With a little tuning, the Application restrictions were fine, except of course for the fact that I couldn’t use XCode, but I guess that developers aren’t really in the Parental Controls target audience.

I never really got into the time restrictions properly, whenever I exceeded my limits, I just typed in the admin password, and gave myself more time.  The system is entirely workable however, it just wasn’t the point of my experiment.

The Mail and I assume Chat restrictions worked quite well.  Despite the intrusive nature of the process, if we’re talking about managing a child online, then the system works exactly as I’d want it to.

Like all web filters, the content filters leave a little to be desired, I couldn’t read a page on the supposed dangers of Soy Milk, I assume, because it mentioned the effect Soy Milk is supposed to have on ones libido.  But I could successfully search for breast tattoos on google images, and get to see naked chicks, some were even goths as per my previous post.  What really let the content filtering down was it’s complete failure to handle SSL – All SSL sites are blocked by default, and the error messages and silent failures are anything but helpful.  Some more investigation is warranted here, I can’t help but think that the OS is running a transparent proxy to check the pages, which would mean that it would work with any installed browser, which would be a good thing (bring on Firefox or Opera) but makes handling SSL difficult.

Overall, the experience wasn’t nearly as bad as I expected if Apple can overcome the SSL problems, then I can see how Parental Controls could be a useful tool.  Of course, the experiment did reinforce something that I already new – It is only a tool, and no substitute for effective communication between the Parent and the Child.

Possibly Related Posts:

• Parental Controls and XCode
• Parental Controls – First Impressions
• OSX Parental Controls

I was able to create an XCode group as a member of Developer Tools and Developer Documentation.  Adding Loom at Work to that group got the XCode environment working for that user, even though the user is a managed user.

The Loom at Work account has no restrictions on aplication execution though, and that is more significant than I first realised.    I’ll go as far as saying it should have been obvious.  Loom is heavily restricted when compared to Loom at Work, so much so that even attempting to compile with XCode fails.  Loom can’t run any of the tools necessary to compile code.  Adding the tools progressively into the allowed applications list eventually gets a successful compile. But permission is needed to even run the new executable.

It seems that XCode and Application restrictions are not going to work nicely together – ever.  Like I said, it should have been obvious.

Until I can work out how to address the problem, it looks like no software development for Loom.

Possibly Related Posts:

• Parental Controls – Wrapping things up
• Parental Controls – First Impressions
• OSX Parental Controls

I expected that the process of taking away my membership of the Administrator group would lead to problems running some of my applications, I wasn’t wrong.  The two applications that I’ve run into problems with so far are Wireshark and XCode.I use Wireshark quite a lot at work, and the problems running it relate more to the fact that my recent installation of Snow Leopard changed things than to turning Parental Controls on.  On OSX, Wireshark uses the /dev/bpf* devices to enable traffic sniffing, and by default these are owned by the root:wheel use and group with only the root user being able to access them.

sudo wireshark

will get wireshark running as a standard user, but :

1. that is bad,and
2. my “Loom at Work” account isn’t in the wheel group anyway

The solution that Wireshark users on OSX adopt is to use a ChmodBPF startup item, which changes the ownership and permissions of the devices at each boot.  Normally, this would set the group for the devices to the Administrators group, in my case, I have created a wireshark group, and added both the Parent and Loom at Work users.

XCode was a bit more complicated. Pretty much everything works as a non-admin user, except for running and debugging code, for this a special permission is required.  A permission that is granted to the normally hidden “Developer Tools” group, a group which the Administrators group is, not surprisingly, a member of.

Managing Users and groups at this level with OSX’s DirectoryService is not exactly straightforward, at least it wasn’t straightforward for me initially.  Once I found the Workgroup Manager application, which is part of the OSX Server Tools, things were simple.  It appears that there are two developer related groups, Developer Tools and Developer Documentation.  My soultion was to create an XCode group, which is a member of both of those groups, and add both of my managed users to that Group.

The Workgroup Manager application gives me a lot more insight into exactly how flexible OSX can be when it comes to account restrictions.  It seems to me that the standard “Parental Controls” feature is actually just a wrapper for a much more complete user management system.

With that housekeeping aside, I was free to move on to appreciating the experience of being a “Manager User’.  Keep in mind that , as this is a closed process, I control all three of the Loom, Loom at Work and Parent accounts.

The following observations relate specifically to the Loom account.

Application Restrictions

The default set of restricted applications suggested by OSX is reasonably sane.  In addition to the default set, I had  given myself access to Photoshop, Corel PhotoPaint and a couple of other imaging related applications right from the start.  No access to the Preferences panel is annoying, but on a well set up machine, it shouldn’t be a problem.

After less than an hour of  doing “stuff” under these restrictions, I found that I needed – really needed – access to Terminal, playing with *nix based devices will do that do you.

The other  thing that I can’t live without is SecondLife, but that’s just me.

Content restrictions

Initially, web access was not very successful.  As I mentioned in my previous post, https is a problem, and not only because it needs parental approval every time you visit a new site.  Normally, when the content filter decides I can’t see a page, I get a nice message telling me that that is the case.  Seraching for “Naked Goth Chicks” on google images results in the following.

I can click the Add Website and get Parent to let me keep browsing,  Parent can choose to let me through just once, or anytime I like.

When I try to connect to https://www.google.com, I get this result instead

Not nearly as helpful.  Parent needs to add the https://google.com to the approved sites list using the Parental Controls preferences pane.

If that was the end of the problem, it wouldn’t be so bad.  www.secondlife.com is an example of the difficulty that can come from this limitation.  The SecondLife portal allows a user to login and perform various account management.  the portal itself is all HTTP, but much of the traffic is HTTPS traffic.  Only, the traffic doesn’t go to www.secondlife.com, it instead goes somewhere like https://load-balancer18.lindenlab.com.   This conversation silently fails, and since the user gets no feedback about what failed, it is very hard to fix easily.  The load-balancer18.lindenlab.com will turn up in the blocked sites log – more on that later – but simply adding it to the allowed sites list from there doesn’t help, since next time, it could be a different machine in the load balancer pool.  The solution is to add https://lindenlab.com to the allowed sites list, since this allows access to all of the sub-domains as well.  There are a lot of sites that use SSL only for important parts of a session, and serve static content from entirely different servers and domains.

Despite these hiccups, the system isn’t too bad, it hasn’t really hampered my day to day browsing.  I have already had a few experiences of being  allowed access to one page in a site, while being blocked from a page that it links to.  In each case that this has occurred, checking the logs and viewing the blocked content using Parent has led to pages containing some sort of adult content.  Of course, we are relying here on someone else’s definition of adult here, which is a subjective thing.  The ability to easily grant access to blocked content on a case by case basis does a good job of negating the effect of this subjectivity.

Email/iChat

I haven’t been able to use iChat at all since I switched Parental controls on.  I used to use iChat connected to a Messenger account through a Jabber gateway.  The Parental Controls don’t support Jabber, and so, I have no messaging.  Microsoft Messenger is installed on my MacBook, and although I haven’t tried it, I’m guessing that I could use it unfiltered to chat with people, if only my Parent would let me.  The Parental Controls for iChat only support MobileMe, Mac.com and AIM accounts. I expect that the experience is similar to using Mail.

I deliberately opted for a clean slate approach when I switched on the email Parental Controls.  Mail and iChat are both limited to approved contacts only, and I left the initial contacts list empty.  I did switch on the approval mechanism though.  Every email with a non-approved email address (and I assume iChat contact) received by Loom triggers an email to Parent.  The email sent includes the full text of the email received.  Trying to send an email to a non-approved address prompts Loom to “Request Permission” first.  The  emails received by the Parent present a toolbar allowing Parent to approve (or dis-approve) of the contact for Loom.  When approved, the mail which was previously hidden from Loom is visible on the next mail refresh.

I’m not sure how the process work work with another mail client tough – say Outlook – the approval messages seem to use custom Apple headers.

Even though I am both Loom and Parent, I can’t begin to explain how invasive the process feels to me.  Even though Parent only sees the first email received from any given contact, the fact that they see even that email bothers me.  As a parent, I can see how important this is, and would like to see an “Approve this eMail” button in there next to the “Approve Contact” button.  Clearly a dialog between Parent and Loom needs to occur here.

The other benefit to the Parental Controls is that all of the Junk eMail rules get processed by Parent‘s mail account, and the Loom will only ever get parentally-approved spam.

Time restrictions

Initially, I thought that the time restrictions that I imposed were quite reasonable – for me at least.  3 hours a day on weekdays, seemed like plenty.  The 10pm cut-off seemed reasonable.

15 minutes before time runs out, either total time on the computer, or the curfew kicks in, Loom is prompted to add more time.  Naturally, the Parent needs to enter a password here to allow a time extension.  It is important to note that time logged seems to be what counts here, so even if only a screen-saver is running, I am still using my allocated time.  I need to do some testing to confirm this however.  In the meantime, I have set a 15 minute automatic logout to minimise time loss when I wander away for an hour or two.

I have found myself repeatedly adding time to Loom‘s session, and allowing myself to remain logged in past curfew, explaining to my inner Parent – quite successfully – that I am in th middle of something important, last night, it was reconfiguring my asterisk box.

The time extensions aside, I have found that these self-imposed limits are changing the way I use the computer – I am forced to prioritise my time.  I am planning to stop arbitrarily awarding myself more time – likely to be a failed plan – after I extend my weekend time allocation out to 7 or 8 hours.

Logging

OSX Parental Controls logs activity into four categories :

• Websites Visited,
• Websites Blocked,
• Applications and
• iChat

They track exactly what the names imply.  The Websites visited log gives a mechanism to block future access to a site, and the Websites Blocked log allows a site to be approved.  Both logs can be sorted by date or site, and filtered by time.  Any of the visited pages can be easily opened Parent.  The Applications log can be similarly sorted and filtered, and simply records how many times an application was used and how much time was spent using that application.  I can see potential for application level time restrictions here.  Until I work out how I’m going to test the iChat filters, I can’t report on how the logging works.

I’m a little surprised that there isn’t some kind of Mail log as well, detailing how many messages were sent to which contacts, possibly showing the content of those messages.

Like the Mail contact approval process, the website logs can be incredibly invasive.  Everything that I have looked at, including my failed searches for Naked  Goth Chicks are logged there.  That is of course the point.  Like all of these tools, they will only work well if they are part of a dialog between Parent and the Loom.

As Parent the logs give me enough information to talk to Loom about what it is that I am doing on the web, what Parent doesn’t get to see is what Loom actually looked at on Facebook.

Even more Parental Controls

My current obsession with Parental Controls and OSX led me to a search for more information on the subject.  So far I have found two more applications which include additional controls.

• the DVD Player and
• iTunes

The DVD player has a per account Parental Control option which requires an Administrator password to activate and deactivate.  Once active, Parent needs to approve each DVD to be viewed by Loom.  Approval can be granted for all future uses of that DVD or for a single session only.  Whilst I have activated this feature, since I don’t watch many DVD’s on my MacBook, it probably won’t affect me greatly.

iTunes allows access to Various types of media to be restricted, and also enables content filtering on the iTunes Store.  I have allowed all content types for Loom, but restricted iTunes store access to explicit material, and filtered Movies, TV shows and Applications to Australian  PG, PG and 12+ respectively.  I can only see the explicit content block and the restriction on iPhone applications actually affecting me since I have never used the other services.  Interestingly, the settings appear to have no effect on the iPhone Apps that I have already downloaded, or on the music already in my library.

Next Steps

I am still using Parent fairly regularly,  fine tuning Loom‘s web access, and approving contacts.  I expect that things will settle down on that front in the next few days.  It is the feeling that everything I do is being monitored that I am having trouble getting used to.

As nonsensical as the statement is – there is absolutely nothing that I do on my MacBook that I disapprove of – I still feel as if I need to change my behavior because someone is constantly looking over my shoulder.

Possibly Related Posts:

• Parental Controls – Wrapping things up
• Parental Controls and XCode
• OSX Parental Controls

The Australian governments recent Clean Feed internet trials have also got me thinking about exactly how the tools that are supposed to be there for users actually are.

Like many workplaces, mine implements web and spam filtering software and firewalls which very rarely actually get in the way of me doing my job.  Of course, I also know how to completely bypass them when they won’t let me look at www.2600.com because it’s a hacking site.  Or spend more than an hour on other sites because the filter thinks that they aren’t work related.

The plan

About four months ago, I switched from a Linux based laptop to a MacBook – that is probably the subject of a blog post in itself – suffice it to say that I am now happily using OS X 10.7 which happens to include what appears to be a decent set of parental controls.  Today I decided to switch them on, and subject myself to “Parental Control”

Of course, it isn’t as easy as simply turning the controls on, setting the defaults and leaving it at that.  Aside from seeing what it is like to live in a restricted environment, I still need to be able to do work at work – and while that doesn’t necessarily mean a local admin account on OSX, it does mean I can’t use some of the more interesting Parental Control features.

The setup

With the above in mind, I have set up 3 accounts.  My original “Loom” account, a “Loom at Work” and a “Parent”.  I have also created a dedicated email address for the Parent account, and configured Mail accordingly.  The “Parent” account is the only member of the Administrators group, and is used to manage Parental Controls for the other accounts.  The “Loom at Work” account is standard user account that is restricted to logging in between the hours of 7am and 6pm Monday to Friday.

The “Loom” account is much more restricted :

• The set of usable applications is limited to Parental Controls default
• The dictionary profanity filter is turned on
• The automatic adult website filter is turned on (I tried the restrict to a limited set option, but it was too painful)
• Mail and iChat are both limited to approved contacts only.
• I am limited to 3 hours per day computer time on weekdays and 4 hours per day on weekends
• “Bedtime” is set to 10pm-7am for “school-nights” and midnight-7am for weekends

Since I also have the password to the Administrator account, it is easy for me to change these settings if I want to, my intent is to change them only if I need to.

Using applications

If something is on the approved list, it will run, if not, I get prompted to allow it to run once, or to be permanently added to the allowed applications list.  My intent is to use “Allow Once…” the first time I receive this message for an application and “Always Allow…” should I receive them regularly.  I expect that the list of approved applications should settle down after a few days.

Mail and iChat approval

The list of approved contacts is empty to begin with.  Every time an email is sent to or received from an address not on the list, an email is sent to the admin account to request approval.  This email includes the full text of the one to be sent or received.  Again, I intend to approve all contacts.  I’m only bothering to do this to get a feel for the process.

Time Extensions

There is provision for the Parent to allow logins beyond the imposed time restrictions.  At this stage I am not planning to allow any activity outside of the restrictions, the exception will be allowing the “Loom at Work” account to log in if needed.

The experience so far

After 3 hours, the only issue I have found is that the content filter blocks all https traffic to domains which aren’t explicitly added to the whitelist. When the domains in question are embedded in other pages, the popup “get an administrator to approve this” button doesn’t work, and the preferences pane is needed.

More significantly though, the idea of blocking all secure traffic because it is secure bothers me.

Where to next

A day is hardly enough time to draw conclusions, I hope to have more to report in a day or two.

Possibly Related Posts:

• Parental Controls – Wrapping things up
• Parental Controls and XCode
• Parental Controls – First Impressions

As in my previous posts, I have created a file called extensions_local.conf under /etc/asterisk and included it in my extensions.conf file using

#include extensions_local.conf

This file is broken into a series of sections – called contexts.  There should be a section for each “context=” line in the sip_local.conf  and iax_local.conf files.

In my case, they are

• from-internal
• from-remote
• incoming-call

The context= lines match to the sections in the extesnsions_local.conf file, and tell Asterisk where to start processing rules when someone picks up an extension, or dials in.

Starting with the last context first, when we recieve a call on the SIP line from PennyTel
[incoming-call]
exten => _X.,1,Dial(SIP/1000&SIP/1001)

The [square brackets] mark the beginning of a section

the “exten => ” consists of three parts, a pattern to match, an execution order and a command to execute.  The pattern is “_X.”  which matches all incoming numbers.  Since the is only one rule here, it will get executed. The command is “Dial(SIP/1000&SIP/1001)”  This tells asterisk to Call extensions 1000 and 1001 and connect the call to the first one which answers.

The next section is [from-remote] – calls from our IAX2 trunk to another Asterisk server

[from-remote]
include => incoming-call

This section is fairly straight forward the “include =>” line tells asterisk to include all of the rules under incoming-call in this section as well.  So Calls from out PennyTel number or friendly Asterisk box will cause both of our local extensions to ring.

Now the from-internal section.  These rules are processed when someone picks up one of our extensions and starts dialling.

[from-internal]
exten => 1000,1,Dial(SIP/1000)
exten => 1001,1,Dial(SIP/1001)
include => to-remote
include => dial-out

The first two lines allow the extensions to call each other.  The includes are there to make the file more manageable, I could have kept everything in one section, but I prefer to break things down by function.

The final two sections are below.

[dial-out]
exten => 000,1,Dial(SIP/PennyTel/000)
exten => _0011,1,Dial(SIP/PennyTel/${EXTEN:4})
exten => _0NXXXXXXXX,1,Dial(SIP/PennyTel/61${EXTEN:1})
exten => _ZXXXXXXX,1,Dial(SIP/PennyTel/613${EXTEN})
exten => _1300XXXXXX,1,Dial(SIP/PennyTel/61${EXTEN})
exten => _1800XXXXXX,1,Dial(SIP/PennyTel/61${EXTEN})


[to-remote]
exten =>_8XXXX,1,Dial(IAX2/ToRemote/${EXTEN:1})

The pattern matching rules are quite powerful, more detail can be found here.

Possibly Related Posts:

• Configuring Asterisk – Part 3
• Configuring Asterisk – Part 2
• Configuring Asterisk – Part 1
• OpenWRT and Asterisk – my new PABX
• It begins…

Connecting to Asterisk boxes together using IAX2.

Basically, I’m creating two IAX2 connections between two boxes, one in each direction. The code below goes in iax.conf – or if you’ve been following my other posts iax_local.conf.

Replace the fields listed below with whatever is appropriate for you. Usernames and passwords can be whatever you like, they only exist within Asterisk.

And of course, swap the local and remote stuff around for one end of the connection

LOCALNAME : username for the remote connection to use when connecting to the local connection
LOCALPASSWORD : A local password for the remote connection to use when connecting to the local connection

REMOTENAME : username for the local connection to use when connecting to the remote connection
REMOTEPASSWORD : password for the local connection to use when connecting to the remote connection
REMOTE.ASTERISK.BOX : The ip for name of the remote asterisk box (I use dyndns.org)

If the Asterisk servers are behind firewalls, then the approriate port (4569) will need to be forwarded

[LOCALNAME]
type=user
secret=LOCALPASSWORD
nat=yes
context=from-remote

[ToRemote]
username=REMOTENAME
type=peer
secret=REMOTEPASSWORD
qualify=yes
nat=yes
host=REMOTE.ASTERISK.BOX
context=from-remote


My next post will cover dialling rules which should make everything work together nicely.

Possibly Related Posts:

• Configuring Asterisk – Part 4
• Configuring Asterisk – Part 2
• Configuring Asterisk – Part 1
• OpenWRT and Asterisk – my new PABX
• It begins…

While this is incredibly exciting – for about 5 minutes – it isn’t actually very useful. In this article, I’ll be adding the first of two Trunks to Asterisk.

Again, my terminology is what works for me, I recognise that some people may disagree with this and suggest that I should use the propper terms for everything – I even agree with people who say that kind of thing – but it doesn’t mean that I’m going to do it. As far as what I’m doing here goes, a Trunk is any connection to the outside world. I’ll be setting up a connection to a VOIP provider using SIP, later, I’ll and an IAX2 connection to another ASterisk box – run by a friend of mine.

Connecting to a VOIP provider.

I use PennyTel for my VOIP provider, I live in Australia, they’re in Australia, and I’m happy with their offering. In particular, cheap calls, and a normal phone number that supports multiple dial-in lines.

PennyTel let me connect using SIP, so the configration goes in the same sip_local.conf file that we created in Part 1. If you wanted, you could use #includes in the cip.conf to seperate extensions and trunks into two seperate files – in fact I may do that myself some time.

Basically, we add the following blocks into sip_local.conf to create an incoming and an outgoing connection for PennyTel.

[613nnnnnnnn]
username=nnnnnnnn
type=user
secret=PASSWORD
qualify=yes
nat=yes
fromuser=613nnnnnnnn
context=from-trunk
canreinvite=no

[PennyTel]
username=613nnnnnnnn
type=peer
secret=PASSWORD
qualify=yes
nat=yes
insecure=very
host=sip.pennytel.com
disallow=all
context=from-trunk
canreinvite=no
canredirect=no


And finally so PennyTel knows where to find us when a call comes in, add the following to the [General] section of sip.conf

register=613nnnnnnnn:PASSWORD@sip.pennytel.com/613nnnnnnnn


Possibly Related Posts:

• Configuring Asterisk – Part 4
• Configuring Asterisk – Part 3
• Configuring Asterisk – Part 1
• OpenWRT and Asterisk – my new PABX
• It begins…

I break everything in Asterisk into one of three categories – I’m sure someone will tell me I’m wrong on this – Extensions, Trunks and The Rules. These categories have may or may not be related to do with the names of the files that they are configured from, they are just the way I think about this stuff.

Extensions – These are the actual telephone(s) that are connected to your PBX

Trunks – these are the connections from your PBX to the outside world and/or other peoples PBX’s

The Rules – these are the bits which make everything work.

The easiest place to start is probably setting up extensions. In my case, I’m using a Linksys PAP2T to provide two local extensions. The set up of each of these is a two step process :

1. Configure asterisk to take a SIP connection
2. Configure the PAP2T to connect to Asterisk

My Asterisk box is running on an Accton MR3201a at 192.168.0.30, my PAP2T is configured to use DHCP, usually 192.168.0.50. To configure the Asterisk end of the connection ssh into the MR3201 and edit sip.conf using vi. First though a note on Asterisk configuration files.

Asterisk has a whole bunch of configuration files, most of them contain stuff that I’ll probably never need to worry about or change. Fortunately Asterisk lets me include one config file from another. When I want to change or add to sip.conf for example, I have just added the line

#include sip_local.conf

to the end of the file, and make all my changes in sip_local.conf so that they are easier to find and manage. Anyway, back to connecting the PAP2T to Asterisk …

~> ssh root@192.168.0.30
root@192.168.0.30's password:

BusyBox v1.4.2 (2007-07-23 05:59:27 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.07) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:~# cd /etc/asterisk/
root@OpenWrt:/etc/asterisk# ls
agents.conf             extensions.conf         modules.conf
alarmreceiver.conf      extensions_demo.conf    musiconhold.conf
asterisk.conf           extensions_local.conf   osp.conf
cdr.conf                features.conf           privacy.conf
cdr_custom.conf         iax.conf                queues.conf
cdr_manager.conf        iax_local.conf          rtp.conf
codecs.conf             iaxprov.conf            sip.conf
dnsmgr.conf             indications.conf        sip_local.conf
enum.conf               logger.conf             sip_notify.conf
extconfig.conf          manager.conf            sip_registrations.conf
extensions.ael          misdn.conf
root@OpenWrt:/etc/asterisk# vi sip_local.conf

I’m going to assume that you know how to use vi – if you don’t try installing joe, which at least gives a help screen when you press Ctrl-K Ctrl-H

<code>ipkg install joe</code>

The first entry in my sip_local.conf is

[1000]
type=friend
secret=PASSWORD
qualify=yes
nat=yes
host=dynamic
context=from-internal
canreinvite=no
callerid=device <1000>


The [ ] is a section header in most configuration files, in this case [1000] sets the SIP user name.

• type=friend means that this device will be able to send and receive calls, other options are peer and user
• secret=PASSWORD is pretty obvious
• qualify=yes tells asterisk to regularly ping the connection to make sure it’s latency isn’t to high for VOIP operations
• nat=yes tells asterisk that the device is behind a NAT firewall
• host=dynamic tells asterisk that the device may change its IP address, and will tell us where it is. You could also put a static IP address here.
• context=from-internal tells Asterisk what context to start in when processing The Rules – we’ll get to that later
• canreinvite=no does something that I understand but can explain in one sentence try here for more detail
• callerid=device <1000> sets the caller id for the device

I have two entries like this set up, one for each of the two channels on the PAP2T

To set the PAP2T, login to the web interface as adiministrator and set the SIP proxy to the address of the MR3201a (192.168.0.30) in my case, the User name to 1000 and the password to the one specified above.  this is obviously repeated for each channel as well.

Now, plug in a telephone (or two) and asuming everything is ok, nothing at all will happen – since no extensions are set up yet.

To test that things are working, add the following to extensions_local.conf (remember to add a #include to extensions.conf as well)

[from-internal]
exten => 1000,1,Dial(SIP/1000)
exten => 1001,1,Dial(SIP/1001)


Now pick up extension 1000 and dial 1001, extension 1001 should ring – you may need to get Asterisk to reload it’s configuration before this will work.

The next post will explain how to set up a SIP trunk to Pennytel, and after that, we’ll get into some detail with The Rules

Possibly Related Posts:

• Configuring Asterisk – Part 4
• Configuring Asterisk – Part 3
• Configuring Asterisk – Part 2
• OpenWRT and Asterisk – my new PABX
• It begins…

To give you an idea of the size of the MR3201, her is a picture of one

12933|300px

Yes, that little box really is running a full-blown PABX

Anyway, enough of that, how to set it up

Using Linux on a PC with a free ethernet port run the following:

wget http://www.open-mesh.com/flashing/easyflash
chmod +x easyflash
wget
http://downloads.openwrt.org/kamikaze/7.07/atheros-2.6/
openwrt-atheros-2.6-vmlinux.lzma
wget
http://downloads.openwrt.org/kamikaze/7.07/atheros-2.6/
openwrt-atheros-2.6-root.squashfs


Directly connect to the MR3201a using a standard cat5 patch lead – don’t power the MR3201a yet

Execute the following:
sudo ./easyflash eth0 openwrt-atheros-2.6-root.squashfs openwrt-atheros-2.6-vmlinux.lzma


Now connect power to the MR3201a.

Wait for a while, this will replace whatever firmware is on it with OpenWRT 7.07

The clean firmware install uses an IP of 192.168.1.1 the following should get the local ethernet to work
sudo /sbin/ifconfig eth0 192.168.1.2/24

By default OpenWRT runs a telnet server until a password has been set at which point it switches to an ssh server.

telnet 192.168.1.1
login as root
passwd


The network configuration is stored in /etc/config/network mine looks like this…

# Copyright (C) 2006 OpenWrt.org
config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
config interface lan
option ifname eth0
option type bridge
option proto static
option ipaddr 192.168.0.30
option netmask 255.255.255.0
option gateway 192.168.0.1
option dns 192.168.0.1


A restart will set the device to it’s new IP
reboot

now to update the ipkg repositories and get some packages installed

The file /etc/ipkg.conf has a list of repositories in it. I use :

src release http://downloads.openwrt.org/kamikaze/7.07/atheros-2.6/packages
src packages http://downloads.openwrt.org/kamikaze/packages/mips
src extras http://downloads.openwrt.org/kamikaze/7.07/packages/mips
dest root /
dest ram /tmp

To get asterisk installed, use the following ipkg commands
ipkg update
ipkg upgrade
ipkg install asterisk
ipkg install asterisk-sounds

/etc/init.d/asterisk enable
/etc/init.d/asterisk start


All that remains is to configure trunks and extensions. Which will be in a later post. Configuration files for asterisk are located in /etc/asterisk

EDIT: Asterisk will fail to start when trying to load the zaptel channel driver. we don’t need this, so add the following to /etc/asterisk/modules.conf

noload => chan_zap.so ; Don't load zaptel


Possibly Related Posts:

• Configuring Asterisk – Part 4
• Configuring Asterisk – Part 3
• Configuring Asterisk – Part 2
• Configuring Asterisk – Part 1
• It begins…

And most importantly, a box of Codral Cold & Flu tablets, for the Cold that I’m getting, since I am not getting the Flu.

Possibly Related Posts:

• So this is it