Noob has a few questions related to FreePBX/PBXact

Good morning all,

I am posting these questions in hopes someone will be kind enough to take a little time and answer them with best practices. I have used Asterisk for many years, but I am new to the whole FreePBX/PBXact ecosystem, and there is a lot to digest.

** Zulu issue **
When sign in with Zulu, I can only get the option to dial with deskphone. I can’t select anything else. Some forum posts have suggested reinstalling zulu, others have cited the freepbx guide for setting up Zulu, which I have gone through.

Q: Why doesn’t the softphone option show up?

** UCP Error **
I had a UCP error – I kept getting an error talking about requesting a valid directory. I did a bunch of reading on the forums and blog posts and I finally ran across someone from back in 2018 I believe suggest to reinstall the PMS module. I thought, why would this help, its a brand new install, but figured I would try it. Sure enough, it worked after that.

One thing that may or may not be related is that I was setting up the Groups, and I saw one called “Property Management”. I thought, hmm, I don’t need this group, it must be a demo group or something and deleted it.

Q: Did I bork up UCP by deleting this group, or was it likely something in the fresh install/update process that wasn’t working right?

** Firewall ports **
This install is behind a pfSense firewall. I have port forwarded the following ports unrestricted (and are configured in PBXact) :

… TCP/4443(ucp)
… TCP/8003 (node secure)
… TCP/8089(webrtc encrypted)
… TCP/1443(https provisioning)
… TCP/2443(restful api)
… TCP/3443(restful phone apps)
… TCP/8002(zulu3)
… UDP/10000-20000

I also have the following ports open but restricted to the CIDRs the SIP provider provided :
… TCP/5060-5061
… UDP/5060

I have to move an existing OpenVPN server to another port so I can use OpenVPN with PBXact. It is my understanding we cannot modify the port in PBXact. Once done, I will open UDP/1194.

One side note - I had to modify the Smart Office bind port as it was stepping on toes with 3443. Smart Office is disabled, yet it still would not let me set 3443 for RESTful Apps.

All HTTP ports are disabled in port management, except for my admin port…

Q: Does this seem like a reasonable configuration and everything should work?

Q: Should I be re-enabling the HTTP ports (but not port forwarding through firewall) as phones will be used almost entirely from the local network?

** Endpoint Manager & inside/outside profiles **
Currently I have only https ports enabled. PBX and phones are on their own VLAN at office. There are two other VLANs in use at office that will access Zulu. These are all separate networks, connected only by a common firewall to the world but firewalled from eachother.

Q: Given the above configuration, do you expect I will be fine without change, or will need to setup some local routing and DNS overrides, or perhaps some NAT reflection to get Zulu to login from one private network to another private network, behind the same firewall?

Q: For local phones, do you recommend re-enabling HTTP ports and using this on the inside profiles only?

Q: How does this (re-neabling local ports) work with VPN users?

Q: Is it true, you cannot have more than 1 user at a remote location access FreePBX/PBXact via VPN at the same time?

Thanks,

Zulu is a separate (and soon deprecated) product that is being replaced by Sangoma Connect. It doesn’t sound like you’ve bought Zulu, since it’s not showing up in UCP.

PMS is the Property Management Service that is a separate commercial module, but the hooks and infrastructure are all in the base install of the system. It’s a weird dependency tree, but reinstalling PMS should have put it all back.

Seems reasonable, even if it seems like you have a lot of ports open to the outside world. If all of your phones (for example) are in the local network, then you shouldn’t most of those open to the outside world.

The HTTP port isn’t necessarily for the phones - it’s how you connect to the management interface. Enabling it on the server and allowing access from the local network should be fine.

This is going to require some trial and error, I think. Routing services from lan to lan is always a perilous thing, so getting the services set up (which is a good start) and getting the routing rules for them (which is the hard experimental part) are two levels of difficulty. Using VLANs (instead of real routing domains) makes this one layer trickier.

If you use the Integrated Firewall, you should be able to make this work reasonably simply.

I think that would depend on a whole slew of variables. It depends on how you implement the VPN and if you are doing it per phone or per network. In general, as long as there is an unambiguous routing path to the phone (the addresses all appear to be local LAN addresses, for example) you should be able to stack a few phones up per location.

The scenario you might be thinking about is if you are using double-natted phones (phones live behind one NAT and connect to your server through another NAT). In this case, it is a real challenge to get everything working so that two phones can live at that location. With VPNs, you should be able to overcome this headache fairly simply.

Thanks @cynjut for the reply.

Q: Why doesn’t the softphone option show up?

Zulu is a separate (and soon deprecated) product that is being replaced by Sangoma Connect. It doesn’t sound like you’ve bought Zulu, since it’s not showing up in UCP.

I am curious to hear Zulu is being depreciated. Sangoma Connect - will that be desktop and mobile? Users were excited to be using click to dial and CRM integration on their desktops.

We have the PBXact licensing, which as I understood it, included Zulu. In the Admin panel, it shows xx users out of 1000 used. I can sign into Zulu just fine. I just can’t dial the soft phone, it only lets me initiate dial to Deskphone.

Q: Did I bork up UCP by deleting this group, or was it likely something in the fresh install/update process that wasn’t working right?

PMS is the Property Management Service that is a separate commercial module, but the hooks and infrastructure are all in the base install of the system. It’s a weird dependency tree, but reinstalling PMS should have put it all back.

Reinstalling did make it work, yes. I am just trying to confirm I guess - I likely broke it when I removed the “Property Management Group” and it would be wise to not remove it again?

Q: Does this seem like a reasonable configuration and everything should work?

Q: Should I be re-enabling the HTTP ports (but not port forwarding through firewall) as

Q: Does this seem like a reasonable configuration and everything should work?

Seems reasonable, even if it seems like you have a lot of ports open to the outside world. If all of your phones (for example) are in the local network, then you shouldn’t most of those open to the outside world.

All phones will be in local, except for Zulu and the occasional home worker that I plan to use VPN for. It sounds like I could close some ports?

Q: Should I be re-enabling the HTTP ports (but not port forwarding through firewall) as phones will be used almost entirely from the local network?

The HTTP port isn’t necessarily for the phones - it’s how you connect to the management interface. Enabling it on the server and allowing access from the local network should be fine.

It sounds like I could enable some services non-encrypted and use those for internal phones.

Q: Given the above configuration, do you expect I will be fine without change, or will need to setup some local routing and DNS overrides, or perhaps some NAT reflection to get Zulu to login from one private network to another private network, behind the same firewall?

This is going to require some trial and error, I think. Routing services from lan to lan is always a perilous thing, so getting the services set up (which is a good start) and getting the routing rules for them (which is the hard experimental part) are two levels of difficulty. Using VLANs (instead of real routing domains) makes this one layer trickier.

Thats fine. I thought I may have to address this. We’ll see when I log the first user in!

Q: For local phones, do you recommend re-enabling HTTP ports and using this on the inside profiles only?

If you use the Integrated Firewall, you should be able to make this work reasonably simply.

We are using the integrated firewall, but it sits behind pfSense - no DMZ set up. From comments above I believe I can probably re-enable non-secure ports for local use, and maybe even shut down some secure ports in the firewall, as I’d be using Zulu and VPN from outside only.

Q: Is it true, you cannot have more than 1 user at a remote location access FreePBX/PBXact via VPN at the same time?

I think that would depend on a whole slew of variables. It depends on how you implement the VPN and if you are doing it per phone or per network. In general, as long as there is an unambiguous routing path to the phone (the addresses all appear to be local LAN addresses, for example) you should be able to stack a few phones up per location.

The scenario you might be thinking about is if you are using double-natted phones (phones live behind one NAT and connect to your server through another NAT). In this case, it is a real challenge to get everything working so that two phones can live at that location. With VPNs, you should be able to overcome this headache fairly simply.

I was asking, I guess, in the sense of using the built in vpn server capability in PBXact. So per phone? I had saw a video on YT talking about vpn setup in FreePBX/PBXact and the person stating that if you have more than one phone on vpn behind the same remote connection, it won’t work and you should instead do a site to site vpn and not on the individual phones. My reasoning for asking was basically this- if a user connects their phone over vpn, great. if a second from that same location connects, it would be nice for it to work, or maybe even a 3rd, and know okay, now its time to start thinking about a site-to-site vpn. Rather than 1 user - okay a second one connected and now its non-functional, lets hurry up and deploy a site-to-site VPN.

At my age, the doctor never tells me this anymore, but “If it hurts, don’t do that.”

I likely broke it when I removed the “Property Management Group” and it would be wise to not remove it again?

At my age, the doctor never tells me this anymore, but “If it hurts, don’t do that.”

Point well taken.

I’m not sure I’d make that statement. Each connection from the phone is going to go over an encrypted traffic path that should go “point to point” to the phones, so a ‘per-phone’ VPN should work regardless of where it is.

If you set up a per-network (or site) VPN, the phones have to know about the connection points, and the “gateway” for the network needs to know where to send the traffic, but still, this is basically a single encrypted tunnel.

There are, of course, variants and ‘frobs’ that you may need to tweak on both, but it would violate the Rule of Least Astonishment for me if they didn’t “just work”.

Thanks. I don’t know on what basis the comments in the video were made. I would have expected they would work fine too. I’d much rather gracefully transition from a phone or two individually on vpn over to a site-to-site than find out after someone connected another device and all #$ breaks loose.

One thing thats coming up and I can’t seem to get past - VPN setup.

I went through the setup here : VPN Tutuorial

When phone boots up, it says VPN Activated, but when you look at status, its 0.0.0.0. Also, if you log into web gui, it shows for VPN IPV4 address, “File not exist”.

Thoughts?

Nope - I don’t use any per-phone VPNs, so I’m going to have to bow out and let someone more experienced that me help. Sorry.

No worries- thanks.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.