Router/Firewall Recommendation Help

So I am setting up a brand new system for a client with 6 GrandStream phones with BroadVoice as the provider. FreePBX and the phones are all working. We have a Comcast wireless router configured in passthrough mode. We also have a Netgear wireless router. I have bought a Ubiquiti Enterprise AP to use for wireless, so do not need the wireless from the Netgear nor the Comcast router. What is the best suggestion you guys have for this setup as far as a router/firewall that will work with FreePBX? I am willing to buy a router, but am limited on budget as I have wasted it all on phones and other equipment. I was thinking of using pfSense with a cheap computer, but am open to suggestions. Thank you. I do work at a hospital as an IT Admin so have experience using Cisco and their command line, but am hoping for something simple and not too complicated to set up, as I do not want to spend a lot of time on setting this up. Thank you.

We’ve been using IpCop for too many years. It plays happily with FreePBX.
IpCop has been around a while, but not sure whether development is still very “active”.
(If it's not broken, don't try to fix it.)
If I wasn't already using IpCop, I'd most likely use pfSense. It's powerful, and very polished.
Also, I cannot recommend IpCop since the English language forum has closed.
OTOH If your German is good, they are very active.
HTH and YMMV

If you are using FreePBX 13 there is now a perfect firewall built into FreePBX to handle all your firewall needs.

Tony,

I have been following the firewall threads (and I could be wrong, I am daily ya know), but I don't think there is any sort of gateway or proxy software for a subnet (eth1 for instance) to provide some security for a LAN. I am confused about that, then, and therefore about it being a solution to handle all your firewall needs.

I thought it was a much better replacement for fail2ban for devices directly connected to the Internet.

John

I am currently on FreePBX 12 with Asterisk 13. I had upgraded to FreePBX 13 but Endpoint Manager was not working and I need that for my devices, so I reverted.

Tony, you are not advocating tossing a second NIC in the FreePBX box, turning on forwarding, then putting a translation rule in the firewall?

For those reading along, all you need to do to make a Linux box an IP router is to set:

in /etc/sysctl.conf:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Then set an iptables rule to NAT any traffic from the "trusted" interface to the "untrusted" one. You can also firewall off the local services such as SIP and SSH so they can only be accessed from where you want.
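The router setup described in the post above (forwarding on, NAT from the trusted to the untrusted interface, SIP and SSH reachable only from the trusted side), as an added example that is not from the thread. Interface names, and the trunk-provider address 203.0.113.10 allowed to reach SIP from outside, are assumed placeholders; the function prints the commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): emit the sysctl and iptables
# commands that turn a Linux host into a NAT router and restrict the
# local SIP (5060/udp) and SSH (22/tcp) services to the trusted side.
# Usage: gen_router_rules <trusted_if> <untrusted_if> <trunk_provider_ip>
# Interface names and the provider address are assumed placeholders.
gen_router_rules() {
    trust=$1
    untrust=$2
    provider=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $untrust -j MASQUERADE
iptables -A FORWARD -i $trust -o $untrust -j ACCEPT
iptables -A FORWARD -i $untrust -o $trust -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $trust -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $trust -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $untrust -s $provider -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $untrust -p udp --dport 5060 -j DROP
iptables -A INPUT -i $untrust -p tcp --dport 22 -j DROP
EOF
}

# Review the output first, then apply as root, e.g.:
#   gen_router_rules eth1 eth0 203.0.113.10 | sudo sh
```

The untrusted-side SIP rule only admits the trunk provider's address, which is the "ports open only to my trunk providers" approach mentioned later in the thread.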

That’s correct. Your Modem/Gateway does that, with its NAT.

There is no need to route your traffic THROUGH the FreePBX machine. Most modems have a 'DMZ' setting, which means 'traffic I don't know about goes there'. The FreePBX machine is the DMZ host, and everything else is just simply NAT'ed.

Writing the FreePBX Firewall with the idea of the machine being a ROUTER was way out of scope… Why would I want to do that, when every modem does that already?

Rob,

Exactly! That was my concern.

"If you are using FreePBX 13 there is now a perfect firewall built into FreePBX to handle all your firewall needs."

I got hung up on, “to handle all your firewall needs.”

John


Heh, it's all good. It handles all of ITS firewall needs, it doesn't do EVERYONE's firewall needs 8)

I’ll be doing a bit of fine tuning on it today, so if you have any suggestions, now would be the best time to mention them - I think I’m going to officially remove the ‘Beta’ tag from it, as it’s been going pretty well for a while now.

Edit: A suggestion of ‘act as a firewall for a network’ will have the answer of ‘No’ :sunglasses:

Hi everyone, have been using Endian Community firewall for a few years now and more recently with FreePBX behind it. Works really well and no special config or rules required for SIP to work. Endian is originally based on IPCop so although it’s a commercial product they make a free version available. Lots of great features too. Hope it helps. http://www.endian.com/community/overview/

I am using PFSense, been using it for several months with great results. My ports are only open to the addresses of my trunk providers, no one else.

Little tricky to set up and get used to, but it is free, works well and is highly configurable.

Just my two cents for what it is worth…

For a commercial solution the Sangoma small business SBCs work great.