Using Vultr for FreePBX 13

JaredBusch

@JaredBusch said in Using Vultr for FreePBX 13:

I would never use tftp over the internet. There is no security in it at all.

I was out at breakfast when I made the reply. Let me clarify.

Using tftp to pull configs over the internet have no possible method to encrypt the information in transit.

So if somewhere along the way, your traffic is sniffed (most likely is softphone on a mobile device on a public hotspot), the data inside the phone config files is 100% plain text. This is a super bad thing because these config files contain the SIP credentials for the device in question.

Once someone has your valid credentials, they have access to make calls on your dime.

Using http is no different. I recommend only using https on the public internet.

Now, you can mitigate by only allowing known IP addresses through the firewall. By doing that, there is no way for someone to get to your data form everywhere around the world.

To be clear this, is only about keeping the configuration files secret because they contain sensitive information. SIP registration is a totally different issue. That process has no need for encryption. The SIP protocol negotiates a nonce witht he PBX when it begins the registration process for an extension. The device never sends the registration password in the clear.

JaredBusch

@JaredBusch said in Using Vultr for FreePBX 13:

I recommend only using https on the public internet.

Now even tough I say that, there are potential problems with this on some devices.

/me glares at Yealink T4XG series devices

FreePBX's default Let's Encrypt certificate process on FreePBX 14 creates a Let's Encrypt certificate that Yealink T4XG series phones refuse to talk to. The exact same phone talking to FreePBX 13 with a LE cert generated by FreePBX works just fine.

So you have to decide to get some other certificate or use take the risk of using http for you device communication. I continue to hpe the Yealink will release a firmware update for this, but it is unlikely as that series of phones are no longer sold. They do not seem to consider them EoL yet, but they were replaced by the T4XS line.

prabbide

@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted). I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.

Emad R

@JaredBusch

Hi,

Did you also notice that v14 is super slow compared to v13 ?

JaredBusch

@Emad-R said in Using Vultr for FreePBX 13:

@JaredBusch

Hi,

Did you also notice that v14 is super slow compared to v13 ?

It assuredly is not. I use it daily. I do not use 13 daily any more, but when I did have active clients on both versions, I never had noticeably different speeds in the GUI.

scottalanmiller

@JaredBusch said in Using Vultr for FreePBX 13:

@Emad-R said in Using Vultr for FreePBX 13:

@JaredBusch

Hi,

Did you also notice that v14 is super slow compared to v13 ?

It assuredly is not. I use it daily. I do not use 13 daily any more, but when I did have active clients on both versions, I never had noticeably different speeds in the GUI.

We still have one client that won't upgrade (they make lots of excuses) and we don't notice a difference either.

Dashrender

@prabbide said in Using Vultr for FreePBX 13:

@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted). I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.

You sure Vultr firewall isn't blocking TFTP?

JaredBusch

@Dashrender said in Using Vultr for FreePBX 13:

@prabbide said in Using Vultr for FreePBX 13:

@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted). I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.

You sure Vultr firewall isn't blocking TFTP?

Vultr doesn't have a firewall unless you make one.
I mean it is possible they could. Let me test.

scottalanmiller

@JaredBusch said in Using Vultr for FreePBX 13:

@Dashrender said in Using Vultr for FreePBX 13:

@prabbide said in Using Vultr for FreePBX 13:

@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted). I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.

You sure Vultr firewall isn't blocking TFTP?

Vultr doesn't have a firewall unless you make one.
I mean it is possible they could. Let me test.

Lots of people put one in by default and don't even think about it.

JaredBusch

My setup with FreePBX 14 on Vultr.

1. There is no firewall on Vultr blocking anything.
2. My home network is marked trusted in the FreePBX responsive firewall.
3. The tftp protocal is allowed in the FreePBX firewall to local connections.

I can connect to from my desktop with tftp but I cannot download anything.

Dashrender

@JaredBusch said in Using Vultr for FreePBX 13:

My setup with FreePBX 14 on Vultr.

1. There is no firewall on Vultr blocking anything.
2. My home network is marked trusted in the FreePBX responsive firewall.
3. The tftp protocal is allowed in the FreePBX firewall to local connections.

I can connect to from my desktop with tftp but I cannot download anything.

right - so why not?

JaredBusch

@Dashrender said in Using Vultr for FreePBX 13:

@JaredBusch said in Using Vultr for FreePBX 13:

My setup with FreePBX 14 on Vultr.

1. There is no firewall on Vultr blocking anything.
2. My home network is marked trusted in the FreePBX responsive firewall.
3. The tftp protocal is allowed in the FreePBX firewall to local connections.

I can connect to from my desktop with tftp but I cannot download anything.

right - so why not?

Don't know and don't honestly care. As I said before. Don't use TFTP on the public internet.

scottalanmiller

I wonder if TFTP default bindings are LAN only.

JaredBusch

@scottalanmiller said in Using Vultr for FreePBX 13:

I wonder if TFTP default bindings are LAN only.

/shrug

It let me connect.

Note: it also does not work on my ZeroTier address.

Dashrender

@JaredBusch said in Using Vultr for FreePBX 13:

@scottalanmiller said in Using Vultr for FreePBX 13:

I wonder if TFTP default bindings are LAN only.

/shrug

It let me connect.

Note: it also does not work on my ZeroTier address.

Now that is weird!

prabbide

@JaredBusch said in Using Vultr for FreePBX 13:

My setup with FreePBX 14 on Vultr.

1. There is no firewall on Vultr blocking anything.
2. My home network is marked trusted in the FreePBX responsive firewall.
3. The tftp protocal is allowed in the FreePBX firewall to local connections.

I can connect to from my desktop with tftp but I cannot download anything.

Exactly my problem. But I concluded the same thing. Who cares? I do have a small reason to care, but I've got a workaround and moved on to other topics. Thanks for your 2 cents! Glad it wasn't just me.

jasonraymundo31

@JaredBusch said in Using Vultr for FreePBX 13:

I like Vultr's stat page.
Here is the network usage of a PBX with ~80 extensions (all pjsip, if that matters) and 15 simultaneous calls at peak.

What is the specs of your vultr instance with that usage, ~80 extensions and 15 simultaneous calls at peak.

Also, do you have some formula on how to decide what to get instance base on extension and simultaneous calls ?

scottalanmiller

@jasonraymundo31 said in Using Vultr for FreePBX 13:

What is the specs of your vultr instance with that usage, ~80 extensions and 15 simultaneous calls at peak.

Bottom line is that the $5 instance is as small as you can go. You need the 1GB of RAM. If they offered a 900MB option, sure that might work. But the 512MB option will not. So you can't go smaller than the $5 option on the low end, don't try. You'll be swapping and things will get bad, fast, if it will even run.

That said, you could handle hundreds of extensions and way more than 15 calls on that $5 1 vCPU / 1GB RAM option. We use that and we do closer to 30 simultaneous and it doesn't break a sweat. And we don't use g711 either, so we are working it harder than normal users.

You would need a LOT of calls or special usage to make you need a larger VM. We have no customers going larger based on RAM or CPU needs, only on storage needs (we have customers doing huge amount of call recordings or voicemails and just need more space.)

JaredBusch

@scottalanmiller said in Using Vultr for FreePBX 13:

And we don't use g711 either, so we are working it harder than normal users.

Actually 722 doens't use anything in resources jsut like 711. It is all about being on the same codec for the entire call path.

JaredBusch

@scottalanmiller said in Using Vultr for FreePBX 13:

Bottom line is that the $5 instance is as small as you can go. You need the 1GB of RAM.

Also, you can scale an instance to a larger plan if needed.