Need advice on moving PiaF from copper to ITSP

Someone on another forum mentioned the Netgear FVS318G which does claim to support QoS. In terms of learning curve, that should be an easy replacement for the current FVS318. Hard to beat $118 street. Anyone using one of these?
 
For just a two person office, you really should look at DD-WRT or Tomato firmware for one of the more economically priced routers. The firmware upgrades give you features that rival much more expensive options.

Here are a couple screenshots of my QOS setup pages:
 
Thanks the Draytek does look interesting. Never heard of them before. I like the ability to use a USB modem as second WAN source.

Cisco Small Business (formerly Linksys) routers have some nice specs but the reviews on NewEgg are not good. Need to spend some time looking at Cisco 800 series which I think are the "real" Cisco.


The Draytek 2130 has exceedingly high performance thanks to a hardware NAT engine. Don't know if that matters much to you, but I found internet speeds (Comcast 25/4 Mbps) were significantly improved when I upgraded from a DLink DGL-4300. Apparently the router can be a bottleneck in these days of fast internet.

If you think of PFSense, I would advise against a compact flash installation as these do not include proper management of flash memory card wear. If you want flash for an appliance-like install, use an inexpensive SSD. I use a 40 GB flash drive for my PIAF Intel Atom "appliance".
 
Linksys E2000 and tomato. Could pick up two refurbs for $25-30 and have a stand-by sitting there. Another option with a little more memory would be the Netgear WNR3500L. I use these all the time with my SMB clients and for tele-worker scenarios with OpenVPN.

You mentioned the virus scanning capabilities on the Sonicwall as an attraction. I would do all that stuff in the cloud and not on an appliance. I don't think you need concern yourself with a full on filtering proxy, but either OpenDNS free or enterprise would do the trick. I can sell you enterprise licenses, as I'm sure others on here could as well. They are very inexpensive through MSP's. You can PM me if you are interested in that.

Also, since you are hosting an e-mail server on the same connection, I would definitely handle the filtering for that in the cloud as well. Free up as much of that DSL as you can. SpamHero is a very cost-effective service ($5/month for an entire domain, inbound only, and yes that is an affiliate link) or you can do something through Postini or an MSP like myself with in-bound and outbound as well as continuity features.

Definitely agree with setting up test trunks first and either call-forwarding the inbound and putting outbound on the trunks to test.

Good luck
 
> Linksys E2000 and tomato. Could pick up two refurbs for $25-30 and have a stand-by sitting there. Another option with a little more memory would be the Netgear WNR3500L. I use these all the time with my SMB clients and for tele-worker scenarios with OpenVPN.
>
> You mentioned the virus scanning capabilities on the Sonicwall as an attraction. I would do all that stuff in the cloud and not on an appliance. I don't think you need concern yourself with a full on filtering proxy, but either OpenDNS free or enterprise would do the trick. I can sell you enterprise licenses, as I'm sure others on here could as well. They are very inexpensive through MSP's. You can PM me if you are interested in that.

Thanks for those thoughts. I am getting some great input here.

I already have OpenDNS and hosted mail filtering set up for the client. The SonicWall stuff that sounded cool was a) trap viruses at the perimeter (e.g. if a user browses to a site with a nasty .gif file, which has happened) and b) ability to turn off or prioritize certain kinds of traffic, e.g. no Bittorrent, and YouTube comes after SMTP comes after VoIP.
 
> Thanks for those thoughts. I am getting some great input here.
>
> I already have OpenDNS and hosted mail filtering set up for the client. The SonicWall stuff that sounded cool was a) trap viruses at the perimeter (e.g. if a user browses to a site with a nasty .gif file, which has happened) and b) ability to turn off or prioritize certain kinds of traffic, e.g. no Bittorrent, and YouTube comes after SMTP comes after VoIP.

Tomato has some built-in rules (just need to enable them) for blocking P2P stuff, etc., and with some simple searches you can find plenty more examples. Although I'd probably use OpenDNS to block torrent stuff and not the router, simply because OpenDNS would block access to the 'questionable' torrent material, whereas the router would block all torrent-type stuff and I'm seeing more and more legitimate content being delivered via P2P/bittorrent which you might want to allow.
 
Heh, just checked out your website. Nevermind the MSP stuff, looks like you got that covered :smile5:
 
> The Draytek 2130 has exceedingly high performance thanks to a hardware NAT engine. Don't know if that matters much to you, but I found internet speeds (Comcast 25/4 Mbps) were significantly improved when I upgraded from a DLink DGL-4300. Apparently the router can be a bottleneck in these days of fast internet.
>
> If you think of PFSense, I would advise against a compact flash installation as these do not include proper management of flash memory card wear. If you want flash for an appliance-like install, use an inexpensive SSD. I use a 40 GB flash drive for my PIAF Intel Atom "appliance".

I appreciate those details and cautions. I ran into the speed issue on my home network--the FVS318 couldn't handle 6000 down. So I downgraded to 3000 down. Considering the church will max @ 3000 down, I don't think that'll be an issue there.

Meanwhile I just saw the thread on DSLReports about using voip.ms as a simple hosted PBX. Someone named "lifespeed" says it works :wink5:. PiaF is great but holy cow, if the church can commit to VoIP, that might just save them from having to replace the 9-year-old server that PiaF is running on. So now they're not just saving $100/month over AT&T, they don't need a new server, they don't pay its electricity, and I don't need to maintain it. Is that too good to be true?
 
Go to the Providers section and check out rentpbx. I have a couple out there and have been very happy with them. And they support PBIAF! Throw in those Vitelity trunks and you are good to go!
 
> PiaF is great but holy cow, if the church can commit to VoIP, that might just save them from having to replace the 9-year-old server that PiaF is running on. So now they're not just saving $100/month over AT&T, they don't need a new server, they don't pay its electricity, and I don't need to maintain it. Is that too good to be true?

It all depends on what your expectations for the phone system flexibility are, and your budget. I blew $400 on a small Atom box with SSD for PIAF that draws 15W of power. It will do anything with the phones that I (or helpful folks on this forum) know how to make it do. My favorite trick is automagically detecting if I, or my wife, are at home via registration of Bria SIP client on our smartphones. It then rings the SIP phone when we're home, or the mobile when we're away. Only one phone number needed.

But voip.ms (they are pretty darn flexible) will do 80% of what most ordinary users would get out of PIAF without buying a small admittedly power-efficient server. If you just need the phones to ring with voicemail, and maybe forward a call to the other phone, then voip.ms will cover it. Fancier tricks it is not so good at.

As far as hosted PBXs, I have found they involve significantly more monthly expense than paying for a "feature" voip provider. If the goal is expense reduction one of the better ITSPs is the way to go. If you need the PIAF features, an inexpensive low-power server will quickly pay for itself relative to hosted PBX monthly bills.
 
> Go to the Providers section and check out rentpbx. I have a couple out there and have been very happy with them. And they support PBIAF! Throw in those Vitelity trunks and you are good to go!

RentPBX does look good if I want to run PiaF in the cloud. But why give them $15/month when voip.ms will do IVR, ring groups, and time conditions for free?

Thanks for the SpamHero tip. I've got them on MailFoundry, which until a few months ago was free up to 10 users. Now they pay $1/user/month. But that's just named users, the ones that get quarantine reports, which is just two. They have about 80 forward-only users (all the church committee members), and all that mail gets RBL and virus filtering for free.
 
> If the goal is expense reduction one of the better ITSPs is the way to go. If you need the PIAF features, an inexpensive low-power server will quickly pay for itself relative to hosted PBX monthly bills.

Expense reduction is good ;). This is a church office. They want the light to blink if there are messages. Four or five IVR messages describing worship times etc. Email notification is a bonus but only the pastor uses it; the admin only checks messages when she's there anyway. Fancy stuff like follow-me and recording are not needed. I doubt I could get their attention long enough to describe SIP presence detection. I have wondered whether the pastor might not like a SIP (soft)phone when she's working from home; this would make it easier in that I wouldn't have to open an in-house PBX to the Internet.
 
> Linksys E2000 and tomato. Could pick up two refurbs for $25-30 and have a stand-by sitting there. Another option with a little more memory would be the Netgear WNR3500L. I use these all the time with my SMB clients and for tele-worker scenarios with OpenVPN.

Which Tomato build are you using? If I'm reading correctly, plain tomato doesn't work; I need something like TomatoUSB?

Wikipedia
tomato USB builds

You mention E2000. Any reason (other than price) not to go to a Linksys E3000 or E4200?

The WNR3500L gets good reviews for a single-band wireless N router. But since it will probably be there for 5+ years, I'm thinking I should get dual band. I'll also need site-to-site VPN capability and ability to make part or all of the wireless side into a guest network.
 
> The WNR3500L gets good reviews for a single-band wireless N router. But since it will probably be there for 5+ years, I'm thinking I should get dual band. I'll also need site-to-site VPN capability and ability to make part or all of the wireless side into a guest network.

You're talking about some fancy capabilities on a church budget. ;)

I very much prefer to separate wired and wireless, you can choose the features you need that way and upgrades are simpler. I like the Engenius EAP9550 or high-power EAP300 for wireless AP. These will also VLAN tag for guest network. You do, of course, need a supporting VLAN router and/or layer 3 switch which can route across VLAN.

Like I said, your budget and features are out of sync. But we all try to get the most bang for our buck.
 
> Like I said, your budget and features are out of sync. But we all try to get the most bang for our buck.

Engenius does look cool. Actually I have a Belkin wireless N router on a separate fixed IP right now so the wireless capability isn't mandatory. However, it does appear that Tomato is designed explicitly for wireless routers.

I have enjoyed site-to-site VPN with dual Netgear FVS318s for 6 or 7 years and would not like to give it up. It simplifies remote support from my home office.

The guest network thing seems to be built in to most home routers these days, including the native firmware of the E3000 and the WNR3500L. It looks like TomatoUSB supports it if you are willing to set it up as VLAN from the command line.

I was thinking up to $200 for a QoS-capable non-wireless router but if I can get all this plus Wireless N under $100, why not? Like bjeung said, I may buy a spare just in case :smile5:.
 
You can get a Draytek 2130 and EAP9550 (or EAP300) for $200.

The reason the Draytek is so desirable is it has bi-directional QoS, almost unheard of in consumer routers. And it is blazing fast. And it uses open-source firmware that seems to be actively developed and updated. And it supports VLAN and VPN.

The wireless AP mentioned will mount on the ceiling and are powered over ethernet. This makes for easy installation and exceptional coverage, with well-designed directional antennae.

I mention these units because I think they are an optimal solution. There are many ways to skin a cat, but I suspect few would approach the features/performance per $$ of the above solution. Any wireless router with an omni antenna won't be able to accomplish the coverage of the Engenius EAP series.
 
> The reason the Draytek is so desirable is it has bi-directional QoS, almost unheard of in consumer routers.

Can you explain bi-directional QoS? I would think it would work like this:

Inbound: router tags packets based on certain criteria (protocol, port). Higher tags go through first.

Outbound: endpoint tags packets, router allows higher-priority packets to pass through ahead of others.

Would be nice if the router could also prioritize untagged outbound packets. Is that what you mean by bi-directional QoS?
 
The router doesn't tag packets, but prioritizes them according to the tagging already present. With inbound VoIP packets I have found it most practical to prioritize traffic in the PIAF RTP port range. Of course, that requires that those ports are forwarded to PIAF - something one must do anyway if your PBX RTP ports are exposed to the internet.

So far I have been unable to figure out if the tagging from my provider (voip.ms using default TOS settings for *1.4) makes it through to me.

But the short answer is the Draytek (and some Engenius routers, and PFSense of course) are known to prioritize inbound traffic. This is important if your inbound WAN link is being saturated by non-VoIP traffic. You would get stutters and robot voice at this point, with an ordinary router.

I have tested and verified that my inbound internet throughput drops from maximum, and my voice quality remains perfect when my WAN link is saturated. Or more accurately, the router QoS prevents it from saturating when a VoIP call is added to an already-full WAN link.

Edit: Yes, higher priority packets pass through first (both incoming and outgoing) with bidirectional QoS. This can be done by DHCP/Cos/ToS tagging, or by port range. My port range example shows how I accomplish inbound VoIP QoS without knowing the DHCP tag value from voip.ms.
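
The two classification methods described in this post (by DSCP/ToS marking, or by RTP port range when the provider's marking is unknown or stripped), as an added example that is not part of the original thread and not any router's actual firmware logic. The port range 10000-20000 is assumed from Asterisk's default rtp.conf, and the packets are constructed samples.

```python
import struct

# Assumption: Asterisk's default RTP range from rtp.conf; match your PBX's range.
RTP_PORTS = range(10000, 20001)
DSCP_EF = 46  # Expedited Forwarding, the usual marking for voice media

def build_udp_packet(tos, dst_port, src_port=40000, payload=b"\x80" * 12):
    """Constructed sample: minimal IPv4 + UDP packet (checksums left at zero)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([203, 0, 113, 10]), bytes([192, 168, 1, 50]))
    return ip + udp

def classify(packet):
    """Return (queue, reason) for one inbound IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("default", "not-ipv4")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return ("default", "bad-header")
    dscp = packet[1] >> 2                 # top 6 bits of the ToS byte
    if dscp == DSCP_EF:
        return ("voice", "dscp")          # marking survived the WAN path
    if packet[9] == 17 and len(packet) >= ihl + 8:   # protocol 17 = UDP
        dst_port = struct.unpack_from("!H", packet, ihl + 2)[0]
        if dst_port in RTP_PORTS:
            return ("voice", "port")      # no marking, but port range matches
    return ("default", "unmarked")

def demo():
    samples = {
        "marked RTP": build_udp_packet(0xB8, 14000),    # ToS 0xB8 = DSCP 46
        "stripped RTP": build_udp_packet(0x00, 14000),  # provider mark lost in transit
        "other UDP": build_udp_packet(0x00, 443),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Port-based matching treats any UDP traffic to that range as voice, so it is only as precise as the forwarding or firewall rule in front of it.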
 
> The router doesn't tag packets, but prioritizes them according to the tagging already present. With inbound VoIP packets I have found it most practical to prioritize traffic in the PIAF RTP port range. Of course, that requires that those ports are forwarded to PIAF - something one must do anyway if your PBX RTP ports are exposed to the internet.

Hmm...seems strange that a router would prioritize (presumably) untagged packets but not add tags to them. I want those inbound packets tagged so that the next device in line, the gigabit switch, knows to maintain the prioritization.

BTW, and this was a revelation to me a couple months ago, you probably do NOT have to forward ANY ports to your PiaF box. I use voip.ms through my FVS318 router with 5060 and RTP forwarding turned OFF. Apparently the registration with voip.ms starting from PiaF is enough. It was some security thread on here that got me to hunt this down. Seems like it might not work with all routers. If you take phones off-site and want to register them to your PiaF without a VPN tunnel, then you may need to open ports to the Internet. Hopefully QoS tagging works whether you have the ports forwarded or not.

Re. checking voip.ms packets, here's an article I wrote on configuring a switch and checking for tagged packets:

Basic QoS Setup on a Cisco SG 200 Switch

Maybe the info on checking tags in Wireshark will be relevant. You should be able to check your voip.ms packets that way if a) you have a hub or b) you have a switch that does port mirroring. One way or another, your PC needs to see the same packets that are arriving at your PiaF box.

I ordered an E2000 to play around with for starters. We'll see how far I get with that.
 
> If you take phones off-site and want to register them to your PiaF without a VPN tunnel, then you may need to open ports to the Internet.

That is why I forward ports - smartphones running Bria in my wife and I's pockets.
 
