Responsive Firewall and external FreePBX users



  • My FreePBX system has been in production for a month, and here are some observations that I've made about firewall performance.

    1. Admin > System Admin > Intrusion Detection and Intrusion Detection > Whitelist seem to do nothing.
      Even though it really doesn't make sense to me, I wonder if this is a separate system from the Responsive Firewall. Adding IP addresses to this whitelist has no effect on whether or not they're blocked as attackers by the Responsive Firewall. Also, IPs that are blocked as attackers seem to not trigger the e-mail notification about intrusion detection.

    2. Connectivity > Firewall > Status (and its sub-tabs) tends to take a long time to load and spikes load averages if the firewall has been running for several days. Stopping and restarting the firewall will usually solve this performance problem.

    3. I have users whose Yealink phones and / or Linphone softphones are configured correctly, yet still occasionally have their IP addresses blocked as attackers by the Responsive Firewall.

    The solution I'm using right now for item 3 is to take these IP addresses and add them to the Local zone of the Responsive Firewall. I don't particularly like this, because I'm trusting traffic from these random home networks as well as taking the risk that the IP addresses for these networks can change.

    I suppose an alternative could be finding a way to automatically stop and restart the firewall once a day or so, which, if a person was labeled as an attacker, would clear the IP address entry. The question then becomes "well, won't they automatically be considered an attacker again?" The answer to that is "sometimes," which is frustrating, since there's no configuration change happening with the end points.

    Folks that use FreePBX, do you experience this with remote users and the responsive firewall? If so, how do you deal with it?



  • @eddiejennings

    Yes, I’ll look and find the specific thread where I last saw it discussed. Particularly mobile apps are hard to keep connected.

    You could run a small sbc to register mobile users and then register their extensions to FreePBX from there, that is the only thing I could ever come up with.

    I have also seen, with responsive firewall, where a user's access goes in and out (for a large Dropbox upload or sync), causing the phone to reregister too quickly. Which seems to trigger the block.

    Near the end of my FreePBX use, if someone was blocked I would just stop and start the firewall from the command line, as the website sometimes was too slow...


  • Service Provider

    @bigbear when using STUN, does the registration come from the STUN server or the device? I never tested this.



  • @jaredbusch said in Responsive Firewall and external FreePBX users:

    @bigbear when using STUN, does the registration come from the STUN server or the device? I never tested this.

    I don't know, I never had to set a STUN server. Believe it is using RPORT.

    The devs had cited mobile phone apps as something they hadn't decided on a solution for when it was last asked about months ago. Something about the responsive firewall reading the event logs and being 15 seconds behind because of it.

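The two posts above describe the same failure mode from two sides: a phone whose connection flaps re-registers several times in a few seconds, and a blocker that works from the event log treats that burst like an attack. The following is an added example, not FreePBX code and not a reproduction of the Responsive Firewall's actual rules. It constructs a handful of log lines in the shape of Asterisk's security log (the timestamps, extensions and addresses are made up) and runs two sliding-window policies over them: one that counts every security event per source, and one that counts only authentication failures. The window and threshold values are assumptions chosen for illustration.

```python
"""Why a healthy phone can look like an attacker to a log-driven blocker.

Added example (not FreePBX code). The log lines are constructed in the
shape of Asterisk's security log; the policies and thresholds are
illustrative assumptions, not the Responsive Firewall's real rules.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Event types that mean a request was rejected. A normal REGISTER produces
# a ChallengeSent followed by a SuccessfulAuth, neither of which is in here.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "FailedACL", "RequestNotAllowed"}

LINE_RE = re.compile(
    r'SecurityEvent="(?P<event>[^"]+)".*?EventTV="(?P<tv>[^"]+)"'
    r'.*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>[\d.]+)/\d+"'
)

T0 = datetime(2019, 3, 4, 9, 0, 0, tzinfo=timezone.utc)


def _line(offset_s, event, ip, account):
    """Build one constructed log line in the style of res_security_log."""
    tv = (T0 + timedelta(seconds=offset_s)).isoformat()
    return (f'[{tv}] SECURITY[1234] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{tv}",Severity="Informational",Service="PJSIP",EventVersion="1",'
            f'AccountID="{account}",SessionID="s{offset_s}",'
            f'LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')


def constructed_log():
    """Constructed sample: one flapping home phone, one scanner, one quiet phone."""
    lines = []
    # Correctly configured home phone whose NAT binding keeps dropping:
    # six re-REGISTERs in ten seconds, every one of them authenticating fine.
    for t in (0, 2, 4, 6, 8, 9):
        lines.append(_line(t, "ChallengeSent", "198.51.100.23", "2001"))
        lines.append(_line(t + 0.2, "SuccessfulAuth", "198.51.100.23", "2001"))
    # Scanner guessing the password of extension 1000.
    for t in range(8):
        lines.append(_line(t, "InvalidPassword", "203.0.113.9", "1000"))
    # A single healthy registration from somewhere else.
    lines.append(_line(3, "SuccessfulAuth", "192.0.2.50", "2002"))
    return lines


def parse(lines):
    """Extract (timestamp, event, source ip) from security-log lines, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a security event; skip
        events.append((datetime.fromisoformat(m["tv"]), m["event"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def blocked_ips(events, window_s, threshold, count_event):
    """Sliding-window counter: block a source once more than `threshold`
    counted events fall inside any `window_s`-second window."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, event, ip in events:
        if not count_event(event):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > threshold:
            blocked.add(ip)
    return blocked


def naive_rate_policy(lines, window_s=10, threshold=5):
    """Counts every event from a source: a fast re-registering phone trips it."""
    return blocked_ips(parse(lines), window_s, threshold, lambda e: True)


def failure_policy(lines, window_s=10, threshold=5):
    """Counts only rejections: the flapping phone never accumulates any."""
    return blocked_ips(parse(lines), window_s, threshold, lambda e: e in FAILURE_EVENTS)


if __name__ == "__main__":
    log = constructed_log()
    print("rate policy blocks:   ", sorted(naive_rate_policy(log)))
    print("failure policy blocks:", sorted(failure_policy(log)))
```

Run stand-alone, the rate policy blocks both the scanner and the legitimate phone at 198.51.100.23, while the failure-only policy blocks just the scanner. Whatever the real firewall's rule is, this is the check to make when a correctly configured endpoint keeps getting banned: look at which event types, not just how many, are coming from that address.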


  • @bigbear said in Responsive Firewall and external FreePBX users:

    You could run a small sbc to register mobile users and then register their extensions to FreePBX from there, that is the only thing I could ever come up with.

    Bit of a necropost, but this is going to become a thing soon, as we're planning to expand the external folks making calls through our PBX by about 80 users.

    I have some reading ahead of me about session border controllers, as I've never used one. I imagine the setup would be a Vultr VM functioning as the sbc for the FreePBX VM.



  • @eddiejennings said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    You could run a small sbc to register mobile users and then register their extensions to FreePBX from there, that is the only thing I could ever come up with.

    Bit of a necropost, but this is going to become a thing soon, as we're planning to expand the external folks making calls through our PBX by about 80 users.

    I have some reading ahead of me about session border controllers, as I've never used one. I imagine the setup would be a Vultr VM functioning as the sbc for the FreePBX VM.

    I know nothing about session border controllers but wouldn't them being external folks mean you don't need a sbc?



  • @dashrender said in Responsive Firewall and external FreePBX users:

    @eddiejennings said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    You could run a small sbc to register mobile users and then register their extensions to FreePBX from there, that is the only thing I could ever come up with.

    Bit of a necropost, but this is going to become a thing soon, as we're planning to expand the external folks making calls through our PBX by about 80 users.

    I have some reading ahead of me about session border controllers, as I've never used one. I imagine the setup would be a Vultr VM functioning as the sbc for the FreePBX VM.

    I know nothing about session border controllers but wouldn't them being external folks mean you don't need a sbc?

    I'm equally ignorant. The real issue being addressed is all of these folks connecting from their home networks, and trying to avoid whack-a-mole IP blocks. Since adding these folks' IPs to the local group is only effective while their ISP keeps handing them the same IP.



  • @eddiejennings said in Responsive Firewall and external FreePBX users:

    @dashrender said in Responsive Firewall and external FreePBX users:

    @eddiejennings said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    You could run a small sbc to register mobile users and then register their extensions to FreePBX from there, that is the only thing I could ever come up with.

    Bit of a necropost, but this is going to become a thing soon, as we're planning to expand the external folks making calls through our PBX by about 80 users.

    I have some reading ahead of me about session border controllers, as I've never used one. I imagine the setup would be a Vultr VM functioning as the sbc for the FreePBX VM.

    I know nothing about session border controllers but wouldn't them being external folks mean you don't need a sbc?

    I'm equally ignorant. The real issue being addressed is all of these folks connecting from their home networks, and trying to avoid whack-a-mole IP blocks. Since adding these folks' IPs to the local group is only effective while their ISP keeps handing them the same IP.

    So, how does a sbc solve that, wouldn't you want to have similar blocks happening on the sbc as you do on the FreePBX?

    I'm actually very interested in how you solve this. My own personal experience with just one phone (softphone) often gets blocked, even using something like DDNS is not solving the issue for me.



  • @dashrender said in Responsive Firewall and external FreePBX users:

    So, how does a sbc solve that, wouldn't you want to have similar blocks happening on the sbc as you do on the FreePBX?

    As I think a bit more, it likely won't, for the reason you mentioned. I'd probably run into the same problem.



  • @eddiejennings said in Responsive Firewall and external FreePBX users:

    @dashrender said in Responsive Firewall and external FreePBX users:

    So, how does a sbc solve that, wouldn't you want to have similar blocks happening on the sbc as you do on the FreePBX?

    As I think a bit more, it likely won't, for the reason you mentioned. I'd probably run into the same problem.

    You would not run into the same problem because an SBC doesn't rely on the same mechanisms FreePBX uses for authentication and security. Not only will it solve the problem, using a border element for signaling and/or media is the norm in VoIP.

    Think of an SBC as a voip firewall and/or voip router, depending on its configuration. FreePBX does not make one, but Sangoma has for years.



  • Here is a guide to using Sangoma SBC with FreePBX

    https://wiki.freepbx.org/download/attachments/71828149/Sangoma-Software-SBC-for-Asterisk-PBX.pdf?version=1&modificationDate=1480001446000&api=v2

    I use OpenSIPS for signaling and perimeter security with FreeSWITCH, even though FreeSWITCH has domain filtering and SIP profiles built in.

    I also use physical Genband and Acme Packet SBCs because they have physical CPUs that can handle real-time transcoding of tens of thousands of sessions concurrently, which a software solution can't do. That is more typical for trunking but also necessary for things like Office 365 and Skype for Business calling integration.


  • Service Provider

    @bigbear said in Responsive Firewall and external FreePBX users:

    Think of an SBC as a voip firewall and/or voip router, depending on its configuration.

    It's a proxy, not like a firewall or router. A bit different.



  • @scottalanmiller said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    Think of an SBC as a voip firewall and/or voip router, depending on its configuration.

    It's a proxy, not like a firewall or router. A bit different.

    There are overlapping features and use cases, but they are not one and the same. An SBC can provide a SIP proxy for registration, but it is not required.

    The real point I guess is that FreePBX currently does not provide a "full complement" solution for roaming users.

    To that end, a SIP Proxy or an SBC that provides a mobile access solution can be used to register roaming devices and then those extensions are registered from the Proxy or SBC to FreePBX as a static IP address, eliminating the need to rely on responsive firewall.



  • @bigbear said in Responsive Firewall and external FreePBX users:

    I also use physical Genband and Acme Packet SBCs because they have physical CPUs that can handle real-time transcoding of tens of thousands of sessions concurrently, which a software solution can't do. That is more typical for trunking but also necessary for things like Office 365 and Skype for Business calling integration.

    I used to believe statements like this, but then I see Scott making statements about software RAID and how none of the big boys use hardware RAID, only software... soooo... what makes software unable to do this?



  • @bigbear said in Responsive Firewall and external FreePBX users:

    @scottalanmiller said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    Think of an SBC as a voip firewall and/or voip router, depending on its configuration.

    It's a proxy, not like a firewall or router. A bit different.

    There are overlapping features and use cases, but they are not one and the same. An SBC can provide a SIP proxy for registration, but it is not required.

    The real point I guess is that FreePBX currently does not provide a "full complement" solution for roaming users.

    To that end, a SIP Proxy or an SBC that provides a mobile access solution can be used to register roaming devices and then those extensions are registered from the Proxy or SBC to FreePBX as a static IP address, eliminating the need to rely on responsive firewall.

    Any idea why FreePBX doesn't do this? They haven't had time yet to dev it? It's not important to most of their users, as most users of FreePBX aren't mobile users? I'm curious.


  • Service Provider

    @dashrender said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    I also use physical Genband and Acme Packet SBCs because they have physical CPUs that can handle real-time transcoding of tens of thousands of sessions concurrently, which a software solution can't do. That is more typical for trunking but also necessary for things like Office 365 and Skype for Business calling integration.

    I used to believe statements like this, but then I see Scott making statements about software RAID and how none of the big boys use hardware RAID, only software... soooo... what makes software unable to do this?

    Transcoding is VERY different from RAID math. In my video on software and hardware RAID, I talk specifically about how general purpose CPUs do RAID extremely well. And custom RAID hardware doesn't use ASICs, they use general purpose CPUs (normally PowerPCs) that are just low power. Just low end normal CPUs.

    Things like Nvidia graphics cards or bitmining machines or transcoding systems use ASICs that are hardware dedicated to the task that they do making them MUCH faster at that one task and practically useless as a normal computer.

    So while a hardware SBC might transcode 10,000 calls at once, it would suck for running your big Excel spreadsheet.


  • Service Provider

    @dashrender said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    @scottalanmiller said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    Think of an SBC as a voip firewall and/or voip router, depending on its configuration.

    It's a proxy, not like a firewall or router. A bit different.

    There are overlapping features and use cases, but they are not one and the same. An SBC can provide a SIP proxy for registration, but it is not required.

    The real point I guess is that FreePBX currently does not provide a "full complement" solution for roaming users.

    To that end, a SIP Proxy or an SBC that provides a mobile access solution can be used to register roaming devices and then those extensions are registered from the Proxy or SBC to FreePBX as a static IP address, eliminating the need to rely on responsive firewall.

    Any idea why FreePBX doesn't do this? They haven't had time yet to dev it? It's not important to most of their users, as most users of FreePBX aren't mobile users? I'm curious.

    1. FreePBX isn't a company, it's a product. So it's like asking "Why doesn't Windows make a Linux product?" The answer is, because it's a product and can't make things. Microsoft can (and does) make UNIX products. Sangoma, who makes FreePBX, is exactly the company that does make this.
    2. The FreePBX product is a GUI and GUI bundling, not a tech project. They don't make anything even remotely like this. The closest thing that they use is Asterisk, which they don't make, they only include it.

  • Service Provider

    @scottalanmiller said in Responsive Firewall and external FreePBX users:

    @dashrender said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    @scottalanmiller said in Responsive Firewall and external FreePBX users:

    @bigbear said in Responsive Firewall and external FreePBX users:

    Think of an SBC as a voip firewall and/or voip router, depending on its configuration.

    It's a proxy, not like a firewall or router. A bit different.

    There are overlapping features and use cases, but they are not one and the same. An SBC can provide a SIP proxy for registration, but it is not required.

    The real point I guess is that FreePBX currently does not provide a "full complement" solution for roaming users.

    To that end, a SIP Proxy or an SBC that provides a mobile access solution can be used to register roaming devices and then those extensions are registered from the Proxy or SBC to FreePBX as a static IP address, eliminating the need to rely on responsive firewall.

    Any idea why FreePBX doesn't do this? They haven't had time yet to dev it? It's not important to most of their users, as most users of FreePBX aren't mobile users? I'm curious.

    1. FreePBX isn't a company, it's a product. So it's like asking "Why doesn't Windows make a Linux product?" The answer is, because it's a product and can't make things. Microsoft can (and does) make UNIX products. Sangoma, who makes FreePBX, is exactly the company that does make this.
    2. The FreePBX product is a GUI and GUI bundling, not a tech project. They don't make anything even remotely like this. The closest thing that they use is Asterisk, which they don't make, they only include it.

    To drive home this point @Dashrender, Sangoma already sells this product (the SBC), just as they sell FreePBX.

    What are you wanting?

    Also, no one has a simple FOSS SBC that I know of.



  • @dashrender, you could see OpenSIPS as a software version of this, but in high-load scenarios or in transcoding the example @scottalanmiller gives about restricted instruction sets on the video chip is a great example.

    If Asterisk was created after SIP standards were made it probably would have some type of domain filtering that would make the mobile issue a very easy fix.

    That being said, the responsive firewall was a huge leap forward, but I don't see anything in their big requests that indicates they are going to go further. I've not tried to use the Sangoma SBC or to fix the issue since I've moved on. I'm guessing the domain for mobile access is very low amongst FreePBX users, or maybe it's used on desktops inside a LAN that is not using the responsive firewall.

