SOLVED PBX Behind Pfsense Takes Long Time To Load GUI

lwalker

New Member
Joined
Apr 19, 2009
Messages
3
Reaction score
0
We have been using PBXinaFlash with 2 network cards for a while now, one on the outside world and one on our LAN. We know that even with Fail2Ban this is risky and the correct way is to have one NIC and place PBXinaFlash behind a firewall and open up ports as needed.

We are trying to install a test box behind a PFSense firewall now. We opened up the following ports in PFSense from the PBXinaFlash docs:

TCP 80 - HTTP
TCP 9080 - Duplicate HTTP
TCP 22 - SSH
TCP 9022 - Duplicate SSH
TCP 9001 - WebMin
UDP 10000-20000 - RTP
UDP 5004-5082 - SIP
UDP 4569 - IAX2
UDP 2727 - Media Gateway

The problem we are seeing is that it takes a few mins to get to the PBXinaFlash main GUI menu when you try to access the box from the real world IP. We also notice after it finally comes up that when we slide the bar over to admin that webmin is missing from the bottom menu. If we go to the LAN IP address of the PBX (from another computer on the same LAN), the main GUI menu comes up quickly and after we slide over to admin mode, webmin is there.

It's like webmin is timing out... any ideas?

Lee
 

Snapdragon

New Member
Joined
Jul 29, 2008
Messages
92
Reaction score
1
I believe the main GUI loads an RSS feed down the side as well, so you might be hanging up on the firewall with it trying to retrieve the feed and being blocked.
 

edisoninfo

Guru
Joined
Nov 19, 2007
Messages
505
Reaction score
4
Long delays almost always point to DNS issues. Make sure the configuration on the network card has a valid DNS server listed.
 

lwalker

New Member
Joined
Apr 19, 2009
Messages
3
Reaction score
0
Thanks for your replies.

We checked DNS, that's not it. The funny thing is that you can bypass the main GUI screen and go directly without delay to the FreePBX URL of:

http://publicip/menu.php?id=admin

Maybe it has something to do with PFSense & Webmin, we haven't tried it behind another firewall.

Once again, Webmin doesn't show up on the main GUI menu after waiting the 1-2 min delay. But Webmin does show up on the main GUI menu if you go to the local LAN IP address.
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
Could be your server name: pbx.local? It could be trying to authenticate the name against DNS as pbx.local.<domain name>.com and if it isn't recorded then it will take a long time.
 

lwalker

New Member
Joined
Apr 19, 2009
Messages
3
Reaction score
0
We are still having this problem behind our pfsense BSD firewall.

We tried a DD-WRT firewall and the entire main menu came right now with no delay.

It really looks like a pfsense problem with webmin.
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
I'm running Ubuntu as my desktop computer and couldn't connect to Webmin on a new install from my PiaF server. It looked like Webmin wasn't running. I was sure that it was a PiaF problem until I tried:

1. On the PiaF server
- ps -ax showed that miniserv was running (that's Webmin's server)
- telnet 127.0.0.1 9001, then typed get and got an HTTP error message; miniserv is responding on port 9001 on the loopback interface, that's good
- telnet 192.168.20.103 9001, then typed get and got another HTTP error message, which is good because miniserv is responding on eth0 also.

That indicated that it was NOT a PiaF server problem

From my Ubuntu desktop:
- telnet 192.168.20.103 9001 timed out. Indicates that Ubuntu is not talking to the PiaF server on port 9001
- checked syslog, kern.log and both indicated that port 9001 was being dropped on communications to 192.168.20.103
- Checked the firewall on Ubuntu: guarddog (great GUI for UFW and IPtables) and it was blocking port 9001. No matter how I tried to allow port 9001, it remained blocked. And packets dropped.
- Finally shut the firewall off and then I could connect to Webmin.

Only took 1 week to figure out! BTW FreePBX always worked fine.
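
The three checks from the post above (loopback, the server's LAN address, then the client that cannot connect), as an added script that is not part of the original thread. The function names, the 3-second timeout and the verdict strings are assumptions; in the post the port was 9001 and the server was 192.168.20.103.

```shell
#!/bin/sh
# Added example: classify one TCP connection attempt, then combine the results
# from three vantage points to say where the traffic is being lost.

# probe HOST PORT -> prints open | refused | dropped
probe() {
    rc=0
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;      # handshake completed: something is listening
        124) echo dropped ;;   # no reply within 3 s: the packets are being discarded
        *)   echo refused ;;   # immediate failure: host answered, port closed
    esac
}

# localize LOOPBACK LAN REMOTE
# LOOPBACK and LAN are probe results taken on the server itself,
# REMOTE is the probe result taken on the client that cannot connect.
localize() {
    if [ "$1" != open ]; then
        echo "service: nothing is answering on the server itself"
    elif [ "$2" != open ]; then
        echo "server: service or host firewall is limiting it to loopback"
    elif [ "$3" = dropped ]; then
        echo "filter: a firewall on the client or in the path is dropping the port"
    elif [ "$3" = refused ]; then
        echo "filter: something on the client or in the path is rejecting the port"
    else
        echo "ok: reachable from all three vantage points"
    fi
}

# Usage: sh portcheck.sh HOST PORT   (the script name is an assumption)
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

The case in the post corresponds to `localize open open dropped`: the server answers on both of its own addresses, so the loss is on the client or in between.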
 

macspengo

New Member
Joined
Aug 13, 2008
Messages
11
Reaction score
0
I am having this same problem. I have reinstalled, triple checked DNS and all kinds of stuff. If I am internal it takes forever to load. Coming in on the WAN takes forever to load. I noticed after one of the reinstalls (there have been many), before I updated scripts and fixes, the site loaded internally really fast. But no matter what, the WAN access takes up to five minutes to load the Main Menu. I am using IP addresses to communicate, so DNS should not have a role in the problem. Any suggestions on a cure are greatly appreciated.
 

Bitnetix

Guru
Joined
May 21, 2009
Messages
323
Reaction score
0
Let me see if I got this right:

You're on LAN segment A. Your PIAF box is on LAN segment A as well. Your firewall is on WAN segment B. So you're trying to go from desktop (LAN) to firewall (WAN) to have it come back in to LAN to get to PIAF server?

I'm guessing your firewall isn't smart enough to know that internal addresses are allowed to get through from the WAN even though they came from the LAN. This is a guess, and I know nothing about PFsense, but this is a common thing to have happen with some router software distros.
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
I use a PfSense router setup here as well, and nothing has been set up for Piaf and I do not get this pause.

WAN is on interface 1, LAN on interface 2, and wireless on interface 3; all see and work with each other.
 

macspengo

New Member
Joined
Aug 13, 2008
Messages
11
Reaction score
0
I have still not been able to find a workaround for this. I have reinstalled and everything. Even if I access from internal LAN it still takes about 1 min. 15 seconds to load. If I come in over the WAN, I might as well get a cup of coffee. But if I go to
http://<serverip>/admin
it comes right up asking me for my login information. Does anyone have any other ideas? This is driving me and my employees crazy.
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
something is not DNS resolving in your menu - most likely it's webmin, check your /etc/resolv.conf for your nameservers.....
 

vbhoj74

New Member
Joined
Jan 20, 2010
Messages
23
Reaction score
0
I just installed pfsense with PiaF behind it, and I have the same problem as macspengo. I checked the resolv.conf for nameservers and it seems fine.

@macspengo: can you share your pfsense setup for PiAF? Are you using siproxd? I have audio issues with remote SIP clients.

EDIT: The advanced outbound NAT static port setting seems to have fixed the issue for me.
 

dswartz

Guru
Joined
Feb 17, 2009
Messages
1,056
Reaction score
0
glad the static port fixed it!

> I just installed pfsense with PiaF behind it, and I have the same problem as macspengo. I checked the resolv.conf for nameservers and it seems fine.
>
> @macspengo: can you share your pfsense setup for PiAF? Are you using siproxd? I have audio issues with remote SIP clients.
>
> EDIT: The advanced outbound NAT static port setting seems to have fixed the issue for me.

this should almost be a sticky here - i can't count how many people (myself included) have had that issue using pfsense. i love the firewall software, but that particular default is not a good one.
 

daniel..

Member
Joined
May 31, 2008
Messages
54
Reaction score
0
Setting static ports for outbound traffic also solved all my issues after moving to pfsense.

Instructions:

After forwarding the necessary ports under NAT, you need to enable static ports for the outbound traffic.
Firewall -> NAT -> Outbound
Switch to manual outbound NAT rule generation and modify the record it creates for you: near the bottom of the page, under translation, enable "static-port".


This was already mentioned here:

http://pbxinaflash.com/community/threads/pass-did-from-one-asterisk-to-another.7900/#post-48137

Pfsense is a great firewall and makes a very good piaf companion after making this change.
 

dswartz

Guru
Joined
Feb 17, 2009
Messages
1,056
Reaction score
0
One compromise that is possible: if you really do not like not allowing pfsense to rewrite outbound ports, consider that the great majority of outbound traffic is TCP, not UDP. You can add a 2nd NAT rule that only applies to UDP, make it the first rule, enable static ports for it, and leave the 2nd (default) rule with static port off.
 

jpe

Member
Joined
Nov 14, 2007
Messages
149
Reaction score
0
I had that problem and another a while ago, couldn't figure it out, and went with Untangle. Missed the memo about the static port.
 

lakecoder

Guru
Joined
Jan 13, 2010
Messages
52
Reaction score
3
@dswartz:

Would you be so kind as to flesh out a bit more what the NAT rules would look like?

It sounds like you would still set the NAT rule generation to "Manual" but then what would the rule(s) look like? I did not see an option to choose UDP protocol when creating a new "Firewall: NAT: Outbound: Edit" rule...

Thanks!
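
What the UDP-only compromise described earlier in the thread could look like, written in pf.conf syntax (pf is the packet filter pfSense is built on) and checked with a small first-match model. This is an added example, not configuration taken from the thread or from a pfSense box; the interface em0, the subnet 192.168.1.0/24 and the function name are assumptions, and the model matches on protocol only.

```shell
#!/bin/sh
# Added example: simplified first-match model of pf "nat" rules.
# It looks at the protocol only; interface and address matching are ignored.

# Constructed ruleset: UDP keeps its source port, everything else is rewritten.
RULES_UDP_FIRST='nat on em0 proto udp from 192.168.1.0/24 to any -> (em0) static-port
nat on em0 from 192.168.1.0/24 to any -> (em0)'

# Same two rules in the wrong order: the catch-all rule shadows the UDP rule.
RULES_DEFAULT_FIRST='nat on em0 from 192.168.1.0/24 to any -> (em0)
nat on em0 proto udp from 192.168.1.0/24 to any -> (em0) static-port'

# first_nat_match RULES PROTO
# Prints "static-port" if the first nat rule matching PROTO keeps the source
# port, "rewritten" if it does not, and "no-nat" if no nat rule matches.
first_nat_match() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "nat" { next }
        {
            proto = "any"
            for (i = 1; i < NF; i++) if ($i == "proto") proto = $(i + 1)
            if (proto != "any" && proto != want) next
            verdict = ($NF == "static-port") ? "static-port" : "rewritten"
            print verdict
            found = 1
            exit            # translation rules are first-match: stop here
        }
        END { if (!found) print "no-nat" }'
}

for proto in udp tcp; do
    echo "UDP rule first,     $proto: $(first_nat_match "$RULES_UDP_FIRST" "$proto")"
    echo "default rule first, $proto: $(first_nat_match "$RULES_DEFAULT_FIRST" "$proto")"
done
```

With the UDP rule first, SIP, RTP and IAX2 keep their source ports while TCP is still rewritten; with the order reversed the static-port rule is never reached.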
 
Joined
Feb 4, 2008
Messages
50
Reaction score
2
Same problem - Sonic Wall

Just started an install with a customer who has a Sonicwall, I'm getting the same thing (drove me nuts until I figured it out).

There's no way I can get this customer off the sonicwall, hope this isn't the death of me.
 
