Using DDNS to allow traffic through the firewall

We have several remote offices that have remote phones. When we open a remote location we have to add the location’s WAN IP to the PBX firewall. When that IP changes those phones go offline and we have to update the IP address in the firewall. Is there a way to use a DDNS like DuckDNS.org to update the firewall when the IP address changes?

I know we could use VPN with the Sangoma phones, but that doesn’t work well for our situation. Our offices are several hours away and we have had issues with the VPN in the past that required us to drive to each office to fix the issue. We ditched VPN at that point.

That’s going to depend on your firewall, since it will have to do DNS lookups against the FQDN you put in there. So if you want to use office2.duckdns.org and put that in the firewall, the firewall needs to know what office2.duckdns.org resolves to. With iptables, it does the lookup when iptables is started, and that is it. If the A record for that domain is changed, iptables will continue to resolve it to the IP from the initial lookup.
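To make the point above concrete, here is an added example (not code from this thread, from FreePBX or from Sangoma) of the mechanism a firewall needs in order to follow a dynamic DNS name: a cron-driven script that re-resolves the hostname, validates the answer, and swaps the address in an ipset that one fixed iptables rule matches on, so the rule itself never has to be re-inserted. The hostnames, the set name "ddns-allow", the state directory and the SIP port are all assumptions; the check that the resolved address is a public unicast address is there because a DDNS record suddenly pointing at loopback or RFC 1918 space is a broken or tampered record, not a branch office.

```shell
#!/bin/sh
# ddns-allow.sh: re-resolve a dynamic-DNS hostname on a schedule and keep the
# resolved IPv4 address in an ipset that a single iptables rule matches on.
# Added example for this thread, not FreePBX/Sangoma code. Hostnames, the set
# name "ddns-allow", the state directory and the SIP port are assumptions.
# Run as:  ddns-allow.sh run office2.duckdns.org office3.duckdns.org
set -u

SET_NAME=${DDNS_SET_NAME:-ddns-allow}
STATE_DIR=${DDNS_STATE_DIR:-/var/lib/ddns-allow}
SIP_PORT=${DDNS_SIP_PORT:-5060}

# Strict dotted-quad check: four decimal octets, each 0-255, nothing else.
# Never splice an unvalidated resolver answer into an iptables/ipset command.
is_ipv4() {
  case $1 in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
  esac
  addr=$1 n=0
  while [ -n "$addr" ]; do
    octet=${addr%%.*}
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    [ "$addr" = "$octet" ] && break
    addr=${addr#*.}
  done
  [ "$n" -eq 4 ]
}

# A branch WAN address can only be a public unicast address; a DDNS record
# pointing at loopback, RFC 1918 space or multicast must not be allowed in.
is_public_v4() {
  is_ipv4 "$1" || return 1
  case $1 in
    0.*|10.*|127.*|169.254.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
      return 1 ;;
  esac
  [ "${1%%.*}" -lt 224 ]
}

# First IPv4 A record for a hostname (system resolver, falling back to dig).
resolve_a_record() {
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
  else
    dig +short "$1" A 2>/dev/null | awk 'NR == 1'
  fi
}

# Swap $1 (previous address, may be empty) for $2 in the ipset. Because the
# iptables rule references the set, the rule itself never has to change.
apply_allow() {
  ipset -exist create "$SET_NAME" hash:ip
  ipset -exist add "$SET_NAME" "$2"
  [ -n "$1" ] && ipset -exist del "$SET_NAME" "$1"
  return 0
}

# Resolve $1, compare with the address last applied (kept in file $2), and
# update the set only when the record has changed. Prints one status line.
sync_allowed_ip() {
  host=$1 state=$2 old=""
  new=$(resolve_a_record "$host") || new=""
  if ! is_public_v4 "$new"; then
    echo "error $host resolved to '${new:-nothing}', rule left unchanged"
    return 1
  fi
  [ -r "$state" ] && old=$(cat "$state")
  if [ "$new" = "$old" ]; then
    echo "unchanged $host $new"
    return 0
  fi
  apply_allow "$old" "$new"
  printf '%s\n' "$new" > "$state"
  echo "updated $host ${old:-none} -> $new"
}

main() {
  mkdir -p "$STATE_DIR"
  ipset -exist create "$SET_NAME" hash:ip
  # One rule, added once; RTP and SIP/TLS ports would get the same treatment.
  iptables -C INPUT -p udp --dport "$SIP_PORT" -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null ||
    iptables -I INPUT -p udp --dport "$SIP_PORT" -m set --match-set "$SET_NAME" src -j ACCEPT
  for h in "$@"; do
    sync_allowed_ip "$h" "$STATE_DIR/$h" || echo "warning: $h not updated" >&2
  done
}

case ${1:-} in
  run) shift; main "$@" ;;
esac
```

Scheduling it from root's crontab every few minutes (for example `*/5 * * * * /usr/local/sbin/ddns-allow.sh run office2.duckdns.org`, path and interval assumed) gives roughly that much downtime after an address change, which is the inherent cost of the DDNS approach; the script deliberately leaves the old address in place when the lookup fails or returns nonsense, so a resolver outage or a hijacked record does not open the firewall to an arbitrary address.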

Are these remote locations other offices or employee home locations? Because if these are other offices, get static IPs for them. It’s worth the cost vs setting up an entire structure to handle dynamic IPs.

Another thing to consider: by basing it on an FQDN, if someone manages to spoof that, they can look like they are coming from that domain and get their IP added to your firewall, which would then give them access to your network.

If you are using the FreePBX Distro, the built-in firewall will monitor dynamic DNS automatically. The instructions on the Networks tab say: “You may also enter hostnames here (including Dynamic DNS hosts), which will be automatically monitored and updated.”

However, DuckDNS or similar would be near the bottom of my list of solutions.

First, consider setting up a routed VPN at each branch that connects to headquarters. This is useful for file sharing, centralized back-end and many other things unrelated to phones. With luck, the existing routers/firewalls have this capability built in. Once set up, all phones are effectively on the HQ LAN and can connect to FreePBX directly.

Assuming that the branch has internet connectivity, just connect to a PC there with TeamViewer or similar, so you can access their router and fix the problem.

If branch-wide VPN is not feasible, try the Responsive Firewall, which will likely do the job automatically.

Next, if you need dynamic DNS, your domain registrar likely offers this service at no extra cost. Popular ones such as Google, GoDaddy and NameCheap all have dynamic DNS.

If you must use a separate dynamic DNS provider, choose a reputable paid one. You don’t want your business depending on a free service with no support.

When / how often do these addresses change? What kind of internet service (fiber, cable, DSL, 4G, etc.)? There may be ways to greatly reduce the frequency of changes, or force them to occur at night when the office is unoccupied.

Thanks for the feedback. I am using the FreePBX Distro and the built-in Firewall. I’ll try working with that and a reputable DDNS service to see if that works.
