I have a small company network with server DHCP, router and FreePBX with a fixed address. I have not been able to find instructions on how to configure the router to provide access to the pbx with FPBX firewall while still protecting the network.
Maybe I wasn’t clear. The FreePBX Firewall claims to secure a PBX exposed to the internet. What strategies can be used to expose the PBX through a router which is currently protecting a network? The extreme case is to set DMZ to the PBX. Is that advisable?
I am also curious about vLan. I have not used it. Is it a useful option?
I can’t find any documentation on these types of questions.
The first question is whether or not you will have remote phones, i.e. phones outside the firewall. The second question is how are you getting calls? Via analog lines, via a PRI or via a SIP trunk, and if a SIP trunk, is the SIP trunk out on the internet or is it terminated in the same location as the PBX?
VLANs can be useful as they allow you to group things across different locations. For example, you could have an accounting VLAN that contains the computers and printers for your accounting people all across the company. Or you can create a VLAN for all phones, etc. Each VLAN is managed separately. Think of VLANs as a virtual connection on a physical connection. Where we find VLANs most useful in our business is when the customer has two different internet connections, one for data and one for voice, but the building is not cabled to allow physically separating the networks. We put the phones on one VLAN and have the voice router (session border controller) do DHCP for the phones, and computers and printers on another VLAN with either the data router or server (if there is one) doing DHCP for those devices. This allows the phones to be plug and play as well as the computers.
By the way, Google is your friend. There are lots of good articles on things like VLANs.
I am definitely not the right person to answer this since I do not use the FreePBX firewall but I think that you should give more information on your network architecture if you want good answers…
Like I said I am not using the FreePBX firewall but it must be pretty close to the configuration the FreePBX firewall would have if it only had one network interface directly facing the Internet.
It would have to accept traffic to specific ports (SIP, RTP, SSH, HTTP(S)) from specific IPs or networks (maybe not for RTP, it depends on your provider, for some you can’t put ACLs on RTP).
Your router/firewall would, preferably, enforce similar rules though I guess you could just forward ports and let the FreePBX firewall decide if it lets the traffic pass. Another possibility is to enforce the IPs ranges which have access to the open ports there…
I don’t know how flexible the FreePBX firewall is so I am not sure if everything I am suggesting is doable or not…
I also don’t know what router/firewall you are using, so maybe you can’t do what I described there either… One of the things you said suggests it might not be that flexible:
This suggests your router doesn’t have a real DMZ but actually this:
because you don’t set DMZ to the PBX for a real DMZ, you put the PBX in the DMZ… With a real DMZ, the PBX has to go through your router/firewall to talk to the internal network while the “DMZ” of a consumer grade router forwards the traffic to a host on the internal network and the router/firewall is in no way involved when the PBX talks to the internal network since the PBX itself is in the internal network…
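The port-and-source restriction the reply above describes (SIP and RTP only from the trunk provider, SSH and HTTPS only from an admin network, everything else dropped) can be written down as an nftables ruleset for the PBX host itself. The script below is an added example, not code from the thread or from the FreePBX project; the provider and admin subnets, the 5060 SIP port and the 10000-20000 RTP range are placeholders and assumptions (the RTP range matches the Asterisk default but should be taken from the PBX's own rtp.conf). The third argument models the case the reply mentions where a provider does not allow RTP to be locked to a source range.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset for a PBX host.
# Usage: gen_pbx_rules PROVIDER_CIDR ADMIN_CIDR [yes]
#   PROVIDER_CIDR  subnet of the SIP trunk provider (placeholder in tests)
#   ADMIN_CIDR     subnet allowed to reach SSH/HTTPS on the PBX (placeholder)
#   third arg "yes" opens the RTP range to any source, for providers that
#   send media from addresses that cannot be put in an ACL
gen_pbx_rules() {
  provider="$1"; admin="$2"; rtp_any="${3:-no}"
  printf 'table inet pbx {\n'
  printf '  chain input {\n'
  # Default deny: anything not explicitly listed below is dropped.
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif lo accept\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  # SIP signalling (UDP and TCP) only from the trunk provider.
  printf '    ip saddr %s udp dport 5060 accept\n' "$provider"
  printf '    ip saddr %s tcp dport 5060 accept\n' "$provider"
  # RTP media range (assumed Asterisk default 10000-20000).
  if [ "$rtp_any" = "yes" ]; then
    printf '    udp dport 10000-20000 accept\n'
  else
    printf '    ip saddr %s udp dport 10000-20000 accept\n' "$provider"
  fi
  # Management (SSH, HTTPS GUI) only from the admin network, never from anywhere.
  printf '    ip saddr %s tcp dport { 22, 443 } accept\n' "$admin"
  printf '    icmp type echo-request limit rate 5/second accept\n'
  printf '  }\n'
  printf '}\n'
}

# Sanity check on a generated ruleset: succeed (exit 0) only if no rule
# accepts SSH/HTTPS without a source-address restriction.
check_no_open_admin() {
  ! printf '%s\n' "$1" | grep -E '^[[:space:]]*tcp dport \{ 22, 443 \} accept' >/dev/null
}

# Example run with placeholder subnets; review the output before loading it
# on the PBX with `nft -f <file>`.
gen_pbx_rules 203.0.113.0/24 192.168.1.0/24
```

Save the output to a file and load it with `nft -f` on the PBX; if the router in front of the PBX can filter by source address, the same provider and admin ranges belong in its port-forward rules too, so the PBX firewall is a second layer rather than the only one.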