I HAVE A DREAM Remote extensions on PBX behind NAT firewall (neither with fixed external IPs)

GerryGerry

Member
Joined
Dec 26, 2015
Messages
38
Reaction score
5
I have set up a PBX some years back (Incredible PBX 12.0.70) that is sitting in a managed office where I have no access or control over the firewall. The 7 local extensions all work fine and can make and receive calls with no issues (there is just a single SIP trunk registered on the PBX).

I have now been asked if one of the staff can take a phone home (maternity leave) and if it could be connected to the office phone system. I do not want to 'reinvent' the wheel, and I'm sure this situation crops up fairly frequently. Can anyone give me pointers on how to achieve this? I'm guessing the solution would have to involve some kind of cloud-based 'middle man' through which both the phone and the PBX would talk.

All help greatly appreciated
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
633
Reaction score
71
Deploy Ward's IncrediblePBX for the cloud on a $5/mnth Vultr or Digital Ocean instance. Setup IAX trunks between Office & Cloud based PBX (this will require you to forward port 4569 at the Office firewall to the Office pbx though). Move phone from Office to Cloud. Setup dialplans accordingly.

Sounds like the biggest hurdle will be to get the port forwarded.
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
38
Reaction score
5
Deploy Ward's IncrediblePBX for the cloud on a $5/mnth Vultr or Digital Ocean instance. Setup IAX trunks between Office & Cloud based PBX (this will require you to forward port 4569 at the Office firewall to the Office pbx though). Move phone from Office to Cloud. Setup dialplans accordingly.

Sounds like the biggest hurdle will be to get the port forwarded.
Thanks for this suggestion.
I already have a (separate) cloud-based VPS on Digital Ocean and I'm sure I could successfully set up a trunk on each PBX (cloud PBX and office PBX) to route calls between an extension on the cloud PBX and the local office PBX without the need to configure anything on the office firewall BUT... the remote extension would have to register to the cloud PBX and would therefore not get the normal full feature set (BLFs, for example, would not function). I'm after a solution that would effectively allow the phone to register (albeit via a 3rd device) on the office PBX. It is also imperative that the solution does not require ANY configuration on the office firewall/router.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
633
Reaction score
71
Well, instead of a hard phone on the remote worker, if they can use a SIP softphone there is always the option of using NEORouter. That shouldn't require any firewall manipulation that I am aware of...
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
38
Reaction score
5
Well, instead of a hard phone on the remote worker, if they can use a SIP softphone there is always the option of using NEORouter. That shouldn't require any firewall manipulation that I am aware of...
Perhaps it will have to remain a 'dream', but I really wanted/need to do it using the hardware the workers are already familiar with. I guess the users would only have to change the registration server address on their endpoint (many phones allow 2 servers to be defined, one as a backup, so even this would not need altering when taking the phone off-site). I appreciate that, if doable, it would involve a lot of setup both on the existing office PBX and on the new '3rd device' (cloud VPS) that handles the connections; I'm just not sure where to begin, coupled with the 'feeling' that surely someone must have already done this or something similar.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
516
Reaction score
213
VPN is easiest if you have no control over your office firewall.

Assuming no control over her router/firewall:
  • Setup openvpn server on the cloud instance.
  • Setup openvpn client on the PBX,
  • Plug her phone into an old router set up as a wireless client with OpenVPN client capabilities (or one that you can load OpenWRT/DD-WRT/Tomato/etc. on - or just buy one of these),
  • Connect router VPN client and PBX VPN client to the cloud VPN server.
  • Her phone and your LAN (via the VPN) are firewalled away from her LAN by the client router.
  • You can control how big a hole you make open to the phone. You have iptables at the PBX and client router available to restrict traffic.
  • You've also just connected the phone wirelessly to her home network, making placement in the home much easier.
It doesn't have to be OpenVPN, use whatever VPN you're good with. NeoRouter has an OpenWRT client (and wouldn't require your own central server).

If you are OK with setting up a port forward on her internet router, then the OpenVPN server could run on your remote device and also skip a central server.

If you have an unused Pi or similar sitting around - that would work in place of the remote router (but may take a little more tinkering).
 
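The post above notes that iptables on the PBX (and on the client router) lets you decide how big a hole the tunnel opens. The script below is an added example, not jerrm's or the Incredible PBX project's code, of the PBX side of that: every packet arriving on the tunnel interface is sent through a dedicated chain that accepts only SIP and RTP from the phone's VPN address and drops the rest. The interface name tun0, the phone's VPN address 10.8.0.10, SIP on UDP 5060 and the RTP range 10000-20000 are assumptions (the RTP range is the stock Asterisk default; match it to the PBX's rtp.conf). DRY_RUN=1 prints the rules instead of applying them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example: restrict what the remote phone can reach over the VPN
# on the PBX. Not code from the forum thread or from Incredible PBX.
# All values below are assumptions; override them via the environment.
TUN_IF="${TUN_IF:-tun0}"              # OpenVPN tunnel interface on the PBX
PHONE_IP="${PHONE_IP:-10.8.0.10}"     # VPN address of the home router/phone
SIP_PORT="${SIP_PORT:-5060}"          # SIP signalling port (UDP)
RTP_RANGE="${RTP_RANGE:-10000:20000}" # Asterisk default RTP range (rtp.conf)

# Wrapper: with DRY_RUN=1 the rule is printed instead of applied.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

pbx_vpn_rules() {
    # A dedicated chain keeps the VPN policy separate from the distro's rules.
    ipt -N VPNPHONE 2>/dev/null
    ipt -F VPNPHONE
    # Send everything arriving on the tunnel through VPNPHONE (re-insert once).
    ipt -D INPUT -i "$TUN_IF" -j VPNPHONE 2>/dev/null
    ipt -I INPUT 1 -i "$TUN_IF" -j VPNPHONE
    # Replies to connections the PBX itself opened (e.g. provisioning checks).
    ipt -A VPNPHONE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SIP signalling, only from the phone's VPN address.
    ipt -A VPNPHONE -s "$PHONE_IP" -p udp --dport "$SIP_PORT" -j ACCEPT
    # RTP media, only from the phone's VPN address.
    ipt -A VPNPHONE -s "$PHONE_IP" -p udp --dport "$RTP_RANGE" -j ACCEPT
    # Anything else on the tunnel (other VPN clients, the cloud host) is dropped.
    ipt -A VPNPHONE -j DROP
}

# Print the rule set that would be applied, without touching the kernel.
render_rules() {
    ( DRY_RUN=1; pbx_vpn_rules )
}

# Usage:  ./pbx-vpn-rules.sh show   (review)   |   sudo ./pbx-vpn-rules.sh apply
case "${1:-}" in
    show)  render_rules ;;
    apply) pbx_vpn_rules ;;
esac
```

The same shape works on the client router: there the source check is reversed, so only the phone's LAN address may send SIP/RTP into the tunnel and the rest of the home network is kept out. If the phone later registers over TLS/TCP instead, swap the `-p udp --dport 5060` rule for the TCP port the PBX listens on.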

GerryGerry

Member
Joined
Dec 26, 2015
Messages
38
Reaction score
5
VPN is easiest if you have no control over your office firewall.

Assuming no control over her router/firewall:
  • Setup openvpn server on the cloud instance.
  • Setup openvpn client on the PBX,
  • Plug her phone into an old router set up as a wireless client with OpenVPN client capabilities (or one that you can load OpenWRT/DD-WRT/Tomato/etc. on - or just buy one of these),
  • Connect router VPN client and PBX VPN client to the cloud VPN server.
  • Her phone and your LAN (via the VPN) are firewalled away from her LAN by the client router.
  • You can control how big a hole you make open to the phone. You have iptables at the PBX and client router available to restrict traffic.
  • You've also just connected the phone wirelessly to her home network, making placement in the home much easier.
It doesn't have to be OpenVPN, use whatever VPN you're good with. NeoRouter has an OpenWRT client (and wouldn't require your own central server).

If you are OK with setting up a port forward on her internet router, then the OpenVPN server could run on your remote device and also skip a central server.

If you have an unused Pi or similar sitting around - that would work in place of the remote router (but may take a little more tinkering).
Have ordered the GL.iNet GL-MT300N-V2 Mini Travel Router and will start setting up the cloud instance tomorrow. I'll keep everyone posted. Perhaps if the phone has an inbuilt VPN client (which the ones I'm using at present don't) this solution can be streamlined even further.
 

smarks

Guru
Joined
Jan 7, 2015
Messages
110
Reaction score
25
You want a remote extension and nothing else. Just open the required ports on the router. Done! What am I missing?

And I don't mean the inevitable "OMG but security" type responses. Of course you want to make it secure and it will be. But then you get into tradeoffs between security and ease of use. Get it working first and don't use easily guessed passwords. If you want to make it even more secure you can do that later.
 

smarks

Guru
Joined
Jan 7, 2015
Messages
110
Reaction score
25
Sorry I missed that part. I wouldn't even touch something like that.
 

krzykat

Guru
Joined
Aug 2, 2008
Messages
1,543
Reaction score
415
Location
South Florida
I have now been asked if one of the staff can take a phone home (maternity leave) and if it could be connected to the office phone system. I do not want to 'reinvent' the wheel.

All help greatly appreciated
Who is her internet carrier and do they have a semi-static IP? (I've found that most carriers now, such as AT&T, Comcast, Spectrum, will leave the same public IP on your system for many months before it ever changes.)

If this is so, then you can whitelist their IP allowing their phone to register in to the PBX.
 

krzykat

Guru
Joined
Aug 2, 2008
Messages
1,543
Reaction score
415
Location
South Florida
I was assuming that the firewall was there to allow 5060 traffic to the PBX, and that he does have access to the PBX where he could setup whitelist for the remote extension. If the firewall blocks the traffic or if he doesn't have access to iptables of the PBX, then of course, this wouldn't be a valid scenario.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
516
Reaction score
213
I was assuming that the firewall was there to allow 5060 traffic to the PBX, and that he does have access to the PBX where he could setup whitelist for the remote extension. If the firewall blocks the traffic or if he doesn't have access to iptables of the PBX, then of course, this wouldn't be a valid scenario.
Quite possibly, I assumed registered trunks with no firewall mods needed. Maybe @GerryGerry can clarify.
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
38
Reaction score
5
Quite possibly, I assumed registered trunks with no firewall mods needed. Maybe @GerryGerry can clarify.
I have no access to the firewall at all. The PBX is in a serviced office environment. Hopefully I'll have something up and running along the lines of jerrm's earlier post. I'll try to document it as I go so that the community will have some sort of resource to draw upon (if successful).
 

Rob Traffie

New Member
Joined
Aug 23, 2016
Messages
9
Reaction score
0
Following, I am trying essentially the same thing - but I DO have access to the firewall.
I want to register a SIP phone (Linphone or similar) on an iPhone to my PBX, behind NAT firewall.
Since the iPhone will always have a dynamic IP - I am struggling to see how to do that.

For remote extensions, I set up OpenVPN on the remote phone itself (Yealink T-48S) with an Untangle firewall.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
651
Reaction score
238
Interestingly, all iPhones (or any other phone: Android, Microsoft, Nokia? but they would be carrier-specific networks) will have an IP within the network that is returned by

whois the.ip.address.ofyourphone

As I am a pragmatist, I suggest that you can relatively safely add this "huge" network to your allowed SIP networks white-list; I have as yet never seen an attack from that network over many years and servers.

(waiting for all your flack . . . .)
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
516
Reaction score
213
As I am a pragmatist, I suggest that you can relatively safely add this "huge" network to your white-list; I have as yet never seen an attack from that network over many years and servers.

(waiting for all your flack . . . .)
Not really flack, but I wouldn't use the default IPBX rules with such a big opening. Maybe open SIP on the firewall to the network block, but use something closer to @wardmundy's "wide open" rules on the PBX.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
651
Reaction score
238
I accept that and I have been more explicit: having SIP on 34254, or only accepting TLS or TCP connections, would further limit any risk.
 
