Ioannis A. Konstas

Telco Build — Carrier Infrastructure Stack

Educational · Open Source

Production-grade open carrier telecom stack

Full build log of a 10-VM carrier telecom infrastructure — from hypervisor network isolation to SIP proxy clustering, real-time billing, database high availability, centralized security monitoring, and a planned BGP routing fabric. Built on isolated virtual networks with MTU 9000 jumbo frames. Every value sanitized for community learning.

Tags: kamailio · asterisk · a2billing · mariadb · ossec · zabbix · opensearch · gre tunnels · bgp · sip / lcr · ubuntu 22.04 · voip

Core Architecture

      Internet / SIP Carriers / PSTN Gateways
                 │
                 ▼
┌──────────────────────────────────────────────┐
│ kamailio-01            kamailio-02           │ ← Active/Active SIP cluster
│ SIP Proxy · LCR        SIP Proxy · Failover  │ ← LCR: cheapest carrier per E.164 prefix
│ Fraud detect · TLS     Cluster heartbeat     │ ← Cluster state over SYNC network
└────────────────┬─────────────────────────────┘
                 │ VOICE — MTU 9000 — no uplink (hypervisor air gap)
┌────────────────┴───────────────────────────────────┐
│ asterisk-01 · asterisk-02 · asterisk-03            │ ← Dispatcher-balanced PBX pool
│ PJSIP trunks · dialplan · CDR logging              │ ← A2Billing AGI: pre-call auth sub-second
└────────────────┬───────────────────────────────────┘
                 │ DATA — MTU 9000 — no uplink (hypervisor air gap)
┌────────────────┴─────────────────────────┐
│ a2billing-01           a2billing-02      │ ← Real-time call authorization engine
│ mariadb-01             mariadb-02        │ ← CDR, subscriber, rate table storage
└───────┬───────────────────┬──────────────┘
        │                   │
        │ SYNC — MTU 9000   │ SYNC — MTU 9000
        │ no uplink         │ no uplink
┌───────┴───────────────────┴──────────────┐
│ Kamailio cluster heartbeat               │
│ MariaDB primary→replica stream           │
└──────────────────────────────────────────┘

monitor-01 — OSSEC server · Zabbix · OpenSearch · Apache
Observes all VMs via Voice + Data internal networks

Planned: GRE Tunnel Topology

Phase 7 extends the stack across sites using GRE tunnels at the SIP proxy layer. Each Kamailio node is a GRE leaf endpoint. SIP/RTP rides the GRE tunnel (low overhead, no per-packet encryption cost on the data plane), while WireGuard carries the control and management plane separately with full encryption. The trade-off is that GRE provides neither confidentiality nor authentication: whatever crosses an untrusted path inside the tunnel is readable and spoofable in transit. Inter-site SIP signalling should therefore stay on the TLS/SIPS transport configured in Phase 4, RTP inside GRE is cleartext unless the endpoints negotiate SRTP, and the site edge should accept GRE (IP protocol 47) only from the known peer address so that nobody else can inject packets into the tunnel. Where that is not acceptable, the GRE tunnel can itself be carried inside the WireGuard link at the cost of the per-packet crypto the design is trying to avoid.

Local datacenter                              Cloud / Remote site

[kamailio-01]──GRE tunnel──────────────►[cloud-kamailio-01]
[kamailio-02]──GRE tunnel──────────────►[cloud-kamailio-02]
      │                                          │
  WireGuard                                  WireGuard
 (mgmt plane)                               (mgmt plane)

Data plane: GRE        ← SIP/RTP, high throughput, minimal overhead
Ctrl plane: WireGuard  ← encrypted, authenticated, low bandwidth

GRE allows SIP/RTP to traverse without per-packet crypto overhead.
WireGuard provides management isolation: config, monitoring, SSH.
DNS failover (Cloudflare) switches SIP registration on site loss.

Planned: BGP Leaf-Spine Routing Fabric

Phase 9 introduces a BGP routing fabric using CSR1000v virtual routers as spine nodes. Each SIP proxy cluster becomes a BGP leaf, advertising its SIP prefix routes. ECMP across the spine nodes provides carrier-grade load balancing and sub-second route convergence on failures. Sub-second convergence depends on fast failure detection, not on BGP alone: with the default keepalive/hold timers (60 s / 180 s on IOS-XE) a dead leaf is only withdrawn once the hold timer expires, so the spine and leaf sessions need BFD, or far shorter timers, to reach the <1 s figure.

                       BGP Spine Layer
          [CSR Spine-01]──iBGP──[CSR Spine-02]
            /        \            /        \
         eBGP       eBGP       eBGP       eBGP
   [kamailio-01]  [kamailio-02]  [asterisk-01..03]
     AS 65001       AS 65001        AS 65002
       leaf           leaf            leaf

Each Kamailio leaf advertises:  SIP route prefix for its carrier trunks
Spine provides:                 ECMP across both Kamailio nodes
On leaf failure:                BGP withdraws route → traffic shifts in <1s

CSR1000v (Cisco IOS-XE virtual router) runs as a VM on the same hypervisor.
Existing CSR VMs can be cloned and configured as spine/leaf nodes without additional hardware.
Why BGP for a telecom stack?
Kamailio already performs per-call routing (LCR). BGP adds per-prefix routing at the network layer — two different decisions. LCR selects the cheapest carrier for a destination number. BGP selects the best path for packets to reach that carrier's SIP endpoint. Combined, you get routing decisions at every layer: IP, SIP, and call.

VM Stack

VM            Role                                 Networks            Phase 2 status
kamailio-01   SIP Proxy — primary (LCR + fraud)    Ext, Voice, Sync    Monitoring
kamailio-02   SIP Proxy — secondary (failover)     Ext, Voice, Sync    ✓ Agents
asterisk-01   PBX — primary                        Ext, Voice, Data    ✓ Agents
asterisk-02   PBX — secondary                      Ext, Voice, Data    ✓ Agents
asterisk-03   PBX — tertiary                       Ext, Voice, Data    ✓ Agents
a2billing-01  Billing — primary (real-time auth)   Ext, Data           ✓ Agents
a2billing-02  Billing — secondary                  Ext, Data           Recovering
mariadb-01    Database — primary                   Data, Sync          No ext NIC
mariadb-02    Database — replica                   Data, Sync          No ext NIC
monitor-01    OSSEC · Zabbix · OpenSearch          Ext, Voice, Data    Installing

Network Design

Network      Physical uplink    MTU    IP range         Purpose
Management   Physical NIC       1500   <mgmt-net>       Hypervisor management — invisible to VMs
External     Physical NIC       1500   <ext-net>        SIP trunks, internet, customer portals
Voice        None (isolated)    9000   10.10.10.0/24    Kamailio ↔ Asterisk internal SIP/RTP
Data         None (isolated)    9000   10.20.20.0/24    MariaDB ↔ A2Billing ↔ Asterisk CDR
Sync         None (isolated)    9000   10.30.30.0/24    DB replication + Kamailio cluster heartbeat

Security & Monitoring Stack

OSSEC HIDS

Server on monitor-01, agents on all 9 VMs. Real-time file integrity monitoring of /etc, /bin, /sbin, /usr/bin and /usr/sbin. Active response auto-blocks attacking IPs within seconds via local firewall rules. Alerts on Level 7+ events via email. On the SIP-facing VMs the carrier trunk addresses belong on the active-response white list: a burst of failed digest challenges or malformed SIP from a carrier gateway would otherwise get that carrier firewalled, which from the outside looks like an outage.

Zabbix 6.4

Zabbix Agent2 on all VMs. ISP connectivity monitoring (ping loss to external resolver). SIP health via OPTIONS ping to each Kamailio node. Database connection checks. CPU/RAM/disk thresholds with pre-emptive alerts before service impact.
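The OPTIONS probe behind the SIP health item, as an added example rather than the project's own Zabbix template: it builds the request a monitoring host would send to a Kamailio node, classifies the reply, and wraps the two in a live UDP probe. The target name, the probing address and the captured replies are constructed.

```shell
#!/bin/sh
# Added example (not part of the project's Zabbix templates): the OPTIONS
# probe behind a "SIP health" item. Host names and addresses are constructed;
# the replies classified below are constructed captures.

# sip_options_request TARGET LOCAL_IP -> one OPTIONS request, CRLF-terminated
sip_options_request() {
    tag=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')   # random branch/tag/Call-ID
    printf 'OPTIONS sip:%s SIP/2.0\r\n' "$1"
    printf 'Via: SIP/2.0/UDP %s:5060;branch=z9hG4bK%s;rport\r\n' "$2" "$tag"
    printf 'Max-Forwards: 70\r\n'
    printf 'From: <sip:zabbix@%s>;tag=%s\r\n' "$2" "$tag"
    printf 'To: <sip:%s>\r\n' "$1"
    printf 'Call-ID: %s@%s\r\n' "$tag" "$2"
    printf 'CSeq: 1 OPTIONS\r\n'
    printf 'Content-Length: 0\r\n\r\n'
}

# sip_status REPLY -> the three-digit code from the status line, empty if none
sip_status() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' \
        | awk '$1 ~ /^SIP\/2\.0$/ && $2 ~ /^[1-6][0-9][0-9]$/ { print $2 }'
}

# sip_health CODE -> "up" for 200, "degraded" for any other SIP reply (the
# proxy is alive and parsing SIP even if its cfg rejects OPTIONS), "down"
# when nothing came back. Zabbix receives this string as the item value.
sip_health() {
    case "$1" in
        200)             echo up ;;
        [1-6][0-9][0-9]) echo degraded ;;
        *)               echo down ;;
    esac
}

# sip_probe TARGET LOCAL_IP [PORT]: live UDP probe using OpenBSD-style nc
# flags (-u UDP, -w seconds to wait for a reply); assumption, adjust for the
# netcat installed on monitor-01. Not exercised offline.
sip_probe() {
    reply=$(sip_options_request "$1" "$2" | nc -u -w 2 "$1" "${3:-5060}")
    sip_health "$(sip_status "$reply")"
}
```

Treating any SIP reply as "degraded" rather than "down" is deliberate: a Kamailio node that answers 483 or 404 to OPTIONS is still processing SIP, and the alert you want there is about its configuration, not its liveness.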

OpenSearch (Planned)

Single-node OpenSearch on monitor-01 aggregates logs from all VMs via Filebeat — OSSEC alerts, Kamailio SIP logs, Asterisk CDR, Apache access logs, auth.log. OpenSearch Dashboards provides full-text search and visual analysis across the stack.

Cisco Firewall Segmentation (Planned)

Zone-based firewall between External, Voice, Data, and Sync segments. VMs can't communicate across zones without explicit permit rules. Complements the hypervisor air gap — software firewalling above the vSwitch layer for defense in depth.

Key Concepts

Least Cost Routing (LCR)

Kamailio evaluates the carrier rate tables on every outbound call and routes to the cheapest carrier for the longest matching destination E.164 prefix. A daily automated CSV import refreshes the rates. Automatic failover to the next cheapest carrier if the primary is unreachable or returns 503.

Real-time Billing — AGI

Every call triggers an AGI (Asterisk Gateway Interface) script that queries A2Billing before connecting. Sub-second authorization decision over the isolated Data network. Insufficient balance results in immediate rejection before ringing — no CDR post-processing lag.
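One way to see the two decisions above (LCR prefix ranking and the AGI pre-call check) working together, as an added example that is neither the project's kamailio.cfg nor A2Billing's AGI script: a shell AGI that reads the variables Asterisk hands it, looks up the dialed number in a rate table by longest prefix, and either authorizes the call with a carrier and a maximum duration or rejects it before ringing. The rate table, balances, account codes and the AUTH/CARRIER/MAXSECS variable names are constructed for illustration; in the real stack the balance comes from a2billing_db over the Data network.

```shell
#!/bin/sh
# Added example: LCR lookup plus the AGI pre-call authorization exchange.
# Not the project's kamailio.cfg or A2Billing code; the rate table, balances
# and variable names below are constructed for illustration.

# Constructed wholesale rate table: E.164 prefix,carrier,USD per minute.
RATES='1,carrier-a,0.0100
1,carrier-b,0.0080
1212,carrier-c,0.0050
1212,carrier-a,0.0070
44,carrier-b,0.0120
4420,carrier-d,0.0090'

# Constructed prepaid balances keyed by Asterisk account code (USD).
BALANCES='1001,5.00
1002,0.002
1003,0.00'

MIN_CALL_SECONDS=30   # assumption: below this the call is not worth setting up

# lcr_route DEST -> "carrier rate" lines, cheapest first, for the longest
# matching prefix only. A shorter prefix never competes with a longer match,
# which is also how the Kamailio lcr module ranks gateways.
lcr_route() {
    printf '%s\n' "$RATES" | awk -F, -v dest="$1" '
        index(dest, $1) == 1 {
            if (length($1) > best) { best = length($1); n = 0 }
            if (length($1) == best) { c[n] = $2; r[n] = $3; n++ }
        }
        END {
            # insertion sort by rate: failover order is cheapest -> priciest
            for (i = 1; i < n; i++) {
                tc = c[i]; tr = r[i]; j = i - 1
                while (j >= 0 && r[j] + 0 > tr + 0) { c[j+1] = c[j]; r[j+1] = r[j]; j-- }
                c[j+1] = tc; r[j+1] = tr
            }
            for (i = 0; i < n; i++) print c[i], r[i]
        }'
}

# max_seconds BALANCE RATE -> whole seconds the balance buys at that per-minute
# rate; the tiny epsilon keeps binary float rounding from losing a second.
max_seconds() {
    awk -v b="$1" -v r="$2" 'BEGIN {
        if (r + 0 <= 0) print 0; else printf "%d\n", int((b / r) * 60 + 1e-6) }'
}

# balance_for ACCOUNTCODE -> balance, or empty if the account is unknown
balance_for() {
    printf '%s\n' "$BALANCES" | awk -F, -v a="$1" '$1 == a { print $2 }'
}

# agi_cmd CMD: send one AGI command and consume Asterisk's "200 result=..." reply
agi_cmd() {
    printf '%s\n' "$1"
    read -r _reply || true
}

# agi_precall_auth: the AGI side of the exchange. Asterisk writes agi_* headers
# terminated by a blank line on stdin, then answers each command we print.
agi_precall_auth() {
    account=""; dest=""
    while read -r line; do
        [ -z "$line" ] && break
        case "$line" in
            agi_accountcode:*) account=${line#agi_accountcode: } ;;
            agi_extension:*)   dest=${line#agi_extension: } ;;
        esac
    done
    balance=$(balance_for "$account")
    route=$(lcr_route "$dest" | head -n 1)
    if [ -z "$route" ]; then
        agi_cmd 'SET VARIABLE AUTH REJECT_NO_ROUTE'; agi_cmd 'HANGUP'; return 1
    fi
    carrier=${route% *}; rate=${route#* }
    secs=$(max_seconds "${balance:-0}" "$rate")
    if [ "$secs" -lt "$MIN_CALL_SECONDS" ]; then
        agi_cmd 'SET VARIABLE AUTH REJECT_BALANCE'; agi_cmd 'HANGUP'; return 1
    fi
    agi_cmd 'SET VARIABLE AUTH ALLOW'
    agi_cmd "SET VARIABLE CARRIER $carrier"
    agi_cmd "SET VARIABLE MAXSECS $secs"
}
```

Asterisk invokes an AGI script with the agi_* environment on stdin and reads commands back on stdout, answering each with a 200 result line, which is why agi_cmd consumes a reply after every command. Longest-prefix-first matters because the specific prefix carries the negotiated rate: a cheaper blanket +1 row in the table would otherwise pull every 1212 call onto a carrier that may not terminate it.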

Hypervisor Air Gap

Voice, Data, and Sync have no physical NIC attached. For a VM that lives only on those segments (mariadb-01 and mariadb-02) this is a property of the virtual wiring, not a firewall rule: no uplink connects the database to the outside world, so neither a misconfigured iptables on the DB host nor a kernel exploit against it opens a path from the internet. The gap is not absolute for the stack as a whole, though. Asterisk, A2Billing and monitor-01 carry an External NIC alongside their Data NIC, so a compromised dual-homed VM is the realistic route to the database; that is what the Data-side firewall zones, the OSSEC agents and MariaDB's own authentication are there to cover.

MTU 9000 Jumbo Frames

The standard 1500-byte MTU dates from the original Ethernet specifications of the early 1980s. On an isolated virtual switch there is no physical constraint, and jumbo frames deliver 6× the payload per packet, fewer interrupts per MB, and a measurable reduction in CPU cycles on MariaDB replication streams. The MTU has to be uniform end to end: the port group or vSwitch and every vNIC on the segment must all carry 9000. A single 1500-byte interface on a flat L2 segment drops oversized frames silently, because there is no router in the path to send an ICMP "fragmentation needed" back, and the symptom is a replication stream or SIP dialog that works for small packets and stalls on large ones. A ping with the don't-fragment bit and an 8972-byte payload (9000 minus 20 bytes of IP and 8 bytes of ICMP header) between peers proves the path before anything depends on it.
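A check that turns both properties, the air gap of the previous section and the jumbo MTU, into something a node can assert about itself. This is an added example, not a script from the build log: it parses ip -o -4 addr, ip -o link and ip route output from a Data/Sync-only node, fails on any default route, any address outside the three isolated /24s, or any isolated interface below 9000, and includes a live don't-fragment ping for the path. Interface names, MACs and addresses in the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the project's build log): verify on a Data/Sync-only
# node such as mariadb-01 that the hypervisor air gap and the jumbo MTU hold.
# The sample ip(8) output below is constructed; interface names are assumptions.

ISOLATED_NETS='10.10.10. 10.20.20. 10.30.30.'   # Voice, Data, Sync /24s
JUMBO_MTU=9000

# Constructed "ip -o -4 addr show" / "ip -o link show" / "ip route" output.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens192    inet 10.20.20.11/24 brd 10.20.20.255 scope global ens192\       valid_lft forever preferred_lft forever
3: ens224    inet 10.30.30.11/24 brd 10.30.30.255 scope global ens224\       valid_lft forever preferred_lft forever'
SAMPLE_LINK='2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:01:02:03 brd ff:ff:ff:ff:ff:ff
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:01:02:04 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ROUTE='10.20.20.0/24 dev ens192 proto kernel scope link src 10.20.20.11
10.30.30.0/24 dev ens224 proto kernel scope link src 10.30.30.11'

# iface_addrs ADDR_OUTPUT -> "iface address" pairs, loopback dropped
iface_addrs() {
    printf '%s\n' "$1" | awk '$2 != "lo" {
        for (i = 1; i <= NF; i++) if ($i == "inet") { a = $(i+1); sub("/.*", "", a); print $2, a } }'
}

# in_isolated ADDRESS -> 0 when the address lies in Voice, Data or Sync
in_isolated() {
    for p in $ISOLATED_NETS; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# mtu_of LINK_OUTPUT IFACE -> MTU of IFACE as reported by "ip -o link"
mtu_of() {
    printf '%s\n' "$1" | awk -v want="$2:" '$2 == want {
        for (i = 1; i <= NF; i++) if ($i == "mtu") print $(i+1) }'
}

# node_report ADDR_OUTPUT LINK_OUTPUT ROUTE_OUTPUT -> one line per interface
# or finding, prefixed "ok" or "FAIL"
node_report() {
    if printf '%s\n' "$3" | grep -q '^default '; then
        echo "FAIL default route present: this node has an uplink"
    fi
    iface_addrs "$1" | while read -r ifc addr; do
        mtu=$(mtu_of "$2" "$ifc")
        if ! in_isolated "$addr"; then
            echo "FAIL $ifc $addr lies outside Voice/Data/Sync"
        elif [ "$mtu" != "$JUMBO_MTU" ]; then
            echo "FAIL $ifc mtu $mtu on a jumbo segment (want $JUMBO_MTU)"
        else
            echo "ok   $ifc $addr mtu $mtu"
        fi
    done
}

# verify_node ADDR_OUTPUT LINK_OUTPUT ROUTE_OUTPUT -> prints the report,
# returns 1 if anything violates the air gap or the MTU contract
verify_node() {
    report=$(node_report "$1" "$2" "$3")
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^FAIL'
}

# probe_jumbo PEER: live path check; 8972 = 9000 - 20 (IP) - 8 (ICMP), -M do
# sets don't-fragment so a 1500-byte hop fails loudly instead of fragmenting.
probe_jumbo() { ping -c 3 -M do -s 8972 "$1"; }

# On the real node: verify_node "$(ip -o -4 addr show)" "$(ip -o link show)" "$(ip route)"
```

The constructed sample deliberately has the Sync NIC at 1500 so the report shows what a half-applied MTU change looks like: the interface is up, addressed correctly and reachable for small packets, and only the FAIL line gives it away.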

Thin Clone + Machine ID Reset

vmkfstools -i with thin provisioning copies only the blocks the golden image has actually written, so a 30 GB VM clones in seconds rather than minutes on NVMe storage. The clone is an exact twin of the source, which is the problem: systemd-networkd derives its DHCP client identifier (DUID) from /etc/machine-id, so two clones with the same id request the same lease and collide. Every clone must clear /etc/machine-id and regenerate it with systemd-machine-id-setup before its first DHCP request; /var/lib/dbus/machine-id should follow it, and the cloned SSH host keys in /etc/ssh need regenerating for the same reason (ssh-keygen -A), or every VM in the stack presents the same host identity.
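The identity reset as an added script, not the project's own: it regenerates the machine-id (falling back to a random 32-hex id when systemd-machine-id-setup is unavailable, which is an assumption made so the script also works against a clone's mounted filesystem), repoints the dbus copy at it, and removes the cloned SSH host keys so the clone generates its own on next boot. The paths are the standard Ubuntu 22.04 locations.

```shell
#!/bin/sh
# Added example, not the project's own script: reset everything that makes a
# thin clone look like the golden image. ROOT is the clone's mounted filesystem
# ("/" when run inside the booted clone). Paths are the standard Ubuntu 22.04
# locations; the fallback id generator is an assumption for hosts without systemd.

# new_machine_id -> 32 lowercase hex chars, the format /etc/machine-id expects
new_machine_id() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        tr -d '-' < /proc/sys/kernel/random/uuid
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; echo
    fi
}

# reset_clone_identity ROOT: regenerate machine-id (systemd-networkd derives its
# DHCP DUID from it, so two clones sharing one id fight over one lease) and
# drop the cloned SSH host keys so each VM gets its own on next boot.
reset_clone_identity() {
    root=${1:-/}
    etc="$root/etc"
    if [ "$root" = / ] && command -v systemd-machine-id-setup >/dev/null 2>&1; then
        : > "$etc/machine-id"            # empty file => systemd generates a fresh id
        systemd-machine-id-setup
    else
        new_machine_id > "$etc/machine-id"
    fi
    # dbus keeps its own copy; make it a symlink so the two can never drift apart
    mkdir -p "$root/var/lib/dbus"
    rm -f "$root/var/lib/dbus/machine-id"
    ln -s /etc/machine-id "$root/var/lib/dbus/machine-id"
    # shared host keys mean one leaked key impersonates every clone in the stack
    rm -f "$etc"/ssh/ssh_host_*_key "$etc"/ssh/ssh_host_*_key.pub
    if [ "$root" = / ] && command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -A                     # regenerate all missing host key types
    fi
}

# valid_machine_id FILE -> 0 if FILE holds a 32-hex-char id on its own line
valid_machine_id() {
    grep -Eqx '[0-9a-f]{32}' "$1"
}

# Usage inside the booted clone, before its first DHCP lease is requested:
#   reset_clone_identity /
# or against a clone's disk mounted at /mnt/clone from the golden host:
#   reset_clone_identity /mnt/clone
```

Order matters on a live clone: do the reset, then restart networking (or reboot), because a lease already obtained under the shared DUID stays in the DHCP server's table until it expires.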

ProxyJump for ARP Conflicts

A managed switch VLAN SVI can occupy the IP a VM was meant to have and win the ARP race, so traffic for that address goes to the switch. The VM becomes unreachable at that address from outside, but a peer VM that shares an L2 segment with it (asterisk-01 on Voice, for example) can still reach it on that segment. SSH's ProxyJump (-J, the modern form of a ProxyCommand hop) tunnels through the peer to reach the conflicted VM and fix its addressing; an arping -D for the contested address from any host on the segment shows which MAC is answering and confirms the diagnosis before anything is changed.
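An added example (not the build log's commands) for diagnosing the conflict and reaching the VM anyway: it parses iputils arping output to list every MAC answering for the address, flags a conflict when anything other than the VM's own vNIC replies, and wraps the live arping -D probe and the ssh -J hop. The MACs and the captured arping output are constructed.

```shell
#!/bin/sh
# Added example (not the project's own commands): find out who answers for a
# VM's IP, then reach the VM through a peer when the switch SVI has won the
# ARP race. The MACs and the arping capture below are constructed.

# Constructed iputils arping capture for a contested address: two MACs answer.
SAMPLE_ARPING='ARPING 10.10.10.5 from 10.10.10.7 ens192
Unicast reply from 10.10.10.5 [00:1B:2C:3D:4E:5F]  0.412ms
Unicast reply from 10.10.10.5 [00:50:56:AA:BB:CC]  0.611ms
Unicast reply from 10.10.10.5 [00:1B:2C:3D:4E:5F]  0.398ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)'

# arp_claimants ARPING_OUTPUT -> distinct lowercase MACs that replied for the IP.
# Reply format: "Unicast reply from 10.10.10.5 [00:50:56:AA:BB:CC]  0.611ms"
arp_claimants() {
    printf '%s\n' "$1" | awk '/reply from/ { gsub(/\[|\]/, "", $5); print tolower($5) }' | sort -u
}

# ip_conflict VM_MAC ARPING_OUTPUT -> 0 when something other than the VM's own
# vNIC answers for the address (an SVI, another clone, anything)
ip_conflict() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    arp_claimants "$2" | grep -qvxF "$want"
}

# probe_ip IFACE IP: live duplicate-address detection with iputils arping;
# -D exits 0 when nobody answers and 1 when the address is already claimed
probe_ip() { arping -D -c 3 -I "$1" "$2"; }

# ssh_via_peer PEER TARGET [CMD...]: hop through a VM that shares a segment
# with the target (e.g. admin@asterisk-01) to the target's uncontested address
ssh_via_peer() {
    peer=$1; target=$2; shift 2
    ssh -J "$peer" "$target" "$@"
}

# Typical run from monitor-01, assuming the conflicted VM's vNIC is 00:50:56:aa:bb:cc:
#   ip_conflict 00:50:56:aa:bb:cc "$(arping -c 3 -I ens192 10.10.10.5)" && \
#       ssh_via_peer admin@asterisk-01 admin@10.10.10.5 'ip -br addr'
```

The same hop can live in ~/.ssh/config as a Host entry with ProxyJump admin@asterisk-01 and HostName set to the target's segment address, which keeps the fix repeatable for the next clone that loses the race.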

Codec Strategy

Codec         Standard                      Where used                                 Why
G.711 μ-law   NANP PSTN (North America)     All carrier termination in North America   Mandatory for US/CA PSTN interconnect; no transcoding on external hops
G.711 A-law   ETSI PSTN (Europe/Intl)       International carrier termination          Standard codec for non-NANP carriers; passes through without modification
G.722         HD Voice — 16 kHz wideband    Internal VoIP phones on LAN                Zero PSTN interaction; HD voice is only relevant inside the LAN

Build Phases

Phase 1: Hypervisor & VMs (✓ Complete)
  5 virtual networks (incl. 3 isolated at MTU 9000) · golden image · 9 thin-cloned VMs · SYNC NICs · machine-id reset · IP conflict resolution

Phase 2: Security & Monitoring (In progress)
  OSSEC 3.7 server · Zabbix 6.4 server + Agent2 on all VMs · OpenSearch log aggregation · Cisco zone firewall segmentation

Phase 3: Database Layer
  MariaDB secure install · multi-database setup (kamailio_db, asterisk_cdr, a2billing_db) · primary/replica replication over SYNC · scheduled backups

Phase 4: SIP Proxy — Kamailio
  kamailio.cfg · database backend · SIP digest auth · LCR (lcr module) · dispatcher to Asterisk · fraud detection (pike) · TLS/SIPS · active/active clustering

Phase 5: PBX — Asterisk
  PJSIP trunks to Kamailio · CDR to MariaDB · A2Billing AGI pre-call authorization · IVR · voicemail · conferencing · call recording (MixMonitor)

Phase 6: Billing — A2Billing
  Schema import · admin + customer accounts · wholesale rate table import · Asterisk AGI bridge · customer self-service portal · automated monthly invoicing

Phase 7: Cloud Integration
  WireGuard VPN (mgmt plane) · GRE tunnels (SIP/RTP data plane) to cloud Kamailio · SIP federation · MariaDB cross-site replication for DR · Cloudflare DNS failover

Phase 8: Phones & Segmentation
  VoIP phone VLANs on Cisco switch · QoS 802.1p/DSCP voice priority · SIP registration to Kamailio · Cisco zone-based firewall between segments

Phase 9: BGP Routing Fabric (Planned)
  CSR1000v spine nodes · eBGP between leaf (Kamailio) and spine · ECMP load balancing · sub-second convergence · SIP prefix advertisements per site

Full build log with commands and configs on GitHub →