
Process to get remote extensions working


(JT Harvey) #1

In my PBXAct setup, all new phones look to a local IP address to receive their configuration. This has worked well, though now I am looking to add a local extension.

Is there a defined process to get remote extensions to work?

Our SIP provider is SipStation.

Thank you,


(Itzik) #2

https://wiki.freepbx.org/pages/viewpage.action?pageId=4161590

You basically need to forward 5060 and 10000-20000 to your PBX and register your phone against the WAN IP.

Don’t open these ports publicly.


(Dave Burgess) #3

… and if you do, be sure to turn on the Adaptive Firewall to block unsavory characters from trying to access your phone system. If the remote phone has a static IP address or can use DynDNS, you can use the Integrated firewall and lock everyone else out, or you can set up a VPN from the remote network or from the phone (if the phone supports it) to the server.

There isn’t a short answer to your problem - there are a ton of ways to do this and it will depend largely on what else is going on in the connection scheme.


(JT Harvey) #4

Maybe a bit too oversimplified…

I do have the Adaptive Firewall turned on and a new Ubiquiti EdgeRouter Pro that is giving me fits.

The PBXact system does have the public WAN address registered with SipStation.

The new phone is going in at an employee’s house, so it will be DHCP but looking for my server at a DDNS address, though I don’t believe any traffic is making it past the firewall.

The phone is a Sangoma s500IP and I think it may have VPN capabilities.


(JT Harvey) #5

And I realize I should know this, though how do you port-forward “privately”?


(Dave Burgess) #6

You don’t, per se.

You limit who can talk to the port using a combination of blacklists and whitelists. You then port forward “all traffic” on that port to the PBX. The UDP forward for 10000-20000 isn’t critical, since it’s the audio, locking it down to specific addresses is probably overkill.

If you want to (for example) limit who can talk to port 5060 to just your ITSP, you set that up with a comprehensive blacklist and whitelist your ISP.

For your “dyndns” host, I’d recommend picking a different “external” port (say, 6050 or 31415 or something else) and forward that to 5060 on the PBX. This ‘off-channel’ port won’t be scanned by the script kiddies. You can then open up DynDNS on the firewall and let the PBX manage the connections. Set up the phone at the dyndns location so that it talks to your external address and port (40.40.40.40:31415, for example) and go to town.

Of course, you can do the same thing using either a phone-based VPN connection, or connecting the remote network to your phone number using a network VPN. Standard caveats apply.
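
The forwarding scheme described in post #6, modelled as an added example (not part of the thread and not FreePBX or EdgeRouter code): it shows which packets reach the PBX and which forwards depend entirely on the PBX firewall. The PBX address and the provider network are constructed placeholders; 5060, 31415 and 10000-20000 are the ports named in the thread.

```python
"""Model of the edge-router forwarding policy from the thread (constructed values)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PBX = "192.168.1.10"                          # assumed internal PBX address
ITSP_NETS = [ip_network("198.51.100.0/24")]   # constructed stand-in for the trunk provider
ANY = [ip_network("0.0.0.0/0")]


@dataclass(frozen=True)
class Forward:
    proto: str
    ext_ports: range          # external ports on the WAN side
    int_port: Optional[int]   # None = keep the same port number
    sources: list             # networks allowed to use this forward


RULES = [
    # Standard SIP port: only the trunk provider may reach it.
    Forward("udp", range(5060, 5061), 5060, ITSP_NETS),
    # Alternate external port for the remote phone, mapped to 5060 on the PBX.
    # Open to any source, so the PBX firewall has to do the filtering.
    Forward("udp", range(31415, 31416), 5060, ANY),
    # RTP audio range, left open as suggested in the thread.
    Forward("udp", range(10000, 20001), None, ANY),
]


def route(src: str, proto: str, dport: int) -> Optional[Tuple[str, int]]:
    """Return (internal_ip, internal_port) if the packet is forwarded, else None."""
    addr = ip_address(src)
    for rule in RULES:
        if proto != rule.proto or dport not in rule.ext_ports:
            continue
        if any(addr in net for net in rule.sources):
            return PBX, rule.int_port if rule.int_port is not None else dport
        return None  # port matched but the source is not on the allowlist
    return None      # default deny: nothing else is forwarded


def exposed_to_any() -> list:
    """External port ranges reachable from any address (the PBX firewall must cover these)."""
    return [(r.ext_ports.start, r.ext_ports[-1]) for r in RULES if r.sources == ANY]


if __name__ == "__main__":
    print(route("203.0.113.50", "udp", 5060), route("203.0.113.50", "udp", 31415))
    print(exposed_to_any())
```

`exposed_to_any()` lists the forwards that are only as safe as the Adaptive Firewall rules on the PBX itself.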