For whatever reasons, we’ve had to urgently build a new FreePBX server. It sits behind a Unifi Security Gateway and uses SIP trunks from Gamma.
I’ve read about double NATing, so I have disabled the inbuilt firewall due to not being able to configure a DMZ on the Unifi Gateway Pro. I’ve also turned NAT to "no" under SIP Settings on FreePBX.
On the USG, I’ve allowed the following WAN out firewall rule settings:
All traffic from the internal IP address of the FreePBX to the Gamma SIP trunk server allowed.
On the WAN in firewall rule settings:
All traffic from the Gamma SIP trunk server to the internal IP of the FreePBX allowed.
I’ve also set up the following ports to forward to the internal IP of the FreePBX server, only allowed from our schools and our SIP provider (Gamma):
Ports 5160, 5060, 84, 80, 82 and 69
I have one trunk registering through using SIP. I can get local extensions to register, but I can’t get any external one registering.
I’ve just done a test with the Zoiper app and it confirmed it can’t see SIP UDP.
I’m a bit lost, as I’ve added an exception and forwarded the ports 5060 and 5160. I’ve also ensured that in the FreePBX firewall the network is set to trusted traffic, so it shouldn’t be getting blocked.
I should note that I have some phones on the same network as the PBX that have connected fine, so it looks to be a networking issue somewhere along the line.
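The "can’t see SIP UDP" result from Zoiper can be reproduced without a softphone. The script below is an added example (not from this thread or the FreePBX project): it sends one SIP OPTIONS request over UDP to a host and port you name, parses the reply, and reports whether the port forward and firewall path actually deliver UDP to the PBX. The hostname `pbx.example.invalid` is a placeholder, and the SIP response used in the test is constructed. Running it from an allow-listed school address should get a `200 OK`; running it from any other address should time out if the source restriction on the forward is working, which is also a quick check that the PBX is not open to the whole internet.

```python
"""SIP OPTIONS probe for checking whether UDP/5060 (pjsip) or UDP/5160
(chan_sip) on a FreePBX box is reachable through the USG port forward.
Added example; not code from the original thread."""
import re
import socket
import uuid


def build_options(target_host, target_port=5060, local_host="0.0.0.0", local_port=5060):
    """Build a bare SIP OPTIONS request (the same keep-alive ping trunks use)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # z9hG4bK cookie marks an RFC 3261 branch
    lines = [
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{target_host}:{target_port}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host}:{local_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_response(data):
    """Parse the status line and headers of a SIP response.

    Returns the status code, the Server/User-Agent banner and the received=/rport=
    values the PBX wrote into the top Via header: that is the public address and
    port the PBX actually saw the probe arrive from, which is what matters for NAT."""
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not m:
        raise ValueError("not a SIP response: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # keep the top Via
    via = headers.get("via", "")
    received = re.search(r"received=([0-9.]+)", via)
    rport = re.search(r"rport=(\d+)", via)
    return {
        "status": int(m.group(1)),
        "reason": m.group(2),
        "server": headers.get("server") or headers.get("user-agent"),
        "received": received.group(1) if received else None,
        "rport": int(rport.group(1)) if rport else None,
    }


def probe(host, port=5060, timeout=3.0):
    """Send one OPTIONS over UDP; return the parsed reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_options(host, port), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def verdict(result, expected_public_ip=None):
    """Turn a probe result into the diagnosis the thread is chasing."""
    if result is None:
        return ("no reply: UDP port not forwarded, WAN_IN rule or source allow-list "
                "blocking, or the PBX firewall dropping the packet")
    if expected_public_ip and result["received"] not in (None, expected_public_ip):
        return f"reachable, but PBX saw source {result['received']} (NAT or hairpin in the path)"
    return f"reachable: {result['status']} {result['reason']} from {result['server'] or 'unknown server'}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pbx.example.invalid"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5060
    print(verdict(probe(host, port)))
```

Pass your own public address as `expected_public_ip` to `verdict`: with NAT set to "no" on the PBX, the `received=` value the PBX writes into the Via header should be that address; if it is something else, there is still a NAT hop between the USG and the PBX that the SIP settings do not know about.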
I have my PBX set up behind my USG Pro and my external devices can register.
Is your modem functioning as a router as well (you mentioned double NAT)? If so, I strongly suggest you see about bridging your modem and letting your USG do all the routing. Then you can set up firewall rules on it accordingly.
Ok, so a few things: you need to make sure that some external port is forwarding to 5060 UDP (assuming pjsip) on your PBX.
Then you need to update the firewall on your PBX to allow external connections from your remote device(s) AND you need to place them in a group with access to your system. I recommend OTHER:
Port forwarding for 5060 and 5160 (I’ll disable one when settled on SIP or PJSIP); this then hits the internal IP of the PBX. This interface is marked as Internet.
I’ve then added all the external IPs of the schools as Local and then double-checked in Services that Local is set on both the SIP and PJSIP services.
I can confirm that I do not get any warnings from the firewall in the full log.
Can you whitelist IP addresses on the Unifi firewall so that only those addresses get allowed inbound?
If so why do you even bother setting up the FreePBX firewall now? It wouldn’t be needed then.
Port forwarding looks fine, assuming you’re using UDP on the (pj)sip ports.
You shouldn’t need WAN_IN rules for your remote locations unless you’re blocking everything and have specific rules to allow them access (inbound access is accepted by default).
Same thing with your WAN_OUT rules.
What do your firewall rules on the PBX look like (censor IPs if necessary)?