Trouble with AMI over private IP address

gmilitello · March 25, 2021, 3:40pm

I am using asterisk-java to connect to my FreePBX server (15.0.17.24), when I connect over the public IP address, everything works perfectly, but when I am connecting over the internal IP address, I am getting this error.

15	[2021-03-25 15:34:48] NOTICE[30671] manager.c: 172.31.13.161 failed to pass IP ACL as 'myconnection'	
16	[2021-03-25 15:34:48] NOTICE[30671] manager.c: 172.31.13.161 failed to authenticate as 'myconnection'

I have the AMI user set up with the following config, set up via the Settings -> Asterisk Manager Users

[myconnection]
secret =  
deny=255.255.255.255/255.255.255.255
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
writetimeout = 100

Is there an ACL somewhere else that I need to configure so that I can use the AMI? Any help would be appreciated.

Thanks!

EDIT: The secret is not blank in the actual config. But I have it blank here because I know not to post information like that online.

dicko · March 25, 2021, 3:48pm

You need a secret. Allowing the whole internet with or without a password is not recommended

gmilitello · March 25, 2021, 3:55pm

I do have a secret, I just removed it for an example.

The server is limited on what IP can access it from the public internet so I am not super worried about that, and I will lock down the AMI user as soon as I am able to connect over its internal IP address.

lgaetz · March 25, 2021, 4:04pm

What is bindaddr set to in /etc/asterisk/manager.conf? If not set to 0.0.0.0 you will only be able to access from the specified interface.

gmilitello · March 25, 2021, 5:45pm

Here is a copy of my manager.conf

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = REMOVED
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000

#include manager_additional.conf
#include manager_custom.conf

It does look like bindaddr is set to 0.0.0.0. what should it be set to to allow connections from other servers? How do I set it?

dicko · March 25, 2021, 6:02pm

0.0.0.0 means it binds to all your network interfaces, so it’s good but you can set it to listen on your lan address if you want to so limit access. Given 192.168.2.253/24 then Your [myconnection] in manager_additional.conf and would be thus set to permit = 192.168.2.0/255.255.255.0 no need to deny anything. BTW, writetimeout is in milliseconds.

gmilitello · March 25, 2021, 7:08pm

I am a little confused about where I need to be looking to get this to work.

I am not able to have a null value for deny, FreePBX gives me an error when I do not have an ip address and subnet in that field.

My current value for Deny is 255.255.255.255/255.255.255.255

dicko · March 25, 2021, 7:24pm

You are denying no-one, what should work is

[general]
bindaddr =  172.16.0.1
.
.
[myconnection]
deny=0.0.0.0/0.0.0.0
permit =127.0.0.1/255.255.255.0&172.16.0.0/255.240.0.0

Assuming you PBX is at 172.16.0.1/12, to deny everything but your local PBX itself and all hosts in your LAN

system · June 3, 2021, 11:11pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.