My FreePBX is on my LAN, and the LAN has its own firewall; therefore I didn’t enable the local FreePBX firewall.
Is this correct, or is it advisable to configure the local FreePBX firewall anyway?
And can I avoid changing the ARI username/pwd because of this setup, or should I follow the recent advice on that?
I almost always use both (edge and device(s)), but firewalls totally depend on your use case. If your PBX has just one or two trunks and only local extensions, you may only “need” one or two firewall rules at the edge, but what if that firewall goes down for some reason? Two firewalls can make it complicated if you don’t remember how each is specifically configured, but the popular trend is to assume you have or will have bad actors on your LAN and can’t depend on edge rules to save you.
Similar with ARI credentials. I don’t want anything on my LANs to have default credentials, but if the PBX network or VLAN is just a few “fully trusted” (is that a thing?) devices, does it matter?
It’s a bit more work, but probably safest to assume things will NOT stay the same and button up every potential security hole you can from the start.