Freepbx's firewall is not working properly

Templeusz · 2020-11-30 19:05:01 UTC

I have grandstream ht801 gates installed in 4 different locations

On the freepbx server for the “chan_pjsip” protocol, I have the non-standard port 24867 selected
When my firewall is turned off, everything works fine.
In the “asterisk info” tab, I have this info:
101/sip:101@15.15.15.10:5060
102/sip:102@19.19.19.19:46815
103/sip:103@15.20.15.10:5060
104/sip:104@27.15.15.10:5060
When I run the firewall and restart 4 voip gateways in different locations, only 3 voip gateways connect.
Extensions “102” stops working

Port numbers are real (I haven’t replaced them)

danardf · 2020-12-01 08:24:32 UTC

Do you use Responsive Firewall?
Did you declare some ips in trusted zone?
What the kind of system is used here?
What’s the FreePBX version?

If your IP addresses are static, you can declare them as Trusted like for example : 19.19.19.19/32

Templeusz · 2020-12-01 16:05:10 UTC

Responsive Firewall - Enabled
SIP Protocol (pjsip) - Disabled
Legacy SIP (chan_sip) - Disabled
IAX Protocol - Disabled

FreePBX 15.0.16.72

When I declare the IP address 19.19.19.19 in the trusted zone, start the firewall and then restart the VOIP gateway, the connection is established (works)
When the address 19.19.19.19 is not in the trusted site and the firewall is on, the VOIP gateway does not connect (does not work)
Unfortunately, the IP addresses change every 2 days

sorvani · 2020-12-01 16:48:51 UTC

Does the gateway register?
If not, there is nothing for the responsive firewall to look for.

Templeusz · 2020-12-01 17:49:29 UTC

The remote gateway is not registering.
I swapped two gates places (without changing the configuration), moved gate 102 to location 103 and gate 103 to location 102.

While I have my firewall turned off

101 / sip: 101@15.15.15.10: 5060
102 / sip: 102@15.20.15.10: 5060
103 / sip: 103@19.19.19.19: 14523
104 / sip: 104@27.15.15.10: 5060

When I turned on the firewall and restarted VoIP gateways

101 / sip: 101@15.15.15.10: 5060
102 / sip: 102@15.20.15.10: 5060
104 / sip: 104@27.15.15.10: 5060

It follows that the problem only occurs in one location.
I cannot connect from the computer using the 3CX Phone application when the firewall is on, when the firewall is turned off, it gets a connection (I log in to my account).
When connected to 3cx, I also have a different port than 5060 in the “Asterisk info” tab

Templeusz · 2021-01-03 14:57:09 UTC

I decided to start the firewall again.
The conclusions I have at the moment are that the reason is the operator providing the internet or the router at the client 102 (no possibility to change the internet operator).
As I replaced the voip gates in two locations, the problem remained in location 102 all the time.
For some reason, the voip gateway of this Internet operator at the client 102 uses a different port than 5060, the same is the case when I connect to the SIP account using the 3cx program on the computer, in the Asterisk Info tab by the user there is a port other than 5060.

PS. I have a VoIP server on port 24867
Everything works fine when I turn off the firewall.
When the firewall is on, the phones work only at the clients 101,103,104, but they do not work at the client 101 and on the computer in the 3cx application

lgaetz · 2021-01-03 17:41:16 UTC

You have responsive enabled, but all the responsive protocols are disabled. You must enable whichever driver(s) you need for remote access.

Templeusz · 2021-01-03 18:56:54 UTC

It worked, it was that simple.
The only question is why some clients who used port 5060, despite the “SIP Protocol (pjsip)” option turned off, were able to connect without any problems, while clients who used port other than 5060 could not get a connection.

lgaetz · 2021-01-03 19:47:13 UTC

For the FreePBX firewall source port is irrelevant, only source IP.