FreePBX Firewall > Phone Provisioning Difficulties

I am struggling to sort out the correct settings for the firewall on my servers. I’ll start by saying that my servers are configured on internal networks; they are not directly exposed to the internet.

For a while I left the firewall at its default settings, which had the network interfaces set to the “Trusted” zone. I finally decided to go through the process of configuring the firewall. Unfortunately, however, new endpoints are now unable to provision from the server. I am not sure if I have something set incorrectly, or if I am misunderstanding how this should work. I note that I have the same experience on both servers that I have attempted this on.

My configuration is as follows (just including what I believe are the important bits):

  • Services (all left at defaults; clarifying a few below)
    • SIP Protocol > Internal
    • TFTP > Internal
  • Interfaces:
    • eth0 > Internal (I also tried “External,” as recommended)
  • Networks:
    • 10.0.0.0/16 > Internal (this is our internal subnet)

When I try to connect a new phone, which has been configured in FreePBX but has not yet connected, it is unable to pick up its configuration from the server. Disabling the firewall allows the phone to connect and correctly pick up its configuration, but once I turn the firewall back on, it is again unable to pick up its configuration from the server.

Any thoughts, or other data that would be useful for troubleshooting?

Is your phone set up to use TFTP, or is it using something like HTTP or FTP provisioning?

Sorry, forgot to add that detail; I am using TFTP for provisioning. Also, clarifying that I have tried a few different endpoint models; Aastra 9133i, Aastra 9143i, and Grandstream GXP-2160.

@xrobau any ideas here?

Ahha! We’ve finally nailed down the issue that was randomly causing TFTP to fail, and the fixed firewall is in edge at the moment.

If you’re having this problem, you’ll see ‘connection refused’ errors in /var/log/messages, and it’ll be fixed by running fwconsole --edge ma downloadinstall firewall, which should install firewall version 13.0.38.2.

That seems to have fixed it for me; thanks!
