My Network Setup
1x FreePBX 13 Server (with internal IP) behind a Router with one external static IP address;
1x Phone behind the router;
Several x Phones on the outside of the router.
How my network worked with FreePBX 12
1x phone behind router connected to 192.168.x IP address;
several phones connected outside of the router with the static ip:port NOT through the VPN;
router routed traffic to the freepbx server;
I was able to access my web interface with the 192.168 address when connected to the vpn.
Since upgrading to FreePBX 13, I am able to make calls on my trunk and access my web interface from behind the router - I can’t make or receive internal calls as no other phones can connect.
I cannot access the web interface outside of the router without creating a tunnel through my vpn and setting up Firefox as a proxy and any phones outside of the router will not connect. These phones connect without VPN (they are too old for VPN);
My Current FreePBX 13 Firewall Setup
eth0 set to ‘external’ (this is the only interface);
asterisk sip settings - set to recognise my external static ip address (as before);
192.168.1.219/32 (my laptop IP) set to trusted within zones -> networks;
192.168.1.0/24 set to trusted within zones -> networks;
IPV6 IP for my internet network at my parents - specified in zones -> Networks - this is set to internal (I have just changed this to trusted but I also disabled the firewall, connected my phone and reactivated the firewall so i’m not sure if i’ve accidentally fixed the issue only temporarily).
Web management is set to ‘internal’
I have changed the asterisk sip port from 5060 to a custom port - this worked fine with freepbx 12.
Any thoughts on any blatant misconfiguration or whether the firewall is compatible with my network needs please? I can’t guarantee that, by the time someone replies, the phone stops connecting outside of the router again!
you probably fixed the issue - once the phone registers the system adds it to the allowed list.
Hello, thanks for this. I gave up on moving to FreePBX 13 as it was clearly still very buggy as of Summer 2016 in my opinion.
What I am unsure of in your answer is the correct way of sorting this out. I can’t really take down the firewall every time I want a phone to connect…
Thanks and Happy New Year
it sounds like your problems are all firewall configuration related. if you disable the firewall and your phones then register, it means you have a configuration issue with the firewall. you can of course use a vpn but it is not necessary.
- NIC’s - i always set ALL the NIC’s to external
- i add all addresses that should be able to access the pbx to trusted - this includes your local area network (in your case the 192.168.1.0/24 as well as the internet from your parents house. you might also have to add the ip addresses for your ISP. If your remote phones are connected to routers that support dyndns or something similar, set that up and add those url’s to the trusted zone in the firewall. if the phones are not connected to anything that supports dyndns, they will still work even if they are not added to the network list if you do the next item
- enable the responsive firewall and enable the appropriate service - probably chan sip in your case - this will allow your remote phones to register and work with the pbx.
- go through all the services (2 tabs of stuff) and set them appropriately to either reject or nothing. nothing basically says that if the request is coming from a trusted network then allow it, otherwise reject it.
- add all your trusted networks to the fail2ban white list
- setup the endpoint manager so that you have the proper provisioning protocols enabled.
7 click on the port/service map tab to verify that the ports you think you are using are enabled especially since you changed the sip port.
Thanks for this,
I am having a nightmare upgrading and getting version 13 stable at the moment.
I really appreciate the time that that just took you to type and I certainly shall read it carefully when, I really hope, I can get to a stage where I can successfully deploy v13
the upgrade from 12 to 13 works pretty well provided you have all paid modules on current maintenance. things break if they are not.