How to set up a firewall for work-from-home dynamic IP addresses

I have a FreePBX OS installed with FreePBX’s official hosting partner OPL, and since Covid everyone has been working from home.
I have Responsive Firewall turned on, SIP Protocol enabled and Legacy SIP / IAX disabled. I essentially add the IP addresses of everyone’s home to be Trusted (Excluded from Firewall), but the problem is that their IP addresses change often. My understanding was that it wouldn’t matter, as once the phone is registered it’s whitelisted somehow, but every time the employees’ IP addresses change, their phones no longer connect.

What’s the correct configuration for a WFH system where each client has a seldom-changing IP address?

Kind regards

Are you sure you have the responsive setting enabled?

As a workaround, you can set up DDNS clients and whitelist the FQDNs in the firewall.

1 Like

It doesn’t show an Enabled button, but I’m assuming the unchecked Disable button means it’s enabled.

If you do a whois on the current IP, the underlying network will be exposed; the work-at-homer will always have an IP awarded within that network. Some networks (like Apple) are huge, but mostly that’s not where the bad guys are.

Doing so on one of the employee showed the following range:

NetRange: 86.0.0.0 - 86.255.255.255

That’s essentially 1/255th of the world’s traffic, correct? If each employee is in a different range, you quickly do 10-15 x 255th of the world’s traffic; whitelisting all of it sounds like bad practice security-wise.

Isn’t the firewall supposed to let the clients try a few times before blocking them?

Doesn’t this mean we shouldn’t even have to whitelist IPs ?

That’s exactly the idea behind responsive firewall, that you don’t need to whitelist specific IPs, because the firewall automatically takes care of that based on successful authentications.

Should be an obvious question, but it’s not addressed. Are you using pjsip extensions or chan_sip (or both)? The responsive firewall config shown will only allow untrusted access to the PJSIP transports.

2 Likes

That doesn’t seem right. 86.0.x.x is Virgin Media, 86.128.x.x is BT, 86.192.x.x is Orange (France), etc.
There are some pretty big blocks, but nothing close to a /8.

Possibly, the client device is sending some sort of keepalive that is getting them blocked. Try setting a short registration interval e.g. 120 seconds and turning keepalive off.

If the IP change occurred during business hours, it’s possible that an outgoing call attempt caused the block. Frequent registration should help that, too.

86/8 is a generic redirect; chances are that that IP is static, so a /24 would likely cover it if a /32 doesn’t work.

One of the client’s IP was 86.151.xxx.xxx and a few weeks later it changed into 86.158.xxx.xxx
I’ll try to turn off the keepalive and shorten reg. interval.

But this problem happens seldom, like every week or two.

Also the firewall is already whitelisting 86.158.xx.xx/32 by default and we still have the problem once a week or every two weeks

To allow all 86.158.xx.xx, you need to whitelist 86.158.0.0/16

Yes but a week ago, his IP was 86.151 and now 86.158 so it wouldn’t even help

According to https://whois.domaintools.com/86.151.1.1 , BT’s block is 86.148.0.0 - 86.159.255.255
so 86.148.0.0/14 and 86.152.0.0/13

If his IP was changing because it’s DSL and losing sync, proper modem/router setup can fix that. Or, if caused by a noisy line, you may be able to get BT to fix it.
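The whois range quoted above can be turned into the exact CIDR blocks with the Python standard library, and the same code can check whether a candidate whitelist block actually contains a given user address and how many addresses a whitelist would exempt from the firewall. This is an added example, not code from the thread or from FreePBX; the range is the BT block quoted above, and the sample addresses are constructed from the 86.151.x.x / 86.158.x.x prefixes mentioned in the thread.

```python
import ipaddress

# Constructed sample input: the BT NetRange quoted from whois in the thread.
BT_RANGE = ("86.148.0.0", "86.159.255.255")


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR networks covering first..last inclusive.

    summarize_address_range does the bit-boundary splitting, so a range that
    is not itself a single power-of-two block comes back as several blocks.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def covering_blocks(ip, cidrs):
    """Return which of the candidate whitelist blocks contain the address.

    Use this before adding a block to a trusted zone: an empty result means
    the block would not help the user at all.
    """
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c, strict=False)]


def whitelist_exposure(cidrs):
    """Total number of addresses a set of whitelisted blocks exempts from the firewall."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


if __name__ == "__main__":
    bt_blocks = range_to_cidrs(*BT_RANGE)
    print("BT block as CIDRs:", bt_blocks)
    # Constructed sample addresses with the prefixes seen in the thread.
    for sample in ("86.151.10.10", "86.158.10.10"):
        print(sample, "is covered by", covering_blocks(sample, bt_blocks))
    for candidate in (["86.158.10.10/32"], ["86.158.0.0/16"], bt_blocks):
        print(candidate, "exempts", whitelist_exposure(candidate), "addresses")
```

The exposure figures are the practical trade-off of the whole thread: a /32 exempts one address, a /16 exempts 65,536, and the full BT allocation exempts 786,432, all of which are then outside both the responsive firewall's authentication checks and its rate limiting.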

slice it and dice it any way you want

86.148.0.0/14 comment "GB ripencc BT-CENTRAL-PLUS "

covers it; yes, it’s unnecessarily large, but so is BT :wink: If your firewall doesn’t work effectively, then you can allow that network.

When a user cannot connect, you should see them blocked. Did you check that?

Also there are two things that can block you. The Firewall and Intrusion detection. Even worse, they don’t talk to each other. Or at least did not last time I tested.

Intrusion Detection is in SysAdmin.

So when a user is blocked, check.

All extensions are listed as using pjsip

I didn’t know about Intrusion Detection, but it shows no banned IP.

In the “Status” of the first screenshot, there’s a bunch of blocked IPs but none of them are 86.x

I am getting this as well on one of my clients’ PBXs.
FreePBX 14.0.13.34
System Firewall 13.0.60.3
All PJSIP extensions
PJSIP enabled for responsive firewall
New IPs don’t show in the Intrusion list when they can’t connect.
I have to keep asking them to send me their new public IP and I add this to their firewall, and their phone starts working again. Only happening to 2-3 phones out of 20, but one of these is a director so I’d love to get a fix. Next step could be changing a problematic extension to use VPN, or changing to SIP and seeing if responsive firewall works then.

My next step would be to start using a Dynamic DNS setup and allow by name. While that’s cooking, see if you can get a VPN going.