Zulu - External users


(Robert Gemmell) #1

Hi FreePBX community.

I have setup a new FreePBX running v15 with Zulu 3. I am wanting to buy additional licensing (i have two trial licenses) for Zulu but before I do I wanted to make sure I can get it all working 100%.
So far internally Zulu works perfectly however when trying to get the softphone on either Windows, iOS or Android connected it fails. But when I disable the FreePBX firewall it works fine. Of course i cant just disable the firewall without dire consequences so I need your advise on what I should be checking/changing on the firewall to get this working.

So far I have changed the Firewall under the services (extra services) section to allow Zulu UC on the Internet interface as well as Local and Other. What else should I change?
I have tried enabling other services one at a time but so far I haven’t had any luck. What am I missing?


(Lorne Gaetz) #2

What is the WebRTC service set to in Firewall? It should allow Local.


(Robert Gemmell) #3

Hi Lorne.
Thanks for the response.
Its currently set to Local only.


(Lorne Gaetz) #4

That’s odd. I don’t think it should be necessary, but for testing purposes is there any change if WebRTC includes Internet?


(Robert Gemmell) #5

Just tried but no luck, I managed to register my android phone using VPN but then after disconnecting the VPN the phone wont connect. Just says “cannot reach the server”
If a delete the account on my phone and try setup again i get a “Registration data is not valid”
If I scan the QR code then i get a message saying the QR code is invalid.


(Lorne Gaetz) #6

There is a blacklist in the firewall module, for completeness check to ensure your IP is not listed there, otherwise I’m stumped. This is a VERY common configuration, and I don’t know of any similar reports.


(Robert Gemmell) #7

Ok checked that but its empty.
Initially I thought our perimeter firewall might be at fault but everything works fine if I disable the FreePBX firewall.


(Robert Gemmell) #8

Here is the config under advanced but it all seems correct


(Lorne Gaetz) #9

Do you have any custom firewall rules defined?
If you add the IP you’re registering from to the networks tab as trusted, can you login?
If you change the interface zone to trusted instead of internet, are you able to login?


(Robert Gemmell) #10

No custom firewall rules except for a custom SNMP service.
I tried adding my phones IP as trusted but it didnt work.

Now the interface zone was set to Reject, i tried setting it to Internet but I was still unable to connect but changing it to Trusted I was finally able to connect.
Ill try create new interfaces for the various VLANs and a dedicated interface for external users and see how that changes things.


(Lorne Gaetz) #11

This is the issue. The zone you set for the interface is the default zone for all incoming IP traffic on that interface. By setting it to reject you are saying don’t allow any inbound traffic on this interface. Trusted is also a misconfiguration, you want either Local (only if there is zero chance of untrusted inbound traffic) or Internet.


(Robert Gemmell) #12

Ok awesome. Thank you very much.
I will reconfigure additional interfaces and assign them accordingly. I will advise shortly if i have further issues.
Thanks again.


(Lorne Gaetz) #13

Recent thread here linking a video and discussing zones for interfaces: Open Source Pro Tips #2 - Firewall Basics


(Robert Gemmell) #14

Hi Lorne

I have a lot to do in terms of creating dedicated internal only and internet facing interfaces but your help yesterday and the video you shared which I had somehow missed watching (i had watched most of the others) was phenomenal and only reinforces my faith in FreePBX and Sangoma.

With it set to Internet, while i plan additional interfaces, is working a charm.

Thanks again, its greatly appreciated.


(system) closed #15

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.