Connecting remote phones to PBX that's on LAN and configuring phones outside of TFTP auto-provision

I’m in the process of ‘playing’ and learning about FreePBX. I’m new to phone systems in general. So far, I’ve got FreePBX installed and I have 2 Cisco SPA 504G phones to use. I went ahead and purchased CM Endpoint Manager and I’ve got a phone template set up for the SPA504Gs, local networks configured/trusted, extensions created, phones assigned, etc. and the phones autoprovision via TFTP and they work! I can call each extension, use voicemail, DTMF is working with a test IVR, I have an outbound route set up with a prefix that isn’t used with any trunks yet, etc. I’ve only used PJSIP so far w/ port 5060 (default).

Here is my network layout for FreePBX:
-172.16.1.1/24 pfSense LAN1
-172.16.1.4 FreePBX interface (only interface on server)
-172.16.200.1/24 pfSense LAN2
-172.16.200.101-254 DHCP range on LAN2 for testing phones, with option 66 to point to FreePBX TFTP
-WAN gateway on pfSense, ex. 72.81.4.253 public IP (not mine, just picked random for example)
**To keep it simple, all LAN to LAN traffic is currently allowed…

I’d like to test out connecting a few phones into the FreePBX from outside of the local network. If I use FreePBX for a production solution, I’ll have to accommodate 10 remote SOHO users. For site-to-site, I would simply use VPN tunnels, and allow them to communicate through the LAN to FreePBX (like trusted).

I’m not quite sure how the phones connect to the PBX yet, but I thought that the details must be in the TFTP config- which comes from the phone template/mapping? The details being username/secret and SIP gateway?

I will need to figure out how to manually update these “soho remote” phones with the WAN gateway, find out what will need to be updated in the phones, and then how to configure the FreePBX side to allow connections from WAN, only certain extensions/users or templates if possible, set up port forwards UDP 5160, RTP 10K-20K from WAN IP to FreePBX LAN IP, …should I use TLS/SRTP, etc… so many things. I think one option for configuring phones would be through the web interface they’ve got…

My question is, even if I can get “soho remote” phones working and get a good understanding of how and why it works- is it safe? I’m not sure how I would connect these remote users otherwise, unless I sent them all VPN boxes to put behind their routers, or purchase phones capable of tunneling or OpenVPN…

-How to configure phones for remote users without TFTP?
-What will need to be configured on the phones?
-What will need to be configured on FreePBX to allow them after setting up port forwards from the router WAN IP?
-Is it safe for them to hit the WAN IP without VPN, relying on port forwarding?

I know this is sloppy, but I’d appreciate any guidance/advice. Thank you…

I found that I am able to connect from outside network with X-Lite without issue, as long as I have my ‘external network’ set appropriately [public IP] and 5060 / 10K-20K port forwarded to PBX. I see I’m already getting slammed with SIP attacks according to logs…

My setup in lab:
Test Call From X-Lite > Home Gateway <-Internet-> Comcast GW > pfSense WAN > PBX [trusted interface]
So far I can dial up a test IVR menu, DTMF works fine… haven’t initiated any calls back and forth between extensions yet to see voice quality.

Next I am going to try to get SRTP to work and learn a little more about SIP… finally, trying to build a custom config for phones or figure out how to alter directly on phone / upload via TFTP so I can set up phones for outside of the LAN…

Will post updates on my progress. Hope it helps some other ‘noob’ someday…

Adaptive Firewall will help solve this problem, as will moving the public port away from 5060.

If you set up a VPN between your phone network and your PBX LAN, you can use the TFTP provisioning solution pretty much at will, and then you won’t have to mess with the SRTP foibles. Opening the TFTP service to anything outside your network basically destroys all the rest of the security work you’ve done.

The first T in TFTP stands for “Trivial” and boy, they are not kidding about that.
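The original poster mentions getting "slammed with SIP attacks" in the logs once 5060 was forwarded, and the reply points at Adaptive Firewall. As an added illustration (not code from the thread, FreePBX or Asterisk), here is the kind of check such a firewall performs: parse Asterisk security-log events, count authentication failures per source IP inside a sliding window, and report sources that cross a threshold. The log lines are constructed in the shape of Asterisk's res_security_log output; the event names, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abridged lines shaped like Asterisk res_security_log output (not the
# poster's real logs): 203.0.113.5 guesses usernames in a burst, 198.51.100.7 gets two
# wrong passwords, and a LAN phone registers normally.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="100",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="101",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="102",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="103",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:04] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="104",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:10] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-03-01 10:00:40] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-03-01 10:00:41] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/172.16.1.4/5060",RemoteAddress="IPV4/UDP/172.16.200.150/5060"
"""

# Security events that indicate a failed attempt against a SIP account.
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword", "FailedACL"}
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY.*?SecurityEvent="(?P<event>[^"]+)"'
                     r'.*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>[^/]+)/\d+"')

def parse_failures(text):
    """Yield (timestamp, source_ip) for every failed-auth event in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") in FAILURE_EVENTS:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def offenders(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_failures} for sources with >= threshold failures inside
    any span of length `window` (sliding window, the way fail2ban-style tools work)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {n} failed SIP auth attempts within the window")
```

With the defaults only 203.0.113.5 is reported; lowering the threshold to 2 also catches the slower password guesses from 198.51.100.7, which is the trade-off any such blocker has to make between false positives from a mistyped secret and a real enumeration.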
