I just installed a fresh FreePBX distro 15. I restored my old config with success. Now, I am trying to add the phones and, after some struggling, I found that the phones cannot register when the SIP channel driver is set to BOTH (in Advanced Settings).
When I set the driver to chan_sip only, my phones can register happily.
All my extensions are defined as the legacy chan_sip.
Is that a known issue or am I doing something wrong?
You need to be aware that there are 2 SIP drivers, each bound to a different port. When registering a device, you need to specify the port correctly in your client. The port shows when you edit the extension.
Interesting. I went back to using BOTH, restarted Asterisk and when I edit the extension, I still see 5060 in the Advanced tab for that extension. Is it what you meant:
Look in Settings/Asterisk SIP Settings
There you’ll see tabs for chan_sip and chan_pjsip. In those tabs you’ll see the ports used are defined.
For a given extension, the Port will initially be set to the port defined for that channel type. I do not think you want to ever manually change it.
Also, if one is changing these, the phone itself will not get the change automatically unless one is using the EPM and the phones are set to periodically check for config file updates. But I think one still has to rebuild the EPM config files too if changing the ports.
The conversion on the PBX will work fine, but the phone must also be reconfigured with the new port setting at the same time. If you allow the phone config to continue to attempt registration once the PBX is updated, then you can trigger firewall blocks and fail2ban bans.
As @dicko is usually quick to point out, 5060 and 5160 (or 5062) are the defaults, but certainly not “best practice” addresses.
There are a couple of ways to deal with the default SIP port. The first thing to remember is that the script-kiddies scan for 5060 and 5160 (or 5062) when looking for exploitable SIP gateways. We, as a community, recommend dealing with this in one of three ways. The first (and usually easiest) way is to set up your inbound firewall so that only authorized hosts (your SIP provider, for example) can connect to the SIP port. The second way to deal with this is to use encryption, either through TLS or VPN. The third is to use the Adapting Firewall that locks out sources that abuse the system.
As far as I’m concerned, there are no “wrong” answers, except for doing nothing. Since the distro comes with the Firewall turned on and installed, doing nothing is an active decision that can cause you all sorts of problems. Like other herd immunity, the more effort we take to lock these services down to authorized users, the less value scanning and exploiting the ports has and eventually the “sk” will just stop asking.
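Added example, not written by anyone in this thread: a small log triage script for the situation described above, where a phone left on the wrong port keeps retrying and risks a fail2ban ban while outside hosts probe the same ports. The log layout, the `192.168.1.0/24` trusted network, the sample lines and the threshold of 3 are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; the layout is an assumption modelled on Asterisk NOTICE entries.
SAMPLE_LOG = """\
[2020-03-01 10:00:01] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"101" <sip:101@192.168.1.10>' failed for '192.168.1.50:5060' (callid: a1) - No matching endpoint found
[2020-03-01 10:00:31] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"101" <sip:101@192.168.1.10>' failed for '192.168.1.50:5060' (callid: a2) - No matching endpoint found
[2020-03-01 10:01:01] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"101" <sip:101@192.168.1.10>' failed for '192.168.1.50:5060' (callid: a3) - No matching endpoint found
[2020-03-01 10:02:10] NOTICE[2101][C-00000004] chan_sip.c: Registration from '<sip:1000@198.51.100.20>' failed for '203.0.113.7:5071' - Wrong password
[2020-03-01 10:02:11] NOTICE[2101][C-00000005] chan_sip.c: Registration from '<sip:1001@198.51.100.20>' failed for '203.0.113.7:5071' - Wrong password
[2020-03-01 10:02:12] NOTICE[2101][C-00000006] chan_sip.c: Registration from '<sip:1002@198.51.100.20>' failed for '203.0.113.7:5071' - Wrong password
[2020-03-01 10:03:00] NOTICE[2101][C-00000007] chan_sip.c: Registration from '<sip:102@192.168.1.10>' failed for '192.168.1.60:5060' - Wrong password
[2020-03-01 10:03:05] VERBOSE[2101] pbx.c: Executing [s@macro-dial:1] NoOp
"""

# Captures the source file (which tells us the driver that received the request)
# and the remote IP. The port after the IP is the sender's source port, not ours.
FAILED = re.compile(
    r"NOTICE\[[^\]]*\](?:\[[^\]]*\])? (\S+): .*failed for '(\d{1,3}(?:\.\d{1,3}){3}):\d+'"
)

def classify(log_text, trusted_nets, threshold=3):
    """Group failed registrations by (source IP, receiving driver).

    trusted_nets and threshold are hypothetical parameters, not FreePBX settings.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            driver = "chan_pjsip" if "pjsip" in m.group(1) else "chan_sip"
            counts[(m.group(2), driver)] += 1
    report = {"trusted_source": [], "untrusted_source": []}
    for (ip, driver), n in sorted(counts.items()):
        if n < threshold:
            continue  # a single mistyped password is not worth flagging
        inside = any(ipaddress.ip_address(ip) in net for net in nets)
        report["trusted_source" if inside else "untrusted_source"].append((ip, driver, n))
    return report

if __name__ == "__main__":
    for kind, rows in classify(SAMPLE_LOG, ["192.168.1.0/24"]).items():
        for ip, driver, n in rows:
            print(f"{kind}: {ip} failed {n} times against {driver}")
```

A trusted address failing repeatedly against the driver its extension is not defined on points to a phone still configured with the other driver's port; fix the phone before it is banned.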