I’ve been trying to remotely access the web interface of my FreePBX server and the connection is timing out.
I’m able to access other server that’s on the same network though.
I have an Archer A6, which I’m guessing is similar. When a client connects to it via OpenVPN, it is assigned a tunnel address 10.8.0.x, which appears as the source address to the device on the remote LAN. So, you should include 10.8.0.0/24 as local trusted traffic (and in Local Networks for Asterisk if you want to do non-NAT VoIP over the link).
However, you turned the FreePBX firewall completely off and that didn’t help, so I’m guessing that you have a routing problem of some sort. Try running tcpdump on the PBX (which captures pre-firewall inbound and post-firewall outbound) and see whether your requests are coming in and any responses are going out.
Well, with requests coming in but no responses (not even port unreachable, etc.), it sure looks like iptables are blocking them. Of course, that conflicts with your observation that turning FreePBX firewall completely off doesn’t help.
So, I’m guessing that the firewall service is somehow malfunctioning.
Though the VPN, can you access other services on the PBX, e.g. SSH?
You could look at the current iptables rules to see whether packets from 192.168.2.x should be accepted. (iptables -L -n -v)
Or, you could try iptables -F
(flush all rules) to see if that lets you in.
It’s interesting. Even when the firewall is disabled, I can’t access the web interface via OpenVPN.
Some things to clarify:
I changed the settings on firewall to reject the packet, instead off it silently discarding it. Either way, it didn’t make difference on the tcpdump log;
Safe mode was already enabled. But just in case I rebooted the system twice within a short period of time;
My freepbx is not a virtual machine. It runs on a computer with two ethernet interfaces. Both are enabled. The IP addressess are 192.168.1.x (static eth0) and 10.2.0.x (DHCP and secondary)
I can’t also access FreePBX SSH (port 22) through VPN. Same behavior.
Here’s some output from the commands (note that when I flush, the system says “Firewall Rules corrupted!”. I’ve been taking a look at the file /var/log/asterisk/firewall.log but I haven’t found anything relevant.
iptables -L -n -v
[…]
Chain fpbxnets (1 references)
pkts bytes target prot opt in out source destination
44 2699 zone-internal all – * * 192.168.1.80 0.0.0.0/0
0 0 zone-internal all – * * 192.168.1.61 0.0.0.0/0
26 2853 zone-internal all – * * 192.168.1.50 0.0.0.0/0
0 0 zone-internal all – * * 192.168.1.81 0.0.0.0/0
0 0 zone-internal all – * * 192.168.1.62 0.0.0.0/0
0 0 zone-trusted all – * * 192.168.1.69 0.0.0.0/0
0 0 zone-trusted all – * * 10.2.0.12 0.0.0.0/0
100 7296 zone-trusted all – * * 192.168.1.2 0.0.0.0/0
0 0 zone-trusted all – * * 192.168.2.6 0.0.0.0/0
136 10608 zone-trusted all – * * 192.168.1.1 0.0.0.0/0
127 10867 zone-internal all – * * 192.168.1.0/24 0.0.0.0/0
0 0 zone-trusted all – * * 10.2.0.0/24 0.0.0.0/0
0 0 zone-trusted all – * * 192.168.2.0/24 0.0.0.0/0
[…]
fwconsole firewall list trusted
All entries in zone ‘trusted’:
192.168.1.0/24
192.168.1.69/32
10.2.0.0/24
10.2.0.12/32
192.168.1.2/32
192.168.2.0/24
192.168.2.6/32
Flush IPTables (Firewall rules corrupted)
iptables -F
Broadcast message from [email protected] (Sun Jan 24 20:11:50 2021):
Firewall Rules corrupted! Restarting in 5 seconds
More information available in /var/log/asterisk/firewall.log
Broadcast message from [email protected] (Sun Jan 24 20:12:04 2021):
What is the LAN IP of the remote PC? If it’s 192.168.1.x or 192.168.2.x, there could be a conflict that is not properly resolved.
Is the 10.2.0.x interface a connection to an ISP-supplied SBC and used only for your SIP trunks? If not, please explain.
Sorry, I forgot that the FreePBX firewall watches iptables, which quickly undid your iptables -F. I suppose you could first kill the voipfirewalld processes, though a simpler test might be to see whether you can get in during the five seconds before iptables is restarted.
It worked! The comand ip route showed that the default via was eth1 10.2.0.1.
#ip route
default via 10.2.0.1 dev eth1
10.2.0.0/24 dev eth1 proto kernel scope link src 10.2.0.x
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.x
It was supposed to be eth0 192.168.1.1. So the command: