Basic Dual NIC setup advice needed

Hi everyone and thanks for taking the time to read my post. I’m installing the latest FreePBX distro 13 on a Dell server with dual NICs. It’s my first rodeo as far as setting up a PBX server so I am hoping you can offer some advice on basic configuration. I’m sorry if I am asking a question that has been well-answered previously, I just can’t seem to find it in the forum. We’ll have a total of about 40 SIP phones that aren’t used heavily, no analog gear. Our ISP is also our SIP provider, and we get several static public IPs from them, one is dedicated to the SIP/VOIP traffic. We will be using the Sangoma built-in firewall for security and we have a Watchguard UTM router/firewall device where our network hits the internet.
As far as basic connections to the static public IP and local network I was thinking either:

  1. Create a 1:1 NAT in the router between the static public IP and the static private IP (10.x.x.x) of the PBX on eth0 and forwarding the necessary ports to it, and set eth1 as an internal interface and connecting it to our LAN or
  2. Connecting the ISP’s static public IP directly to eth0 so it would be truly an external interface and hope the Sangoma firewall will do its job, and again set eth1 as an internal interface and connecting it to our LAN or
  3. Create a DMZ for the internal static IP of the PBX (on eth0) and set eth1 as an internal interface and connecting it to our LAN.

Thank you for your time and replies in advance! If none of this makes sense please feel free to let me know.

Oh and I almost forgot to ask this but is using just ONE NIC for everything a bad idea?

I would put eth0 on the internal network. Do 1:1 NAT IF you need direct external access. In most cases, you probably will not, unless you’re looking to access the UCP from outside or have SIP access from outside.

I personally don’t see the benefit of the second network port vs the added complexity.

Thanks brk. I forgot we will have a few remote phones. Would that mean just use one NIC eth0 and make it an external?

That’s what I would do… Use a single eth0 and do the required NAT forwarding for external.

The safest thing to do would be put the PBX in a DMZ, so if it was hacked there would be no access from it to the rest of your network. But that puts your internal voice traffic going through the router. Could also do a VLAN and put only the phones and the PBX in a subnet. This is what I was doing… but I have since moved to an externally hosted FreePBX server - my network isn’t 100% so hosting it externally at least keeps the voicemail and IVRs up all the time.

I’m sure there are others with more experience than I, but I have found complexity tends to reduce reliability.

The advantage of a single interface and letting the WatchGuard do the work is that the setup can be reasonably secure.

The disadvantage is the possibility of a poorly set up firewall making your audio streams go dead in one direction. It also makes access to UCP and other services from outside the network more of a challenge.

If you set up an external interface for incoming SIP connections (including from your provider) be sure to use an “odd” port for your SIP connections from ‘random’ addresses and block all connections to port 5060 except those with very specific source IP addresses.

To start, I’d recommend setting up the second address with a routable address, then shut it down with the local firewall. Open it one service and one port at a time, making sure it operates as you want it to. If you decide to never use the external interface, you can safely (and usually effectively) operate with a single address mapped judiciously from the firewall.

While a 1:1 map might seem like a good idea, I’d be a lot more selective than that - only open the ports you really need and map them to ports on the PBX.

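A worked model of the advice in the last two replies (an "odd" SIP port for remote phones, port 5060 reachable only from the provider's addresses, and selective port mapping instead of a 1:1 NAT). This is an added example, not code from the thread, from FreePBX or from the Sangoma firewall; it does not configure anything, it evaluates a first-match filter policy the way a router or host firewall would, so the two approaches can be compared on the same test traffic. Everything concrete in it is an assumption: the provider trunk addresses (203.0.113.10 and .11, constructed from the TEST-NET-3 range), the odd SIP port 5360, the RTP range 10000-20000, the 10.0.0.0/8 LAN from the original post, and 443 standing in for the UCP/web port.

```python
"""Compare a selective port-forwarding policy with an unfiltered 1:1 NAT.

Hypothetical model of the thread's advice; all addresses and ports are
constructed example values, not a real site's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example values (assumptions, see the lead-in).
PROVIDER_TRUNKS = ("203.0.113.10/32", "203.0.113.11/32")  # ISP/SIP provider
LAN = "10.0.0.0/8"                                        # internal network
ODD_SIP_PORT = 5360                                       # "odd" SIP port for remote phones
RTP_PORTS = range(10000, 20001)                           # assumed RTP media range
WEB_PORT = 443                                            # assumed UCP/admin port


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: str                    # "udp", "tcp" or "any"
    ports: Optional[range]        # destination ports matched; None = any port
    sources: Tuple[ipaddress.IPv4Network, ...]  # empty tuple = any source


def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


def selective_policy():
    """Only the ports the PBX really needs, each with the narrowest source."""
    return [
        # Port 5060 is open only to the provider's trunk addresses...
        Rule("accept", "udp", range(5060, 5061), nets(*PROVIDER_TRUNKS)),
        # ...and explicitly dropped from everyone else (any protocol).
        Rule("drop", "any", range(5060, 5061), ()),
        # Remote phones register on the odd port; their addresses are not known in advance.
        Rule("accept", "udp", range(ODD_SIP_PORT, ODD_SIP_PORT + 1), ()),
        # Media for the calls admitted above.
        Rule("accept", "udp", RTP_PORTS, ()),
        # Web UI (UCP/admin) reachable from the LAN only.
        Rule("accept", "tcp", range(WEB_PORT, WEB_PORT + 1), nets(LAN)),
    ]


def one_to_one_nat_policy():
    """A 1:1 NAT with no port filtering: every port on the PBX is reachable."""
    return [Rule("accept", "any", None, ())]


def decide(policy, src_ip, proto, dst_port, default="drop"):
    """First-match evaluation; packets matching no rule get the default action."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        if rule.sources and not any(src in net for net in rule.sources):
            continue
        return rule.action
    return default


def exposed_ports(policy, src_ip, proto, candidates=range(1, 65536)):
    """Ports a given source could reach on the PBX under this policy."""
    return [p for p in candidates if decide(policy, src_ip, proto, p) == "accept"]


if __name__ == "__main__":
    internet_host = "198.51.100.7"  # constructed arbitrary external address
    sel, nat = selective_policy(), one_to_one_nat_policy()
    print("selective, 1-1024/tcp from internet:", exposed_ports(sel, internet_host, "tcp", range(1, 1025)))
    print("1:1 NAT,   1-1024/tcp from internet:", len(exposed_ports(nat, internet_host, "tcp", range(1, 1025))), "ports")
    print("5060/udp from provider:", decide(sel, "203.0.113.10", "udp", 5060))
    print("5060/udp from internet:", decide(sel, internet_host, "udp", 5060))
```

Run it as a script to see the difference in reachable ports; the point of the model is that under the selective policy an arbitrary internet address reaches only the odd SIP port and the RTP range, while a plain 1:1 NAT exposes every listening service on the PBX to the same address.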