Firewall Question - trust extensions based on phone MAC?

I have a number of deployments, but am not a FreePBX expert. All instances I run are hosted on Vultur and whenever possible, sites with phones have static IP, or run a dynamic DNS service for the sake of not having issues with registrations when the local WAN IP changes.

As I don’t totally manage IT in every instance, there are a few challenges, but made me think yesterday following a power outage at one site / WAN IP changes / phones are locked out even though they have the correct credentials…is there not a way to enter the MAC address of the device so regardless of IP, they can register? Or, is there not a firewall setting or option that allows the phone to register even if it is not from a trusted IP?

FreePBX doesn’t use IP address as part of the credential, for extensions, although it can do for trunks. It uses the extension number. As such I don’t really understand your problem.

For outgoing calls, to the extension, it uses the IP address from the registration, which will be corrected on the next re-registration.

IP networks don’t know about MACs beyond the immediate broadcast area, and there is no requirement for them to be globally unique - that comes from Ethernet, not from IP. The socket APIs don’t give access to the MAC address.

(There is some advice for Asterisk to use Ethernet MAC addresses, instead of extension numbers, as the user part of the device’s URI, so that attackers have to guess that as well as the secret. However FreePBX relies on the degeneracy of the device address/extension number relationship, and this has no effect on network routing.)

The issue is that FreePBX is hosted in the cloud, and phones are on-premise. In cases where I don’t have control over network / can’t use DYN DNS without putting another device on-premise, if the WAN IP changes because of an ISP refresh, power outage, etc, the phones are unable to register to the server, as the firewall does not allow them to reach the server. I need to manually shut the firewall off, let them register, and then turn it back on. I want to avoid this in situations where I don’t have control over the network.

You need to relax the firewall to allow SIP to arrive from all possible networks that your ISP could allocate to you, or use a VPN (in which case handling the instability of the device’s public addresses becomes one for the VPN). MAC is not a solution, as it doesn’t go beyond the first router, which might be before the NAT one.

Whilst you could just pass through REGISTER, I’d expect an attacker to try REGISTER.
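As an added illustration of the "relax the firewall to the ISP's ranges" advice above (this is example code, not from the thread or from FreePBX), the snippet below groups REGISTER attempts from outside the current allowlist by source address and separates a source that only tries the site's own extensions (a likely new WAN address worth adding) from one that tries extensions that do not exist. The log format, addresses and extension numbers are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines in a hypothetical format (not FreePBX's own):
# "<timestamp> REGISTER ext=<extension> src=<source ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 REGISTER ext=201 src=203.0.113.10
2024-05-01T08:00:02 REGISTER ext=202 src=203.0.113.10
2024-05-01T09:15:44 REGISTER ext=201 src=203.0.113.77
2024-05-01T09:15:45 REGISTER ext=202 src=203.0.113.77
2024-05-01T09:16:10 REGISTER ext=1000 src=198.51.100.5
2024-05-01T09:16:11 REGISTER ext=1001 src=198.51.100.5
2024-05-01T09:16:12 REGISTER ext=1002 src=198.51.100.5
"""

LINE_RE = re.compile(r"REGISTER ext=(\S+) src=(\S+)")


def build_allowlist(cidrs):
    """Turn ISP prefixes such as '203.0.113.0/28' into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src, allowlist):
    """True if the source address falls inside any allowlisted prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def classify_registrations(log_text, cidrs, known_extensions):
    """Return (site, suspect): sources outside the allowlist that only tried
    extensions which exist on this PBX (probably the site's new WAN address)
    versus sources that tried extensions which do not exist."""
    allowlist = build_allowlist(cidrs)
    by_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ext, src = m.groups()
        if is_allowed(src, allowlist):
            continue  # already trusted, nothing to review
        by_src.setdefault(src, set()).add(ext)
    site, suspect = [], []
    for src, exts in by_src.items():
        (site if exts <= set(known_extensions) else suspect).append(src)
    return sorted(site), sorted(suspect)
```

Once the site's address is confirmed, widening the allowlist to the ISP prefix that contains it (for example adding 203.0.113.64/26) moves it out of the review list without trusting the unrelated source.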

I used VPN for this. It took a while to figure out all the settings but it works great and allows phones to register from anywhere in the world. I used Yealink phones but lots of them support OpenVPN. I am using it with a customer that has 150 phones, and we have not had any problems with connection or voice QoS issues. I wrote up an article on how to do it. How to Setup Yealink with OpenVPN with FreePBX.pdf - Google Drive