Softphone, SangomaConnect, Zulu

I don’t have any experience with Sangoma Connect, but most phones either have a field for the signalling port or you add :nnnnn to the registrar address.

All phones eventually to achieve the goal but you could add an iptables rewrite rule to forward udp/5060 to udp/nnnnn temporarily as you transition them.

Thank you @dicko! You have given me a lot to consider. I started exploring FreePBX to see if we could use an IP phone type system in my business - what features we should look for if we decide to pay to have someone come in and take care of it, and how our POTS and internet lines would stand up to it. There is clearly a lot to learn. Thank you for sticking with me here and in other posts as I try to sort through all of this. I’m going to look at setting up the port flooding firewall rules to keep the unwanted SIP attacks outside my system.

There were many problems discussed in this thread. I wish I could mark all of the solutions…

The flood rules should be last on your list, they will almost never come into play if you choose your port wisely.

When you provision a Sangoma Connect client or a Sangoma phone with EPM, it will determine the SIP port(s) from the pbx config and automatically generate appropriate provisioning files. Setting up Connect or a phone will work exactly the same whether SIP is bound to 5060 or 53769.

@lgaetz
Do I change this under Settings>SIP Settings > SIP Settings [chan_pjsip]?
Are there any other areas I need to change this at?
Speaking of certificates a bit ago, my FreePBX dashboard has said “Some SSL/TLS Certificates have been automatically updated. You may need to ensure all services have the correctly update certificate by restarting PBX services” for several weeks now, after several reboots. I tried updating, but I have an update that failed. I understand this thread has strayed from its otherwise broad topic, and understand if you want me to create a new one. Just say the word!

@dicko You say choose ports wisely - do you mean a random high number port, or is there a list you have in mind?

Thank you everyone for your help!

My list would probably be anything in the range of 49152 to 65535, which are considered private and dynamic.

https://www.sciencedirect.com/topics/computer-science/registered-port

You would be unlikely to collide with any other port you are currently using (unless you are aware of one) and anything attempting to connect in that range would likely be nefarious, so you can happily ban anything that attempts to connect to more than any two of those ports that is in that range but NOT your chosen port in any period of time.

(Actually I would ban for life anything that attempted more than a very small number of connections on anything I am not listening on)
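
The ban rule from the reply above (more than two ports in 49152 to 65535 other than the chosen SIP port), written as a check over firewall drop logs. This is an added example, not part of the original thread; the log layout, the 10-minute window and the use of 53769 as the chosen port are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

DYNAMIC_RANGE = range(49152, 65536)  # private/dynamic range quoted in the thread
SIP_PORT = 53769                     # assumed chosen SIP port (example value from the thread)
MAX_OTHER_PORTS = 2                  # more than two other ports in the range => ban
WINDOW = timedelta(minutes=10)       # assumed; the thread leaves the period open

# Constructed sample: iptables LOG-style lines with RFC 3339 timestamps.
SAMPLE_LOG = """\
2024-01-10T03:00:00+00:00 pbx kernel: DROP IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=49200 LEN=420
2024-01-10T03:00:05+00:00 pbx kernel: DROP IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=49201 LEN=420
2024-01-10T03:14:01+00:00 pbx kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=5071 DPT=50123 LEN=420
2024-01-10T03:14:02+00:00 pbx kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=5071 DPT=50124 LEN=420
2024-01-10T03:14:03+00:00 pbx kernel: ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=53769 LEN=512
2024-01-10T03:14:04+00:00 pbx kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060 LEN=512
2024-01-10T03:14:05+00:00 pbx kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=5071 DPT=61000 LEN=420
2024-01-10T03:30:00+00:00 pbx kernel: DROP IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=49202 LEN=420
"""

LINE_RE = re.compile(r"^(\S+) .*?\bSRC=(\S+) .*?\bDPT=(\d+)")


def find_scanners(log_text, sip_port=SIP_PORT, limit=MAX_OTHER_PORTS, window=WINDOW):
    """Return {src_ip: sorted ports} for sources that touched more than `limit`
    distinct dynamic-range ports other than `sip_port` inside `window`.
    Lines are assumed to be in chronological order per source."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, port)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line we understand
        ts = datetime.fromisoformat(m.group(1))
        src, port = m.group(2), int(m.group(3))
        if port == sip_port or port not in DYNAMIC_RANGE:
            continue  # legitimate SIP traffic, or outside the range being watched
        hits = recent[src]
        hits.append((ts, port))
        while ts - hits[0][0] > window:  # expire hits older than the window
            hits.popleft()
        ports = {p for _, p in hits}
        if len(ports) > limit:
            flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    for ip, ports in find_scanners(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: probed {ports}")
```
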
