AMI access for external monitoring?

Hi

I want to monitor my FreePBX system from Home Assistant (an open source home automation system), and I have an integration (driver) to connect Home Assistant with Asterisk, but it asks for an AMI account.
I have seen there is an access already set up, as it’s used by FreePBX to communicate with Asterisk. I want to be sure I don’t break FreePBX by making any modifications in that file. Right now it contains this:

[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1
displayconnects=no ;only effects 1.6+
[admin]
secret = hidden
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000

Can I just add to the permit line something like 172.16.1.40/255.255.252.0 to allow access from Home Assistant with the secret indicated in the file? And will FreePBX still work without any problems?

Thanks for help,

Vincèn

Why don’t you set up a new user inside the GUI by going to Settings -> Asterisk Manager Users?

https://sangomakb.atlassian.net/wiki/spaces/PG/pages/26738813/Asterisk+Managers+Interface

Thanks @dobrosavljevic and @lgaetz, I have created a new user in Asterisk Manager Users. Unfortunately, remote connection on port 5038 from the LAN doesn’t work as the fw blocks it. I’m trying to find out how I can open that port in the fw included with FreePBX, but so far I have not found it…
I have added the whole LAN to the Trusted Zone in the firewall, so it should open the port, but when I check open ports on the FreePBX machine from the LAN, port 5038 for AMI is still not accessible.

It’s not blocked by firewall (or it may be, but that’s not your issue here). By default, AMI is bound to localhost, so it will not accept AMI connections from the LAN interface:
https://sangomakb.atlassian.net/wiki/spaces/PG/pages/26706045/AMI+Default+Configuration+in+16

You can directly edit manager.conf to allow external connections, but when doing so you’ll need to ensure the firewall is configured to only allow trusted IPs to access 5038.
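
An added example, not part of the thread and not FreePBX code: a small audit of manager.conf-style text that reports whether the AMI listener is reachable off-host and which users accept non-loopback sources, with their high-impact write classes. The sample config is constructed (the `[homeassistant]` user name and the `HIGH_IMPACT` set are assumptions), and only IPv4 is handled.

```python
import ipaddress

# Constructed sample: the thread's [admin] ACL with bindaddr opened up, plus a
# hypothetical [homeassistant] user using the mask proposed in the question.
SAMPLE = """\
[general]
port = 5038
bindaddr = 0.0.0.0
[admin]
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
write = system,call,command,config,originate
[homeassistant]
deny=0.0.0.0/0.0.0.0
permit=172.16.1.40/255.255.252.0
write = call,originate
"""

HIGH_IMPACT = {"system", "command", "config", "originate"}  # assumed review list

def parse(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return (listener_is_remote, {user: (remote_networks, high_impact_write)})."""
    sections = parse(text)
    general = dict(sections.pop("general", []))
    # Assumption: a missing bindaddr is treated as "all interfaces".
    bind = ipaddress.ip_address(general.get("bindaddr", "0.0.0.0"))
    exposed = {}
    for user, items in sections.items():
        permits = [ipaddress.ip_network(v, strict=False) for k, v in items if k == "permit"]
        if not any(k == "deny" for k, _ in items):
            permits = [ipaddress.ip_network("0.0.0.0/0")]  # assumption: no deny = unfiltered
        remote = [str(n) for n in permits if not n.is_loopback]
        risky = sorted(HIGH_IMPACT & {c.strip() for c in dict(items).get("write", "").split(",")})
        if remote:
            exposed[user] = (remote, risky)
    return (not bind.is_loopback, exposed)
```

On the sample, the host address with mask 255.255.252.0 normalises to 172.16.0.0/22, so that user is reachable from the whole /22 rather than from the single Home Assistant host.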

Thanks a lot, that was the trick. Now all good, and the port is protected by the fw to avoid any network risks.
