How to use Cell Phones without Opening SIP port for all IP addresses

So I am still somewhat new with FreePBX. I have been using it for about a year and have maybe only a dozen deployments so far. My main thing I am trying to figure out now is how to use Software like Zoiper on Cell Phones to register SIP without using a VPN.

We have rules in our firewalls for: SIPTrunking Provider IP address -> Using ports 5060 and 5160 -> forward to PBX

As you can see this is very strict. Also because of this we cant register Cell Phones/ WAN DHCP remote offices very well. What are some solutions to this. I have researched so much but never come up with any good solutions.

We use Sophos UTM Firewalls.

In order to let your cell phone VoIP apps like Zoiper register you are going to have to open ports on the firewall where your PBX is located.

The CIDR ranges for the cell phone providers your end user’s subscribe to can be added to a safe list.

If you use sip over TLS then the call signalling and login credentials are encrypted. Add SRTP to encrypt the RTP audio.

Open 5060 on your firewall to your PBX and use the responsive firewall in the PBX to safeguard it from attacks.

Yes I do understand that I have port forward 5060 but I don’t want to open it up to all IPs.

Is that really my only way? I can’t use some SSL cert to encrypt the data, or use a dns name response. This way I can do some crazy long cname record and use that?

Does Zooper plan on having Android or iOS? @tonyclewis

How would a FQDN solve your issue. It still resolves to a IP. Again using SSL wont help as you would have to open TLS port which you could do instead of SIP but again u would have to open it to the whole world.

Why won’t u trust the firewall in FreePBX to protect your SIP ports. It’s why we designed it and it’s really smart. Go look in the wiki on the firewall module as its a fully protected firewall.

You truly trust the firewall? I know you guys designed it specifically for phone systems in mind… But coming from the windows world I don’t trust Windows firewall for anything. Lol

If you truly believe in your active firewall system, I will give it a go.

Is there any way the phone system could be hacked and access to Internal inside networks? If I can, do you recommend we always go around the firewall
i.e: eth0 connects to WAN modem and eth1 connects to LAN

I use the OpenVPN server built in to the distro as well as I have also used the OpenVPN server built into PFsense (open source router platform) then just place the OpenVPN client on the cell phone. Connect to the vpn then to your FreePBX server via your Bria, Zoiper, or your choice of soft phone. Works awesome and totally secure.

The new freepbx firewall and responsive firewall are big game changers. Incredibly secure and does all the heavy lifting for you. Its a big reason why I am investing time in FreePBX.

Using a sip app from a roaming mobile phone is a trivial issue. I register mine to a border controller and then to a FreePBX installation from there.

Since you are running local you could probably pick up a small Sangoma SBC and work out all your issues. :wink:

I want to stay away from VPN’s as often they are too complex to understand for some execs that “just want it to work”.

As for the SBC, I do have one but the config looked very complex. Lol

I guess I will have to give in and do the responsive firewall. :slight_smile:

Hi!

Everything is possible… If someone found a vulnerability in one of the services on your PBX he could later try to hack the rest of your network from there especially if it is on your LAN…

Many people don’t expect an attack to come from the inside and don’t protect the servers/devices on their LAN well enough…

My PBX is in another segment (ie not the LAN) for that reason. It doesn’t allow all traffic by default (essentially what enterprise grade routers/firewalls call a DMZ which is different from what a home router/firewall calls a DMZ) so I have to open ports for each protocol I want to allow inbound traffic from or outbound traffic to and put the appropriate ACLs…

With one (or multiple) quad ports NICs on a dedicated firewall running something like pfSense (which is what I use), it becomes pretty easy to decide to put servers/devices which are more exposed to the Internet in a different network segment…

As for opening holes in your firewall, I don’t use this for SIP but my mobile phone updates an entry on a dynamic DNS site and I use this entry in the ACLs of my firewall… Once in a while the firewall verifies if my IP changes and changes its rules accordingly… Many routers and mobile apps can do this…

Good luck and have a nice day!

Nick

Yes I did deploy a few on VLANs but it’s not feasible for all clients. We use Sophos Firewalls so with no UPnP we have allow traffic both ways. Not just inbound.

That DDNS trick is neat. Never thought of that.

I know there is 100 ways to setup access, I am more or less looking for best practice and with Tony’s response I guess I will try the built in firewall, I am just wondering if it’s better using eth0 for WAN directly connected to modem and eth1 on a VLAN for the internal Network or keeping it behind a 2ns IPS/Firewall

If that’s the route you would like to go, I would suggest you select an obscure port for sip, and only open up sip to the world (if you must offer the UCP as well, I would suggest you select an obscure port that also).

Selecting an obscure port will keep you away from most bots looking for pbx systems on 5060, but there are still some that attempt to scan your systems ports for vulnerabilities it can exploit.

That was actually going to be my fist suggestion. If you can get the phone to register with DDNS, you can use the DDNS hostname as your IP and add that to your “safe” list.

Be warned that this makes your PBX’s correct operation reliant on your DNS working flawlessly, so if you have any sketchiness built into your system, make sure it isn’t DNS that’s not working 100%.

This would only be for cell phones so DDNS would work. I will try that and the PBXFirewall and see how well it works. My security guys just got me going about how PBX hacking is the next big thing. So its got me scared about allowing all these connections in.

Hi!

Please keep in mind that your cell phones might change IPs during the day and that the change of rules on your firewall won’t be instantaneous…

In my case I use pfSense and it tries to re-resolve the FQDNs used in aliases (this is how I do it) each 300 seconds by default…

You can lower it but it puts more burden on your DNS…

See : https://doc.pfsense.org/index.php/Aliases#Aliases_and_Hostnames

Of course your firewall might have different delays and no possibility to tune them…

Good luck and have a nice day!

Nick

I have switched from SIP based softphones on my cell phones, to Zoiper. I use Zioper IAX protocol. IAX has a few HUGE advantages, #1 works with NAT with no issues at all, same can not be said for SIP. #2 you only need to open one port on your firewall and point it at your PBX. #3 being a far less used protocol, it is not one of the main things hackers go after.

1 Like

This is an interesting way of looking at it. I will actually try that tonight.

I’m opposed to opening ports to all traffic. It is just too risky.

Your options are:

  1. OpenVPN - I use this and it works great. The Distro includes OpenVPN. You just have to generate the keys and put the configuration files in the correct place and start the server. OpenVPN has apps for both Android and iOS.

  2. Port knocking. Google it. Ward Mundy (of PBX In A Flash) has some scripts available that allow you to implement port knocking easily. He calls them “Travellin’ Man.”

  3. Register your external devices with an ITSP rather than with your PBX. This is really the easiest way. For example, you could setup a trunk with Callcentric, and then set-up each of your external VOIP phones to register as extensions with Callcentric.

I read Tony’s suggestion of using responsive firewall. But, without more details as to how it works (and what its limitations might be), I cannot recommend it.

VPN works, DDNS client + port forwarding works, I have tried them but in reality it’s not really practical to implement.
With a couple of users it’s fine but if you have 50+ it’s really a pain to set up. Manage FQDN and VPN for all of your users, teaching them how to set them up on their cell phones or doing it for them, we decided that was too much.

It’s my hope that Sangoma will sooner or later add mobile integration to Zulu with mobile soft phone clients, one-click setup simplicity, conferencing and WebRTC apps (+screen sharing), etc, something like 3CX has.

In the meantime you can run a trunk from your FPBX machine to a PBX in the cloud where you have your mobile soft clients run off of a 3CX installation. You don’t need to worry about VPN and FQDN then.
It works and here is how it’s done:
http://nerdvittles.com/?p=21498

http://wiki.freepbx.org/display/FPG/Responsive+Firewall