I HAVE A DREAM Remote extensions on PBX behind NAT firewall (neither with fixed external IPs)

GerryGerry (Member):
I set up a PBX some years back (Incredible PBX 12.0.70) that is sitting in a managed office where I have no access to or control over the firewall. The 7 local extensions all work fine and can make and receive calls with no issues (there is just a single SIP trunk registered on the PBX).

I have now been asked if one of the staff can take a phone home (maternity leave) and if it could be connected to the office phone system. I do not want to 'reinvent' the wheel, and I'm sure this situation crops up fairly frequently. Can anyone give me pointers on how to achieve this? I'm guessing the solution would have to involve some kind of cloud-based 'middle man' through which both the phone and the PBX would talk.

All help greatly appreciated
 

tbrummell (Guru):
Deploy Ward's IncrediblePBX for the cloud on a $5/month Vultr or Digital Ocean instance. Set up IAX trunks between the Office and Cloud-based PBX (this will require you to forward port 4569 at the Office firewall to the Office PBX though). Move the phone from Office to Cloud. Set up dialplans accordingly.

Sounds like the biggest hurdle will be to get the port forwarded.
 

GerryGerry (Member):
Thanks for this suggestion.
I already have a (separate) cloud-based VPS on Digital Ocean and I'm sure I could successfully set up a trunk on each PBX (cloud PBX and office PBX) to route calls between an extension on the cloud PBX and the local office PBX without the need to configure anything on the office firewall, BUT... the remote extension would have to register to the cloud PBX and would therefore not get the normal full feature set (e.g. BLFs would not function). I'm after a solution that would effectively allow the phone to register (albeit via a 3rd device) on the office PBX. It is also imperative that the solution does not require ANY configuration on the office firewall/router.
 

tbrummell (Guru):
Well, instead of a hard phone on the remote worker, if they can use a SIP softphone there is always the option of using NEORouter. That shouldn't require any firewall manipulation that I am aware of...
 

GerryGerry (Member):
Perhaps it will have to remain a 'dream', but I really wanted/need to do it using the hardware the workers are already familiar with. I guess the users would only have to change the registration server address on their endpoint (many phones allow 2 servers to be defined, one as a backup, so even this would not need altering when taking the phone off-site). I appreciate that, if doable, it would involve a lot of setup both on the existing office PBX and on the new '3rd device' (cloud VPS) that handles the connections. I'm just not sure where to begin, coupled with the 'feeling' that surely someone must have already done this or something similar.
 

jerrm (Guru):
VPN is easiest if you have no control over your office firewall.

Assuming no control over her router/firewall:
  • Set up an OpenVPN server on the cloud instance.
  • Set up an OpenVPN client on the PBX.
  • Plug her phone into an old router set up as a wireless client with OpenVPN client capabilities (or one that you can load OpenWRT/DD-WRT/Tomato/etc. on, or just buy one of these).
  • Connect the router VPN client and the PBX VPN client to the cloud VPN server.
  • Her phone and your LAN (via the VPN) are firewalled away from her LAN by the client router.
  • You can control how big a hole you open to the phone. You have iptables at the PBX and the client router available to restrict traffic.
  • You've also just connected the phone wirelessly to her home network, making placement in the home much easier.
It doesn't have to be OpenVPN; use whatever VPN you're good with. Neorouter has an OpenWRT client (and wouldn't require your own central server).

If you are OK with setting up a port forward on her internet router, then the OpenVPN server could run on your remote device and you could also skip a central server.

If you have an unused Pi or similar sitting around, that would work in place of the remote router (but may take a little more tinkering).
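One concrete layout for the hub-and-spoke VPN described in the post above, as an added example rather than anything posted in the thread: a generator script for the OpenVPN server config on the cloud VPS, the per-client address pins, the iptables rules on the PBX that limit the tunnel to SIP and RTP from the phone's router, and the forwarding rules on the travel router that keep the phone's traffic away from the home LAN. The tunnel network 10.8.0.0/24, port 1194, the SIP/RTP ports, the interface and file names are assumptions; it also assumes the travel router masquerades its LAN onto the tunnel so the PBX sees the phone from 10.8.0.20.

```bash
#!/usr/bin/env bash
# Added example, not from the forum thread. Hub-and-spoke layout:
#   cloud VPS          = OpenVPN server, tunnel address 10.8.0.1
#   office PBX         = OpenVPN client, pinned to 10.8.0.10
#   home travel router = OpenVPN client, pinned to 10.8.0.20 (phone sits behind it)
# Every address, port and path below is an assumption chosen for the example.
set -eu

VPN_NET="10.8.0.0"; VPN_MASK="255.255.255.0"
PBX_VPN_IP="10.8.0.10"
PHONE_VPN_IP="10.8.0.20"      # router's tunnel address; the router NATs the phone onto it
SIP_PORT="5060"
RTP_RANGE="10000:20000"       # must match the RTP range configured on the PBX
LAN_IF="br-lan"               # OpenWrt's default LAN bridge name (assumption)

# server.conf for the VPS. "topology subnet" makes the ifconfig-push lines below
# plain /24 addresses; "client-to-client" lets the two spokes talk via the hub;
# "client-config-dir" is where the per-client pins live.
gen_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server $VPN_NET $VPN_MASK
client-config-dir ccd
client-to-client
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# One file per client in ccd/, named after the client certificate's CN.
gen_ccd_entry() {  # $1 = tunnel address to pin for this client
  printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# PBX side: the only thing allowed in over the tunnel is SIP and RTP from the
# phone's router; everything else arriving on tun0 is dropped. This is the
# "how big a hole" control the post mentions.
gen_pbx_iptables() {
  cat <<EOF
iptables -A INPUT -i tun0 -s $PHONE_VPN_IP -p udp --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -i tun0 -s $PHONE_VPN_IP -p udp --dport $RTP_RANGE -j ACCEPT
iptables -A INPUT -i tun0 -j DROP
EOF
}

# Travel router side (illustrative raw iptables; OpenWrt's own firewall config
# would express the same thing). The phone's LAN may reach only the PBX's SIP
# and RTP ports through the tunnel, replies come back on conntrack state, and
# nothing else crosses between the tunnel and the home side of the router.
gen_router_iptables() {
  cat <<EOF
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o tun0 -d $PBX_VPN_IP -p udp --dport $SIP_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o tun0 -d $PBX_VPN_IP -p udp --dport $RTP_RANGE -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o tun0 -j DROP
iptables -A FORWARD -i tun0 -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o $LAN_IF -j DROP
EOF
}

# Usage: ./vpn-layout.sh > layout.txt, then copy each section where it belongs.
if [ "${1:-}" = "show" ]; then
  echo "# --- server.conf (VPS) ---";        gen_server_conf
  echo "# --- ccd/pbx ---";                  gen_ccd_entry "$PBX_VPN_IP"
  echo "# --- ccd/homerouter ---";           gen_ccd_entry "$PHONE_VPN_IP"
  echo "# --- iptables on the PBX ---";      gen_pbx_iptables
  echo "# --- iptables on the router ---";   gen_router_iptables
fi
```

Because the router masquerades onto the tunnel, the PBX's SIP settings need its usual NAT handling (the phone's Contact header carries a private address), and inbound INVITEs and RTP from the PBX only get back through the router while the phone's registration keeps a conntrack entry alive, so a short registration expiry or qualify interval on the PBX is worth keeping.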
 

GerryGerry (Member):
Have ordered the GL.iNet GL-MT300N-V2 Mini Travel Router and will start setting up the cloud instance tomorrow. I'll keep everyone posted. Perhaps if the phone has an inbuilt VPN client (which the ones I'm using at present don't) this solution can be streamlined even further.
 

smarks (Guru):
You want a remote extension and nothing else. Just open the required ports on the router. Done! What am I missing?

And I don't mean the inevitable "OMG but security" type responses. Of course you want to make it secure and it will be. But then you get into tradeoffs between security and ease of use. Get it working first and don't use easily guessed passwords. If you want to make it even more secure you can do that later.
 

smarks (Guru):
Sorry I missed that part. I wouldn't even touch something like that.
 

krzykat (Telecom Strategist):
> I have now been asked if one of the staff can take a phone home (maternity leave) and if it could be connected to the office phone system. I do not want to 'reinvent' the wheel.
>
> All help greatly appreciated

Who is her internet carrier and do they have a semi-static IP (I've found that most carriers now such as AT&T, Comcast, Spectrum - will leave the same public IP on your system for many months before it ever changes).

If this is so, then you can whitelist their IP allowing their phone to register in to the PBX.
 

krzykat (Telecom Strategist):
I was assuming that the firewall was there to allow 5060 traffic to the PBX, and that he does have access to the PBX where he could setup whitelist for the remote extension. If the firewall blocks the traffic or if he doesn't have access to iptables of the PBX, then of course, this wouldn't be a valid scenario.
 

jerrm (Guru):
Quite possibly, I assumed registered trunks with no firewall mods needed. Maybe @GerryGerry can clarify.
 

GerryGerry (Member):
I have no access to the firewall at all. The PBX is in a serviced office environment. Hopefully I'll have something up and running along the lines of jerrm's earlier post. I'll try to document it as I go so that the community will have some sort of resource to draw upon (if successful).
 

Rob Traffie (Member):
Following, I am trying essentially the same thing, but I DO have access to the firewall.
I want to register a SIP phone (Linphone or similar) on an iPhone to my PBX, behind a NAT firewall.
Since the iPhone will always have a dynamic IP, I am struggling to see how to do that.

For remote extensions, I set up OpenVPN on the remote phone itself (Yealink T-48S) with an Untangle firewall.
 

dicko (Still learning but earning):
Interestingly, all iPhones (or any other phone: Android, Microsoft, Nokia? but they would be carrier-specific networks) will have an IP within the network that is returned by

whois the.ip.address.ofyourphone

As I am a pragmatist, I suggest that you can relatively safely add this "huge" network to your allowed SIP networks white-list. I have as yet never seen an attack from that network over many years and servers.

(waiting for all your flack . . . .)
 

jerrm (Guru):
> As I am a pragmatist, I suggest that you can relatively safely add this "huge" network to your white-list, I have as yet never seen an attack from that network over many years and servers
>
> (waiting for all your flack . . . .)
Not really flack, but I wouldn't use the default IPBX rules with such a big opening. Maybe open SIP on the firewall to the network block, but use something closer to @wardmundy's "wide open" rules on the PBX.
 

dicko (Still learning but earning):
I accept that, and I have been more explicit. Having SIP on 34254, or only accepting TLS or TCP connections, would further limit any risk.
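An added example, not from the thread, that combines the last few posts into one script: an ipset of sources allowed to reach SIP, fed by the carrier block(s) parsed out of whois output (the "huge network" idea above) and by a dynamic-DNS name for the home connection (the whitelist krzykat suggested, kept current from cron), while SIP itself is exposed only on a non-default TCP/TLS port and 5060 is closed to everyone (dicko's follow-up, and jerrm's point about not pairing a big opening with the default rules). Port 34254 comes from the post above; the set name, hostnames, the whois sample text (which uses documentation prefixes) and everything else are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the forum thread: source-whitelisted SIP on a
# non-default TCP/TLS port. Set name, port, hostnames and sample data are
# assumptions chosen for the example.
set -eu

SIP_TLS_PORT="34254"          # non-default port, as suggested in the thread
IPSET_NAME="sip_allowed"

# Pull CIDR blocks out of whois output. ARIN prints "CIDR:", RIPE/APNIC style
# registries print "route:"; a CIDR: line may carry several comma-separated
# blocks, so split on commas and spaces and keep only a.b.c.d/n tokens.
extract_cidrs() {
  awk -F': *' '
    tolower($1) == "cidr" || tolower($1) == "route" {
      n = split($2, a, /[ ,]+/)
      for (i = 1; i <= n; i++) if (a[i] ~ /^[0-9.]+\/[0-9]+$/) print a[i]
    }' | sort -u
}

# Firewall rules: only addresses in the set may reach the SIP TLS port; plain
# 5060 (UDP and TCP) is closed to everyone. RTP is left to the existing rules,
# since the PBX only sends media to a peer that registered over SIP first.
gen_sip_rules() {
  cat <<EOF
ipset create $IPSET_NAME hash:net -exist
iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -m set --match-set $IPSET_NAME src -j ACCEPT
iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j DROP
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5060 -j DROP
EOF
}

# Add every block from a whois lookup of the phone's public address to the set
# (needs network access, so it is not exercised here).
allow_whois_blocks() {  # $1 = the phone's current public IP
  whois "$1" | extract_cidrs | while read -r net; do
    ipset add "$IPSET_NAME" "$net" -exist
  done
}

# Keep the home connection's current address in the set: resolve a dynamic-DNS
# name (run from cron every few minutes), add the new address, and remove the
# previous one if it changed. $2 is a state file holding the last address.
refresh_home_ip() {  # $1 = ddns hostname, $2 = state file
  local ip old
  ip=$(getent ahostsv4 "$1" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || return 1
  old=$(cat "$2" 2>/dev/null || true)
  if [ "$ip" != "$old" ]; then
    [ -n "$old" ] && ipset del "$IPSET_NAME" "$old" -exist
    ipset add "$IPSET_NAME" "$ip" -exist
    printf '%s\n' "$ip" > "$2"
  fi
}

# Constructed sample of whois output (documentation prefixes, not a real
# carrier) so the parser can be exercised without network access.
SAMPLE_WHOIS='NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-CARRIER
route:          198.51.100.0/24
descr:          example carrier block'

parse_sample() { printf '%s\n' "$SAMPLE_WHOIS" | extract_cidrs; }

# Usage: ./sip-whitelist.sh demo   (prints parsed blocks and the rules)
if [ "${1:-}" = "demo" ]; then
  parse_sample
  gen_sip_rules
fi
```

The PBX side still has to be bound to that port with TLS enabled in its SIP configuration (not covered by the script), and the phone needs the matching transport set; with both in place, scanners probing 5060 see a closed port and anything outside the set never reaches the SIP stack at all.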
 
