After moving the eth0 interface from the trusted to the internet zone, after a few minutes I cannot connect to the GUI. My ssh connection disconnects as well.
The AWS console shows the instance is still running but I have to reboot to get things working again.
If possible, use AWS security groups to handle your firewall needs.
I found that the FreePBX Distro firewall blocks DHCP and this causes the instance to drop its IP address after some time. So if you are using the distro firewall, try adding a custom rule to allow DHCP.
Unfortunately, that’s not how it works. Your EC2 instance will receive a private IP address from AWS DHCP server. Your elastic IP is mapped to that private IP. You must use DHCP and you cannot assign the public IP directly to the interface.
No joy. I created the custom service as you specified and put the eth0 interface into the internet zone. I can connect to the GUI until the firewall kicks in then it is blocked
I also put my client network into the trusted zone.
Your issue may be different than the one I mentioned. With the DHCP packets being blocked, it usually would fail after several hours because the DHCP lease expires and the server can’t renew. In your case it is blocking you right away so you probably have something different going on. If you can operate with only AWS Security Groups as your firewall and disable the Distro firewall you will have a simpler configuration.
I’ve worked on dozens of systems on Vultr and they never have a problem getting their DHCP assigned address. I’ve also dealt with dozens of local VM installs with DHCP assigned IP addresses without ever seeing this. I have never used AWS though.
I don’t have the log information at hand and the incident I worked on was a year or so ago (which is why the screenshot image I shared has the old styling). I know this firewall rule solved the problem we had. If I remember it right, the initial DHCP acquisition by way of broadcast worked fine. Later, the renewal which happens by unicast was blocked, so at the end of the lease time the IP was released. When the IP was released, this caused several services on the server to go berserk (technically speaking!) and it never recovered. What I would expect to happen is for the DHCP client to start over with a broadcast to get a new lease, but that didn’t happen.
How so, we all read that you can’t make it work
Maybe they can help you traverse their firewall, you will need both your SIP signalling and your SDP traffic seamlessly forwarded both ways, along with any http/https services on whatever port you want to provide.
Yes, that guide is fine. Only allow traffic for what you are using. If you are only using SIP from your business then only allow your business IP to access SIP ports.