Rolling Firewall and Trixbox together on one box. Anyone done this?

Hi, I am looking to move and upgrade my 2.20 Trixbox (Asterisk at home) to 2.6, and as a new install, was thinking of setting up routing and firewall functions on the same Linux platform. Has anyone done this? I will need 2 NICs and need the Asterisk software to listen for SIP inbound calls, as well as outbound SIP calls on both internal and external interfaces. This move is to get away from NAT to the other side, making SIP more friendly to NATted outside extensions. This is a home system with little traffic, so I can’t see system load being a problem. Anyone have any input please?


Yes, people have done it. There are hundreds of reasons why not; security is just one, as trixbox is not a secure platform. Also, in my humble opinion trixbox 2.2.x is probably the most stable of all trixbox releases and I’d not move off of it. If you are still interested I’m sure that a decent set of directions for doing it are located in the site. As firewalls, setup and support of on a box is not something FreePBX has anything to do with (has to work with yes)…

If you go reading around a bit here and search for the word Fonality you’ll get a number of possible other reasons to not go to tb 2.6, and that is up to you to decide if it’s something you want to do. I’d recommend upgrading your existing setup to the latest tb 2.2.x (which was 2.2.12 last I checked) and then upgrade to the latest FreePBX directly from this site. It has produced a VERY stable platform for me.

of exposing any more than needed. NAT issues can be resolved and it is always safer to have a firewall at the head end and most (if not all) of your stuff behind it.
That being said, PBX in a Flash comes with IPTABLES enabled and Fail2Ban. Those are pretty good tools and they make it easy to use them.

As someone who started on my journey with trixbox I have a bit of advice for you. As fskrotzki pointed out trix 2.2 was the last release from them that truly ‘had it all together’. Now that Fonality has forked FreePBX the distribution of FreePBX updates lags behind. In fact we have not seen this process at work.

FreePBX 2.5 will be the acid test of Fonality’s ability to slipstream in updates. I can’t recommend to anyone to update a running trixbox from Fonality’s repositories.

It is very simple to use the migration tool and move update to FreePBX 2.4. You can also update Asterisk to 1.4.

I would hate to see you hose up a running system.


You can buy a PFSense appliance from for less than $200 US. It comes with 3 ethernet ports and PFSense or m0n0wall preloaded. You can also take a P-II with 128 meg of RAM and load PFSense on that. Put in 2 NICs and it makes a dandy firewall router. I have used my PBX as a firewall, but as I grow older and gain additional aversion to non-billable work, I steer away from that :)

Shorewall runs well on most of these systems and can be set up through Webmin.
The best advice would be to use another distro or just roll your own.
I am not sure if you would break something in TB by doing this.

Thanks for the input! So now I’m not replacing my P3 machine, and I don’t think there is any reason to upgrade to 2.6, after reading comments here.
I may upgrade from 2.20 to 2.4, but I don’t think it adds or fixes anything I need anyway. If it ain’t broke, don’t fix it! As for my NAT issues, I lucked into a free Cisco 1720, which I am programming to replace my Netgear RT311 (P.O.S.) router, that at this point I am blaming for the issue I have.
Here’s the story. I serve outside extensions from my home PBX, like a softphone on my laptop, and an ATA at the cottage. The cottage seems the worst for this problem. Both the FreePBX box and the remote ATA are behind a NATing router. Sometimes the Netgear at home messes up and there is no voice path through the NAT. The only fix I have found to work is to reboot the router, which also changes my IP address :(, then reboot the PBX. After that, wait about 5 minutes and then restart the remote ATA (Linksys RT32p2). Most of the time this works, but sometimes I have to repeat this. The NATs change the inbound port from 5600 to something around 2400, and it increments upward each attempt, until it all works. I hope a real router will help fix this. The Cisco will also still be NATing to the same subnet, in a plug and pray replacement, with lots of open UDP ports… SIP is a wonderful protocol, but not through NAT.

I understand the ramifications, security-wise, but decided to anyway. I don’t run trixbox, though. I run a ClarkConnect firewall/gateway (based on RHEL4). I installed Asterisk 1.4 manually, with FreePBX on top. It was a bit of a hassle to get working, but has been stable for quite a while now.

One is to use a Digium IAXy, which is an ATA (FXS) through IAX and therefore has very few NAT issues. For remote, I have had great success with Hamachi and softphones. If you find yourself behind an ISA or other proxy server, Hamachi may not work… But, otherwise not too bad.

The cheapest and simplest solution that I have found for this is to get yourself a Linksys WRT54GL router and load it with the DD-WRT firmware. I think you can get one of these for about $50 at
You can use one of these on both ends - PBX and remote. To get around the dynamic NAT problem you can go to some place like and get a name registered. Register your ATA or IP phone to this name from any remote locations.
See setup directions here