SOLVED - New Appliance 60 - Errors, no audio and unable to connect inbound or outbound!

So I have been unsuccessful at making a call inbound. Keep in mind I am semi new to FreePBX and the world of VoIP in general. Here is a basic breakdown of what is happening.

I have programmed a trunk from Flowroute: (been using them for a few months now!) 2016-02-14 01:52:26 FPBX-13.0.62(13.7.2) - (Connect info from Flowroute Dashboard)

I added an inbound route and set DID to “Terminate: SIT” no tones heard. If I take the server offline then I get the default message from the provider. If I delete all details of the “Inbound Route” then I get the FreePBX default message (once only)

(Removed the log had a couple references I left laying around there that had private data!)

Do I need to adjust “Responsive Firewall”? I have no firewall on static IP’s thru the gateway.

Also here is a link to a Comcast page about ports being blocked

I hope I have provided enough information for a little help, I know it is hard to help someone who can’t or won’t provide enough information to start the conversation.

I wrestled with the Firewall in FreePBX 13 for a couple of weeks.

The nutshell version is to run the Wizard, then start from the bottom and work your way up.

Once the wizard is done running, go to the “Zones” and set up your blacklisted zones (if you have any).

Next, set up your trusted Networks. Get these right the first time and your life should be reasonably simpler. Mark all of your trusted zones as “trusted”. Mark your Internal network as “Internal” as well. Do not save any as “blank” - I did that and it took me two weeks to get it fixed (I ended up in the FreePBX database doing database updates by hand to fix that).

Next, go into your interfaces and mark the Internal and External interfaces.

After you get those set up, go into services and set up the ports that you need open. In theory, if you set up your VOIP provider as a trusted network, you shouldn’t need to do anything to the services, but that may or may not be true. Set up your inbound port number (assuming you changed your local SIP connections away from 5060) or numbers (if you are using both Chan_SIP and PJSIP). Open your UDP port addresses for RTP as well.

Once you get done with all of that, but before you actually start the firewall up, check to see if you have the SysAdmin module installed. The “Intrusion Detection” option in there may or may not mess with the Integrated Firewall. I did find that setting the whitelist and blacklist in there was much more effective than the integrated firewall, but I think that both of them may be needed, even though the Firewall module implies that we should just trust it and that it’s got it covered.

One note - at some point, the firewall module may decide to switch your internal and external interfaces around. At this point, I’m pretty sure you are hosed, but a hardware reboot should solve your problem there. Also, even though you may stop the firewall at the command line (to get something working), the system may decide that you really meant that you wanted it on and will restart it for you for no good reason. Just go with it.

Have fun and enjoy.

I spent over an hour on the phone with Comcast technical support for business. Thankfully they know a heck of a lot more than the residential folks. At one point he got frustrated with me and all my questions. Then he logged into my computer and keyed some username and password that gave me full access to my modem for our session. I was able to verify all the settings and literally I opened the box up to the world. There is no firewall running, there are no ports being blocked etc.

I ran this test and passed with flying colors. No ALG on SIP!! I would post a link but my IP’s are listed there. Then I used a terminal session to start checking ports to a VPS machine. Other than 25 all necessary ports are open and responding.

The box is sitting on the outside world and has a static IP. I am using Google DNS too!!

Apparently, I should have mentioned this earlier.

If you are using FreePBX 13, you have a firewall ON YOUR PBX. The good old days of setting up the firewall and letting the PBX talk through it appear to be over. We are now at the mercy of Sangoma.

So, we now have to rely on the PBX software to get all of the myriad iptables settings and fail2ban settings correct and don’t really get a vote in it. It appears that we do, because we have settings pages, but I’m not convinced they work.

There are problems with the integrated firewall, but I don’t see a way to uninstall them. As long as you never start the integrated firewall in the PBX software, you might be OK. The problems really appear to compound with dual-NIC setups, which are actually VERY common (at least, all of my systems are).

If you have started the PBX, I recommend you follow its lead. If it wants the external interface to be on eth0 but numbers it (or whatever it randomly decides to do), just play along. Move the cables so that the port with the internal address can see the internal network, and the port with the external address so it can see the external network.

Yes, by the way, I am a little frustrated with the way the integrated firewall is working.

One of my customers has two addresses for their incoming VOIP provider. I ended up rewiring the connections (switching eth0 and eth1) so that the PBX would stop switching them back and forth. I went into the /etc/sysconfig/network-scripts/ directory and tied the eth0 and eth1 config files down to specific MAC addresses and added all of the network routes myself. After that, I still had the system try to switch eth0 and eth1 around WHILE THE SYSTEM WAS UP. Once it did that, I had to drive 30 miles to reset the system and get it back under control.

I think I understand your frustration.

Note that, even though everything else is perfect, the IPtables and fail2ban parts may well screw you up. Remember the customer with two incoming phone systems sources? He can receive calls from one of them, but not the other. Both are whitelisted, neither are in jail, there’s no good reason why traffic from x.x.24.31 should work as well as x.x.23.30. Except that it doesn’t work. Oh, and I had to use Chan_SIP for the connections because PJSIP doesn’t do host-based authentication yet, so that might also be messing with me.

And perhaps you. Check your port mapping and make sure you are using the right SIP interface. PJSIP and Chan-SIP use different ports on your server. PJSIP uses 5060 and Chan-SIP uses 5061 OOTB as I recall. In order to get the server half-working, I had to remove the PJSIP driver from the module list entirely.

Good luck.

1 Like

You realize the firewall we include is off by default and you can disable it anytime if you turn it on. It is not forced on you. Nothing we do in a firewall module would ever touch your NIC settings or setting them up. Sorry firewall module has nothing to do with that.

As far as trying to bring calls in on two IP’s good luck with chan_sip on that. You also would have to setup static routing for it all as Asterisk will just send all traffic out the default gateway and a gateway can only belong to 1 interface.

Have you gone into SIP Settings module in FreePBX and setup your NAT rules for SIP and Chan_SIP?

Oh no, I have been using FreePBX 13 since beta basically. I think I am square on the Firewall, but I need to get audio thru on this thing. I bought an Appliance so that I would not have problems associated with “build your own” equipment.

I thank the team for that firewall. I actually like it and used it in my hosted environment. And I definitely know that it won’t touch my NIC settings.

Now on the fun stuff, I have no other firewall in place and my machine is actually public internet facing.

@tonyclewis with my limited knowledge I knew instantly when I was in there what had happened. It had my NAT set to yes and I went ahead and set my external address manually. Now the whole system is working again, thank you so very much.

1 Like
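The fix in the last post was in the SIP NAT and external address settings; when those are wrong, a PBX can advertise an address in its Contact header or SDP that the provider cannot reach, and calls connect with no audio. The following check is an added example, not part of the thread or of FreePBX: it reads a captured SIP message and flags advertised addresses that are RFC 1918 or differ from the expected external IP. The thread shows no SIP traces, so both sample messages and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also match
# the documentation ranges used in the constructed samples below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PATTERNS = [
    ("Contact", re.compile(r"(?i)^contact\s*:.*?sips?:(?:[^@>\s]+@)?(\d+\.\d+\.\d+\.\d+)")),
    ("SDP o=", re.compile(r"^o=\S+ \S+ \S+ IN IP4 (\d+\.\d+\.\d+\.\d+)")),
    ("SDP c=", re.compile(r"^c=IN IP4 (\d+\.\d+\.\d+\.\d+)")),
]

def advertised_addresses(sip_message):
    """Return (field, ip) pairs the PBX tells the far end to use."""
    found = []
    for line in sip_message.splitlines():
        for field, pattern in PATTERNS:
            m = pattern.match(line.strip())
            if m:
                found.append((field, m.group(1)))
    return found

def audit(sip_message, external_ip):
    """List advertised addresses the provider could not send signalling or RTP to."""
    expected = ipaddress.ip_address(external_ip)
    findings = []
    for field, raw in advertised_addresses(sip_message):
        ip = ipaddress.ip_address(raw)
        if any(ip in net for net in RFC1918):
            findings.append(f"{field}: {ip} is RFC 1918, unreachable from the provider")
        elif ip != expected:
            findings.append(f"{field}: {ip} is not the external address {expected}")
    return findings

# Constructed 200 OK from a PBX whose external address is misconfigured.
BAD = """SIP/2.0 200 OK
Contact: <sip:1000@192.168.1.50:5060>
Content-Type: application/sdp

v=0
o=root 1234 1234 IN IP4 192.168.1.50
c=IN IP4 192.168.1.50
m=audio 10000 RTP/AVP 0
"""
# Same message after the external address is set correctly (constructed).
GOOD = BAD.replace("192.168.1.50", "203.0.113.10")

if __name__ == "__main__":
    for finding in audit(BAD, "203.0.113.10"):
        print(finding)
```
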