DMZ setting messed up myPBX

akk · May 2, 2013, 7:00pm

Hello,

I started off my FreePBX installation with the below risky settings:

Server placed under DMZ
All ports (5060, 9080, 10000-20000) forwarded to the server
All devices NAT=Yes

Now that everything was working, I wanted to make my system safer. The first thing I did was took the server out of the DMZ. Suddenly, my external devices were no longer able to place or receive calls (they registered fine).

Now even if I re-enable DMZ, I am still not able to get everything working.

Could someone please help? "(

Below are what I believe to be the relevant logs:

[2013-05-02 13:12:26] WARNING[5046] chan_sip.c: Retransmission timeout reached on transmission 08edfcca-2dff-1231-44a4-a9070526b861 for seqno 43424903 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 9921ms with no response

[2013-05-02 13:12:26] WARNING[5046] chan_sip.c: Hanging up call 08edfcca-2dff-1231-44a4-a9070526b861 - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).

alan · May 2, 2013, 9:12pm

Are you forwarding the correct ports to the server?

akk · May 2, 2013, 9:25pm

Yes, I believe so. I can say that with confidence because all was working fine until I temporarily disabled DMZ. Now, even with the DMZ re-enabled, things are not working…

akk · May 2, 2013, 10:20pm

The following solved the problem tentatively, though I am still looking for a more elegant solution:

Kept DMZ enabled.
Removed port forwarding 5060 and 9080. Retained forwarding 10000-20000.

alan · May 2, 2013, 11:29pm

Can you please explain a bit more on your network topology? Specifically what you mean by DMZ.

akk · May 3, 2013, 3:24am

I use a Netgear router between a modem and my server. In its WAN settings, it gives you the option of placing one machine on your network outside the firewall, directly exposed to the internet. I did that to my FreePBX server machine.

alan · May 3, 2013, 8:35am

That is what I thought you meant by DMZ.

So if your FreePBX system is not longer in the DMZ you will have to forward all the correct ports to the FreePBX server.

You will also have to configure Asterisk to know what the external and Internal IP addresses are using SIP Settings in FreePBX.

Do you have a static Public IP address from your ISP?

akk · May 4, 2013, 4:09pm

Hi Alan,

Thanks for your comments. I do have configured FreePBX with the external and internal IP address. I also believe I forwarded the correct ports to the server (5060, 9080, 10000-20000). Yet, unless I place the server in DMZ, my external devices are not able to register to it!

I have a pseudo static Public IP address, meaning it stays constant for several months at a time.