That’s not how ZenGuard Loader works. There are specific versions for specific PHP releases and OS releases. The ZenGuard Loader that FreePBX uses is for PHP 5 and CentOS/RHEL.
This goes back to my previous comments about the differences between manual and distro based installs and things that are lacking in manual installs.
On the topic of firewalls. PFSense has a horrid track record of dealing with SIP mainly when the phones or PBX are behind NAT. @xekon You have said you have a static IP which pretty much means no NAT for the PBX. This will not be the case for many users. It it just not the right firewall for SIP devices that will be behind NAT.
Let’s be clear on another thing, fail2ban is not a firewall. Not at all. Nadda. Ziltch. It is an “intrusion detection” program. It reads the logs for activity that ALREADY happened on the server. If you are looking for real time firewalling on the PBX use iptables because that is exactly what the FreePBX Firewall is, iptables.
IPTables is how Linux systems have firewalled themselves for over 10 years. It’s pretty proven.
While I agree that Fail2Ban is not a firewall it is Very good to use in addition to the firewall, it is great for stopping brute force attacks on legitimate ports/login interface, such as somebody trying to brute force crack your SSH login, and you can configure how many times you allow them to use a wrong password before getting banned as well as how long to ban the IP address for. In addition I recommend using RSA keys with a passphrase instead of simple password login.
That is how I understood things as well, and is why I use UFW/Iptables. Good to know that iptables is what the FreePBX Firewall is! I was actually wondering what types of security measures the FreePBX firewall used, thank you.
I was working on installing the dependencies for the FreePBX firewall, I finished installing Zend Guard Loader, but it sounds like even with the dependencies met, the FreePBX firewall would still not install because this system is Debian based instead of Redhat/centos.
The freepbx firewall will only work on the freepbx distro. It won’t work on standard CentOS machines. Sorry.
What I do is put my VMs hosed in datacenters in a walled garden and put Vyatta (or VyOS) as the router to them which has a pretty extensive firewall capability including stopping brute force attacks. Just be sure to turn off the interfaces most providers sometimes leave on when you setup the VMs and only have the VMs routed through your own VM router.
Bill,
Maybe you would be willing to document at least what you recall of this? I am interested specifically in how you did this on the ISO. I want the Sangoma Active firewall with GVSIP and tried 20 ways to do it now . The cleanup I can probably fiogure out if it is all asterisk files. I think where my installs on ISO have gone bad is asterisk files letd on Hard disk from previous (freepbx) version as I can see asterisk NAF start then exits.
@markosjal Get this idea out of your head right now. It’s not going to happen anytime soon. The version of ASterisk that is being used for this is a FORK which means it’s not an official release from Digium (Asterisk maintainers/developers) so that means FreePBX is not going to support it as it uses official Asterisk releases.
At this time Digium has no plans to incorporate this. As well, if they are going to then Nafg needs to clean up his patches to meet Digium standards and even then it is still up to Digium is merge those patches into the core.
Let’s also not forget, Polycom buys Obihai then Obihai releases new OBITalks with GV branding on them followed by Google actively tearing down the XMPP connections they say have been dying for the last 3+ years AND THEN announce they have a SIP based platform which is completely branded with Obihai. This isn’t a setup that screams “Oh yeah, we’ll let any ole device connect to our branded platform that we spent a lot of money on”. So there is no guarantees this is going to be the correct solution.
Let’s be clear on this GVSIP in Asterisk, more importantly FreePBX, is a hack/kludge solution. It requires an unofficial release of Asterisk and a non-Distro install of FreePBX. That alone now makes official support no longer viable from Sangoma. It also means that there is no support for the commercial modules such as System Admin. Without System Admin you cannot activate the PBX. No ability to activate no support, no commercial modules and no way to install modules that depend on System Admin like the System Firewall.
At this point if you are doing anything at a business level the idea of GV+FreePBX is no longer viable. You are better off sucking it up and getting a real ITSP/voice service because it will be less cost in the long run vs the time spent trying to make this kludge work properly or dealing with the downtime when either GV makes another change or a new update is released and causes issues.
Excuse me , but there are people here, in this very thread, saying they HAVE installed NAF GVSIP to Cent OS and the ISO, so it ALREADY HAS HAPPENED . It may never come in the ISO, but also keep in mind NAF’s work is being merged to asterisk , so yes “some day” it may come to FPBX built-in
Do I care if it breaks the ability to do upgrades? Probablty not if I uopdate the system before doing the install, it is probably about the best I can do, and probably no worse than the other options. There are all kinds of people on these forums that have re-compiled asterisk for freepBX whether it be to support PRACK or Cisco phones just search its all here.
Uhm, the logic of “Look, other people have done it” isn’t the best logic here. Other people have eaten Tide Pods or smoked Bath Salts. I’m pretty sure you’re not doing that and telling people “But other people have done it”. So my point is, just because other people have done it doesn’t mean it is the right thing to do.
Having your business rely on a service that is an unsupported, no guarantees, no SLAs and lacking basic features all other Telephony services offer that could be shut down in a moments notice is a bad idea. Period. It does not and will not save you money down the road. As you have pointed out you have multiple servers running in a data center and it seems you are attempting this for multiple systems. So right now the time you have spent working on this for your “free” service is a cost to the company.
first off you have NO IDEA what my application is, nor do you need to know nor will I tell you. It is NOT a lifeline situation nor is it for a business. Nuf said.
Second if Bill Simons (and others) says in this thread that he installed into ISO, I believe that.
third lets take a look at Google Voice, and we will assume that you know ALL as you seem to imply. Okay it gets shut down tomorrow via SIP you can still forward to a PSTN number . I doubt its going away completely any time soon. SIP gets shut down you still get incoming forwarded to another number, and can still answer said calls. Boo Hoo I will pay for outbounds, wait no I won’t, as I have another free way to do those too. Just because you were raised into and fell for consumerism does not mean that I have to fall victim to consumerism.
Now get the chigger out of your behind so you can sit down more comfortably without irritation.
This is your first and only warning. Maybe you are allowed to say these things on other forums but not here. We will not tolerate insults to users like this. From either side.
@BlazeStudios and @markosjal please refrain from addressing each other there is the ability to ignore in your profiles. Utilize it if you need.
Thanks for the excellent guide! Was able to get up and running without too many hurdles.
Is the debug=true line required in pjsip_custom_post.conf file once I’m satisfied the system is working correctly?
The issue i’ve encountered so far is calling other gv numbers that don’t get answered. Instead of going to gv voicemail, the call is dropped with a 503 error. This is easily reproducible by calling your own gv #. In the past it would play back your vm’s or tell you you have no messages, press #2 to make outgoing call, etc. Here it just drops the call.
Thanks again!
Will try reproducing this myself, chances are it has to do with the implementation of the new gvsip and will resolve itself eventually. (from google’s end)
you can change the debug=true to debug=false, however if you encounter an issue and wish to report it to Naf in his technical discussion thread, he will want logs and cli output with debug=true, so keep that in mind if you run into issues you will wanna switch it back to true.
I called my cellphone which is using google hangouts on a different google voice number, I have the cell phone set to vibrate, vibrated 12 times, but it did eventually drop the call and I got the voicemail recording:
“The google subscriber you have called is not available, please leave a message after the tone … beeeeep”
Calling my own number however I do get the dropped call/busy tone with 503 Service Unavailable.
I get the same result when testing the same way (with hangouts).
Try it without hangouts and you’ll get the same result I do. That is, gv forwards to a carrier number, which also forwards to another gv # for vm purposes.
Or, just calling another gv # which doesn’t forward anywhere results in the 503 after it times out ringing and tries to go to vm.
Re: debug line, if it’s set to false, is it even necessary?
Thanks for the quick responses.
no, the line can be removed entirely if you wish.
I really think this would be better installed into the ISO. I have made over 20 different attempts over the last few days for the current and older ISOs. I think the firewall is imprerative.
Also I found another gem which may be of interest to folks here because so many of you seem so “bleeding edge” . Its great for the configs I install on virtual machines.
There is an Open source (???) SBC , and if you do not know what that is , it is a Session Border Controller . It is a security method used on many VOIP Provider networks and wholesale providers.
Unfortunatly , I tried two installs today and they seemed run fine (without configuring) till I installed the GUI then the network interfaces were GONE . Maybe someone here who is interested in it might find out what the fix is for that.
Mark
I made the comment over on the DSLReports forums and found that most people had the same issue . It is the only way to change your voice mail greeting!. I also tried to spoof the GV caller ID calling into the same account from a VoIP line and the call also dropped.
Maye there is a limitation of 1 simultaneous call, and for that reason it happens?
On the call not going to voice mail after several rings, I have seen this too , but have seen it work also. I suppose the best work around for that is answering the call on first ring and using asterisk voice mail.
Mark
Hello! So I believe I have set everything up successfully on the FreePBX side. My logs do not have any errors upon startup. However, I cannot get my Cisco SPA504G to register. I have 701 setup for GV, and I created 702 just to test. 701 on the phone, blinks orange and says Not Registered (Not Reachable) and 702 says Not Registered (No Response). I tried also using 702 from a softphone on my Andriod and no registration there either. Logs on Asterisk do not indicate any activity to the phone. I know this is vague, and can provide the logs if necessary. Using the IP address to the SIP in the config. I am configuring the phone manually.
Thanks for any help. I am too attempting to get my GV back working on my phone. (Was using Bills service)
So I just ran Wireshark while the phone was rebooting and it says that the phone is trying to contact 255.255.255.255 instead of the IP address of my server. I know this is the catchall address, any ideas?
229 41.339533 192.168.1.120 255.255.255.255 UDP 70 55656 → 55656 Len=28