Issues with FreePBX firewall and HT801 ATAs


(ledoktre) #1

Hey everyone.

I’ve been having some sporadic connectivity issues with a few HT-801 units I have. I use them sometimes for connecting up to fax machines, or sometimes just to connect cordless phones to FreePBX, etc.

I have a ticket open with Grandstream, and they tell me “From previous traces we found the server is not responding the REGISTER to the HT unit”. On Asterisk CLI, I see no connection attempts.

When I check fail2ban, it’s not listed. I check in iptables, not listed that I can tell. When I ran fwconsole firewall disable on one box, a failed unit came online almost immediately. Hmm.

On the other box I was having issues, I logged in and saw the public IP address of the unit listed under Blocked Hosts, specifically under the Blocked Attackers section.

I am a bit curious as to why my HT801 boxes seem to be randomly hitting this or what I might have to do to make it happy again. I’m not sure where to troubleshoot or what makes the Blocked Hosts kick in. It doesn’t appear to be fail2ban, but I’m pretty confused at the moment.

One box that failed had no other connections to the server it was failing to. The one I mentioned last, where I found the IP address on the Blocked Hosts, it also has a desk phone connecting from the same public IP address. It would appear that the desk phone is offline as well.

Help - TIA :)

UPDATE: I did seem to find some information on the desk phones I use that their re-registration is defaulted to 15, so I set these ATAs to that. Previously they had been set to 5. Anyone care to comment, feel free. I have no idea how many registrations cause it to block, if it is unique to username or just so many in a period from a certain IP. I have no idea. But trying something anyway!


#2

If the HT is behind a NAT and connecting to a remote PBX (cloud or at another office), try setting NAT Traversal to No and Register Expiration to 2.

If the HT is on the same LAN subnet as an on-site PBX (and you are not concerned about attacks from devices on the LAN), try marking the LAN subnet as Trusted in FreePBX firewall.

For other setups, please provide details of your configuration.


(ledoktre) #3

@Stewart1, the HTs are all behind a NAT, yes, and the ones so far that have had the issue are being hosted off site. Each FreePBX box is actually configured with a public IP, so no NAT on that side. But yes on the HT side.

I don’t know if you saw the update I just edited above, or if it was the right thing to do - but I changed my re-register in the HT from 5 to 15. Here are the relevant settings from the HTs (including the re-register at 15 above):

######System Settings - Security Settings######
276=0
1650=2
######FXS - SIP Settings######
32=15
243=1
2330=0
20501=1
20505=1
52=2
730=2
######FXS - Call Settings######
91=1
186=1
714=1
######FXS - Codec Settings######
132=2
133=0
824=1
4441=1

I will read what you just wrote and see what I can try. Thanks,