Urgent Help - New setup


(Nathan) #1

For whatever reasons, we’ve had to urgently build a new FreePBX server. It’s sat behind a Unifi Security Gateway and uses SIP trunks from Gamma.

I’ve read about double NATing so have disabled the inbuilt firewall due to not being able to configure a DMZ on the Unifi Gateway Pro. I’ve also turned NAT to no under SIP Settings on FreePBX.

On the USG, i’ve allowed the following WAN out firewall rule settings.

  • All traffic from the internal IP address of the FreePBX to the Gamma SIP trunk server allowed.
    On the WAN in firewall rule settings;
  • All traffic from the Gamma SIP trunk server to the internal IP of the FreePBX allowed.

I’ve also setup the following ports to forward to internal IP of the FreePBX server only allowed from our schools and SIP provider (Gamma).

  • Ports 5160, 5060, 84, 80, 82 and 69

I have one trunk registering through using SIP. I can get local extensions to register, but i can’t get any external one registering.


Issues with Time Conditions module
(Avayax) #3

NAT must be set to yes if your PBX is behind NAT on a private IP address.


(Nathan) #4

after further reading i discovered that and so set it to yes.

What should i do about the FreePBX firewall as i’m using the Unifi Security Gateway that has a real lack of logging for the firewall :roll_eyes:

Do i keep it enabled or disable it and what would you recommend setting eth0 too? trusted, local or keep it at internet


#5

You can keep it enabled and configure it accordingly.


(Nathan) #6

Should i set the interface to internet?

I’ve just done a test with the Zoiper app and it confirmed it can’t see SIP UDP.

I’m a bit lost as i’ve added an exception and forwarded the ports 5060 and 5160. I’ve also ensured that in the FreePBX firewall the network is set to trusted traffic so it shouldn’t be getting blocked.

I should note that i have some phones on the same network as the PBX that have connected fine, so it looks to be a networking issue somewhere along the line.

Can anyone recommend is upwork is a decent freelance site?


(Luke C) #7

(Nathan) #8

Unfortunately $200 an hour is out of my price range as our school can’t afford it so i’ll have to pay for it personally.


(AC-Jay) #9

I have my PBX set up behind my USG Pro and my external devices can register.

Is your modem functioning as a router as well (you mentioned double NAT). If so, I strongly suggest you see about bridging your modem and letting your USG do all the routing. Then you can set up firewall rules on it accordingly.


(Nathan) #10

I was mistaken originally. It’s just the USG Pro so no double NAT.


(AC-Jay) #11

Ok, so a few things: you need to make sure that some external port is forwarding to 5060 UDP (assuming pjsip) on your PBX.

Then you need to update the firewall on your PBX to allow external connections from your remote device(s) AND you need to place them in a group with access to your system. I recommend OTHER:

image

You’ll need to grant the OTHER group SIP access:

Under Services:
image

Make sure Other is selected:


(Nathan) #12

I can confirm that i have the following set:

Port Forwarding for 5060 and 5160 (i’ll disable one when settled on SIP or PJSIP), this then hits the internal IP of the pbx. This interface is marked as Internet.

I’ve then added all the external IPs of the schools as Local and then double checked in services that Local is set on both SIP and PJSIP services.

I can confirm that i do not get any warnings from the firewall in the full log


(AC-Jay) #13

Can you please:

  1. Show your FW rules (just to be sure)
  2. Telnet from one of your remote sites to your external port(s) and see if you can make a connection
  3. Try the OTHER group (rather than Local).

(Nathan) #14

FW rules on the USG or the rules on the pbx?


(AC-Jay) #15

Might as well show everything I suppose. :slight_smile:


(Nathan) #16

Firstly the port forwards from the USG Pro.

Then the WAN IN firewall rules, with the group being the schools external IPs

Finally the WAN OUT firewall rules.

The services.


(Avayax) #17

Can you whitelist IP addresses on the Unify firewall so that only those addresses get allowed inbound?
If so why do you even bother setting up the FreePBX firewall now? It wouldn’t be needed then.


(Nathan) #18

if i were to just disabled the freepbx firewall, would it just allow traffic through?

There is no reason, i was just wondering if it would cause an issue.


(Nathan) #19

also trying to telnet via 5060 or 5160 to the pbx from an external site just results in connection refused.


(AC-Jay) #20

Port forwarding looks fine, assuming you’re using UDP on the (pj)sip ports.

You shouldn’t need WAN_IN rules for your remote locations unless you’re blocking everything and have specific rules to allow them access (inbound access is accepted by default).

Same thing with your WAN_OUT rules.

What do your firewall rules on the PBX look like (censor IPs if necessary)?


(Nathan) #21

Pretty much the same as your previous post Urgent Help - New setup

Just the external IP