不知从什么时候起,FreePBX 上的 fail2ban 不能启动了。amportal restart 时,其他项都是绿色的 OK,执行到最后是 fail2ban,两行:
Stopping fail2ban [Failed]
Starting fail2ban [Failed]
两个红色的 Failed 触目惊心。
看了看 /var/log/fail2ban.log,一头雾水。再说它不更新已经很久了,估计不能启动以后就没有更新。研究它的最后几行也不知对解决问题有没有帮助,总之我缺乏细看的耐心。问 Google 吧!有人说,
yum remove fail2ban yum install fail2ban
就能重新工作了,就这么简单。一试,果然!
问题虽然解决,但我对 FreePBX 软件质量的印象分有所降低——“不明原因、重装解决问题”似乎是 Windows 的特症,怎么 CentOS 下的 FreePBX 也染上了?!
I classify myself as a newbie as I have been diving into Asterisk / FreePBX for only 3 months. I am not familiar with 95% parameters of my IPPBX, and I try to avoid touching those parameters. However I can proudly say I have gained enough experience in setting up an IPPBX for a commercial environment, and I want to share it with you.
Before I start, I have to make it clear what my goals are, so you know if my experience suits you.
Firstly, I do not have massive users, say less than 100. We did not use any PBX, but once we launch IPPBX, it must be working very stably.
Secondly, users should be able to pick up the calls in the office, at home or on the move. Myself is a typical user, who answer 1/3 calls in the office, 1/3 at home, 1/3 on the move.
Thirdly, I want to save every pence possible on this first IPPBX. There are many IPPBX with Asterisk preinstalled and probably optimised on the market, whose prices start from £150. However I think at £150 it is an entry level product and geared for a SOHO enviroment. If I hunt for a proper commercial Asterisk IPPBX, I should look for something above £300. I am a fanatical DIYer and I believe business can take advantage of open source. Free open source allows business to do the same things other highly priced product can do, and sometimes does better. Of course the price of open source is the learning time. I spent £100 on the hardware (Bought from China directly. I evaluate it as £190 for similar hardware on the UK market), and 3 months in learning. A commercial Asterisk IPPBX with the equivalent capacity should be priced at £500 or so.
My 3 months’ learning only saved £400 which is a loss. Nevertheless, back to the topic – my gained experience in setting up an IPPBX.
I do not need to connect IPPBX to a physical analogue (POTS) or digital (ISDN) telephone line. If you do, and the more lines to connect, the more worthwhile to buy a commercial IPPBX with FXO or BRI ports built in. None of analogue/digital cards or ATA or ISDN gateways are cheap.
At the time of choosing a DIY IPPBX other than a commercial IPPBX, I was quite worrying about the stability. Now I can say software stability can be achieved by a newbie like me. But to make the whole system work reliably, I have to buy a decent hardware to run it on, and most importantly, a reliable network. My current ISP is horrible and due to be switched away in next month. It wasted me a lot of time debugging – barking at the wrong tree. I would not say “horrible” if I was only using their network browsing Internet. It looks like it can not afford VOIP traffic when it comes to host an IPPBX.
I set port forwarding on the NAT router where IPPBX is. I forwarded SIP bind port and RTP ports. I did not do everything at client side router. The SIP client should traverse a router not in my control.
I put NAT in Settings >> Asterisk SIP Settings to “route”, which instantly solved a lot of audio silence between various devices, i.e. high end SIP phone, entry level SIP phone, and several soft SIP phones installed on several Android based mobiles. I still can not understand the exact logical behavior of “yes”, “no”, “never”, “router” for NAT choice, but to me, “router” is the best choice.
I totally understand many people says SIP behind NAT is a nightmare. My IPPBX is behind a NAT router in the office, and if I am at home, my extension is behind another NAT router. This is the worst scenario. With FreePBX Distro and the above simple configuration, but without help of any third party modules, proxy, stun server, SER, the most difficult problem I encountered is one way audio on some devices / soft phones. It is always the caller can not hear voice from the callee, but the callee can.
Then I find enabling stun server on SIP client does not do anything good. Actually I find enabling Rport for signaling and media helps eliminating one way audio symptom if this choice is available. If your device does not have such a choice, but you have two devices at hand, you can dial out using one of them and transfer the call to the other one. This method makes both ends callees. So tricky. Do we really to do that? No. I have better way later on.
Missing codecs may cause audio silence, but it has nothing to do with one way audio. If a required codec is missing, both ends will be silent. I have a weird SIP trunk provider supplying 2 lines. Both lines have an external number (connecting PSTN) and an internal number (extension number on his SIP server). It turned out he enables different codecs for these 2 lines. And even on the same line, he enables different codecs for external number and internal number. It took me a long time before I realised it was a codec problem.
Although Android mobiles are widely available, it is worth buying SIP phones for office and home. SIP phones can stay online much more stable than any of soft SIP phones on Android mobile. It may not be a fault of soft phones. They are restricted by Android power management. The advantage of Android devices is you can choose SIP apps to install. To get the best of both worlds, the best buy is an SIP desktop phone with Android OS.
Among SIP apps, I recommend Zoiper (most stable, and support IAX2), CSipSimple (support video calls with CSipSimple video plugin), Samsung Galaxy built in SIP client (may be best choice in power saving), in turn.
It is time to summarise how to tackle one way audio. I mentioned IAX2. Yes, for soft phone, use it as the first choice over SIP. (Sadly as a hardware, VOIP phone with IAX protocol are not widely available.) I am using Zoiper on the move. In the office, as it in the same subnet, SIP traversing is not a problem, so any SIP phones will do the job. At home, use a SIP phone which can enable Rport, or use Zoiper.
I tried to achieve a stable IPPBX without having to periodically reboot it, but I could not. The IPPBX runs into a hanging state every a few days. For example, all trunks / extensions are disconnected. Even “amportal restart” can not solve the problem. A daily reboot is a must. Just choose a quietest time and use crontab to reboot. My IPPBX reboots in 34 seconds, which means the uptime is 99.96%. Normally the IPPBX will not hang within a day. But I set a monitoring script anyway to monitor if all trunks / extensions lose connection, reboot the IPPBX immediately. It never happened so far.
I also find IPPBX daily rebooting is a usual practice. I have monitored two of my SIP trunk providers are rebooting their servers daily. I am going to test it on a third one. Besides, I will be very glad to see a future version of FreePBX can run without rebooting for years as Nginx, etc.
我的 SIP 服务器 FreePBX 暂时还放在一个非常不可靠网络环境下,这在前文《FreePBX working with an unstable router》有提及,一有 SIP 不正常的风吹草动,我就成了惊弓之鸟。
今天早上我在家,发现 SIP 分机又出现单向语音的症状,测了多次,十次有九次是单向语音,主要是主叫方听不到对方声音。我在服务器上看来看去看不出原因,不管三七二十一,又重启了一次,仍没解决问题。
单向语音是 SIP 很常见的问题,在用 FreePBX 之初,我曾花大力气去解决,找到一套行之有效的办法。怎么今天又出现了老问题了?我一阵头疼。
我家的网络宽带路由器确实不太好,但一开始我没意识到是它的原因,因为浏览网页是正常的,再说 SIP 能注册,也能接通。我排查了很久,无意中将手机 Wi-Fi 连接关闭,用 3G 连接网络,手机的 SIP 客户端立刻就能双向语音,一切正常。我这才想到是网络宽带路由器的原因,把它重启了一遍,SIP 通话就正常了。
看来 SIP 对网络的要求非常高,而且是服务端、客户端双方的要求都很高。
FreePBX 上线运行近一个月,被我观测到若干次所有 peers (包括 trunks 和 extensions)都失去连接的情形,但 FreePBX web 界面里还是显示 asterisk 正常绿色。
目前我无法判断这究竟是 FreePBX 的硬件问题,抑或是 FreePBX 的软件问题,还是参数配得不对。我也没找到什么现成的命令可以判断 asterisk 是否在正常工作。
好羡慕一些人说 FreePBX 几年都不用重启也跑得很稳定。我也不想经常重启我的 FreePBX,但我得面对现实的商业化环境。
现实是我们不是 24 小时工作,电话也不会 24 小时响个不停,但工作时间我们不能容忍 FreePBX 无缘无故停止响应。所以我做了两项调整:
我不用 Apache 很多年,几乎忘了该怎么完整地配一台 Apache server。最近上线了一台 FreePBX,我想加强 web server 的安全系数,要修改一些默认参数。因为对 FreePBX 还不是很了解,所以不敢贸然把它的 web server 用我喜欢的 Nginx 代替,只好沿用元配的 Apache,捣腾它的 conf 文件。
首先,我想弄个 VirtualHost,把 FreePBX admin 界面隐藏到不公开的 ServerName 上。我忘了在使用 name based virtual host 前要先使用 NameVirtualHost 先声明一下。
NameVirtualHost ip_address:port_number
其次,启用了 VirtualHost 以后,VirtualHost 之外的 main DocumentRoot 就不起作用了。我在 VirtualHost 之外定义了一个 DocumentRoot 并想当然地认为它是 default server (未经任何一个 VirtualHost 定义的 server)的 DocumentRoot。事实上,VirtualHost 的 default server 是由 _default_ 显式定义,或在 _default_ 缺失的情况下,第一个 VirtualHost 就是 default server。
办公室里的 FreePBX 经过多次调试,初步可以稳定运行。无奈物业管理公司配送的 ZyXEL AMG1302-T10A ADSL router 是个家用系列产品,用起来非常糟糕:设置了一批端口转发至 FreePBX,但会莫名其妙地失效。这种失效是个别端口转发失效,最要紧的是 Asterisk bind port 失效,这样外网的 SIP 分机就注册不了,运行若干天定会发生这样的事故。联想到外网分机通话时经常出现的单向语音或干脆无语音,估计也是路由器无法稳定地转发 RTP port 造成的。
物业管理公司外包 IT support 给一个外地的公司,虽然离得不远,但英国公司本身就效率低下,又不是在同一个城市,根本就指望不上。本来我也不指望别人来做 IT support,但物业管理公司和 IT support 公司不愿告诉我 ADSL 上网密码,我就无法换掉它的路由器;它也不愿告诉我路由器管理密码,搞得我在路由器端口转发失效的情况下,也无法远程重启路由器。
我已经跟物业管理公司要求独立装宽带,并自己管理。在没有得到答复前,怎么解决外网分机无法在特定端口注册的问题?我想了个办法,就是开启多个 Asterisk bind ports。严格地说,Asterisk只能有一个 bind port,而多个 bind ports 的效果,其实是在 FreePBX OS 层面的防火墙上达到。
iptables -t nat -A PREROUTING -i eth0 -p udp --dport (another port number) -j REDIRECT --to-ports (original port number)
这条规则把 (another port number) request 转给 (original port number)。我一口气添了 10 条同样的规则,这下有 11 个 SIP 注册端口可用,希望 ZyXEL ADSL router 不会一夜全坏掉吧?!
/etc/init.d/iptables save
保存路由规则,让重启后不丢失。
顺便说一下,我对 ZyXEL 的质量没有信心,它的家用系列产品不稳定不是个别现象,它的商用系列我也不敢去尝试。
FreePBX 12 alpha 如果掉电重启,已多次发生 DB error,改装 FreePBX 11 仍有发生。虽然我已查明这是 MySQL socket 被锁定造成的,删除 /var/lib/mysql/mysql.sock 即可,但嫌 MySQL 不能自行修复,于是想到将 socket 移入内存 /dev/shm,掉电即不复存在,重启时每次都是重新生成 socket,不再有被锁定之忧。
怎么更改 MySQL socket path 呢?其实也不复杂,只需更改三个文件。
1. /etc/my.cnf
MySQL 自身的配置文件
将
socket=/var/lib/mysql/mysql.sock
更改为
socket=/dev/shm/mysql.sock
2. /etc/freepbx.conf
告诉 FreePBX socket 的新位置
将
$amp_conf['AMPDBHOST'] = 'localhost';
更改为
$amp_conf['AMPDBHOST'] = 'unix(/dev/shm/mysql.sock)';
你可能觉得 ‘unix(/dev/shm/mysql.sock)’ 的写法很奇怪。我摸索了好久才找到 PEAR DB 所用的 dsn 字符串中 MySQL socket path 的格式。
3. /etc/amportal.conf
告诉 asterisk socket 的新位置
将
AMPDBHOST=localhost;
更改为
AMPDBHOST=unix(/dev/shm/mysql.sock)
重启 MySQL 和 asterisk,确认 FreePBX System Status 是不是一片优雅的绿色(主要看 Server Status 块中的 Asterisk 和 MySQL 是否正常)?
FreePBX alpha-6.12.65 (已升级至 release 3)两天两次出现这样的错误,我想有必要做一下笔记,解决方法很简单,但找解决方法花了不少时间。
FATAL ERROR DB Error: connect failed Trace Back /var/www/html/admin/libraries/db_connect.php:63 die_freepbx() [0]: DB Error: connect failed /var/www/html/admin/bootstrap.php:103 require_once() [0]: /var/www/html/admin/libraries/db_connect.php /etc/freepbx.conf:9 require_once() [0]: /var/www/html/admin/bootstrap.php /var/www/html/admin/config.php:111 include_once() [0]: /etc/freepbx.conf
解决方法就是删除 MySQL socket 文件。
rm /var/lib/mysql/mysql.sock
如果觉得每次发生 DB error 去删除 socket 文件比较麻烦,可以参考一个一劳永逸的办法:Change MySQL socket path for FreePBX。
还有一点值得注意,如果发生这个错误,外网访问是看不到这个错误提示的,甚至内网的子内网也看不到,看上去就像 httpd 未启动。而且,发生了这个错误后,启动时其他服务也受影响,sshd 就不再启动(在我看来逻辑不应该是这样)。
FreePBX 出了新版。我下了 “64bit ALPHA-6.12.65-2 Release Date-01-15-14 FreePBX 12, Centos 6.5 Asterisk 11 or 12” 来装,装好以后发现多了一个 PJSip,搞得我晕乎了一天。
了解了一下 PJSip,发现它并不是什么新鲜玩意,只是 FreePBX 刚把它整合进来。其他 Sip 相关软件,如 CSipSimple,已经用 PJSip 很久了。
之前的 FreePBX 只有一种 Sip,现在 Sip Settings, Sip Extensions, Sip Trunks 都分为 PJSip 和 Sip。有时显示为 Chan PJSip 和 Chan Sip,但又不一致,象我这样的新手误以为 Chan Sip 不是原来的 Sip,因此琢磨到底是该用 PJSip 还是 Sip,浪费了不少时间。
现在 FreePBX 把 PJSip 放在 Sip 前面,PJSip 沿用常用的5060 端口,Sip 则另开了 5061 端口,大有 PJSip 取代 Sip 的意思。而我一开始也没发现 Sip 改端口了,使劲注册分机都是徒劳。
FreePBX 创建了 PJSip 分机,我用 CSipSimple 去注册,CSipSimple 端显示在线,但在 FreePBX PBX Status 里看不到可用分机线。我想是 FreePBX 在应用 PJSip 时有 bug,所以不要强求,用 Sip 已然不错。