How to setup firewall for work-from-home dynamic IP addresses


(Felotus) #1

I have a FreePBX OS installed with FreePBX’s official hosting partner OPL and since Covid everyone is working from home.
I have Responsive Firewall turned on, SIP Protocol enabled and Legacy SIP / IAX Disabled. I essentially add the IP addresses of everyone’s home to be Trusted (Excluded from Firewall), but the problem is that their IP address change often. My understanding was that it wouldn’t matter as once the phone is registered it’s whitelisted somehow, but everytime the employees’ IP address change, their phone no longer connects.

What’s the correct configuration for a WFH system where each client has a seldom changing IP address ?

Kind regards


(Itzik) #2

Are you sure you have the responsive setting enabled?

As a workaround, you can setup DDNS clients and whitelist the FQDNs in the firewall.


(Felotus) #3

It doesn’t show an Enabled button but I’m assuming the unchecked DIsable button means it’s enabled


#4

if you do a whois on the current ip, the underlying network will be exposed, the work at homer will always have an ip awarded within that network. , some networks (like apple ) are huge, but mostly thats not where the bad guys are


(Felotus) #5

Doing so on one of the employee showed the following range:

NetRange: 86.0.0.0 - 86.255.255.255

That’s essentially 1/255th of the worlds traffic, correct? If each emplyoee is in a different range, you quickly do 10-15 x 255th of the worlds traffic, whitelisting all of it sounds like bad practice security-wise

Isn’t the firewall supposed to let the clients try a few times before blocking them?


(Felotus) #6

Doesn’t this mean we shouldn’t even have to whitelist IPs ?


#7

That’s exactly the idea behind responsive firewall, that you don’t need to whitelist specific IPs, because the firewall automatically takes care of that based on successful authentications.


(Lorne Gaetz) #8

Should be an obvious question, but it’s not addressed. Are you using pjsip extensions or chan_sip (or both)? The responsive firewall config shown will only allow untrusted access to the PJSIP transports.


#9

That doesn’t seem right. 86.0.x.x is Virgin Media, 86.128.x.x is BT, 86.192.x.x is Orange (France), etc.
There are some pretty big blocks, but nothing close to a /8.

Possibly, the client device is sending some sort of keepalive that is getting them blocked. Try setting a short registration interval e.g. 120 seconds and turning keepalive off.

If the IP change occurred during business hours, it’s possible that an outgoing call attempt caused the block. Frequent registration should help that, too.


#10

86/8 is a generic redirect, chances are that that ip is static so a /24 would likely cover if a /32 doesnt work


(Felotus) #11

One of the client’s IP was 86.151.xxx.xxx and a few weeks later it changed into 86.158.xxx.xxx
I’ll try to turn off the keepalive and shorten reg. interval.

But this problem happens seldomly, like every week or two

Also the firewall is already whitelisting 86.158.xx.xx/32 by default and we still have the problem once a week or every two weeks


#12

To allow all 86.158.xx.xx, you need to whitelist 86.158.0.0/16


(Felotus) #13

Yes but a week ago, his IP was 86.151 and now 86.158 so it wouldn’t even help


#14

According to https://whois.domaintools.com/86.151.1.1 , BT’s block is 86.148.0.0 - 86.159.255.255
so 86.148.0.0/14 and 86.152.0.0/13

If his IP was changing because it’s DSL and losing sync, proper modem/router setup can fix that. Or, if caused by a noisy line, you may be able to get BT to fix it.


#15

slice it and dice it any way you want

86.148.0.0/14 comment "GB ripencc BT-CENTRAL-PLUS "

covers it , yes its unnecessarily large but so is BT :wink: If your firewall doesn’t work effectively then you can allow that network.


(Jared Busch) #16

When a user cannot connect, you should see them blocked. Did you check that?

Also there are two things that can block you. The Firewall and Intrusion detection. Even worse, they don’t talk to each other. Or at least did not last time I tested.

Intrusion Detection is in SysAdmin.

So when a user is blocked, check.


(Felotus) #17

All extensions are listed as using pjsip
image


(Felotus) #18

I didn’t knowa bout Intrusion Detection but it shows no banned IP

In the “Status” of the first screenshot, there’s a bunch of blocked IPs but none of them are 86.x


#19

I am getting this as well on one of my clients PBXs.
FreePBX 14.0.13.34
System Firewall13.0.60.3
All PJSIP extensions
PJSIP enabled for responsive firewall
New IPs dont show in Intrusion list when they cant connect.
I have to keep asking them to send me their new pub IP and I add this to their firewall - and their phone starts working again. Only happening to 2-3 phones out of 20 but one of these is a director so I’d love to get a fix. Next step could be changing a problematic Extension to use VPN or change to SIP and see if responsive firewall works then.


(Dave Burgess) #20

My next step would be to start using a Dynamic DNS setup and allow by name. While that’s cooking, see if you can get a VPN going.