This thread got busy after I replied - I will try to answer everything I know…
First, to Dicko’s point, Kamailio is one hell of a Project - I actually talked one of the developers at the last Astricon I attended - I want very badly to implement it because it does have a lot of reliability features built in - but it also has a lot of complexity to manage and we are currently in the process of training our tech staff up to par - Kamailio right now is that extra step too far - for now. In the future, you bet!
So to answer you question, it will do all that what it won’t do is allow for provisioning over individual servers without tunneling, if you don’t tunnel then your ucp/fop2/everything will be highly problematic
This is why we went with an IP per box and why we are using a SonicWALL to hide all the Customer PBX’s behind it - FreePBX uses MANY different ports for all the services it offers. Multiply that times the number of PBX’s you are contemplating and Port Management on the same IP get’s tricky - and provisioning in the wild is a requirement - so we went with 1 IP per box. This is why we also used a Software Defined Networking company (Bigleaf) - they can give me the IPV4 space I need to have one per box.
Something else to really think about is Zero-Day exploits - no one wants to think about it, but it happens and when it does, if you have 1 box to protect, you shut off whatever service is affected until the hole is fixed and you are safe - but imagine if you have 50 boxes to individually turn off a service - then it gets to be a pain.
SonicWALL (and I assume all competent Firewalls) has the ability to “Template” the services offered to any individual IP address - so all my protected boxes have the same services on the same ports exposed to the Internet - but for instance, if someone discovers a Zero-Day exploit on the UCP interface for FreePBX, it is two clicks of the mouse to close that port for ALL my boxes - this is why we don’t use the Sangoma Firewall - I like it very much for stand alone boxes, but when you are dealing with LOTS of boxes, it’s too many individual places to go to fix the problem.
When you say far end firewall, do you mean the firewall at the server side or the phone side?
Phone Side.
I do not want to complicate things, so we are going to use 1 public IP for every FreePBX. Also minimize the risk for a firewall change to take down multiple customers.
That is the conclusion we came to also.
On the phone side firewall we only need to open 5060, 5061 udp and 10,000-20,000 udp and lock it down to the FreePBX public Ip and to any ip on the inside, correct?
If you only want to allow phones to talk, yes - but I like remote Admin, Provisioning, and UCP, so I open those ports as well - Provisioning can be done with Authenticated HTTP and it works very well - so we use that.
Would you recommend using 2 interfaces on the FreePBX, one for clients and another for Siptrunk? or it doesnt matter?
We are actually using the Link Aggregation in Hyper-V, so we only use a single interface in the VM and it works well.
Any recommendations on firewalls?
SonicWALL - it has done very well by us over the years and you will find lots of people that have knowledge on them - and since they broke away from Dell, they have a renewed sense of purpose - I like them LOTS but most Competent firewalls are fine - the only one we have consistently had trouble with is Fortinet - those things suck!
Sorry this is so long.
