@scottalanmiller said in Opinions: Ansible vs. SaltStack:

@AdamF said in Opinions: Ansible vs. SaltStack:

So this is now a super old post, but still relevant. I have been using Saltstack to manage my servers. I don't have any downsides to this so far, but I like to re-evaluate every so often. I see that Ansible open sourced (a couple years ago) their Tower GUI (AWX) That's attractive to me.

What are the current opinions on server management in regards to Ansible vs Saltstack.

SaltStack has a new GUI now, too. It's very limited, but looks really promising.

OpenSource?

So this is now a super old post, but still relevant. I have been using Saltstack to manage my servers. I don't have any downsides to this so far, but I like to re-evaluate every so often. I see that Ansible open sourced (a couple years ago) their Tower GUI (AWX) That's attractive to me.

What are the current opinions on server management in regards to Ansible vs Saltstack.

Phew! Busy couple of days for me. Sorry for the late reply.

OK, so the setup is as @JaredBusch assumed. VPN on the Laptop only. Split tunneling was not enabled and now it is. Problem solved for now! DuckDNS is reporting the correct home IP. No need for VPN on the phone or PBX.

Good call @Dashrender

@scottalanmiller I'm still going to checkout the possibilities of OpenVPN though. Just in case I need it in the future.

Thanks guys. Have a great weekend.

@Dashrender said in FreePBX and changing IPs:

I'm curious why DuckDNS is picking up on the VPN IP instead of the local one? no split tunneling?

Any possibility that the home user has a router that supports DynDNS? If so, set that up should solve the problem.

Good call on the split tunneling. Checking...

@scottalanmiller said in FreePBX and changing IPs:

@AdamF said in FreePBX and changing IPs:

@scottalanmiller said in FreePBX and changing IPs:

@jmoore said in FreePBX and changing IPs:

Would setting up ZeroTier and adding their machine to it be a solution?

Yes, VPNs will essentially always solve this. The problem is that it is often a physical phone without a VPN built it. So it ends up being a lot of effort.

So this user had a Yealink T46s. (my favorite phone) I know that this has VPN capabilities, but I have not looked into how it works with FPBX. Have you?

OpenVPN. You can do it to the PBX, or you can terminate elsewhere. PBX doesn't care. It's like a honey badger with VPNs.

Do you need SysAdmin Pro for that?

@scottalanmiller said in FreePBX and changing IPs:

@AdamF said in FreePBX and changing IPs:

@scottalanmiller said in FreePBX and changing IPs:

@jmoore said in FreePBX and changing IPs:

Would setting up ZeroTier and adding their machine to it be a solution?

Yes, VPNs will essentially always solve this. The problem is that it is often a physical phone without a VPN built it. So it ends up being a lot of effort.

So this user had a Yealink T46s. (my favorite phone) I know that this has VPN capabilities, but I have not looked into how it works with FPBX. Have you?

It's like a honey badger with VPNs.

Pure gold.

@scottalanmiller said in FreePBX and changing IPs:

@jmoore said in FreePBX and changing IPs:

Would setting up ZeroTier and adding their machine to it be a solution?

Yes, VPNs will essentially always solve this. The problem is that it is often a physical phone without a VPN built it. So it ends up being a lot of effort.

So this user had a Yealink T46s. (my favorite phone) I know that this has VPN capabilities, but I have not looked into how it works with FPBX. Have you?

@scottalanmiller said in FreePBX and changing IPs:

@AdamF said in FreePBX and changing IPs:

For those using other PBXs other than FPBX, do you have this issue with IPs constantly being blocked?

We have it, but mostly it's rare. But it certainly happens, especially hits me because so many devices autoconnect when the IP changes here.

The problem is, I have no idea why FPBX thinks the connection attempt is suspicious and blocks the user. The rate at which this person's IP changes is insane. Sometimes more than once per week. Me on the other hand, I h ave had the same dynamic IP from my ISP for YEARS! Although this user uses Windstream, so there you go.

@scottalanmiller Good morning!

I have a user who connects to our PBX remotely. For whatever reason, their home IP keeps changing almost weekly. The lovely responsive firewall on FPBX ALWAYS blocks their new IP and I have to add it back in. I have the user setup with DuckDNS, and I have whitelisted their DNS name. However, they connect into the home office with your standard VPN tunnel. So, therefore, DuckDNS sees the public IP address of the OFFICE IP, and not the user's home IP. Is there anyway around this? Can I force the DuckDNS program to see their actual home public IP address instead of the Office IP address?

Also, is there something on the users phone that could be triggering the responsive firewall to block their IP?

For those using other PBXs other than FPBX, do you have this issue with IPs constantly being blocked?

@scottalanmiller said in Linux Copy a Disk Over SSH with DD:

This is a really handy command when you need to get an image of a filesystem to a remote machine.

ssh root@hostname "dd if=/dev/sda" | dd of=mydisk.img

Going to use this today. Do you have to boot into "rescue" mode to do this? Or can you run this right from the live running system that you are copying from?

This one was interesting to get to the bottom of. @JaredBusch With the VPN tunnel enabled, the phone system was trying to send RTP to the phone on the internal IP. There is a setting in FreePBX on the extension level called "RTP Symmetric". Normally, this is set to yes. I changed it to no and the audio started flowing normally. However, I didn't like this solution. So, as a test, (and what I should have done from the beginning) I blocked all outbound traffic FROM my phone system, to any local network. (10.x, 172.16, 192.168, etc) This immediately solved the issue. I did not yet do a packet capture AFTER the fact to confirm, but I am assuming that blocking the PBX's ability to get to an internal private IP, forces the system to renegotiate and send the RTP to the correct public IP.

Definitely an odd issue.

@dbeato said in Site to Site VPN - not passing audio traffic properly:

@fuznutz04 what happens when you disable the routing? Does it work? If it does then you can pinpoint it to your routing making it all go through the other end of the VPN WAN.

Yep disabling the VPN (disabling the VTI interface on my office router ) immediately makes it work. So technically, I didn't disable the route, but I downed the VPN tunnel.

On the Edge router, is it possible to route just the SIP and RTP traffic out of the public interface and NOT have that specific traffic go through the tunnel?

So the title kind of sucks, but here it goes.

I have 2 sites. Office (Edge router) and COLO (Edge router). I have my PBX down at the COLO. I previously connected my phones at the Office to the PBX down at the COLO via public IP. (Meaning the phones connected to the public IP of the PBX) No NAT down at the COLO. Everything was working perfect.

I now setup a site to site VPN between the 2 sites. Now, whenever I have a phone call, I have 1 way audio.

The office network is a 10.0.0.x/24 network, and the only thing I can think of right now that would be causing this, is the static rule that I setup down at the COLO firewall that says anything destined for 10.0.0.x/24, route out interface VTI0. But why is the audio trying to be sent to the 10.0.0.x/24 network in the first place? Shouldn't Asterisk be sending the audio back to the public IP address:port at my office? I wouldn't think that it should be trying to send it through the VPN tunnel.

I have to do some packet captures at multiple points here to really pin point what is going on, but has anyone else ever experienced this?

**Side note: If I change my phone IP to 10.0.5.1/24 (different local subnet), the audio traffic works perfectly.

@travisdh1 said in Web filtering for SMB:

Easiest, fastest, use Cloudflare DNS
1.1.1.2 and 1.0.0.2 blocks known malware sites
1.1.1.3 and 1.0.0.3 blocks malware and porn sites

PiHole is good if you want an easy local solution.

That's great. I didn't know they came out with 1.1.1.3. That's awesome!

@DustinB3403 said in Web filtering for SMB:

Are you looking to block content, like online gambling, porn etc? PiHole does an amazing job out of the gate and makes it pretty easy to do this if you want something quick and simple to setup and maintain.

I use Pi-Hole at my house. Good idea. I'm looking to block accidental stuff. Want to do what I can to keep malware, etc out as much as possible.

Does anyone use Web filtering in the SMB space ? If so, what is recommended for a small (less than 10 person) office? A Ubiquiti Edge router is on the edge, but if you would want to then filter web traffic through a box that filters and also monitors, what are people using? I previously used untangle back in the day, but have not worked with any web filters since then. 100% not interested in a UTM.

@JaredBusch I use Zerotier every day, and I completely forgot about this. Thanks!

@Dashrender @notverypunny Good idea. I already changed the power settings on the home computer months ago, but if a recent Windows update changed them, I'll check that out too. Randomly change settings I specifically set...thanks Windows.

I have a friend that has a small business. (2 people) They have an office PC and a home PC. She needs to remote into her home PC from her office PC on a daily basis. Previously, up until last week, I had them connecting via AnyDesk. This was starting to have issues and would be super laggy and would disconnect occasionally. So, I installed Screen Connect as a test and installed an agent on the Home PC. Then from the office PC, I would connect to the home PC. This worked well during my 15 minute test session when I installed it.

However, They are telling me now that many times a day, they attempt to connect to the home PC running the agent and just get the message "Waiting for your guest." Does anyone else get this with screenconnect agents?

Is there a better alternative for basic, remote access? (preferably free)

OK, we have success!

Steps to resolve:

1. On the DC I was having issues with at the main site, I stopped the KDC Service (Kerberos Key Distribution Center Service)

2. Then I ran this:

NETDOM RESETPWD /Server: <Domain Controller Name> /UserD:<Domain Admin Username> /PasswordD:<Domain Admin Password>

3. Rebooted the server.

After this, all of the strange event viewer errors in the DNS log, AD log, etc were gone. I can now successfully replicate across sites as well as join PCs to the domain. I'm not sure why this happened in the first place, but this fixed it.

Thanks for all the help!