Moved our FreePBX to Vultr in March when employees began working remotely due to covid. It’s worked well until last week when–depending on which WAN connection you were on–some phones randomly disconnected & the GUI wouldn’t load. It affected one WAN, then 2, then back to 1.
To keep this brief, I found that disabling/re-enabling the firewall module or doing fwconsole firewall disable immediately restored connections. I turned the FW back on & things would be fine for a while (hours) then break again. So I disabled the FW but I’m still getting disconnects. (In fact, the GUI stops responding after several minutes now.) Doing fwconsole firewall disable still immediately restores connections even though the FW is already off.
I don’t see anything unusual in the logs.
Any thoughts on this would be greatly appreciated.
(Running FreePBX 14.0.13.28/Asterisk 13.32.0 with no updates applied in the past month. Been using Vultr’s firewall the entire time. Disabling Vultr’s FW has no effect on this issue.)
@dicko, how do you think I’m able to use fwconsole since I can’t connect to the server? (But sincerely, I have learned a great deal from your many contributions on this site. Many thanks for sharing & continuing to share your expertise!)
Because if you go to your Vultr login, for each of your machines there is a “view console” button. When clicked, it gives you a ‘shell’ on your machine; this shell is effectively a TTY, so you will be able to run fwconsole or anything you want from there.
Yes, excellent point @jerrm. And in fact, I removed one extension around the time this weirdness started. That phone was trying to connect & failing because it was removed.
But I added our 3 WANs to trusted zones, & now, the firewall is off. So how can connections be failing when it’s off? Weird.
Sorry, yes, my comment was to say that I’m already using the Vultr console to issue these commands (since I can’t always connect to FreePBX). But thanks for the input.
Existing connections dropping points to fail2ban. Unfortunately that can’t be disabled in the distro (the GUI has a “stop” button, but it will eventually restart and come back).
If the WAN IPs are static, make sure they are whitelisted under sysadmin->intrusion detection.
If they aren’t static, then adjust the fail2ban settings to effectively neuter it.
Quick summary for newbs like me (& pls correct whatever I get wrong!).
I was under the mistaken impression that FreePBX:
has a single firewall controlled in Connectivity > Firewall.
adding our WAN IPs in the Trusted Zone would permit us access.
“Disabling Firewall” turns off the firewall.
Turns out:
The firewall module is but one feature of the firewall (iptables). Another important firewall setting is located (as @jerrm pointed out) in Admin > System Admin > Intrusion Detection: Whitelist.
Zone settings only apply to the Responsive Firewall feature, not the entire firewall.
“Disabling Firewall” does not disable the entire firewall but instead only disables the Responsive Firewall feature.
In my case, I thought the firewall was off…it wasn’t. Some condition was causing our WAN to be rejected by fail2ban. (This was determined, as @dicko instructed, by issuing iptables -L -n. This showed the firewall was indeed still running & our WAN IP was being rejected. Note: You may also be able to see this in the GUI at Admin > System Admin > Intrusion Detection: “IP’s that are currently banned.”)
It also turns out that by entering fwconsole firewall commands I was actually just clearing out the fail2ban list. While this temporarily reestablished connections, the real solution was adding our WAN IPs into the Intrusion Detection: Whitelist.
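The iptables -L -n check described above, as an added example that is not from this thread or from FreePBX itself: a small POSIX shell helper that scans iptables -L -n output for REJECT/DROP rules whose source is your WAN IP and names the chain that holds them. The sample output and the chain names (fail2ban-ASTERISK, fail2ban-SSH, fpbxfirewall) are constructed assumptions; the real chain names on your box may differ.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n` output (not captured from a real PBX):
# a fail2ban chain is rejecting one address, 203.0.113.7, which stands in for a WAN IP.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
fail2ban-ASTERISK  all  --  0.0.0.0/0            0.0.0.0/0
fpbxfirewall  all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# ban_chains_for IP: read `iptables -L -n` output on stdin and print the name of
# every chain that contains a REJECT or DROP rule whose source column is exactly IP.
ban_chains_for() {
  awk -v ip="$1" '
    /^Chain / { chain = $2; next }                       # remember which chain we are in
    ($1 == "REJECT" || $1 == "DROP") && $4 == ip { print chain }
  '
}

# banned_in_sample IP: run the check against the embedded sample. On a live box,
# replace the printf with: iptables -L -n | ban_chains_for "$1"
banned_in_sample() {
  chains=$(printf '%s\n' "$SAMPLE_IPTABLES" | ban_chains_for "$1")
  if [ -n "$chains" ]; then
    echo "$1 is rejected in chain(s): $chains"
    return 0
  fi
  echo "$1 is not banned"
  return 1
}

banned_in_sample 203.0.113.7
banned_in_sample 198.51.100.9 || true
```

If the WAN IP shows up in a fail2ban chain, the durable fix is the Intrusion Detection whitelist, not clearing the ban each time.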
Hard to comment on FreePBX’s “intrusion detection”. It is in fact a very ‘long in the tooth’ version of Fail2Ban with a very restricted ability to control itself, as it only does a very old “Asterisk” jail.
If you care to get a way better version then go to their site and get