dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 3:59 pm

Hello

I have my freepbx device configured on LAN with 192.168.88.100 address.
Now in order for it to work with external devices some forwarding needs to be put in place.
Ports 5060 and 10000-20000 udp need to be forwarded to freepbx.

I have found some articles which I followed but it doesn't seem to work.

SIP clients from the outside/Internet are not able to log on and register with pbx.

Here is my firewall export, if someone could tell me what I am doing wrong I would really appreciate it.

[dawid@Dave_MikroTik] > ip firewall export
# sep/11/2015 13:58:33 by RouterOS 6.31
# software id = BZDL-2H4H
#
/ip firewall filter
add chain=input src-address=77.108.128.0/24
add chain=input connection-state=related
add chain=input in-interface=ether1-gateway
add chain=input dst-port=5060 log=yes protocol=udp
add chain=input dst-port=10000-20000 log=yes protocol=udp
add chain=input connection-state=established
add chain=input protocol=icmp
add chain=input src-address=77.108.150.226
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add action=drop chain=input in-interface=ether1-gateway
add action=drop chain=input in-interface=pppoe-out1
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.88.100 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=\
    ether1-gateway protocol=udp to-addresses=192.168.88.100 to-ports=\
    10000-20000
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip firewall service-port
set sip disabled=yes



Thank you in advance
Dave
Last edited by dawidku on Fri Sep 11, 2015 4:52 pm, edited 1 time in total.
 
marrold
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 4:34 pm

> it doesn't seem to work

This is incredibly vague, we need more info.
I'm a SIP / VoIP engineer. Feel free to ask questions...
 
dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 4:56 pm

>> it doesn't seem to work
> This is incredibly vague, we need more info.

marrold

I have updated the original post, what other information would you need to help me resolve this?
 
chechito
Forum Guru
Posts: 1772
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 5:11 pm

voip + nat = problem
 
marrold
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 5:53 pm

> voip + nat = problem

Complete bullshit. It can be a problem, but 9 out of 10 times it can be made to work.

Especially with a Mikrotik 8)
 
chechito
Forum Guru
Posts: 1772
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 6:16 pm

Personally I prefer avoiding NAT on VoIP implementations using VPNs or tunnels
 
dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 6:34 pm

It does work in another location also behind a firewall (Sonicwall) without any problems.
I am sure this can be done with MikroTik but I am a total newbie when it comes to these devices.

Do you guys need any extra information?
 
gtj
Member Candidate
Posts: 121
Joined: Thu Apr 30, 2015 2:52 am
Location: Colorado US

Re: freepbx / asterisk firewall and nat rules

Fri Sep 11, 2015 9:18 pm

NAT + Asterisk = complete success IF you have patience and know how to set up both. I do it all the time.

The biggest trick is to turn off any specific SIP helpers in the firewall.
 
dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

Re: freepbx / asterisk firewall and nat rules

Mon Sep 14, 2015 9:20 am

Could someone actually tell me what is wrong with my configuration?
 
marrold
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: freepbx / asterisk firewall and nat rules

Mon Sep 14, 2015 12:38 pm

> add chain=input dst-port=5060 log=yes protocol=udp
> add chain=input dst-port=10000-20000 log=yes protocol=udp

These rules should be in the forward chain.
 
dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

Re: freepbx / asterisk firewall and nat rules

Mon Sep 14, 2015 8:18 pm

>> add chain=input dst-port=5060 log=yes protocol=udp
>> add chain=input dst-port=10000-20000 log=yes protocol=udp
> These rules should be in the forward chain.

marrold

Changed to forward and disabled SIP helper and all works now.

Thank you very much
dawidku
 
marrold
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: freepbx / asterisk firewall and nat rules

Mon Sep 14, 2015 10:14 pm

I'm glad that's worked. However if you leave your PBX open to the world, you're likely to get hacked.
 
dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

Re: freepbx / asterisk firewall and nat rules

Tue Sep 15, 2015 11:06 am

> I'm glad that's worked. However if you leave your PBX open to the world, you're likely to get hacked.

marrold

I only have these 2 rules in place for outside access + I have Fail2Ban configured on freepbx to protect against authentication attacks.
 
marrold
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: freepbx / asterisk firewall and nat rules

Tue Sep 15, 2015 11:30 am

> I only have these 2 rules in place for outside access + I have Fail2Ban configured on freepbx to protect against authentication attacks.

Fail2Ban won't catch everything. Be careful
 
dawidku
just joined
Topic Author
Posts: 7
Joined: Fri Sep 11, 2015 3:51 pm

Re: freepbx / asterisk firewall and nat rules

Tue Sep 15, 2015 11:41 am

>> I only have these 2 rules in place for outside access + I have Fail2Ban configured on freepbx to protect against authentication attacks.
> Fail2Ban won't catch everything. Be careful

marrold

I had it like that for over 2 years without issue but you're right, one can't be too careful.
Is there anything else on a MikroTik you would recommend to make this more secure?

Thank you
dawidku
 
chechito
Forum Guru
Posts: 1772
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: freepbx / asterisk firewall and nat rules

Wed Sep 30, 2015 5:11 am

Personally I only allow external access to the VoIP server using VPNs to lower the risk
 
soyelpulpo
newbie
Posts: 39
Joined: Mon Nov 10, 2014 1:22 am
Location: Lima - Peru

Re: freepbx / asterisk firewall and nat rules

Wed Sep 30, 2015 7:18 am

> personally i only allow external access to voip server using vpns to lower the risk

I learned that lesson the hard way. My pbx got abused and I got a huge bill. VPN is the only way to go.
 
troffasky
Member
Posts: 407
Joined: Wed Mar 26, 2014 4:37 pm

Re: freepbx / asterisk firewall and nat rules

Sun Oct 04, 2015 12:54 am

> Is there anything else on a MikroTik you would recommend to make this more secure?

Use ACLs to restrict SIP access to only the IP addresses that need access. Use VPN for anything that doesn't have a static IP address [Snom handsets - for example - support OpenVPN, although I suppose you don't really want to run voice over TCP - forward the OpenVPN port to the Asterisk server and terminate it there :-p].

If you can't do the above, then some sort of proper authentication [eg certificates] should be used.
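
The change that resolved the thread, combined with the source restriction suggested in the last reply, written out as an added example (not a configuration posted by any participant). The address-list name `sip-allowed` and the address 203.0.113.10 are constructed placeholders; the interface name and PBX address come from the original export, and the rules assume nothing earlier in the forward chain already matches this traffic.

```routeros
# Before (from the original export): the accept rules sit in chain=input,
# which only sees packets addressed to the router itself. Packets that
# dst-nat rewrites to 192.168.88.100 are routed, so they pass chain=forward.
#   add chain=input dst-port=5060 log=yes protocol=udp
#   add chain=input dst-port=10000-20000 log=yes protocol=udp

# After: keep the SIP helper off, as in the export.
/ip firewall service-port
set sip disabled=yes

# Constructed placeholder entry: replace with the static addresses of the
# remote peers that really need access ("sip-allowed" is a hypothetical name).
/ip firewall address-list
add list=sip-allowed address=203.0.113.10 comment="remote SIP client (example)"

/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
# Signalling: only listed sources may reach the PBX on 5060/udp.
# The filter sees the post-NAT destination, hence dst-address is the PBX.
add chain=forward in-interface=ether1-gateway protocol=udp dst-port=5060 \
    dst-address=192.168.88.100 src-address-list=sip-allowed log=yes
# Media: RTP range to the PBX, assuming media comes from the same peers.
add chain=forward in-interface=ether1-gateway protocol=udp \
    dst-port=10000-20000 dst-address=192.168.88.100 \
    src-address-list=sip-allowed
# Anything else arriving on the WAN-side interface is not forwarded.
add action=drop chain=forward in-interface=ether1-gateway
```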
