FreePBX 101 v14 Part 3 – Initial Setup


Welcome to Crosstalk Solutions. My name is Chris, and this is FreePBX 101 version 14. This is video 3. We’re going to go through the initial steps that I always do when I first get to the dashboard. So I’ve installed the system, I’m past the wizard, and now I’m at the dashboard. What do you do?

First, to sort of set the foundation of the whole system, that’s going to be: set up the firewall, your NAT settings, the SIP port settings, intrusion detection. But to start off everything, we’re going to set a static IP address on this server. So to do a static IP address: right now, I’m at 10.17.44.112. That was assigned to my server with DHCP. I’m gonna come up here to Admin and we’re gonna choose System Admin, and then on the right-hand side you should see Network Settings. Here we can see eth0 is currently set to DHCP. So we’re just going to change that to static and we’re gonna give ourselves a static IP address of 10.17.44.30.

Now, you want to just double-check that the netmask and the gateway are correct. Both of these are correct in my case, so I’m just gonna say Save Interface and Save and Apply. Now, when you change the IP address, you are going to have to reconnect on the new IP address. So let’s go ahead and do that now: I’m gonna pop .30 up into my browser, and I’m now reconnected to the system, and I need to log back in with my admin credentials that I set up in the wizard in the last video. OK.

So now I’m back at the dashboard. I’ve connected on my new IP address, and one thing that bugs me is I see this here: “VoIP Server”. So that’s the default name of the system. Let’s go ahead and change that first. That’s found under Advanced Settings. So we’re gonna say Settings, Advanced Settings, and then you want to scroll almost all the way down towards the bottom of this page and you see System Identity. You can also just do a Ctrl+F in your browser and search for “system identity” or “identity”. We’re gonna change this to say “FreePBX 101 v14” and we’re gonna click Submit.

Now I’ve got the Apply Config in the upper right-hand corner. If you remember from the last video, you don’t have to press Apply Config every time you make a change, so I’m just gonna leave that up there for now and we’ll press it at some point in the future. The next thing that I want to do is make sure that my NAT settings are set up correctly, so we’re going to go to Settings and Asterisk SIP Settings. Now, why is NAT important to FreePBX? NAT is important because it determines which IP address packets are being sent out as. OK.

So, basically, if you’re on the local network, and I have an internal IP address of 10.17.44.30, all of my internal LAN networks, or even some networks that are connected over VPN, should have that return address as their setting, right? So we’re not going to the external IP address from an internal LAN. That’s why it’s important to set up all of our local networks so that NAT happens properly. Now, for anything that’s not a local network or a trusted internal network, we want to have the network packets that go out have the return address of our external IP, right? So if we’re talking to SIP trunks or something like that, that’s perfectly fine. So here we have the external address. That should be your WAN IP address.

Verify that that is correct. In my case it is correct, and we have one local network of my 10.17.44.0/24. I’m gonna add another local network for the network that I’m connecting from right now from this computer, which is 192.168.200.0/24. We also have a CRM system here at Crosstalk Solutions that allows us to securely connect to all of our clients, and I’m also going to add our VPN network as well, which is 172.16.128.0/21. OK, so now I’ve entered all of my local networks. We’re gonna click Submit.

While we’re in Asterisk SIP Settings, there are two other tabs up here: chan_sip and chan_pjsip. Now, these are two different implementations of the SIP protocol. chan_sip is an older legacy implementation; PJSIP is a newer implementation. The default SIP port of UDP 5060 is assigned to the newer PJSIP by default. However, PJSIP isn’t fully compatible with all the SIP trunk vendors out there, so at Crosstalk Solutions, as a FreePBX consultant, I still prefer chan_sip to be running on UDP port 5060, and then I put PJSIP on 5160, right? That way, I can connect some phones and stuff that I know work fine with PJSIP on 5160, but the default SIP port of UDP 5060 is still being used for the legacy chan_sip, which is, you know, much more compatible with a wider range of services out there that you might be connecting to. OK?

So if we come to this page and we scroll down to the bottom, we can see that the bind port for chan_sip is 5160, which we want to change to 5060. But you can’t have the bind port for both chan_sip and PJSIP on the same port at the same time, so first we have to bump this off of 5160. I’ll make it 5260. We’re gonna click Submit, and then we want to click on the chan_pjsip settings tab, and once again we’re gonna scroll down and we will change the bind port for PJSIP to 5160 and click Submit, and click OK because it says, hey, you’ve got to restart Asterisk after you do this. And now we can go back to the chan_sip tab, and we can scroll down again and we can change chan_sip to 5060 and then click Submit, and we are done. At this point I’m going to go ahead and click Apply Config.

OK, so now we’re back at the FreePBX dashboard. We can see that our name of the server is now FreePBX 101 version 14, and the next thing that I want to do is set up intrusion detection. So to get to intrusion detection, I’m going to go to Admin, and then we’re gonna click on System Admin, and then we’re gonna click on Intrusion Detection from the right-hand menu. Now, there’s two important things that intrusion detection does. Number one, of course, it blocks out intruders. It only allows a certain number of attempts to authenticate before it says, hey, wait a minute, you’ve failed too many times, we’re gonna block you out. OK. The second thing that it does is it allows you to whitelist your networks that you know are secure. For instance, if you had a network that you knew was secure and there’s a phone behind that network that has a bad password that’s configured in the phone, you don’t want to lock out your own whitelisted networks, or you don’t want to lock out your own trusted network; you want to whitelist them, so that’s what we’re gonna do here.

So what intrusion detection is doing here is it says we have a ban time of 1800, which is a half an hour. We have a max retry of eight. That’s how many times a device can try to authenticate before we block it out, and then we have the find time, which is set to 600, or ten minutes. Now, what that means is if any device tries to authenticate more than eight times, tries and fails to authenticate more than eight times within ten minutes, we’re going to block the IP address of that device for half an hour. To me, these settings are a little bit loose, so we’re gonna change them. If someone tries to authenticate and fails three times within 300 seconds, or five minutes, I’m going to block them for 3600 seconds, or one hour. In addition to that, we’re going to whitelist our trusted networks, so we have 10.17.44.0/24, we have 192.168.200.0/24, and we have my VPN network of 172.16.128.0/21. And we can see right now we don’t have any banned IP addresses, because no one’s trying to connect to this server yet. OK, now we’re gonna say Submit, and we’re all done with our intrusion detection.

The next thing I want to do is finally dial in and set up the FreePBX firewall, so we’re going to go to Connectivity and we’re gonna click on Firewall. First, let’s click on Interfaces. We can see that right now eth0, so any traffic coming in and out of eth0, is currently set to Trusted. OK, so meaning we’re not firewalling anything on our main network interface. So we’re gonna change that. We don’t want it to be trusted. We want to scrutinize the traffic that’s coming in from eth0, but first we want to whitelist our trusted networks, so we have Networks.

Now, two of these IP addresses in here were set up by the initial setup wizard when it asked us, hey, do you trust this client and do you trust this client’s network? That’s 192.168.200 for my computer and then 192.168.200 for my computer’s LAN, or the main LAN that I have here in my office. So that’s a little redundant, to have both a single host and the whole network, the whole Class C subnet, whitelisted. So I’m gonna check my host and we’re gonna say Delete Selected. Now we can add in the additional networks we need to whitelist.

So I’m gonna say 10.17.44.0/24, and we’re gonna set that to Trusted. We’re gonna add one more network. This is our VPN network of 172.16.128.0/21. We’re also gonna set that to Trusted, and I highly recommend using the descriptions here. So I can say “VPN network”, you know, “FreePBX network”, and then we’ll call this one “main LAN”. Now, there’s other things that you can whitelist in this firewall that we’ll get to throughout the series, such as LAN IP addresses of remote sites that might be connecting in or remote clients that might be connecting in, but you also might want to whitelist the LAN IP addresses of your SIP provider so that they can get through the firewall as well.

Using the description field means that in the future, if you ever have to make a change to your SIP provider’s IP address or make a change to one of your clients’ IP addresses, you’ll know which old IP addresses to delete. OK. So that’s very important. You know, if I’ve got Joe Bob connecting in on a certain IP address and then Joe Bob’s IP address changes, I want to update the firewall with his new IP address and I also want to delete Joe Bob’s old IP address out of the firewall just to keep everything nice and secure, and the description really comes in handy if you put in the extra effort to enter that in. OK, so I’m happy with this setup. I’m gonna go ahead and click Save.

The next thing we’re gonna do is actually click on our firewall, so I’m gonna click on Interfaces, and here we have eth0, which is Trusted. I’m gonna flip that over to Internet (Default Firewall). OK. So this is now going to close the gates. OK, we’re gonna close the gates, except for the actual IP addresses and LANs and subnets that we have explicitly whitelisted and said, hey, these are OK to pass through.

Before I hit this button, OK, make sure, double and triple check that you are whitelisted, because if you lock yourself out of the FreePBX, you’re locked out of the FreePBX. However, there is one way that you can get back in to make changes. If you do lock yourself out of FreePBX, and believe me, I’ve done it myself multiple times, if you reboot the FreePBX two times within five minutes, you are given a five-minute window with which you can go in and make changes to the firewall. OK. So basically, if you reboot twice within five minutes, that’s signaling to the FreePBX services that, hey, let’s hold off on starting the firewall for five minutes after the second reboot, so that you can go in and make changes and potentially whitelist any networks that you might have locked yourself out from. OK, I think we’re OK in our case, though, so I’m just gonna say Update Interfaces, and now our firewall has been turned on.

A couple other things that you might want in the firewall is the Responsive Firewall. So right now we can see that I have the Responsive Firewall disabled for all of my protocols. That’s PJSIP, legacy SIP or chan_sip, as well as the IAX protocol. The reason being is that I am specifically trusting networks and clients to connect through. OK. I don’t have any dynamic IP addresses that might change that need to connect into this system. If I did, I would probably try to set them up with VPN first, and I would only ever use the Responsive Firewall as a last-ditch measure, this is the only way that I can authenticate these clients into the FreePBX. So I’m gonna leave Responsive Firewall disabled for the time being, but know that you can enable it in this tab. The other thing that you need to know about the FreePBX firewall is that all of the services that FreePBX needs, all of the ports and services, are enabled by default through the Internet zone.

So, for instance, the User Control Panel is a good example. SSH is only allowed locally, but if I wanted to allow SSH through the firewall, I could check this box and allow it through the Internet zone as well. Same thing with the HTTP web management: I could allow or disallow that through the firewall. In our case, we’re just gonna leave everything default. But again, if you have these services that you want to allow through the firewall, any of the extra services that are listed or any custom services, so, for instance, if you installed the Flash Operator Panel, which runs on a different port that’s not supported by FreePBX by default, you would have to add that port or that service into the Custom Services tab. OK, so we’re gonna save the firewall settings.

Hopefully, you didn’t lock yourself out. We’re gonna go back to the dashboard, and we can now see that our firewall configuration has this green checkmark next to it, which means everything is all good. OK, so that’s it for FreePBX 101 version 14, video number three, for the initial setup. In our next video we’re going to start to add in some of our extensions and actually start getting some phones connected up to this server. OK, I hope you enjoyed this video and we will see you in the next one.
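An added example, not part of the video or of FreePBX: a small simulation of the intrusion detection settings discussed in the transcript (ban time, max retry, find time, whitelist), replayed over constructed failed-login events. It assumes a ban fires when the failure count inside the find-time window reaches max retry; the source addresses are made up.

```python
import ipaddress
from collections import defaultdict, deque

# Whitelisted networks as given in the transcript.
WHITELIST = [ipaddress.ip_network(n) for n in
             ("10.17.44.0/24", "192.168.200.0/24", "172.16.128.0/21")]

def simulate(events, max_retry, find_time, ban_time, whitelist=WHITELIST):
    """Replay (timestamp_seconds, source_ip) failed-auth events in time order.

    Returns a list of (ip, ban_start, ban_end). Assumption: a ban fires when
    the number of failures inside the sliding find_time window reaches
    max_retry; failures arriving while the source is banned are not counted.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for ts, ip in sorted(events):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in whitelist):
            continue              # trusted source: never counted, never banned
        if banned_until.get(ip, -1) > ts:
            continue              # already blocked
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            window.clear()
    return bans

# Constructed sample: a slow guesser (one failure every 100 s) and a
# misconfigured phone on the trusted LAN retrying every 10 s.
EVENTS = [(t, "203.0.113.9") for t in range(0, 700, 100)]
EVENTS += [(t, "10.17.44.57") for t in range(0, 200, 10)]

DEFAULTS = dict(max_retry=8, find_time=600, ban_time=1800)
TIGHTENED = dict(max_retry=3, find_time=300, ban_time=3600)

if __name__ == "__main__":
    print("default  :", simulate(EVENTS, **DEFAULTS))
    print("tightened:", simulate(EVENTS, **TIGHTENED))
```

With the default values the slow guesser is never banned; with the tightened values it is banned at its third failure, while the whitelisted phone is ignored in both cases.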
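An added example, not part of the video or of FreePBX: a pre-change audit of the firewall's Trusted list, covering the three checks the transcript describes before moving eth0 to the Internet zone (is my own address still covered, is a single host redundant with its subnet, does every entry carry a description). The admin host address and the entry list are constructed for illustration.

```python
import ipaddress

def audit_trusted(entries, admin_ip):
    """entries: list of (cidr_or_host, description) marked Trusted.

    Returns (covered_by, redundant, undocumented):
      covered_by   - entries that would still admit admin_ip
      redundant    - (narrow, broad) pairs where narrow lies inside broad
      undocumented - entries with an empty description
    """
    nets = [(ipaddress.ip_network(c, strict=False), c, d) for c, d in entries]
    admin = ipaddress.ip_address(admin_ip)
    covered_by = [c for n, c, _ in nets if admin in n]
    redundant = [(c1, c2)
                 for n1, c1, _ in nets
                 for n2, c2, _ in nets
                 if n1 != n2 and n1.version == n2.version and n1.subnet_of(n2)]
    undocumented = [c for _, c, d in nets if not d.strip()]
    return covered_by, redundant, undocumented

def would_lock_out(entries, admin_ip):
    """True if no Trusted entry covers the address you are managing from."""
    return not audit_trusted(entries, admin_ip)[0]

# Constructed list: the wizard-style host entry plus the three networks
# named in the transcript. 192.168.200.50 is a made-up admin workstation.
ENTRIES = [
    ("192.168.200.50", ""),
    ("192.168.200.0/24", "Main LAN"),
    ("10.17.44.0/24", "FreePBX network"),
    ("172.16.128.0/21", "VPN network"),
]

if __name__ == "__main__":
    covered, redundant, undocumented = audit_trusted(ENTRIES, "192.168.200.50")
    print("admin covered by:", covered)
    print("redundant pairs :", redundant)
    print("no description  :", undocumented)
    print("lockout from 198.51.100.7?", would_lock_out(ENTRIES, "198.51.100.7"))
```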
