Trouble with AMI over private IP address

configuration
freepbx
asterisk

(Greg Militello) #1

I am using asterisk-java to connect to my FreePBX server (15.0.17.24). When I connect over the public IP address everything works perfectly, but when I connect over the internal IP address I get this error:

[2021-03-25 15:34:48] NOTICE[30671] manager.c: 172.31.13.161 failed to pass IP ACL as 'myconnection'
[2021-03-25 15:34:48] NOTICE[30671] manager.c: 172.31.13.161 failed to authenticate as 'myconnection'

I have the AMI user set up with the following config, set up via the Settings -> Asterisk Manager Users

[myconnection]
secret =  
deny=255.255.255.255/255.255.255.255
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
writetimeout = 100

Is there an ACL somewhere else that I need to configure so that I can use the AMI? Any help would be appreciated.

Thanks!

EDIT: The secret is not blank in the actual config. But I have it blank here because I know not to post information like that online.


#2

You need a secret. Allowing the whole internet, with or without a password, is not recommended.


(Greg Militello) #3

I do have a secret, I just removed it for an example.

The server is limited on what IP can access it from the public internet so I am not super worried about that, and I will lock down the AMI user as soon as I am able to connect over its internal IP address.


(Lorne Gaetz) #4

What is bindaddr set to in /etc/asterisk/manager.conf? If not set to 0.0.0.0 you will only be able to access from the specified interface.


(Greg Militello) #5

Here is a copy of my manager.conf

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = REMOVED
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000

#include manager_additional.conf
#include manager_custom.conf

It does look like bindaddr is set to 0.0.0.0. What should it be set to to allow connections from other servers? How do I set it?


#6

0.0.0.0 means it binds to all your network interfaces, so that's fine, but you can set it to listen on your LAN address if you want to limit access. Given 192.168.2.253/24, your [myconnection] in manager_additional.conf would then be set to permit = 192.168.2.0/255.255.255.0; no need to deny anything. BTW, writetimeout is in milliseconds.


(Greg Militello) #7

I am a little confused about where I need to be looking to get this to work.

I am not able to have a null value for deny; FreePBX gives me an error when I do not have an IP address and subnet in that field.


My current value for Deny is 255.255.255.255/255.255.255.255


#8

You are denying no-one; what should work is

[general]
bindaddr =  172.16.0.1
.
.
[myconnection]
deny=0.0.0.0/0.0.0.0
permit =127.0.0.1/255.255.255.0&172.16.0.0/255.240.0.0

Assuming your PBX is at 172.16.0.1/12, this denies everything but your local PBX itself and all hosts in your LAN.
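The three deny/permit rule sets in this thread (the original [myconnection] section, the permit-only suggestion in #6, and the deny-all-then-permit form in #8) behave quite differently, and the difference is easy to see by modelling how Asterisk walks the list. The script below is an added example, not code from the thread or from Asterisk/FreePBX. It assumes Asterisk's manager ACL semantics as I read them in acl.c: rules are evaluated in the order they appear in the section, the last matching rule decides, and a source address that matches no rule is allowed. The section texts are copied from the posts above with the secret left out; the source addresses other than 172.31.13.161 (which is the one in the log line) are constructed samples.

```python
import ipaddress

# Constructed samples: AMI user sections as posted in the thread (secret omitted).
MYCONNECTION_AS_POSTED = """
[myconnection]
secret =
deny=255.255.255.255/255.255.255.255
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command
"""

# Post #6: permit the LAN, "no need to deny anything".
MYCONNECTION_POST6 = """
[myconnection]
permit = 192.168.2.0/255.255.255.0
"""

# Post #8: deny everything first, then permit loopback and the 172.16.0.0/12 LAN.
MYCONNECTION_POST8 = """
[myconnection]
deny=0.0.0.0/0.0.0.0
permit =127.0.0.1/255.255.255.0&172.16.0.0/255.240.0.0
"""


def acl_rules(section_text):
    """Extract the ordered deny/permit rules from one manager.conf-style section.

    Handles "key=value" and "key = value", strips ";" comments, accepts both
    dotted netmasks (255.240.0.0) and CIDR prefixes (/12), and splits the
    "&"-separated address lists seen in post #8.  Host bits are masked off,
    so 127.0.0.1/255.255.255.0 becomes the network 127.0.0.0/24.
    """
    rules = []
    for raw in section_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("deny", "permit"):
            continue
        for item in value.split("&"):
            addr, _, mask = item.strip().partition("/")
            net = ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)
            rules.append((key, net))
    return rules


def acl_allows(rules, source):
    """Assumed Asterisk evaluation: in order, last match wins, no match = allow."""
    src = ipaddress.IPv4Address(source)
    verdict = "permit"  # nothing matched yet: allowed
    for sense, net in rules:
        if src in net:
            verdict = sense  # a later matching rule overrides an earlier one
    return verdict == "permit"


def evaluate(section_text, sources):
    """Map each candidate source address to True (passes ACL) or False."""
    rules = acl_rules(section_text)
    return {source: acl_allows(rules, source) for source in sources}


# 172.31.13.161 is the address from the log line; the rest are constructed.
SOURCES = ["127.0.0.1", "172.31.13.161", "192.168.2.253", "203.0.113.5"]

if __name__ == "__main__":
    for name, text in [("as posted", MYCONNECTION_AS_POSTED),
                       ("post #6", MYCONNECTION_POST6),
                       ("post #8", MYCONNECTION_POST8)]:
        print(name, evaluate(text, SOURCES))
```

Two things fall out of running it. The rule set as posted denies only the single address 255.255.255.255 and then permits 0.0.0.0/0, so every source, internet addresses included, passes the ACL; the posted rules alone do not explain the "failed to pass IP ACL" line, and they leave the AMI port protected by the secret only. The permit-only form from #6 is just as open under the assumed default-allow behaviour, because an address outside 192.168.2.0/24 matches no rule at all. Only the #8 pattern, deny 0.0.0.0/0 first and then permit the specific networks, actually restricts where AMI logins may come from, which is why it is the conventional shape for these sections.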