SUGGESTIONS Recommended firewall OS for PBX in the cloud

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
What firewall OS works well with a PBX in the cloud and IP phones behind the firewall?
PFsense, I can attest, is not friendly to this setup. I am done trying to make PFSense work.
MikroTik was recommended somewhere, but I have read some not-so-good news about their security.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
I have used PFsense successfully, but lately my go-to router/firewall is the Ubiquiti EdgeRouter. The ERx is priced perfectly and is very feature-rich.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
> I have used PFsense successfully, but lately my go-to router/firewall is the Ubiquiti EdgeRouter. The ERx is priced perfectly and is very feature-rich.
I had no luck with PFsense. Did you use siproxd or did it just work? I have 8 phones and I can get them to connect reliably to an iPBX on Vultr.
I am tinkering with OPNsense (a fork of PFsense); perhaps this one will work. I will report on the outcome of this project. I have one of those fanless Intel x86 4-LAN boxes, and for this reason I am looking for an x86 router OS solution.
In case this fails, I looked up Ubiquiti EdgeRouters and the EdgeRouter 4 seems to fit the bill (I need 2-WAN failover and OpenVPN). I saw dual WAN is an option for the ERx, but I am not sure about the OpenVPN.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
I worked with and without siproxd... my clients were behind the pfSense while I was in the cloud. Pretty certain the ERx works with OpenVPN; a quick Google on their site should show you.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
So, am I right? Everything you guys are seeing and trying to protect against are attempts against UDP/5060?

If so, why don't you just stop even thinking about needing that dumb-ass vector, or anything even close, being a thing?

(This has been my confusion for more than ten years; it's a trivial fix, yet nobody seems to understand the simplicity of the fix and its effectiveness.)
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
> So, am I right? Everything you guys are seeing and trying to protect against are attempts against UDP/5060?
>
> If so, why don't you just stop even thinking about needing that dumb-ass vector being a thing?
>
> (This has been my confusion for more than ten years; it's a trivial fix, yet nobody seems to understand the simplicity of the fix and its effectiveness.)

I use a whitelist, so no issues for me, but otherwise, and even with one, sure, changing the port is a no-brainer. Likewise, allowing registration only by FQDN is as well. I think the more keys you put in place, the better off you are. For example, I also limit user-agent names.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
You really don't need a whitelist. All your clients can register to a random port above 20001 and (safely) below 60000 that you decide, and that is the port your SIP server (whatever you decide: chan_pjsip or chan_sip if Asterisk, Sofia if FreeSWITCH) is listening on.

Sure, add domain=blah in Asterisk, but I'm pretty sure that your noise will be pretty well gone. Seriously, just try it :cool:
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
Update on my quest to find a friendly firewall for a PBX in the cloud.

The Ubiquiti EdgeRouter 4 works very well. For the PBX in the cloud I did not have to make any special setup; it just works.
It is powerful enough to run OpenVPN well too. The only issue is that the OpenVPN server setup is in CLI mode and it can be a bit tricky. Ubiquiti has written up instructions for OpenVPN.

I gave up on PFSense. Now I am trying OPNsense; it looks promising, although at the time of this writing it is not yet working. The forum for OPNsense is much friendlier than the PFSense one.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
I have a Ubiquiti EdgeRouter at home which I got secondhand. It handles everything I have thrown at it, including custom DHCP configs for Cisco phones, IPv6 prefix distribution, VPNs, and custom DNS. I switched in BIND instead of dnsmasq. I disabled SIP ALG in favor of Asterisk's NAT handling (of course). Works great.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
For what it's worth, a MikroTik sized to suit will get you more than happy for very few bucks.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
> I have a Ubiquiti EdgeRouter at home which I got secondhand. It handles everything I have thrown at it, including custom DHCP configs for Cisco phones, IPv6 prefix distribution, VPNs, and custom DNS. I switched in BIND instead of dnsmasq. I disabled SIP ALG in favor of Asterisk's NAT handling (of course). Works great.
Your post reminded me to turn off the SIP ALG. This is one feature whose existence I don't quite understand; it is supposed to help with SIP but instead makes things worse. Go figure.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
> For what it's worth, a MikroTik sized to suit will get you more than happy for very few bucks.
I looked at MikroTik and I read about their issues with security. Apparently a couple of years ago there was a very significant and well-known security issue, and it took them more than a year to patch it. It turned me off; hopefully they are doing better now with security patches.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
> Your post reminded me to turn off the SIP ALG. This is one feature whose existence I don't quite understand; it is supposed to help with SIP but instead makes things worse. Go figure.

SIP ALG is actually a nice idea and often works fine. It gets a bad rap because some firewalls implement it poorly and then it just doesn't work.

With SIP ALG, the firewall examines SIP traffic and replaces private IP addresses with the public address of the firewall so that media and reply signaling can come back to the right place. The firewall has to maintain a table of connections to translate this external mapping to internal. I think that's where it usually comes unglued with cheap routers.

I turn it off and use Asterisk's NAT handling instead because I'm used to how it works, and it's reliable. You can read about it in Asterisk docs but in short, it uses the received-from IP address to send signaling back to the phone (even if the phone advertises itself on a private IP) and symmetric RTP to get audio packets back to the NAT'ted phone after the phone has sent some audio packets to it, opening a path through the NAT and a pinhole in the firewall.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
It turns out the EdgeRouter SIP ALG is beneficial for my setup with the PBX in the cloud. When I turned it off, only 2 devices could connect.
I will do some reading in regards to Asterisk NAT. I am a novice and I did not know about it. This could be my solution to the OPNsense/PFSense firewall issues.
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
> I looked at MikroTik and I read about their issues with security. Apparently a couple of years ago there was a very significant and well-known security issue, and it took them more than a year to patch it. It turned me off; hopefully they are doing better now with security patches.

A little late to this party, but I don't think that's even close to true. I'm not sure what you read (and I'm happy to see a link), but MT are and have been VERY GOOD about patches for as long as I remember, but especially over the last two years.

They had a very high-profile vuln released (nation-state actor - MT are very popular carrier-grade routers in Europe and particularly in Ukraine) and had a working patch out in 4 hours. I've never seen Cisco, UBNT or any major player have a patch out in 4 hours. And yes, there have been other vulns; every vendor has them. Cisco had some 10 critical vulns disclosed just a couple of weeks ago. What matters is how fast things are fixed up. MT has been extremely good about that.

So not sure what you read about that was unpatched for over a year but I think it's misread or mistaken.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
First of all, I am not an expert and perhaps I read that news wrong. A simple Google search for MikroTik vulnerabilities will show several links; the one that states it took a year to patch was from TechRepublic.
Perhaps the author was wrong; I do not have the knowledge to be able to criticize him.
Now, since you clarified MikroTik's current policy with patches, I will give MikroTik a try.
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
Hey now Eliad.

Actually I thought you were referring to a different vuln but yes, that did exist. I'm not sure MT was actually *aware* of it for a year but absolutely it did happen.

That vuln, however, was never a security breach or RCE or other escalation vector; it was only able to DoS the router, and only if you used IPv6. Not to say that isn't serious - but it was never a threat that someone could use to breach your network or compromise your security - the most they could do is cause the router to freeze up and need a reboot.

I think part of the problem for MT on that particular issue was that patching it properly required some serious work on their IPv6 stack and a re-architecting of the stack was already happening elsewhere (but would take a while to reach release.) Since this wasn't an RCE or major issue to security I think they were a bit lax on letting it be. They also caught a lot of s**t from their community over it and I think learned from it.
No company is perfect but MT has made some very serious strides on security. Bugs in software WILL happen. How a company reacts and works to fix, especially serious, bugs is a big factor. At least imo.

The routers are definitely industrial grade. It might take some learning on your part but they are also definitely worth a look. Pound per dollar they are amazing value and some of the smallest units have solved some of the biggest challenges for us at the network edges. They also don't require any "cloud key" or other servers for management and they just run and run and run. They are our go-to device everywhere except for UTMs (because they don't make UTMs.) We are evaluating Sophos for that.

Btw, there is also a "virtual" router (MikroTik CHR) that you can get for a license fee, but also for free with some limitations (I think 10Mbps total throughput, not sure what else). CHR is a great platform if you want to run it in the cloud at, like, Vultr or something, for example as a VPN concentrator, firewall to other cloud devices, etc. I'm putting this out there for you because it's also a great way to get started without spending much, as you can put it on any x86 hardware you have lying around (or a VM if you have a Hyper-V or VMware server). Just need a couple of NICs.

hth.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I will give MikroTik a spin and see how it goes.
At present I use OPNsense. I need to have 2-gateway switching and this works well with OPNsense. Make sure, if you have Multi-WAN, that you enable "Reset all states when a dynamic IP address changes" under Firewall settings, Advanced.

For the SIP to work I followed the OPNsense forum's advice (they are very good and friendly, by the way). Below are the instructions.

Disable source port rewriting - by default, OPNsense rewrites the source port on all outbound traffic. This is necessary for proper NAT in some circumstances, such as having multiple SIP phones behind a single public IP registering to a single external PBX. With a minority of providers, rewriting the source port of RTP can cause one-way audio. In that case, you want to use manual outbound NAT and Static Port on all UDP traffic, potentially with the exclusion of UDP 5060.
Set Conservative state table optimization - pf's default UDP timeouts are too low for some VoIP services. If your phones mostly work but randomly disconnect, set "Firewall Optimization Options" to Conservative under System -> Advanced. Note this only works on 1.2.3-RC1 and newer, as pf itself never increases UDP timeouts; our code was changed to do this.

On the PBX side I did not quite understand the NAT implementation. NAT must be enabled on each SIP extension by going to the Advanced tab.
On iPBX2020 I use PJSIP and it works like a charm.
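As an added example (not from this thread or any of its posters), here is an Asterisk pjsip.conf that applies the two ideas raised above: the PBX listening on a non-default UDP port instead of 5060, and the per-extension NAT handling (received-address and symmetric RTP) that billsimon described. The port, public IP, local network, extension number and password are placeholders.

```ini
; Added example, not from the thread: cloud PBX with phones behind NAT.
; Replace the bind port, addresses, extension and secret with your own.

[transport-udp]
type=transport
protocol=udp
; Listen somewhere other than UDP/5060 (dicko's point): any port you pick
; in the 20001-60000 range; 54321 is only a placeholder
bind=0.0.0.0:54321
; Public address of the PBX so Contact/SDP carry a routable address
external_signaling_address=203.0.113.10
external_media_address=203.0.113.10
; Networks the PBX treats as local (no address rewriting toward them)
local_net=10.0.0.0/8

; Template carrying the NAT settings every NATed extension needs
[nat-endpoint](!)
type=endpoint
context=from-internal
disallow=all
allow=ulaw
direct_media=no       ; keep media flowing through the PBX, not phone-to-phone
force_rport=yes       ; reply to the IP:port the request actually arrived from
rewrite_contact=yes   ; ignore the private address the phone advertises
rtp_symmetric=yes     ; send RTP back to where the phone's RTP came from
rtp_keepalive=5       ; send RTP keepalives so the NAT pinhole stays open (seconds)

; One extension built from the template; placeholder number and secret
[1001](nat-endpoint)
auth=1001-auth
aors=1001

[1001-auth]
type=auth
auth_type=userpass
username=1001
password=CHANGE-ME-placeholder

[1001]
type=aor
max_contacts=1
qualify_frequency=30  ; periodic OPTIONS also keeps the firewall pinhole alive
```

The phones must be pointed at the same non-default port as the transport's bind line; force_rport, rewrite_contact and rtp_symmetric together are what the GUI's per-extension "NAT" toggle turns on.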
 
