Do I need to keep my static IP at the office?

I apologize for such a subjective question, but it’s been a while since I set up my FreePBX system (for my single office phone) and I’ve forgotten most of how I set it up. I remember spending hours watching how-to videos but I doubt I could do it again - which is why I’m here asking this question.

I have FreePBX hosted on a Digital Ocean droplet. At my office, I have a static WAN IP, and I’d like to get rid of it as it’s an extra monthly cost, and I’m not sure I even need it. Matter of fact, UNLESS I need it for FreePBX, it’s gone. What areas of a FreePBX configuration would involve a static IP? If I know where to look, I can probably figure out if it’s needed.

Thanks!

I’d say you can get rid of it. You’d need to tweak the FreePBX firewall, I believe, to allow connections from any IP address. I don’t like that, so I have Tailscale installed on my end and on the FreePBX, and I’m able to connect over that VPN. More secure, and with only one phone that makes more sense cost-wise. You could also do a straight-up VPN between your physical phone and the cloud-hosted server.

Makes sense. I’ve got a little experience with Tailscale. Do I just join my Digital Ocean IP as well as my Unifi gateway to the tailnet?


I don’t even know what any of those IP addresses are, except for the one marked FiOS WAN. The 192.168.3 address is a VLAN I created on my office firewall for VoIP traffic, to isolate it. No clue about any of the others, and none of them are the public IP to my Digital Ocean PBX droplet.

Yes. Probably have the Tailscale on the DO as a subnet router exposing just the DO IP, and have TS on the Unifi connect to the DO’s subnet router. That way you may not have to update the PBX server IP on your physical phone.

I would note all of them down and systematically remove them to see what fails and where.

OK, I began doing this. I started with the entry for my static IP. The phone still makes and receives calls, but I locked myself out of the dashboard :( And now I can’t access the FreePBX settings lol. I’ll have to restore my PBX droplet from backup.

How will I prevent this problem once I get rid of my static IP?

As far as tailnet goes, to add it to my Digital Ocean, I have to create another droplet it seems, and then that’s an added cost, which I don’t want. So what’s my other option if I ditch the static IP? I do have Tailscale running on my Synology NAS here in the office, so there is a tailnet available.

Can you SSH into the box? I believe two restarts within 5 minutes temporarily disable the firewall. Should be able to access the dashboard after that and fix the firewall.

Add your Tailnet to the firewall.

Wouldn’t you just be able to install it on Debian using this: Install Tailscale on Linux · Tailscale Docs

Hey, I appreciate all the help. I’m almost to where I need to be but confused about adding the Tailnet to my FPBX firewall. Which part of the tailnet gets entered? All I seem to be able to find are my Tailscale IP addresses for the devices within the tailnet, but not the CIDR of the tailnet itself.

Allow me to get back to you on this. Have to look at my setup and I’m not at a PC now. It’s a homelab setup.

Edit: I have 100.64.0.0/10. But because it’s only accessible to my Tailnet, I think that’s secure.
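
Added example, not part of the original thread: a pre-check for the dashboard lockout described above, to run before deleting a trusted entry from the firewall. It reports which admin source addresses would no longer match any remaining trusted entry. The function names are hypothetical, the 203.0.113.10 and 100.101.102.103 addresses are constructed, and the /24 mask on the 192.168.3 VLAN is an assumption.

```python
import ipaddress

def parse_entries(entries):
    """Turn trusted-zone entries (single IPs or CIDRs) into network objects."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            # Hostname or malformed entry: cannot be checked offline, skip it.
            continue
    return nets

def locked_out(trusted, remove, admin_sources):
    """Return the admin source IPs that no remaining trusted entry covers."""
    gone = {ipaddress.ip_network(r, strict=False) for r in remove}
    remaining = [n for n in parse_entries(trusted) if n not in gone]
    lost = []
    for src in admin_sources:
        addr = ipaddress.ip_address(src)
        if not any(addr.version == n.version and addr in n for n in remaining):
            lost.append(src)
    return lost

# Constructed sample data (assumptions, not values from the thread's firewall).
OFFICE_STATIC = "203.0.113.10"      # stand-in for the office static WAN IP
TAILNET_ADMIN = "100.101.102.103"   # stand-in for a Tailscale device address
TRUSTED = [OFFICE_STATIC, "192.168.3.0/24", "100.64.0.0/10"]

if __name__ == "__main__":
    admins = [OFFICE_STATIC, TAILNET_ADMIN]
    lost = locked_out(TRUSTED, [OFFICE_STATIC], admins)
    for src in admins:
        state = "LOCKED OUT" if src in lost else "still trusted"
        print(f"{src}: {state} after removing {OFFICE_STATIC}")
```

An empty result for the address you will actually administer from means the entry can be removed without losing dashboard access.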

Is the expense a burden?

Having a static IP at your office site can really make your networking simple.

Allow the specific IP for administration and phones and allow the IPs for your SIP provider. You don’t even need responsive firewall, just the straight IP-filter firewall. You could even use DigitalOcean’s simple filtering to do it at the provider level.

Allowing dynamic IPs and/or setting up VPN is just a lot more work.

In many areas (in the US at any rate) statics are only available from FTTP, VHDSL and Cable Internet providers if you reclassify your service as a business service which can easily triple your monthly service cost as well as greatly reducing your bandwidth.

I’ve seen many small businesses order “residential” service and when the guy shows up he installs it anyway and says nothing, despite the office clearly being a business. The customer service people in those areas placing the order use address lists of businesses to determine if an address is a business, but those are often wrong and omit actual business addresses.