to the phone line. That’s probably the way it should be as otherwise it’s just confusing and silly and upsets her that I’m playing with her way to talk to friends and family. In her opinion it should just work and no differently to normal.

Of course installations of Asterisk or Freeswitch come with their own default dial plan so you can see how features work. However if you’re going to use this software this really needs to be adjusted so that it works for you.

Most of the example dial plans of course don’t fit non-US countries, and since I’ve been living in the Netherlands and am now back in Spain it’s important to ensure that you can dial certain numbers. So now this is as follows:

  • 00XXXX. international calls
  • 010 Madrid town hall
  • 061 Medical Emergencies (InSalud)
  • 062 Guardia Civil (military branch of police force)
  • 091 National police
  • 092 Local police
  • 1004 Telefonica help number (free)
  • 10NN direct dial via another telco
  • 112 emergency calls (almost never used, not good to test, but should be setup)
  • 6NNNNNNNN Spanish mobile numbers
  • 7NNNNNNNN personal numbers
  • 800NNNNNN Freephone numbers
  • 8NNNNNNNN Spanish fixed line numbers (new)
  • 900NNNNNN Freephone numbers
  • 901NNNNNN “local” rate numbers
  • 902NNNNNN more expensive than local rate numbers
  • 90[567]NNNNNN peak rate numbers ?
  • 9NNNNNNNN Spanish fixed line numbers

Although this list is not complete you get the idea. The point is that if you want to make Asterisk or Freeswitch usage transparent then you need to set up a dial plan to allow local users to dial these numbers. They also get very upset if trying to dial a normal number simply does not work. So try to avoid this frustration.

Internal Extension numbering

Internal extensions are another issue. What range do you use? Freeswitch supplies as an example 4-digit extensions beginning with 1. Looking at my dial plan above this will not work.

Instead I chose to use 2XX as the internal extensions. I don’t expect to have 100 phones and I can also set up a few fast dial numbers in this range. It also allows me to connect from the Internet when I’m not at home and still use my own phone system. That’s nice.

Then of course we want to have a mailbox system of some type and we need to reach it. I chose 500 to get there. That fits my plan.

So these things really are quite necessary to look at before you even begin. It also probably requires you to delete the default dial plans after doing initial testing so it doesn’t do things that you don’t expect.

Connecting to the PSTN

Outgoing calls using the above dialplan need to work. Since I’ve bought a Linksys SPA3102 I use it for dialing out through my PSTN line. While this is a nice piece of kit it’s really a bit of a pig to configure. It took a while to get things working, though now it does.

Incoming calls go to ALL extensions

So far so good. A difference with normal phone switchboards is that at home you normally want incoming calls to go to ALL extensions, not just to one specific phone. (I have four.) That led me to explore Asterisk queues and, rather than forward incoming calls to a specific extension, to forward them to a queue which would then call all extensions. This idea isn’t mentioned on any sites that I’ve seen, yet on a home system it seems like a good thing to do. It’s also what most people expect at home.

Setting up Alternate VoIP gateways

Once you get this far you’re doing pretty well. This is where I started looking at making cheaper calls through different SIP provider accounts. This can be quite important, especially for me where I talk to family who live outside of Spain. While trying out different providers it has become quite clear that some providers do give a better service than others. They may be a bit more expensive, but if the service does not work some of the time I’m rather reluctant to use it. That just irritates my wife so is best avoided. So again another clear recommendation: test your VoIP providers thoroughly and at different times of the day. The service they provide may vary and may not always be what you expect.

The other option which you may want to do is simply route some of your calls through a different telco provider through your PSTN line. That’s quite easy to do in either Asterisk or Freeswitch. Add the telco’s prefix and then dial the number through the PSTN connection as normal.

Do you need a DID number?

Having a DID number is quite a handy thing. DID (Dial in Direct) numbers are just normal landline numbers but of course do not need to be for the area or country where you live. Many VoIP providers offer these, usually at a small monthly charge. I found Localphone.com who are quite nice, as they don’t charge you for the DID number, and that does mean that you can have a number in a foreign country which allows perhaps relatives or friends to call you at what is a local rate for them and no cost for you. If you call out through the provider you pay the local rates and that’s fine. I have a DID number to allow me to receive calls from my parents in the UK and another one to allow me to make and receive calls to friends in the Netherlands.

Now which of these connections is the best one to use?

The final problem. After playing with different providers you suddenly start to realise that this is pretty hard to manage. If you look at all the different prefixes in the dial plan and have more than one potential provider you suddenly see that the price differences may be quite small. They may also change. If they change you may end up using the wrong dial plan and paying more than you need to.

This problem is something that I’d like to resolve, but in a neat and tidy way. I’d like to have some sort of least cost dialing that would be able to collect the call rates to different locations offered by different providers, work out which is the cheapest plan and then route the call out through that provider. Doing this by hand is fiddly. I don’t yet know of any add-on software which does this. While most VoIP providers do give you their call rates they don’t provide them in a format which you can use directly. They often just quote a rate for each country and perhaps mobile and fixed rate calls. Often special numbers like freephone numbers in a foreign country aren’t allowed, and it’s not an issue of the price. They simply don’t work. That can be frustrating.

So these are some of the things that need attention when you make your first steps into setting up a VoIP system. None of them are technical issues, but more operational or practical issues which need to be considered, if not initially then later in the setup process. They are however often things that don’t seem to be clearly mentioned in many articles, where they are normally assumed to be known or thought out already. I guess if you are building a system to sell to a company then they probably have been thought out, but many of us who are playing with this software may not consider them carefully enough.

This is what I’ve come across.

Have you had similar experiences or have they differed significantly from mine?

Discovering the cause of Asterisk jitter delays…

I’ve been running Asterisk pretty successfully for a few years now. Successfully in the sense that I have it configured to talk to my Linksys SPA3102 for making outgoing calls and receiving incoming calls from my local telco operator. I also have a DID number in the Netherlands which I still use for my visits there on business and also to talk to friends. Other international calls I route out through various VoIP providers. And all is routed via Asterisk using a Linksys SPA941 “hard IP phone” and a PAP2T connected to a cordless DECT phone. So all was fine?

Well no. I’ve been plagued for months with an issue I couldn’t resolve. My wife complained (rightly) that the phone calls had an unnaturally long delay when talking to people which made the conversation much more difficult. If you tried to interrupt someone who was talking they didn’t hear you immediately and this broke up the flow of conversation completely.

So I looked at the Asterisk config and tweaked this and that. It didn’t seem to help. I looked on Google for complaints from others of similar symptoms but to be honest couldn’t really find the cause. There were some comments that referred to Asterisk RTP config being inflexible and requiring making adjustments on the ATA I was using but to be honest this didn’t make much difference.

I’ve been tempted to try and switch to another VoIP product like Freeswitch but that’s harder to configure (mainly through lack of experience with it, even if it looks promising).

Finally it seems (and I’m still not 100% sure, though the signs are promising) that the problem is something as simple as the SPA3102, PAP2T and SPA941’s default configuration having a high network jitter setting. This is to improve things on an Internet based VoIP call. However it adds loads of extra latency, and if the phones are connected directly to Asterisk this default configuration adds a lot more latency than you would expect: latency from the phone to Asterisk and then latency from Asterisk to the PSTN number (via the SPA3102), the combination being enough to destroy the usability of the call.

I’ve changed this now to low network jitter and the results are promising, but I’m surprised not to have seen this problem mentioned in the Asterisk books I’ve bought, nor in the various forums and mailing lists I’ve been following.

So if you find that you have real problems with latency and you think it may be the PC, or it may be Asterisk, then take a look at the soft or hard phones you are using and check the jitter configuration, at least on the Linksys products. This might make a huge difference and may make your system usable.

Who has a VoIP PABX at home?

The “techies” who have been using Internet for ages do a wide variety of things. It just seems to me that few people use VoIP except for the simple stuff. Is that really so?

I’ve been using Asterisk for some time. I currently live in Spain. My parents live abroad, and for five years I was living in the Netherlands. So even if national calls aren’t expensive, saving costs on international calls was something I was interested in. I’ve still got a couple of DID numbers in other countries which make it easier for me to be reached by family and friends. I use both IAX and SIP, the latter being more of a pain to configure for home use behind a NAT router with one IP. My own landline is linked to Asterisk too.

When I talk about VoIP to other friends and colleagues I seem to be the only one using VoIP in this way. I’m not sure why that is. Those who I know that have played with VoIP have a single account, not connected to their telephone line, and they use that mainly for cheaper outgoing calls. Few seem to incorporate their own phone line into the system and just use the PABX (Asterisk in this case) for all calling.

So am I really that odd, or is VoIP too hard at the moment even for most techies? If so that’s a real shame.