TIPS IncrediblePBX in the cloud, IP phones behind PfSense

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
First of all, I am not an expert at all.
My dream is to be able to use IncrediblePBX in the cloud instead of my current on site PBX.
I got the IncrediblePBX working on Vultr.
Now I have trouble connecting my 7 phones which are behind a PfSense firewall. I can connect just one phone when using Chan-SIP. The rest are blocked by the PfSense. I have played with the PfSense Firewall but no luck so far.
Does anybody have a similar setup? Any advice on how I can make it work? My phones are Yealink if that matters.
I have read somewhere PJSIP is better through a firewall than the Chan-SIP. I tried it and I get all phones connected but the Asterisk CLI shows the phones get connected in and out.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,148
Reaction score
1,236
I have a client with a Vultr server and pfSense firewall. I do NOT use PJSIP, as I am still not convinced it's ready for prime time. I would make sure to whitelist your public IP on the server, and then add your Vultr IP to the pfSense box. Does your pfSense box have a public IP on its WAN, and is there another router or firewall between it and the internet? FYI ... I've stopped using pfSense unless there is a real need for it and now use Ubiquiti ER-X for firewall / VPN / router. Pretty inexpensive, and easy to set up.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
I'm running a similar setup using Vultr and pfSense for home use with 10 IP phones in the house. I do remember having issues having phones connect through pfSense, so I went a more secure route and set up an OpenVPN tunnel between server and home. Although I run IPBX as the OpenVPN "Client" and pfSense as the "Server", it can be easily done in reverse. I did it this way as I already have OpenVPN configured for PC access to the house, as well as hosting a mail server in the cloud.
I've been running this way across multiple versions of IPBX now for at least 7 years or so.
My only downtime is when my home IP changes and the PBX has to wait for DNS records to update across the web to pick up the new association. I've never noticed it happen, but I'm sure it does.
NOTE: when I set this solution up I was on a cable modem where the IP rarely changed, it was nothing to go a year or more on the same IP. Now on fiber, the provider will change the IP at any PPPoE connection drop/change, so that can happen at almost anytime.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I do have a dual WAN pfSense box. Both of them have static IPs. I already have the OpenVPN server running on my pfSense. I will try to install the OpenVPN client on the Vultr IncrediblePBX and see if I can make it work this way. My only concern would be if the IncrediblePBX server on Vultr is somehow hacked, then my LAN will be exposed.

As a second thought: just adding the Vultr IP to the pfSense firewall for full access to the LAN would accomplish the same as using OpenVPN, except for the encryption provided by OpenVPN. I tried to avoid this route, thinking about the possibility of a hack on the IncrediblePBX in the cloud.

I know IncrediblePBX is very well secured and this is the reason I have been using it instead of just plain FreePBX.

I am a physician running my own IT for my practice. This is the reason I am concerned about the security of my LAN.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,148
Reaction score
1,236
I've never had a Vultr PBX hacked (not that it's not possible) - but lock them down tight, use a whitelist, and then whitelist your static WAN IPs. Since you're on Vultr, you can always disable SSH access, and if you want, disable HTTP for additional security; then you can go to the console on Vultr to re-enable whichever you need when you want. I'd then tell the pfSense to allow the PBX in ... if you want additional security on the pfSense, create a rule allowing 5060 (assuming 5060 SIP) and then ports 10,000-20,000 for the RTP traffic. Then even if your PBX got compromised, they could only hit you on port 5060, which will get them nowhere.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I've never had a Vultr PBX hacked (not that it's not possible) - but lock them down tight, use a whitelist, and then whitelist your static WAN IPs. Since you're on Vultr, you can always disable SSH access, and if you want, disable HTTP for additional security; then you can go to the console on Vultr to re-enable whichever you need when you want. I'd then tell the pfSense to allow the PBX in ... if you want additional security on the pfSense, create a rule allowing 5060 (assuming 5060 SIP) and then ports 10,000-20,000 for the RTP traffic. Then even if your PBX got compromised, they could only hit you on port 5060, which will get them nowhere.
Thank you for your suggestions. I like your ideas. I will work on those. My in-house PBX works really well; I will keep tinkering with the Vultr PBX. I like the idea of a PBX in the cloud because my internet providers are spotty, which is the reason I have a dual WAN.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
p.s. Hackers can't hack what they can't see. So long as the Travelin' Man 3 firewall is working, your server's IP address is completely hidden from public discovery. And I can't ever remember Vultr being down. For an extra dollar a month (on the $5 platform), you can enable automatic backups.

The simple way to test the firewall is to reboot your server. Then log in as root and issue the command: iptables -nL. Make sure all of the whitelisted entries appear rather than just a half dozen lines of rules. Run pbxstatus and make sure it shows IPtables and Fail2Ban UP. If so, sleep well.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
If I understand correctly, IncrediblePBX's built-in firewall will block any connection which is not on the whitelist, and this includes SSH connections, am I correct?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
If I understand correctly, IncrediblePBX's built-in firewall will block any connection which is not on the whitelist, and this includes SSH connections, am I correct?

Correct.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I followed http://nerdvittles.com/?p=28900 to install the client on my IncrediblePBX on Vultr.
The instructions do not enable the epel repo, and then the OpenVPN you get installed might end up being version 2.2.2. This was not a good client for me because my pfSense OpenVPN is 2.4.7. Odd thing is, sometimes even without the epel repo listed I got the newer client version installed. (Snapshots on Vultr are awesome.)
If you run yum repolist you will see the epel repository is not listed. To get the epel repo listed I used this:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -Uvh epel-release-6*.rpm
After this if you run yum repolist you will see epel listed.
Installing OpenVPN 2.4.7 allowed me to log in to my pfSense OpenVPN server.
I whitelisted my local LAN networks, including the OpenVPN private LAN.
For some reason I have to whitelist my IP in iptables and also in the fail2ban jail.conf.
I am able to connect 3 phones so far. Now I will have to do some real life testing next week.
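The two checks discussed in this thread, wardmundy's "look at iptables -nL after a reboot and make sure the whitelist entries are all there" and Eliad's finding that an address has to be whitelisted in iptables and in fail2ban's jail.conf, as an added shell example that is not from the thread, from IncrediblePBX or from Travelin' Man 3. It parses constructed sample output only; the addresses, networks and file contents are made up, and the iptables and jail.conf layouts are assumed to match the standard formats.

```shell
# Constructed sample of `iptables -nL` output; not captured from a real server.
IPTABLES_SAMPLE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  203.0.113.10         0.0.0.0/0
ACCEPT     all  --  198.51.100.22        0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
target     prot opt source               destination'
# Constructed sample of the ignoreip line from fail2ban jail.conf.
JAIL_SAMPLE='[DEFAULT]
ignoreip = 127.0.0.1/8 203.0.113.10 192.168.1.0/24'

# Number of INPUT-chain ACCEPT rules bound to a specific source address or
# network (the catch-all 0.0.0.0/0 rules are not whitelist entries).
count_whitelist_accepts() {
  printf '%s\n' "$1" | awk '
    /^Chain / { chain = $2 }
    chain == "INPUT" && $1 == "ACCEPT" && $4 != "0.0.0.0/0" { n++ }
    END { print n + 0 }'
}
# Exit 0 when $2 appears as an ACCEPT source in the INPUT chain of output $1.
in_iptables() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^Chain / { chain = $2 }
    chain == "INPUT" && $1 == "ACCEPT" && $4 == want { found = 1 }
    END { exit found ? 0 : 1 }'
}
# Exit 0 when $2 is listed on the ignoreip line of jail config $1.
in_fail2ban() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "ignoreip" { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
    END { exit found ? 0 : 1 }'
}
# Report one address; succeeds only when both layers whitelist it.
check_address() {
  ipt=no; f2b=no
  in_iptables "$IPTABLES_SAMPLE" "$1" && ipt=yes
  in_fail2ban "$JAIL_SAMPLE" "$1" && f2b=yes
  printf '%-16s iptables=%s fail2ban=%s\n' "$1" "$ipt" "$f2b"
  [ "$ipt" = yes ] && [ "$f2b" = yes ]
}
echo "whitelist ACCEPT rules: $(count_whitelist_accepts "$IPTABLES_SAMPLE")"
for a in 203.0.113.10 198.51.100.22 10.8.0.0/24; do
  check_address "$a" || echo "  -> $a can still be banned by fail2ban"
done
```

On a real server, replace the two constructed samples with `iptables -nL` output and the contents of the jail configuration; an address that passes iptables but is missing from ignoreip is exactly the case where fail2ban can still lock out a whitelisted phone.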
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
Actually, epel is on the server. It's just disabled by default.
 
