Phones outside of network


I’m using

  • FreePBX 16.0.39
  • EndPoint Manager to provision my phones (a mix of Digium, Yealink and Grandstream)
  • pfSense 22.05 as a firewall.

Currently, I have a NAT rule forwarding ports 5060-5061 and 5160-5161 to FreePBX.
I use an IP filter to only let the IP of my SIP trunk (SIPSTATION) go through, nothing else.

For the first time, I want to let some phones outside of my LAN connect to my FreePBX.
I’ve got three home offices that I want to provide with VOIP phones.

I’m looking for best practice.
I’ve been looking around but I couldn’t find a definitive answer.

I’m considering the following:

  1. Open up the ports 5060-5061 and 5160-5161 without an IP filter, and rely on the FreePBX firewall to deal with the traffic.

  2. Require the home offices to have Dynamic IP domains and add them to the 5060-5061 and 5160-5161 IP filter.

I’d like recommendations on what I should do.

I would also like to know if there are other ports I need to open so the phones can provision with EndPoint Manager, including getting firmware updates.

Thank you!

Your most secure topology setup and the one that will avoid the most issues will be setting up Site-to-Site VPNs between the offices and running phone traffic over those. All of our multi site installs utilize some form of site-to-site VPN configuration (and we have a lot running pfSense firewalls as well).

If you can’t get a static IP for each location, a WireGuard VPN will allow you to set up site-to-site VPNs with only the main site needing to have a static IP.
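As an added illustration of the hub-and-spoke layout described in this answer (this is example configuration, not something from the original thread or from the FreePBX or pfSense projects), the two WireGuard configuration files below show how only the main site needs a static address or DNS name. The hostname pbx.example.com, the tunnel network 10.200.0.0/24, the LAN ranges and the key placeholders are all assumptions; on pfSense the same settings are entered through the WireGuard package GUI rather than as a file, and each home office would need a small router or host that can run WireGuard.

```ini
# --- Hub: main site with the static IP (e.g. the pfSense box in front of FreePBX) ---
# Assumed file: /etc/wireguard/wg0.conf on a Linux host, or the equivalent fields in the pfSense WireGuard package.
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>          # placeholder: generate with `wg genkey`

# One [Peer] block per home office. No Endpoint is set, because the office has a
# dynamic IP and always initiates the tunnel; the hub learns the address on first handshake.
[Peer]
# Home office 1
PublicKey = <OFFICE1_PUBLIC_KEY>        # placeholder
AllowedIPs = 10.200.0.2/32, 192.168.101.0/24   # tunnel address plus the office LAN (assumed range)

[Peer]
# Home office 2
PublicKey = <OFFICE2_PUBLIC_KEY>        # placeholder
AllowedIPs = 10.200.0.3/32, 192.168.102.0/24   # assumed range

# --- Spoke: home office 1, dynamic IP, behind a consumer NAT router ---
[Interface]
Address = 10.200.0.2/32
PrivateKey = <OFFICE1_PRIVATE_KEY>      # placeholder

[Peer]
PublicKey = <HUB_PUBLIC_KEY>            # placeholder
Endpoint = pbx.example.com:51820        # assumed DNS name of the main site's static IP
# Only the hub tunnel network and the PBX LAN are routed over the tunnel; normal internet traffic stays local.
AllowedIPs = 10.200.0.0/24, 192.168.1.0/24     # assumed PBX LAN range
# Sends a packet every 25 s so the home router's NAT mapping stays open and the PBX can reach the phone
# (needed for inbound calls, since the hub cannot otherwise initiate a connection to a dynamic address).
PersistentKeepalive = 25
```

With this in place, the phones at each home office register to FreePBX over its private LAN address through the tunnel, so the 5060/5061 and 5160/5161 forwards on pfSense can stay restricted to the SIP trunk provider's addresses, and provisioning and firmware downloads from EndPoint Manager also travel inside the tunnel rather than over exposed ports. AllowedIPs on the hub doubles as the firewall for the tunnel: a spoke can only send traffic from the source addresses listed for it.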

Thank you for your answer.

The issue, however, is that the phones are going to be located in home offices.

Therefore, a site-to-site VPN is not possible.

What phones will you be using? I know Sangoma phones have built-in VPN support that you can configure to work with the built-in VPN server on FreePBX.

As a last resort, I would change the PJSIP port that’s listening for SIP traffic to something random/non-default, as well as the protocol from UDP to TCP, to strengthen the security of the system if you end up just needing to allow SIP access from the internet.

