Hello all. Please forgive these newbie questions as I am EXREMELY green with SIP and FreePBX, but will soon be setting up a system at our railway museum here in California.
Currently I am using a Cisco 7945G to connect to a friends FreePBX in another state. I understand completely and totally that the 7945 is one of the worst to learn on, however fear not.
After much patience, I have the unit converted to SIP, I have my XML files in line (as best I can figure), and I am able to place calls without issue.
But I cannot receive calls at all. My DID just rings busy. I am using a Ubiquiti EdgeRouter Lite, and have tried to do my research as best I can on it however unfortunately I am either coming up empty handed, or, more likely just plain don’t understand what I am reading.
I have enough knowledge to at least get the phone working one way on my own. Just need help getting it to work the other way.
I have NAT turned off on the phone (set to ‘false’), when I turn it on, I lose my connection. I’ve never configured NAT or anything else on this router (or any other for that matter), so I don’t know.
Again, the PBX is FreePBX so hence the reason I’m asking here.
The answer will be in the asterisk logs. If you don’t have access to your friend’s FreePBX, all you can do is guess. The best guess I can make is that your phone is actually not registered with the FreePBX server. You can make calls without registering as long as you have the right username/password, but you cannot receive calls without registering. Don’t turn on NAT on the phone but rather let Asterisk handle the NAT.
If your friend is running the FreePBX server he should advise you about your router. He should look for logs at the time you are expecting to receive an incoming call (make a test call) and see what’s going on. And check the Asterisk Info page or use the asterisk command line to find out whether your phone is registered.
I have an Ubiquiti EdgeRouter with SIP phones connecting to a remote PBX. No problem. Do not forward any ports or open anything on the firewall specific to SIP; just set up NAT as you would for normal internet use.
The 7945 is only capable of very short, easy-to-guess passwords in the 8-character range. This is going to make keeping this port secure very hard, and depending on how his system is set up, could result in a lot of fraud charges on his bill. The rest of the shortcomings of the phone are also well documented, so you might need to plan on those.
As far as NAT is concerned - NAT settings are so your outbound connection to the server has a path back to your phone once the connection has timed out. You may well need to include NAT settings (which will include the external address for your local network). Some people find that TCP works better in this configuration with these phones. NAT, like many other things in our system, are situational. The server end may or may not need to set NAT on the extension and/or on the trunk. The configuration for NAT is often hard to troubleshoot without a lot of configuraiton info, so we may not be much help on that part of the problem.
The “usual” stuff. He needs to look through the /var/log/asterisk/full log file to see what the errors are. https://wiki.freepbx.org/display/SUP/Providing+Great+Debug is always a good start at trouble-shooting these phones. Because of the extremely poor connection security with these phones, using them in a configuration like this is never recommended.
Now, when you get ready to move forward to the museum, these phones work better in a LAN environment running the native Chan-SCCP-B channel driver and the SCCP Manager to manage the phones in FreePBX. As “Skinny” phones they work reasonably well and should meet your needs nicely. I’ve never tried to use one in a remote configuration like you are using with your current phone.
As SIP phones, they are a pain to configure and get set up, so I always recommend that users of the 79xx phones, if you are going to use them, skip the SIP load and stay on the SCCP firmware load. The password length situation alone makes these phones a real risk.
This is not true. Eight characters, randomly chosen from upper case letters, upper case letters and digits has ~210 trillion combinations. If the attacker hit your system with 100 guesses per second, it would take him on average more than 34,000 years to find the password. But 100 attempts per second is a big load that would degrade voice quality, make the system unusably slow and quickly fill the disk with logs. You obviously need address whitelisting, fail2ban or other methods to limit the rate of intrusion attempts. Once those are in place, an 8-character random password is not a problem.
However, if an attacker can capture the hashed password, e.g. because you used it on a SIP app over open Wi-Fi, he can crack it offline. Suitable hardware can try many billions of passwords per second, correctly guessing an 8-character password in less than an hour.
Of course, if your 8-character password is “password”, it will be found almost instantly.
If you have an edgerouter lite, I would recommend running openvpn between the network hosting freepbx and your edgerouter, so that you have a secure connection between you and fr eepbx. This way, you will less likely be hacked. You could send your friend your router config, he could modify it with the appropriate openvpn settings, and you could upload it back to your router.
Correct me if I’m wrong, but if my password was too long or the password length was an issue, would the phone not be able to log into the PBX and make outgoing calls?
I guess I need someone with intense ER Lite experience to teach me, since I’m going to be doing this at the railway museum sooner than later. But first I need to get this “test” system working at home with my phone connecting to my friends PBX.
Asking questions in the FreePBX forum when you don’t actually have access to the FreePBX is going to lead to a lot of frustration for you and us. How can we help you when you cannot show us logs or configuration? Work with the FreePBX operator, or bring him to this thread.