TIPS Remote Users and dynamic IPs

brianpbxnoob

Hey Everyone!

Brand new here to PIAF and very excited that our company finally has its own phone service. I just set up a new Wable VPS and installed Incredible PBX for CentOS on it and got it all configured with my Flowroute DID yesterday. There were certainly some bumps in the road, but having a PBX server for $8 a month is amazing!

One issue I am running into though is the IPTables setup. I let it alone as it comes in the install (mostly because I wouldn't have the first clue about modifying any files for it) and ended up having to add IPs to the whitelist to get my colleagues able to register their softphones with the server. It is finally working properly but the whitelist brings up a concerning issue.

We are a telecommute company. Our employees and contractors all work from home and use the PBX system to make and receive calls from the company line. We have some pretty high turnover with our salespeople and having to add and remove their IPs to give them access to the phones looks to be a pretty time-consuming task in the future. I am also concerned that many of them are not going to have a static IP address from their ISP, so I could wake up one morning with 20 emails from frantic salespeople whose phones are suddenly not working.

Is there a way to allow for dynamic IP addresses? Or to identify machines by MAC address or something that is static with their equipment?

Thanks so much for your input in advance. Please let me know any information I should supply to help you in helping me. This forum has already helped me so much and I am so excited to be a part of such a great community.
 

brianpbxnoob

I tried this command: service iptables stop, and then when I check the status I see the red DN notification next to IPTABLES, but after a while when I check the status again it has restarted. Any way that I can get around this?
 

Bill Dengler

> I tried this command: service iptables stop, and then when I check the status I see the red DN notification next to IPTABLES, but after a while when I check the status again it has restarted. Any way that I can get around this?

Try this (I've used this config on several systems, your mileage may vary) - log into your system as root, and run:
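Code:
# keep a copy of Ward's default rules so they can be restored later
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.ward
# flush every rule in the running filter table
iptables -F
# save the now-empty ruleset so it is what loads on restart
iptables-save > /etc/sysconfig/iptables
service iptables restart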
 

brianpbxnoob

What does this do?

iptables -F flushes the settings, right? So that will prevent remote users from being able to register because they will no longer be on the whitelist.
 

Bill Dengler

> What does this do?

Disables Ward's default iptables config. If you ever want to bring it back, just do

Code:
rm /etc/sysconfig/iptables
mv /etc/sysconfig/iptables.ward /etc/sysconfig/iptables
# iptables-restore reads the ruleset from standard input
iptables-restore < /etc/sysconfig/iptables
 

brianpbxnoob

Would it be safer to add VPN capability? That way people could sign in and then register their softphone? Would that keep the system secure and then also allow access to remote users?
 

frederic

VPN works very well for wired devices whether it be a plethora of SIP phones or a remote and trunked PBX. All I do is provide my customer with a VPN-capable appliance type router configured to backhaul to my VPN service, and then plug their phones into that router, maybe through a switch if they need more than four ports. The phones then appear on my phone network and can see the PBX they're supposed to see and the PBX doesn't have public internet access.

As long as the customer has decent bandwidth, this works fine. If their connection is flaky, then the VPN will time out and retry which sometimes takes 30-60 seconds depending on the situation. No dial tone on the customer end is bad.
 

brianpbxnoob

A few details on the goals of my PBX system may help. The PBX system is only used by a small number of folks at this point. There is myself, my business partner, and a few cold calling appointment setters. So everyone works from home and they all supply their own hardware (PC, Internet, headset etc). I would not be sending out any sort of equipment to them. Can I simply direct them to download a VPN client on their machine so that their softphone can register with the PBX? Or is it really just easier to disable iptables during the day and turn it back on at close of business?
 

brianpbxnoob

Oh, and I am running PuTTY on my home machine that is running Linux Mint... any possible way to copy and paste into the PuTTY terminal? It would make me feel a lot better about typos and also be much faster. I just can't seem to figure it out.
 

brianpbxnoob

Following other links I get errors as well. Trying to run this command here:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

I get Error Downloading Packages:
pam-devel-1.1.1-20.e16.....failure No More Mirrors to try
 

brianpbxnoob

So something that I did while trying to work on this stuff actually flushed out the iptables before I copied it to iptables.ward, so now when I try your method I get the message: cannot stat '/etc/sysconfig/iptables': no such file or directory hahaha
 

brianpbxnoob

And now I can't even call my DID. My cell phone just hangs up, so I am guessing something is totally screwed up.
 

jerrm

Running a server in the wild with no firewalling is guaranteed trouble.

For a dozen or so users, something like the Travelin' Man should be fine: http://pbxinaflash.com/community/index.php?resources/travelin-man-4.41/

I would use the DynDNS client approach of version 3. Setup should be a one-time thing per employee. Version 4 adds the capability for users to call into an IVR and enter their IP address.

Disclaimer - I've never used the Travelin Man scripts, but have used essentially the same approach with my own scripts on various firewalls for 10+ years.
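
The DynDNS-client approach mentioned above, shown as an added example (it is not part of any post in this thread and is not the Travelin' Man scripts): each remote user runs a dynamic-DNS client, and the server periodically resolves their hostnames and rebuilds one dedicated whitelist chain. The chain name `WHITELIST_DYN`, the host-list file and the `--apply` switch are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: rebuild one whitelist chain from dynamic-DNS hostnames.
# Assumed names (not from the thread): chain WHITELIST_DYN, the host-list
# file, and a jump to the chain placed before the ruleset's final DROP.
CHAIN="WHITELIST_DYN"

# Resolve a hostname to IPv4 addresses, one per line (glibc getent assumed).
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Accept only dotted quads with octets 0-255, so nothing else reaches a rule.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    v4_ifs=$IFS; IFS=.
    set -- $1
    IFS=$v4_ifs
    [ "$#" -eq 4 ] || return 1
    for v4_octet in "$@"; do
        [ "${#v4_octet}" -le 3 ] && [ "$v4_octet" -le 255 ] || return 1
    done
    return 0
}

# Read hostnames on stdin, print iptables-restore input for the chain.
# A name that no longer resolves gets no rule, so stale access fails closed.
build_ruleset() {
    echo "*filter"
    echo ":$CHAIN - [0:0]"
    while read -r host; do
        case "$host" in
            ''|'#'*|-*|*[!A-Za-z0-9.-]*) continue ;;
        esac
        for ip in $(resolve_host "$host"); do
            if valid_ipv4 "$ip"; then
                echo "-A $CHAIN -s $ip/32 -j ACCEPT"
            fi
        done
    done
    echo "COMMIT"
}

# With --noflush, only the chain declared above is flushed and refilled;
# the rest of the running ruleset is left untouched.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset < "$2" | iptables-restore --noflush
fi
```

Run from cron every few minutes with `--apply` and the path to the host list; removing a departed employee's hostname from the list removes their access on the next run.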
 

krzykat

You're going down a very slippery place leaving your server open without IPtables.

You mentioned Wable, so make sure your DNS is set up properly. From your server, just issue a simple DNS check like ping google.com and see what happens. My guess is that it isn't set up, so you'll need to look up where Ward detailed what to do on Wable for the DNS fix.
 

rchalk

I am using Travelin Man 3 on a rentpbx server, with 8 remote offices, and about 15-20 other remote users. Be careful with the install, following Ward's instructions exactly, and you should be good to go.

One word of caution - Ward's configuration sets two port numbers for SSH, and RentPBX uses a different one, so make sure you modify the line to include your specific port. Everything else should work by default.
 
