Responsive Firewall always blocks "good" external users

goranj · 2020-12-11 17:40:33 UTC

Hi everyone,

I have deployed dozens of FreePBXs in the last 4-5 years, versions 13,14 now 15 and responsive firewall has never worked properly for me. All PBXs are on a static IP address and no physical firewalls in between the PBX and the remote user. For the remote phones to work I always have to add the end user public IP or the remote subnet in the Firewall>Networks tab otherwise their phone will never get registered. This has been a real problem for me especially for remote users with dynamic IP address from their Internet providers. As long as their IP does not change their phones are fine. As soon as that IP changes for them, their phone gets locked out of the PBX. What am I missing here? Besides this problem (and Zulu never works too) FreePBX has been an awesome platform for me. Even with the Responsive Firewall not working right I still wont replace FreePBX for anything in the world. My workaround for the dynamic IP client side is to setup VPN routers to the end users and register the phones tru the VPN tunnel.

Any help is appreciated. Thanks,

goranj · 2020-12-14 16:25:58 UTC

Just to update Responsive Firewall is enabled only for SIP protocol since thats what I use.

goranj · 2020-12-23 16:55:57 UTC

Bump for no responses yet

goranj · 2021-01-06 18:34:02 UTC

Looks like I am the only one with this problem lol

bpbp · 2021-01-07 01:23:52 UTC

Hi goranj
I have the same issue. It’s never worked properly.

bpbp · 2021-01-07 22:24:53 UTC

I did a test this morning, registered a new endpoint. Logs show:

1610058005: Firewall-Monitoring - x.x.x.75 reported as good, adding to whitelist.
1610058034: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s x.x.x.75/32 -j fpbxknownreg

The web UI still says “No Endpoints have been allowed through the Responsive Firewall”

Would be great to get to the bottom of this, we are constantly adding new IPs for one of our customers with a dynamic IP.

comtech · 2021-01-08 00:12:24 UTC

What do the logs show for blocked users? Why are they getting blocked?

holness_202 · 2021-01-08 09:59:10 UTC

Exact same problem here, but its not consistent, sometimes its fine for a few days then it blocks them again and they have to be removed from connectivity -> firewall -> status -> blocked hosts. No block reason seems to appear in the logs as far as I can tell.

Right now i have a known good user blocked and the logs show:

OUT >>> [2021-01-08 02:28:43] - /sbin/iptables -w5 -W10000 -D fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-07 15:43:16] - /sbin/iptables -w5 -W10000 -A fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-07 15:40:19] - /sbin/iptables -w5 -W10000 -D fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-05 10:22:57] - /sbin/iptables -w5 -W10000 -A fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-05 10:22:22] - /sbin/iptables -w5 -W10000 -D fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-05 08:35:41] - /sbin/iptables -w5 -W10000 -A fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-05 08:33:39] - /sbin/iptables -w5 -W10000 -D fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-04 21:04:24] - /sbin/iptables -w5 -W10000 -A fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-04 21:01:28] - /sbin/iptables -w5 -W10000 -D fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-04 12:24:07] - /sbin/iptables -w5 -W10000 -A fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-04 12:21:57] - /sbin/iptables -w5 -W10000 -D fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-02 13:56:27] - /sbin/iptables -w5 -W10000 -A fpbxregistrations -s XX.XXX.XX.XXX/32 -j fpbxknownreg
OUT >>> [2021-01-02 13:55:53] - Firewall-Monitoring - XX.XXX.XX.XXX reported as good, adding to whitelist.

Driving me and my users crazy.

longqvo · 2021-01-08 14:41:24 UTC

I am the same problem here as well. Luckily for me I only have a few users with remote phones so I have memorized their WAN IP address. once their WAN IP changes I will have memorize another set of IPs.

chrischevy · 2021-01-08 20:08:02 UTC

Same problem here.

At random time, a valid (registered phone) IP will get blacklisted after X period. Even worse, some customers with a fixed IP will also get blocked, even if their IP is whitelisted. I could never find out why.

cynjut · 2021-01-11 19:20:45 UTC

Perhaps one of the more experienced amongst the folks on the thread could check for an open ticket in Jira and, if there isn’t one, create one. Then all of you could provide data and the team can get to the bottom of it. They don’t follow the forums as closely as us “mere mortals” do, so they might not be seeing the issue.

holness_202 · 2021-01-12 08:58:36 UTC

Have opened an issue, feel free to add any more info you guys have
https://issues.freepbx.org/browse/FREEPBX-22170
@goranj
@chrischevy
@bpbp

goranj · 2021-01-12 16:28:49 UTC

Same here. For years… No update ever fixed this .

goranj · 2021-01-12 16:29:26 UTC

Thanks a lot. Much appreciated.

goranj · 2021-01-12 16:38:36 UTC

If the Responsive Firewall worked correctly and reliably I would have deployed mobile clients for all my remote users long time ago. Thats their most requested feature. But there is no way for a mobile app to work well when the mobile phone is bouncing from tower to tower also changing IPs constantly and the firewal blocking all new IP even tho the client has the correct creds. Heck, I even tested the the official Zulu mobile app and after a long setup (including CLI) it never worked good. In the mean time RingCentral is killing my client base with these “features” they offer clients…especially for remote users. We are years behind on some of this stuff.