QUESTION Recommended firewall OS for PBX in the cloud

Eliad

Member
Joined
Aug 13, 2017
Messages
171
Reaction score
24
What firewall OS works well with a PBX in the cloud and IP phones behind the firewall?
pfSense, I can attest, is not friendly to this setup. I am done trying to make pfSense work.
MikroTik was recommended somewhere, but I have read some not-so-good news about their security.
 

krzykat

Guru
Joined
Aug 2, 2008
Messages
1,541
Reaction score
415
Location
South Florida
I have used pfSense successfully, but lately my go-to router / firewall is the Ubiquiti EdgeRouter. The ERx is priced perfectly and is very feature rich.
 

Eliad

> I have used pfSense successfully, but lately my go-to router / firewall is the Ubiquiti EdgeRouter. The ERx is priced perfectly and is very feature rich.

I had no luck with pfSense. Did you use siproxd or did it just work? I have 8 phones and I can get them to connect reliably to an iPBX on Vultr.
I am tinkering with OPNsense (a fork of pfSense); perhaps this one will work. I will report on this project's outcome. I have one of those fanless Intel x86 4-LAN boxes, and for this reason I am looking for an x86 router OS solution.
In case this fails, I looked up Ubiquiti EdgeRouters, and the EdgeRouter 4 seems to fit the bill (I need 2-WAN failover and OpenVPN). I saw dual WAN is an option for the ERx, but I am not sure about OpenVPN.
 

krzykat

I worked with and without siproxd ... my clients were behind the pfSense, while I was in the cloud. Pretty certain the ERx works with OpenVPN; a quick Google on their site should show you.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
649
Reaction score
237
So, am I right? Everything you guys are seeing and trying to protect against are attempts against UDP/5060?

If so, why don't you just stop even thinking about needing that dumb-ass vector or anything even close being a thing?

(This has been my confusion for more than ten years; it's a trivial fix, yet nobody seems to understand the simplicity of the fix and its effectiveness.)
 

krzykat

> So, am I right? Everything you guys are seeing and trying to protect against are attempts against UDP/5060?
>
> If so, why don't you just stop even thinking about needing that dumb-ass vector being a thing?
>
> (This has been my confusion for more than ten years; it's a trivial fix, yet nobody seems to understand the simplicity of the fix and its effectiveness.)

I use a whitelist, so no issues for me, but otherwise, and even with one, sure, changing the port is a no-brainer. Likewise, allowing registration only by FQDN is as well. I think the more keys you put in place, the better off you are. For example, I also limit user-agent names.
 

dicko

You really don't need a whitelist; all your clients can register to a random port above 20001 and below (safely) 60000 that you decide, and that is the port your SIP server (whatever you decide: chan_pjsip or chan_sip if Asterisk, Sofia if FreeSWITCH) is listening on.

Sure, add domain=blah in Asterisk, but I'm pretty sure that your noise will be pretty well gone. Seriously, just try it :cool:
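
The layers discussed in this thread (source whitelist, registration by FQDN only, limited user-agent names) can be read as independent checks on each REGISTER. The following is an added example, not code from any poster or from Asterisk; the domain, address range, user-agent prefixes and sample messages are constructed assumptions.

```python
import ipaddress
import re

# Assumed policy (constructed values, not from the thread).
ALLOWED_DOMAIN = "pbx.example.com"                          # FQDN phones register to
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # office WAN range
ALLOWED_UA_PREFIXES = ("Yealink", "Grandstream")            # phone models in use

def parse_sip(raw):
    """Return (method, request-URI host, headers) for a SIP request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, uri, _version = lines[0].split(" ", 2)   # ValueError if malformed
    m = re.match(r"sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;>]+)", uri, re.I)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), (m.group(1).lower() if m else ""), headers

def check_register(raw, src_ip):
    """Return the layers a REGISTER fails; an empty list means accept."""
    try:
        method, host, headers = parse_sip(raw)
    except ValueError:
        return ["malformed"]
    if method != "REGISTER":
        return ["not-register"]
    failed = []
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_SOURCES):
        failed.append("source")
    if host != ALLOWED_DOMAIN:       # a request addressed to the bare IP fails here
        failed.append("domain")
    if not headers.get("user-agent", "").startswith(ALLOWED_UA_PREFIXES):
        failed.append("user-agent")
    return failed

# Constructed sample requests.
PHONE = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
         "Via: SIP/2.0/UDP 203.0.113.10:5062;branch=z9hG4bK1\r\n"
         "User-Agent: Yealink SIP-T46S 66.84.0.15\r\n\r\n")
PROBE = ("REGISTER sip:198.51.100.7 SIP/2.0\r\n"
         "User-Agent: scanner-ua\r\n\r\n")

if __name__ == "__main__":
    print(check_register(PHONE, "203.0.113.10"))   # accepted
    print(check_register(PROBE, "198.51.100.99"))  # fails every layer
```

The listening-port change is a transport setting on the SIP server rather than a per-request check, so it is not modelled here.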
 
