FreePBX Firewall default GW Routing Problem

We have a Failover IP Routed to our Virtual Servers but we have problems once the FreePBX Firewall is enabled.

Our Network
Public ip
Netmask 22
Default GW

Failover IP
Netmask 32

To get the traffic outside with the failover ip we have to use this routing command
ip route replace default via "our default gateway ip" src "our failover ip"

This works until the moment the CLI says “Firewall service now starting.”

After that the outgoing IP is the default gateway and no longer the failover IP.

Does anyone have any suggestion why the "src failover ip" does not work with the firewall enabled, and what I have to do as a workaround?


This entry is causing the problem:
MASQUERADE all -- anywhere anywhere mark match 0x3/0x3

But how can I set other POSTROUTING entries before that, so that they will not be overwritten by the Firewall?

iptables -t nat -A POSTROUTING ! -d GATEWAY/32 -o eth0 -j SNAT --to-source FAILOVERIP -p tcp --dport 80
iptables -t nat -A POSTROUTING ! -d GATEWAY/32 -o eth0 -j SNAT --to-source FAILOVERIP -p tcp --dport 443

My suggestion was this:
iptables -t nat -I POSTROUTING 1 ! -d GATEWAY/32 -o eth0 -j SNAT --to-source FAILOVERIP -p tcp --dport 80

This puts the rule in front of the other rules. But I don't know if the firewall overwrites this rule later.

Can you try making sure that interface is set up for the same zone as your default IP by going to Connectivity->Firewall->Networks?

Conflicting entries in your Firewall Config vs manual routing tables can be a nightmare to work out. Is the virtual server in question on the same network as your primary?

Both servers are cloud-hosted virtual servers with one fixed dedicated IP address each.

The Failover IP is just a routed Address and can be switched to any of our cloud servers.

The route for the servers to use the failover IP is:
ip route change default via "default_GW" src "Failover_IP"

This route gets blocked by the firewall because of this entry:
Line 1158
"-t nat -A POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE", // if 1&2 are set, masq

After starting the firewall I can remove the line with the command:
iptables -t nat -D POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE

Then the route works correctly.

The interfaces are all in the same zone because the failover IP is just a virtual interface belonging to eth0.

My workaround solution for now: (but it gets overwritten after a Firewall restart)

/sbin/iptables -t nat -D POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE
/sbin/iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE -p tcp --match multiport --dports 80,53,443
/sbin/iptables -t nat -I POSTROUTING 2 -o eth0 -j MASQUERADE -p udp --match multiport --dports 80,53,443
/sbin/ip route change default via gateway src failover

I notice the Asterisk/FreePBX firewall is not top dog in handling manual routing/custom IP solutions. The way I handle mine is I set BOTH my WAN connections up in my DNS zone file (1 pri, 1 failover) and let the router issue address rules in conjunction with my checkpoint. My setup utilizes FreePBX's OpenVPN services and I set all VPN traffic to local to minimize firewall issues. That, along with TLS network-wide, ensures (for me at least) a very secure network with minimum conflicts from the software firewall. I have a cloud-based mirrored server that kicks in should my physical WAN connections both fail. I set up that failure route through SIPSTATION and a secondary DNS nameserver offsite.

If the above doesn’t apply maybe try this:

Check to make sure your interfaces in FreePBX Sysadmin are set up properly.
Make sure both IP addresses can reach your GUI (plus port if you have custom ports set up).
If the servers are virtual and mirrored, you may have to 'spoof' the MAC address of the failover to match its records for the primary machine. If you have a hardware firewall, those route based on MAC address most of the time.
If nothing works, make sure BOTH ip addresses are correctly setup under Interfaces.

I have to solve it with routing.

I need to use the failover IP to go outside, otherwise my phones have no sound after switching the failover IP to another server.

I cannot use any extra firewall, I have to use the built-in FreePBX Firewall.
The Provider just routes the failover IP to the Dedicated ip of the server.

Failover IP -> Public IP of ServerA or ServerB
It can be switched with an XML command between the servers.
But I cannot assign the failover IP to a server with a gateway directly.

I solved it with workarounds and created a ticket.

What is the security reason for this IPTable Entry?
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE

Can you remove it from firewall or is it important for any security reason?

You should not open a ticket asking something to be removed when you do not even know what it does.

The main reason for the ticket was the feature to let me add my additional iptables rules. Then I saw that this feature exists already. So I changed it instead of closing it.

Sorry but that rule is needed for basic routing for users. It can’t be removed.

Is there any security problem if I remove it in the additional iptables rules?
-t nat -D POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE

Please do not remove rules from iptables, as you’ll probably end up confusing yourself even worse.

They are all thoroughly documented in the source. That changes the source IP of packets that are routed through the machine. I think you may have your network setup wrong if that is blocking things.

My goal is that the machines do not use the default gateway as outgoing IP; they should use the routed failover IP as source NAT.
With this iptables rule I cannot use any other outgoing IP than the default gateway of the interface.

The datacenter's failover IP is only a routed IP, normally applied with this routing, but it works only without this iptables entry.
ip route replace default via "our default gateway ip" src "our failover ip"

That rule is only triggered on traffic that is routed through the machine. Have a read on POSTROUTING. This is why I say you have configured something incorrectly.

Saying that, if you want to delete it, feel free, you can add it to the custom rules.
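An added example, not written by any participant in this thread: rather than deleting the firewall's MASQUERADE rule, this POSIX shell script inserts a source-NAT rule for the failover address ahead of it (the kind of rule that belongs in the custom rules the developer mentions) and checks the resulting chain order in `iptables -t nat -S POSTROUTING` output. The interface name eth0 and the failover address 203.0.113.10 are placeholders, and the sample chain listings are constructed.

```shell
#!/bin/sh
# Added example, not from this thread. Keep a source-NAT rule for the failover
# address ahead of the FreePBX firewall's "--mark 0x3/0x3 -j MASQUERADE" rule
# and verify the order. Placeholders: interface eth0, failover IP 203.0.113.10.
IFACE="${IFACE:-eth0}"
FAILOVER_IP="${FAILOVER_IP:-203.0.113.10}"
# One match text reused for -C (check), -I (insert) and -D (delete).
# Narrow it with -p/--dport as in the thread if only some traffic should
# leave via the failover address.
SNAT_MATCH="-o $IFACE -j SNAT --to-source $FAILOVER_IP"

# Insert at position 1 of nat/POSTROUTING only if not already present, so
# re-running after a firewall restart does not stack duplicate rules.
ensure_snat() {
    # $SNAT_MATCH is deliberately unquoted: it must word-split into options.
    iptables -t nat -C POSTROUTING $SNAT_MATCH 2>/dev/null \
        || iptables -t nat -I POSTROUTING 1 $SNAT_MATCH
}

# Read "iptables -t nat -S POSTROUTING" output on stdin; exit 0 only when the
# failover SNAT rule is listed before the mark/MASQUERADE rule (or that rule
# is absent), i.e. the firewall's rule will not rewrite the source first.
snat_precedes_masq() {
    awk -v want="$SNAT_MATCH" '
        /^-A POSTROUTING/                     { n++ }
        index($0, want) && !s                 { s = n }
        /--mark 0x3\/0x3 -j MASQUERADE/ && !m { m = n }
        END { exit !(s && (!m || s < m)) }'
}

# Constructed sample: chain after the firewall started and ensure_snat ran.
SAMPLE_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE'
# Constructed sample: same rules in the order the original poster hit.
SAMPLE_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10'

check_sample() {   # check_sample good|bad -> exit status of the order check
    if [ "$1" = good ]; then sample=$SAMPLE_GOOD; else sample=$SAMPLE_BAD; fi
    printf '%s\n' "$sample" | snat_precedes_masq
}

# Live use (needs root): sh failover-snat.sh apply
if [ "${1:-}" = apply ]; then
    ensure_snat && iptables -t nat -S POSTROUTING | snat_precedes_masq \
        && echo "failover SNAT precedes MASQUERADE" \
        || { echo "rule order wrong, check nat/POSTROUTING" >&2; exit 1; }
fi
```

Running the script with no argument only defines the functions and samples, so it can be sourced from another script or checked before being used on a live host.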

Do you have an idea how I can trigger the traffic over the failover IP without changing this? The server is reachable but I have no sound on the phones.
I already forced Asterisk to use the failover IP.

I would start with doing a tcpdump and investigating WHY you don’t have sound.

Second problem when I do not route over the failover IP:
The Let's Encrypt certs will not update anymore, as the request comes from the dedicated IP of the server.

LetsEncrypt uses DNS

Yes, that's the problem:
The dns resolved to the failover ip and the server requests the update from the dedicated ip.

You’re really going to have to spend some time with tcpdump to resolve your problems. The source IP of the request for letsencrypt has nothing to do with the DNS lookup that LetsEncrypt does to validate the domain ownership. This sounds like you’re confused about how it all works.