FreePBX firewall question

I’m a little confused on FreePBX and firewalls. When configuring the firewall in FreePBX it says it shouldn’t be behind any other firewall and should be placed in the DMZ zone. However, elsewhere I’ve read it’s a bad idea. So I’m not really sure. Which is it. I like the idea of isolating the FreePBX because I do have remote extensions and would like to keep the rest of the network secure.

I’ve been operating recently under the second option above with FreePBX behind the firewall.

Yesterday, I replaced my pfsense router with an edge router X from ubiquity, after finding my way around the UI and figuring out getting 10000-20000 to the pbx I’ve noticed stuttery audio. I know the audio problem comes from the server to the trunk because it happens during the ring and during IVRs. So it isn’t just the phone.

Should I leave it as is and work on the stuttery audio or should I really have my server outside of the firewall?

I hope this all makes sense, it’s been a long day


(Note: I do not use the FreePBX firewall, I use a real DMZ and SIP traffic is only allowed from my ITSPs trunks. RTP traffic to my PBX is allowed from everywhere since not all my providers proxy it through their servers.)


Which definition of a DMZ are we talking about?

An enterprise grade router/firewall one (which pfSense is definitely capable of) or an home router one?

A real DMZ from an enterprise router/firewall is on a different network segment than the LAN. It has rules to let only some traffic from the DMZ to the LAN and usually (but doesn’t necessarily have to) have restrictions to its outbound traffic to the Internet.

A fake DMZ from an home router is on the same network segment as the LAN. Essentially all network traffic not otherwise forwarded to another computer is forwarded to a specific host, see DMZ host.

The first one is usually quite secure, the second one, well, not that much… If someone is able to gain access to a consumer router’s DMZ host (s)he essentially compromised a computer on your LAN…

Now it’s also possible to put a server in front of the firewall but this is not what people usually refer to as being a DMZ…

If bandwidth is severely limited you might have to prioritize traffic but that’s something your pfSense firewall (using its Traffic shaper) could do and I assume it was not required?

Was your setup identical (with the exception of the firewall) when you had pfSense and did you have problems?

Does you new router has SIP “helpers” of any kind like SIP alg? Did you try turning it/them off?

Good luck and have a nice day!


for the most part, you can run the pbx behind a router/firewall. if your trunks use IP authentication then you will have to forward the SIP ports (UDP 5060 or 5061 and 10000-4000) and white list the ip addresses of your trunks. the thing that does not work is to do double NAT’ing

1 Like