OK, so I set up a new client yesterday with PBXact and all S705s. Port 84 is port forwarded along with the normal PJSIP UDP and TCP ports and RTP ports to the PBXact static LAN IP. Phones were claimed by MAC in Sangoma Portal and Redirect settings are properly set up.
Extensions are all set up and EPM is being used. In Extension Mapping, the MAC is entered and the extension selected.
PBXact and all phones are using a dedicated VOIP VLAN (192.168.15.0/24). Within Untangle NG this entire VLAN is bypassed.
When plugging in phones yesterday internally, auto provision worked great. All phones on the local VOIP VLAN in the office provisioned and work great.
Now, I have a remote phone I'm trying to set up (another S705). Port 84 is forwarded to PBXact, and the phone is added and claimed in Sangoma Portal just like all the internal phones… Redirect settings are exactly the same, which is our FQDN and the username and password from SysAdmin-Provisioning protocols… The phone is set up with an extension and extension mapping within EPM with MAC.
I have full remote access to the office, both the PBXact Admin interface and Untangle NG.
When I plug the phone in here at the remote site, it boots up, grabs an IP, says retrieving redirect (watching sessions in Untangle NG, I see port 84 pop up when the phone says retrieving redirect config) and NG says port 84 was forwarded to my PBXact static LAN IP.
The weird part is the Asterisk Full Log shows nothing. It doesn't show any connection attempt. I was puzzled as I've done this before with success, so I tried adding it to a second system (a FreePBX system). I just updated the redirect settings in the Portal for that MAC/phone and got the same result.
No, the remote site is just a standard internet connect router to the outside world. When I plug this phone into the remote site internet, and the screen says redirect retrieving config, I see the main site NG Firewall Sessions log port 84 pop up with the source IP being the WAN of the remote site router, and it says forwarded to PBXact LAN IP… So the redirect service is working…
No, that's not the case, and I didn't give you all the info so I understand why you are saying that.
VLAN is not configured anywhere in PBXact. Nothing is configured VLAN wise in EPM or PBXact. VLAN tagging takes place on the switch ports.
So VOIP VLAN 15 (192.168.15.0/24) is configured as an interface in Untangle. The ports on the 48-port POE LAN switches that IP phones are plugged into are tagged with VLAN 15, so those internal phones are handed DHCP addresses within the VOIP VLAN. PBXact’s LAN IP is statically set to 192.168.15.2…
The weird thing is the phone says Retrieving Config (displays Sangoma redirect URL), then says Retrieving background image, retrieving ringtones, checking firmware, then it just loads to the default Sangoma screen with no config… During all this I see the connection coming into NG Sessions on port 84 and it says forwarded to 192.168.15.2, the PBXact server IP. I don't understand why nothing shows in the Asterisk Full log…
Well, I just found the culprit. It's the PBXact Firewall or Intrusion Detection. I just turned them both off to see if they were causing it, then plugged the phone back in at the remote site. Sure enough, it pulled the PBXact server LAN IP and provisioned. It's all set up and working…
So now why is the PBXact firewall blocking? I thought the whole point of the Firewall/Responsive/Intrusion was to allow remote connections through that properly authenticated? Responsive firewall worked in the past letting remote endpoints through.
Responsive allows SIP registrations from source IPs that are not whitelisted, not full access to all services. Once a device successfully registers to Asterisk, then the source IP is opened up for other services (UCP, provisioning, phone apps). So you have a chicken-egg situation on a new unprovisioned phone. You can’t provision without registration, and you can’t register without provisioning, which is why the very first time a phone provisions, it must do so from a zone specifically allowed by the provisioning service. After that it will work as expected, unless something changes to block the SIP registration.
So is the best practice in this situation to plug the phone into the local LAN at the main site, let it provision and register, then take it to the remote site to prevent this in the future?
I spoke too soon. So after the phone pulled the config and rebooted, it showed the correct PBXact IP during boot-up the 2nd time. It then loads to the main screen and shows the correct extension, but I have a red line over the 3 LINES and it won't make calls… It also failed to pull in the background image. So it obviously communicated with PBXact and pulled a config and the correct extension, but the 3 LINES show a black phone with a red line through it, and any number I dial, including *43 or *97, is just dead. No ringing…
Additionally, this is all I keep seeing every 8 minutes in Asterisk Logs > Full
Also, I have Intrusion Detection Firewall SYNC enabled and just noticed that IPs I've added to the Network tab as Trusted are not syncing or showing in the Intrusion Detection whitelist, and I don't see any way to add/whitelist IPs manually with Sync enabled?