FreePBX | Register | Issues | Wiki | Portal | Support

Second NIC added for external access

(tty0744) #1

Asterisk 13.18.0
SHMZ release 6.6 (Final)

I’ve added a secondary NIC to allow me to access the FreePBX GUI, and for remote extensions, from the outside world. My concern is being compromised due to exposure. Is the recommendation to enable the FreePBX internal firewall? Also, I’ve listed the planned config below, to add to my secondary NIC. What am I missing, if anything?

IPV6INIT=no (External IP from ISP)
DNS1= (Google DNS)
DNS2= (Google DNS)

(Dave Burgess) #2

If you are connecting the server directly to the Internet (which your post implies) you need AT LEAST the integrated firewall. You also need to make sure that “Anonymous Connections” are disabled and, if possible, that you lock the system down to specific IP addresses for your incoming web connections.

If your external phones are going to be connecting from “dynamic” addresses, you can use DDNS to set up the phones and connect through one of the many DDNS services available. This way, you can whitelist your phones by Dynamic IP to Name conversion.

(tty0744) #3

Will do. However, with the eth1 config in place, I’m not able to ping my server from the outside. The firewall is currently not active. What am I missing here?

(Dave Burgess) #4

Did you enable the eth1 interface yet?

Log into the system console as ‘root’ and check with “ifconfig -a” and make sure the interface is setup and configured correctly. Once there, you will also need to make sure that your route information is correct. Try “netstat -nr | head” and make sure your “default” route is pointing out through eth1 (so that unknown Internet addresses are handled through the external address).

To verify that it isn’t the firewall getting in your way, you can use “tcpdump -u eth1” and watch for inbound traffic. If you are seeing traffic on the raw interface and not on the system, you can assume that it’s either a routing problem or a firewall problem.

(tty0744) #5

eth0 and eth1 were assigned with valid, different gateways. The solution was to eliminate the default gw for eth0. Now, I’m able to ping the external IP, which eth1 is routed through. It appears that a conflict existed, even though we’re talking separate interfaces, with different configs/gw’s. Does this make any sense?