Network setup


(Chris) #1

I’m getting confused as to the typical setup for FreePBX

I’ve created a VLAN in our office for physical desk phones. Our office network has its own pfSense router for computers / Wi-Fi etc.

Is it usually the case that a FreePBX server has
x1 NIC for WAN (used for SIP trunks and people connecting from home)
x1 NIC for LAN (used for the VLAN desk phones)

I want the WAN NIC to not go via our pfSense router.

Every time I enable both NICs on FreePBX I get locked out of both WAN and LAN interfaces,
even when I tell the built-in firewall that the WAN NIC is internet and the LAN NIC is trusted.


#2

Please tell us about the application. New system? If so, why on-site, rather than in the cloud? If not, what are you replacing and why? Approximate size (number of extensions, number of simultaneous calls)? Any non-VoIP trunks (POTS, PRI, GSM gateway, etc.)?

Why is a single NIC connected to your existing LAN unsuitable?

That implies either multiple public IP addresses or double NAT. Why do you want to do this? What equipment do you have now between the pfSense and your ISP(s)?

Is the machine virtual or physical? If virtual, which platform? If physical, can you connect a keyboard and monitor to it so you can troubleshoot when the network isn’t working?


(Chris) #3

> I’m getting confused as to the typical setup for FreePBX

> Please tell us about the application. New system? If so, why on-site, rather than in the cloud? If not, what are you replacing and why? Approximate size (number of extensions, number of simultaneous calls)? Any non-VoIP trunks (POTS, PRI, GSM gateway, etc.)?

Yes, a new system. We already have a VM server on site; in order for me to start learning the system (and probably breaking it a few times), I have the ability to try and try again with an on-site VM.

I’d say about 30 handsets on desks and 30 softphones with a single receptionist. No more than 5 simultaneous calls. No non-VoIP trunks.

> Why is a single NIC connected to your existing LAN unsuitable?

Because if the firewall is turned on, that is a double firewall situation, which isn’t recommended. If the firewall is turned off, I’m having to set up quite a few rules on our firewall and I’m still getting issues with calling but no audio between Zulu, for example.

> I want the WAN NIC to not go via our pfSense router

> That implies either multiple public IP addresses or double NAT. Why do you want to do this? What equipment do you have now between the pfSense and your ISP(s)?

There’s only an edge switch between pfSense and the ISP.
At the moment it’s ISP router --> edge switch --> pfSense --> FreePBX --> softphones,
but in that setup I’d be disabling either the FreePBX firewall or the pfSense firewall.

> Every time I enable both NICs on FreePBX I get locked out of both WAN and LAN interfaces …

> Is the machine virtual or physical? If virtual, which platform? If physical, can you connect a keyboard and monitor to it so you can troubleshoot when the network isn’t working?

Virtual, VMware ESXi, and yes, I can reboot and disable / enable NICs very easily or rebuild from scratch, hence the reasons I prefer it on site.

So it boils down to: in a more traditional office setup with existing firewalls / VLANs, is it preferred to plug FreePBX into a network switch port the same as a phone or computer and have clients contact it via an internal IP, or should it be WAN-facing and everything go out the building and back in again?


(Darcy Fisher) #4

I’m also interested in setting up a network. I’m a newbie here and don’t know much about how to use it.


(Chris) #5

After speaking with Netgate about the best way to set this up, here’s what we’ve done.

On pfSense:
Get a second IP from our ISP to be used by FreePBX.
Set the second IP up as a ‘virtual IP’ on pfSense; this means my single WAN port on pfSense will act like two.
Set up a 1:1 NAT policy that routes all traffic to the new second IP to the internal IP of FreePBX.
Open up all the ports on the pfSense firewall for the above route.

Now my FreePBX can have its firewall turned on without being ‘double firewalled’.


(Darcy Fisher) #6

Thank you so much for your reply, buddy. Glad to know more about this network setup.


#7

“Double NAT” should be avoided, but there isn’t anything wrong with “double firewalled.” It’s not uncommon to have the gateway firewall simply pass the ports and have the server itself do the finer-grained control.

If you’re getting a second public IP, why bother with NAT at all?

