Am I setting myself up to fail?

I set up an internal cloud network with a few PBXs that I want to grow. I disabled the WAN access for all hosts except for a single pfSense VM, and routed the few PBXs I have through the firewall.

It’s actually all working right now, although I haven’t tested with any significant call volume.

I plan to get an SSL certificate for the firewall, and set up the trunks and remote extensions to use it (no experience there, I assume the cert isn’t just for HTTP traffic. There is no HTTP traffic in this setup.)

I plan to set up 2 more instances of my PBX, expecting 15 extensions for each system. I want to set up some Yealink phones to connect to this all. Do I need to set up a VPN for all the phones to join, or is whitelisting the router at the phones’ location enough?

While I’ve provisioned phones for old employers before, I was following specific directions. Anything I need to know about my setup that would throw a wrench in manual provisioning? I guess I could practice on my cheap VOIP phone, although it’s not the same make/model.

My big question is this: Is my topology and plans for it going forward sensible? The cloud provider is making auto backups of everything, has proven reliable to others, and can support a lot of bandwidth from its server farm in my state. I’m growing more confident with all the software involved and am ecstatic that it’s working in pre-production.

So what did I miss? What is going to bite me in the ass? If I just keep the firewall monitored and updated, then the phone systems could run stably for… ever?
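The "whitelist the remote site's router" option asked about above comes down to one firewall decision: accept SIP only when the packet's transport source address is a listed site router. Phones behind a branch NAT all arrive from that site's public address, so the list is keyed on the source address, not on the private address the phone writes into its own Via header. The following Python models that decision and shows the NAT case; it is an added example written for this thread, not FreePBX, pfSense or the poster's own configuration. The site names, the addresses (documentation ranges, RFC 5737) and the REGISTER message are all constructed, and the RFC 1918 test stands in for whatever the firewall would actually match on.

```python
"""Model of source-address allowlisting for SIP from remote phone sites.

Added example, not code from the original thread. Addresses, site names and
the sample REGISTER are constructed (hypothetical). IPv4 only.
"""
import ipaddress
import re

# Hypothetical remote-site router WAN addresses (RFC 5737 documentation ranges).
SITE_ALLOWLIST = {
    "branch-a": ipaddress.ip_network("203.0.113.10/32"),
    "branch-b": ipaddress.ip_network("198.51.100.0/29"),
}

# RFC 1918 ranges, checked explicitly: Python's is_private also flags the
# documentation ranges used above, which would make the NAT test lie.
_RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

_VIA_RE = re.compile(
    r"^SIP/2\.0/(?P<proto>\w+)\s+(?P<host>[^;\s:]+)(?::(?P<port>\d+))?(?P<params>.*)$"
)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _RFC1918)


def parse_sip(msg: str) -> dict:
    """Split a SIP request into its method and a lowercase header dict (first value wins)."""
    lines = msg.replace("\r\n", "\n").split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {"method": lines[0].split(" ", 1)[0], "headers": headers}


def parse_via(via: str) -> dict:
    """Extract host, port and whether the phone asked for rport from the top Via header."""
    m = _VIA_RE.match(via.strip())
    if not m:
        raise ValueError(f"unparseable Via: {via!r}")
    params = {}
    for p in m.group("params").split(";"):
        if p:
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return {
        "host": m.group("host"),
        "port": int(m.group("port") or 5060),
        "rport_requested": "rport" in params,  # RFC 3581: reply to the NAT source port
    }


def site_for(src_ip: str):
    """Name of the listed site whose router address covers src_ip, else None."""
    ip = ipaddress.ip_address(src_ip)
    for site, net in SITE_ALLOWLIST.items():
        if ip in net:
            return site
    return None


def behind_nat(src_ip: str, via_host: str) -> bool:
    """True when the phone's own Via address is RFC 1918 but the packet came from a public address."""
    try:
        ipaddress.ip_address(via_host)
    except ValueError:
        return False  # hostname in Via; cannot tell from the header alone
    return is_rfc1918(via_host) and not is_rfc1918(src_ip)


def decide(src_ip: str, msg: str) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one inbound SIP request seen from src_ip."""
    site = site_for(src_ip)
    if site is None:
        return ("deny", f"{src_ip} is not a listed site router")
    via = parse_via(parse_sip(msg)["headers"].get("via", ""))
    note = " (phone is behind the site NAT)" if behind_nat(src_ip, via["host"]) else ""
    return ("allow", f"{site}{note}")


# Constructed sample: a REGISTER from a phone on the private LAN of branch-a.
REGISTER_BRANCH_A = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-1;rport\r\n"
    "From: <sip:1001@pbx.example.invalid>;tag=abc\r\n"
    "To: <sip:1001@pbx.example.invalid>\r\n"
    "Call-ID: 1@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(decide("203.0.113.10", REGISTER_BRANCH_A))  # listed router, phone NATed
    print(decide("192.0.2.77", REGISTER_BRANCH_A))    # unlisted source
```

Two things the model makes visible. First, the allowlist only holds while the branch's public address stays the same; if the site's ISP reassigns it, registrations fail silently at the firewall, which is the practical argument for a VPN (or an address source that tracks the site) rather than a static list. Second, the NAT case is why the phone requests `rport`: the PBX must answer to the address and port the packet actually came from, not to the private address in the Via header.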

It sounds to me like you are worrying that the thousands of people that are doing the same thing are somehow unwitting dupes in a scheme for us to make you look bad.

In general, stay as close as you can to the Distro version of FreePBX. Yes, you can roll your own and there are literally dozens of people doing just that, but if you can make the system work with the standard commercial distro, your problems get better support here (since there’s less guessing) and you are working from a known nexus (almost all of the regulars here use the Distro).

As far as your topology goes - the system (including the SSL Certificate part) relies in large part on the system operating on “a server” (whether real or virtual). This implies that the system is largely and primarily dedicated to phone operations for a single locality. It also implies that the services that support the PBX are able to control the server.

If you can stick to “one routable IP address per deployment,” you should be fine. Even if you don’t, there are workarounds, but the hassles and headaches they cause make the expense of individual addresses per PBX just unnecessary.

pfSense is notorious for being problematic with SIP. I’ve found that when people are having network/NAT related issues and pfSense is the firewall, 99.9% of the time pfSense was the cause of those issues. So with a couple dozen endpoints going through it you may not see many issues, but as that grows, that is when the issues can start to be more noticeable.

As for your phones, I would get the phone(s) you are going to use for the end users and test on those. Testing on another model/brand isn’t going to do much outside of telling you the functions/features you setup on the model/brand work. Nothing is to say those settings are applicable to the other model/brand in question.

Thanks for your suggestions. Since I just registered here and am fairly new, I don’t really know what to expect from the community. I definitely don’t think you are a bunch of scheming dupes or I would have posted to Reddit instead!

I’m specifically trying to break the “one routable address per distro” convention and have had luck doing so, albeit after a couple of weeks of struggling. Thanks for the tip about the phones. I’ll pick one up before I go make myself look bad on site somewhere :-p

Also, the reminder about the restrictions of my topology (locale, etc.) will serve useful as I plan forward.

All in all I feel somewhat vindicated to go for it, drive it until it breaks, and keep synced up with the good folks in this community.

If it keeps passing its tests, then I’ll keep pushing forward. Thanks again.