But none of the others, such as ssh, http, etc?
No, just the asterisk goes to the phone system
Have you found out if there is an option for your port forwarding rules to only allow specific IP addresses inbound?
That would probably be some column called “source” or something like that.
yes! It needs a source and destination IP
You should then call your SIP providers, ask them to give you the IP addresses of the servers their signalling would come from and put those in the source field.
Is the source field now set to “any” or something like that?
Can you show us?
You can safely remove the 5060-5080 forwarding altogether, if all of the following conditions are met:
- All extensions are on site.
- You use registration (not IP authentication) with both trunking providers.
- You have qualify=yes for both providers.
- Both providers have server-side NAT traversal (you could connect a phone behind NAT to the provider directly).
If you try this, confirm immediately that incoming calls work properly and that both incoming and outgoing calls can remain connected for at least 15 minutes without being dropped.
OK, so we do have 3 SIP trunk providers, which leads me to believe I will need to whitelist all 3… correct me if I am wrong.
I added an IP ACL rule that only allows the current phonepower sip/trunk to go to the phone server.
Yes, but if @Stewart1’s conditions are met, you will probably not need port forwarding at all.
Also, you don’t need it to be a port range from 5060-5080. Usually it’s only port 5060, but you should check on the server which port the PBX binds to.
Do you have IP whitelist rules on your other forwarded ports as well?
If not, then this would likely also be a security risk.
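The replies above boil down to a short audit of the port-forwarding table: no forward with source “any”, SIP forwards restricted to the providers’ signalling addresses and to the single port the PBX binds, and remote-desktop style ports not forwarded at all. Here is an added example that implements that audit (it is not code from anyone in this thread); the provider networks, PBX address and sample rules are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed sample values (hypothetical, not real providers or hosts).
PROVIDER_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]
PBX_IP = "192.0.2.20"      # internal address of the PBX
SIP_PORT = 5060            # port the PBX actually binds; verify on the server
MGMT_PORTS = {3389}        # remote-desktop style ports that belong behind a VPN


def audit_rule(rule):
    """Return a list of findings for one port-forwarding rule.

    rule = {"src": "any" | CIDR, "dst": host IP, "from": port, "to": port}
    """
    findings = []
    src = rule["src"].lower()
    lo, hi = rule["from"], rule["to"]
    if src == "any":
        findings.append("no source restriction")
    elif rule["dst"] == PBX_IP and not any(
            ip_network(src).subnet_of(net) for net in PROVIDER_NETS):
        findings.append("source is not a known SIP provider network")
    if rule["dst"] == PBX_IP and (lo, hi) != (SIP_PORT, SIP_PORT):
        findings.append(f"range {lo}-{hi} wider than SIP port {SIP_PORT}")
    if any(lo <= p <= hi for p in MGMT_PORTS):
        findings.append("management port exposed; use a VPN instead")
    return findings


def audit(rules):
    """Map rule index -> findings, listing only rules that need attention."""
    report = {}
    for i, rule in enumerate(rules):
        findings = audit_rule(rule)
        if findings:
            report[i] = findings
    return report


# Constructed rule set modelled on the forwards discussed in the thread.
SAMPLE_RULES = [
    {"src": "any", "dst": PBX_IP, "from": 5060, "to": 5080},          # the original forward
    {"src": "198.51.100.5", "dst": PBX_IP, "from": 5060, "to": 5060}, # provider-restricted
    {"src": "any", "dst": "192.0.2.30", "from": 3389, "to": 3389},    # the RDP forward
    {"src": "10.9.8.0/24", "dst": PBX_IP, "from": 5060, "to": 5060},  # wrong source net
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RULES).items():
        print(f"rule {idx}: {'; '.join(findings)}")
```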
Just my Opinion
the OP said right up front
…I am going to be very upfront, I have absolutely NO KNOWLEDGE of VoIP systems…
She has a completely broken system, with very few ways out. You should all put him out of his agony; he needs to get professional help from somewhere. This thread, although fascinating, can only go on for a seeming eternity as he is peppershot from all sides with sometimes conflicting advice. If @ITChica has a halfway understanding of all the nuances she will experience, she is a StandUpGal, and so far seems to be just so. If you guys can communally save her from the disgraces of her bosses, then tick. . . .tock . . .
However, If I was @ITChica I would get my bosses to drop a few hundred greenbacks either to Sangoma or one of you guys if that doesn’t work out.
(Yes , I have ridden this bike a few times around the cyclodrome)
Just a point of clarification, Elastix was not an offshoot of FreePBX. Elastix existed before there was ever a FreePBX distro. Elastix used the FreePBX GUI like many other projects did, because it was the best open source interface to manage Asterisk.
FreePBX, the distro, came later.
(That sounds like it should be a movie poster meme! FreePBX, the distro!)
This thread is a great bit of immediate triage, but this thing is seriously bad. As a consultant with a personal skill in telephony, I am certainly biased.
But this setup is just bad juju.
And it totally sounds like she has zero external extensions, so I would simply remove all port forwarding that points to the PBX and call it a winner.
Also, wow… That first screen shot said Elastix 1.6… OMG kill it now… That is from like 2011. The security implications are astounding.
No, it was not an offshoot, it was a fork up that added ill-considered homegrown code and bloatware that broke the core. They ended up getting stuck in limbo and lost several main supporters (myself included); attempts to use kamailio as a multi-tenant backend were a miserable failure (4.0), and it was ultimately sold out by its proprietor. RIP
Well, you will certainly not catch me arguing with this statement.
You need professional help BUT NOT ON THE PHONE SYSTEM, at least not now. You need a professional to come in and lock your firewall down. You had a running phone system that was, my impression is, working fine until you opened the gate. Yes, I get that you are new at this, but all these phone system guys here have total tunnel vision. If your firewall is now wide open to allow the creepy crawlies to attack your antique phone system, it is now wide open to allow the creepy crawlies to attack all your other stuff.
You need to secure your network FIRST. Undoubtedly you have OTHER antique IT systems in place that are also wide open and flapping in the wind. Oh sure, you can blow your wad on Sangoma and give all these phone guys the happy happies. But for now, you can lock down the phone system and it will go back to what it was doing previously - which was working and being ignored - and concentrate on more important things. Such as password control and desktop antivirus and USER EDUCATION.
Even if you have the most secure firewall in the world, unless your users and management have a security mindset someone is going to gun your system eventually.
There is nothing wrong with an antique IT system that is horribly insecure if it’s on a secure network. I run systems like this every day. In fact I’ll give a million bucks to any smartmouth on this board that can gun one of them over the Internet and I’ll even post the password here. They won’t be able to you know why? Because that horribly insecure system I run isn’t CONNECTED to the Internet. Har har har!!
The point is that it is a LOT easier to lock down access to an antique insecure IT system than replace that system. A new phone system is going to work differently. A responsible replacement would involve at the least updating firmware in all your phones which probably right now are also running antique firmware. The responsible thing to do with the phone system is to take your time, get familiar with how your system is working and how your business is using it then get familiar with a replacement system and be sure that it’s going to work in a way that at least, is the same and at most, has lots of cool new features that your users can really use and will like. That way putting in a new phone system doesn’t become a running gunbattle with you shooting down a long list of problems that nobody thought of and your users getting more and more pissed and a consultant that is bleeding you dry while you are spinning because you don’t understand the system.
You already broke the firewall so breaking it more by getting in a professional to lock down all the insecure hacks that prior users put in it won’t get you any more itch-bay points. And I assure you in the long run you will be happier later by pulling that 3389 port forward out and forcing whoever it is to use a VPN, and other stuff that mean old security people do to make life difficult for users who think a secure password is a 5 letter word from the dictionary that falls out of their lips a dozen times a day.