FreePBX14
all incoming calls to a particular extension are dropping after 16s. Outgoing calls are working fine.
Extension to Extension or a call from the PRI drop after 16s. Changed firmware on phone with no change.
Sounds like the port redirection from your firewall isn’t set up right. If that’s the case, though, it would be happening on all of your extensions, not just one.
So… After much digging it appears to be an issue with IP Tables. When IP Tables are on then majority of inbound calls and internal calls drop to the 10.100.200.X vlan. When IP Tables are off there are no issues at all.
This system (related to sangoma support ticket) was blocking phones from registering on ip tables but it doesn’t show up in intrusion detection.
Is there any way to access the IP tables setup to see if there is a misconfiguration?
@xrobau might be a good one to ask directly. If you have documentation, you could post an Issues ticket and ask Rob to look at is, since he was one of the principal architects of the Integrated Firewall.
iptables-save is the command you’re looking for. That dumps all the configuration. But it sounds like you don’t have 10.100.200.0/24 as an ‘internal’ network in Firewall.
I’ll be honest and admit that I don’t enable the internal firewall module. Mainly because I thought you couldn’t activate the internal firewall when the system is already behind a firewall/router. I do have the 10.100.200.0/24 in my intrusion detection whitelist though. The intrusion detection is what I typically use for the system security (besides the firewall in front of the system)
Later today I plan to turn ip tables back on, wait for the dropped calls and then run the iptables-save command to see what might be happening
But you’re saying your problem is happening with Firewall? Can you be a bit more specific, please?
Firewall module - Disabled
I do use the Intrusion Detection portion of Sys Admin Pro though.
FreePBX14 and Asterisk 13
Extensions for some reason were not registering. I worked with Lorne on a support ticket. He ran an sngrp? command and found that the system was blocking traffic even though nothing was showing up in intrusion detection. He suggested stopping ip tables. I ran service iptables stop and the phone registered. I then started ip tables and the phones stayed registered. miracle!
Fast forward. System gets turned up using a PRI for call traffic. Immediately inbound calls start dropping. Internal calls start dropping. Only happens to the 10.100.200.X network (same network system is on)
I run service iptables stop from the cli as I was thinking back to previous issues and magically no calls drop.
That’s fail2ban, not Firewall. fail2ban is actually defanged by Firewall, because Firewall is MUCH better. That could be your problem. fail2ban is prone to false positives, and adds a significant load to a busy machine. Firewall is light, fast, and it takes pretty awful misconfiguration to get a false positive out of it 8)
so my system is behind a router with port forwarding. based on the intro to the firewall module it seems to indicate only to utilize the module if the system is dmz’d to the internet
Perhaps it’s time to revisit that text… @xrobau has done a lot of work on the firewall to make it work well for everything the PBX needs it to do, including adding options to allow people to do things that normally wouldn’t be included in the firewall. The firewall is necessary for “publically exposed” systems, but is still highly recommended for everyone else (IMNSHO).
While there are people that swear they won’t use it, I’ve found it to be VERY reliable and a real boon to me in my installations.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.