FreePBX and Firewalls

Wanted to poll users.

What is the best firewall system to use with FreePBX? We have many issues running a FortiGate 100D, as every so often the firewall starts dropping packets both in and out to the FreePBX. It only affects the FreePBX system. What are the firewalls you use in your production? We are only a small-to-medium-sized business.

This is a difficult question to answer, as there are a variety of networks to consider.

FreePBX comes with an amazing web-configured firewall solution. Sometimes that firewall can get in the way of proper operations, so you need to be careful when having a firewall installed in front of FreePBX.

For example, I have 2 installations where we are behind another firewall (CentOS 6 Linux) and we port forward all of the SIP stuff to the FreePBX box, which works fine.

I have another installation where the FreePBX has a public IP address and 2 NICs available, with the phones attaching on the local network, and one remote user through the public interface, along with SIPSTATION. We are also testing Zulu on this system. I have a MikroTik device in front of this server, filtering out most of the internet's wild waters, but still keep the internal firewall active.

The forums all over the place suggest disabling any sort of SIP helpers on upstream devices. Look for settings on 5060 (or your other SIP ports, maybe 5061) and see what works for you. With the free price of FreePBX, you can easily build test setups within virtual machines, and test setups without bothering your internal users.

Christian

I dislike FortiGate in general, but have you disabled SIP ALG? As well as made sure your UDP timeouts are high enough. Most firewalls have a default UDP timeout of 30 seconds. If your phones or providers only check in once an hour or once every few minutes, the firewall will close the NAT hole. You can set specific UDP timeouts for specific traffic.

Thank you for your post. I haven't considered the FreePBX firewall. The reasons why vary; however, to my knowledge there is no DNS filtering so that we could block certain websites, and there is not an easy way to do IDS/IPS. These are two things that I and upper management want to do. I should have included that information; I do apologize.

Thank you for your post. I have not changed settings in the FortiGate. The issue was one that even stumped FortiGate's support team multiple times. It seemed packets were being silently dropped even though the rules were correct and working. All in all it has been a major issue, and with licensing costs it looks simpler to look at other solutions.

We have a few production PBXact systems behind Sophos XG at the DC, and all clients are remote using desk phones and softphones.
No issues.

I provide SIP trunks to customers with FortiGates and I have to send keepalives of 20 seconds. Really not ideal; try increasing your UDP timeout on the FortiGate in the meantime.
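To make the UDP-timeout point from the earlier reply and the 20-second keepalive figure above concrete, here is an added simulation (not code from FreePBX or from anyone in this thread). It models a stateful firewall's UDP NAT table with a constructed phone address and shows which inbound INVITEs are silently dropped when the phone's REGISTER/keepalive interval is longer than the firewall's UDP idle timeout.

```python
from dataclasses import dataclass, field


@dataclass
class UdpNat:
    """Stateful firewall's UDP translation table (constructed simplification)."""
    idle_timeout: int                              # seconds before an idle UDP session is dropped
    mappings: dict = field(default_factory=dict)   # (inside_ip, port) -> time of last packet

    def outbound(self, inside, now):
        """LAN -> WAN packet (REGISTER, OPTIONS keepalive): create or refresh the pinhole."""
        self.mappings[inside] = now

    def inbound(self, inside, now):
        """WAN -> LAN packet (INVITE towards the phone): only passes through a live pinhole.
        An expired mapping is removed and the packet is discarded without any error."""
        last = self.mappings.get(inside)
        if last is None or now - last > self.idle_timeout:
            self.mappings.pop(inside, None)
            return False
        self.mappings[inside] = now                # inbound traffic also refreshes the mapping
        return True


def dropped_inbound_calls(idle_timeout, refresh_interval, call_times,
                          phone=("10.0.0.21", 5060)):   # constructed phone address
    """Return the inbound call times (seconds) that the firewall would drop.

    idle_timeout:     firewall UDP session timeout (30 s is a common default).
    refresh_interval: seconds between the phone's outbound REGISTER/keepalive.
    call_times:       seconds at which the PBX sends an INVITE to the phone.
    """
    nat = UdpNat(idle_timeout)
    horizon = max(call_times) + 1
    events = [(t, 0, "refresh") for t in range(0, horizon, refresh_interval)]
    events += [(t, 1, "call") for t in call_times]       # on a tie, refresh is processed first
    dropped = []
    for t, _, kind in sorted(events):
        if kind == "refresh":
            nat.outbound(phone, t)
        elif not nat.inbound(phone, t):
            dropped.append(t)
    return dropped


if __name__ == "__main__":
    calls = [10, 45, 3610]
    print("30 s timeout, hourly REGISTER  :", dropped_inbound_calls(30, 3600, calls))    # [45]
    print("30 s timeout, 20 s keepalive   :", dropped_inbound_calls(30, 20, calls))      # []
    print("3600 s timeout, hourly REGISTER:", dropped_inbound_calls(3600, 3600, calls))  # []
```

Either shortening the keepalive interval or raising the firewall's UDP timeout for SIP traffic keeps the mapping alive; the simulation shows both fixes producing no dropped calls.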

FortiGate acts like no one's ever had a VoIP issue with them before? Crazy. They even make VoIP phones. They should know this stuff. I like SonicWalls, but you still have to disable SIP ALG and increase UDP timeouts. I'm more of a MikroTik guy though.
