Cannot access web interface over the internet - ip banned


(Chad McKay) #1

Hi, first time asking a question. I have read many answers and solved many issues with the help of the community. Thank you!

Ok, so, either I can’t figure out what to search for or this is not a common problem. The last time I updated FreePBX I was surprised the theme changed so dramatically. I like it. Apparently, at the same time (or closely thereafter), I lost the ability to access the web interface over the internet. All attempts from outside my internal network fail with connection timeout errors. Inside the building, everything continues to work as expected. I did not change any setting in the router (which continues to route the SIP traffic and other services just fine). I did not change any of the DNS or any other settings. In fact, I only noticed the problem when I clicked the bookmark on my home laptop and got no joy. BTW, we have a Let’s Encrypt certificate installed, so we access the GUI over HTTPS via its domain name.

To try to “solve” the problem, I clicked around in the Sys Admin -> Network, Firewall, Intrusion Detection and anyplace else I thought I might find a misconfiguration. I rebooted the server and network equipment. Restarted the firewall - all to no avail. I opened up the http (80) port through the router and also got a connection timeout error on 80. I was able to update my Let’s Encrypt cert over port 80 - worked perfectly. It seems that the web interface is the only trouble.

Synopsis: Everything was working as expected. Update applied. Web GUI not accessible outside local network.

I guess I don’t know what is causing the issue - any help would be greatly appreciated!


(Jared Busch) #2

Make sure you are using the right port.

[jbusch@pbx ~]$ fwconsole sysadmin ports
+----------+-------------+
| Port     | Name        |
+----------+-------------+
| disabled | restapps    |
| disabled | restapi     |
| disabled | ucp         |
| 80       | acp         |
| 84       | hpro        |
| disabled | leport      |
| disabled | sslrestapps |
| disabled | sslrestapi  |
| disabled | sslucp      |
| 443      | sslacp      |
| 1443     | sslhpro     |
+----------+-------------+

#3

Do you have shell access to the server?

Without knowing how your firewall is set up or if ID has legacy enabled, etc.

You could make sure you're not being blocked by running

  • tcpdump -vvvvn src <your.home.ip.address> and see if your IP is hitting the server
  • iptables -L -v -n | grep <your.home.ip.address> to see if you're being explicitly rejected
  • fail2ban-client status to get the list of the jails, then run fail2ban-client status <JAIL> to see if your IP is in the list

If you're familiar with iptables, you could whitelist your IP for testing by running iptables -I INPUT -s <your.home.ip.address> -j ACCEPT and testing it. To remove your IP, run iptables -L INPUT -v -n --line-numbers, find out which line number has your IP, and then issue iptables -D INPUT <lineNumber>
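
The fail2ban and iptables checks from reply #3, combined into one script as an added example that is not part of any post in this thread. The function names are hypothetical, and the jail names and addresses in the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find which fail2ban jail bans an IP.

# Jail names, one per line, from "fail2ban-client status" output on stdin.
jails_from_status() {
    sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Exit 0 if IP $1 is in the "Banned IP list:" line of
# "fail2ban-client status <JAIL>" output on stdin. Whole-address match only,
# so 203.0.113.7 does not match 203.0.113.70 the way a plain grep would.
ip_is_banned() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' |
        grep -Fxq -- "$1"
}

# Live check on the PBX (run as root): name every jail holding the IP,
# then show the firewall rules that mention it, with line numbers.
check_ip() {
    fail2ban-client status | jails_from_status | while IFS= read -r jail; do
        if fail2ban-client status "$jail" </dev/null | ip_is_banned "$1"; then
            echo "$1 is banned in jail: $jail"
            echo "  to lift it: fail2ban-client set $jail unbanip $1"
        fi
    done
    iptables -L -v -n --line-numbers | grep -Fw -- "$1" ||
        echo "no iptables rule mentions $1"
}

# Constructed sample output (jail names and addresses are made up).
SAMPLE_STATUS='Status
|- Number of jail: 2
`- Jail list: sshd, example-jail'
SAMPLE_JAIL='Status for the jail: example-jail
`- Actions
   |- Currently banned: 2
   `- Banned IP list: 203.0.113.70 198.51.100.4'

# With an argument, query the live system; without one, parse the sample.
if [ $# -gt 0 ]; then
    check_ip "$1"
else
    printf '%s\n' "$SAMPLE_STATUS" | jails_from_status
fi
```

Run it with the outside address as the only argument; with no argument it only parses the embedded sample.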


(Chad McKay) #4

Here is the output on my server:

[root@pbx ~]# fwconsole sysadmin ports
+----------+-------------+
| Port     | Name        |
+----------+-------------+
| disabled | restapps    |
| disabled | restapi     |
| disabled | ucp         |
| 8080     | acp         |   <---
| 84       | hpro        |
| 80       | leport      |
| disabled | sslrestapps |
| disabled | sslrestapi  |
| disabled | sslucp      |
| 443      | sslacp      |   <----
| 1443     | sslhpro     |
+----------+-------------+

I’m guessing acp and sslacp are the web interface?? I am connecting to 443 sslacp both internally and externally. I have the 443 ext IP forwarded as a “virtual server” to 443 int IP in the router config.


(Chad McKay) #5

Ok - It was the fail2ban or something that added my home IP to the iptables as blocked. Maybe in the update / restart / thrashing around I did, it didn’t get un-banned properly. It may not have anything to do with the update - it was just around the same time. Thanks for the suggestions to diagnose. It is working as expected now!