The firewall is intended to protect from dynamic endpoints, from phones logging in from untrusted networks where there is no consistency in the IP assignments. It is useless if the FreePBX server NEVER has to allow for outside incoming SIP from the Internet. If you are an admin of a FreePBX system that doesn’t have to be exposed to incoming VoIP calls from the outside, you WOULDN’T. You would just turn off the firewall completely, since it’s unnecessary, and make sure there’s no port forwarding to it.
You have a network where all your phones are coming in from known subnets that you assigned. You therefore have a solution in front of you that would take 10 minutes to implement; you would be done with it and could go on to other things - and that solution is to add all your trusted subnets to the list of trusted subnets so the firewall ignores them.
I don’t completely understand your complaint. In one post you say all your phones are coming in from VPNs. In another you say you also have problems from phones coming in from dynamically assigned public IP addresses.
As I said, there are problems with running extensions over the Internet outside a VPN that are more than just the firewall acting up. The firewall is a poor substitute, a last-ditch attempt to make a horrible situation better. Unless your remote phones are all encrypting their calls, your VoIP going over the public Internet can easily be eavesdropped; there are some fun videos on YouTube that show how to use Cain and Abel to do it. Lots of phones out there have very poor password control; they won’t allow passwords longer than 8 characters, and many admins use poor passwords anyway. So why fight against use of a VPN? You can, for free, set up an OpenVPN server, run OpenVPN clients on your single dynamic hosts, and run softphones on those machines. That solves the firewall issue, protects your calls, and fixes any timeout issues.
I have news for you: we’ve got another 10 months to go before a vaccine is going to be widely available. Until then you are going to have a lot of folks at home. If you are going to have your security with its back door hanging wide open for a year, you’re gonna get gunned. You are acting like this business is “just a few months and we can go back to normal” and this remote-from-home stuff is a band-aid you are looking forward to tearing off.
Grow the eff up and start taking this seriously.
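The "add your trusted subnets" fix from the post above can be scripted so the list is checked before it touches the firewall. The script below is an added example, not code from the post or from the FreePBX project. It assumes the `fwconsole firewall trust <cidr>` subcommand exists with that syntax (confirm with `fwconsole firewall --help` on your own install); the subnet list is constructed for illustration and the CIDR check is IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original post or from FreePBX): validate a
# list of trusted subnets in CIDR form, then hand them to the FreePBX
# firewall. The `fwconsole firewall trust <cidr>` subcommand is assumed to
# exist with that syntax; confirm with `fwconsole firewall --help`.

# Constructed sample: the subnets this site's phones and VPN clients come from.
TRUSTED_SUBNETS="10.10.0.0/16 192.168.50.0/24 172.16.8.0/22"

# DRY_RUN=1 (the default) only prints the commands; set DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}

# Return 0 if $1 is a syntactically valid IPv4 CIDR: a.b.c.d/n,
# four octets in 0-255, prefix length 0-32. Anything else returns 1.
is_ipv4_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    bits=${1#*/}
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -le 32 ] || return 1
    # split the address on dots; it must yield exactly four fields
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Trust each valid subnet in $1 (space separated). Invalid entries are
# reported on stderr and skipped rather than fed to the firewall, and the
# function returns 1 if anything was skipped or any fwconsole call failed.
trust_subnets() {
    rc=0
    for net in $1; do
        if is_ipv4_cidr "$net"; then
            if [ "$DRY_RUN" = 1 ]; then
                echo "fwconsole firewall trust $net"
            else
                fwconsole firewall trust "$net" || rc=1
            fi
        else
            echo "skipping invalid subnet: $net" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (as root on the PBX): review first, then apply.
#   DRY_RUN=1 sh trust-subnets.sh
#   DRY_RUN=0 sh trust-subnets.sh
trust_subnets "$TRUSTED_SUBNETS"
```

Run it once in dry-run mode and read the printed commands before applying; a typo in a prefix length (a /8 where you meant a /24) silently trusts far more than you intended, and the firewall will not complain.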