Fusion Newbie - Initial Thoughts/Questions

Status
Not open for further replies.
B

Billy

New Member
Oct 1, 2018
18
2
3
Hi All,

I was given some advice to take a look at Fusion. (Currently using 3CX). After some initial testing and mistakes I have some questions....

1. Using a cloud based setup Vultr/OVH etc. Do you still need Internal Interface if using just WAN IPv4 address. Is it better to also have internal network also on server? (something I don't normally bother with)

2. How do remote phones at the office for example work with NAT ports and routing back to phones if they are also behind local router. With 3cx we have to use a SBC which routes via one port.

3. Do you guys change the default ports for security and what impactions does this have on the system.

4. Security concerns and steps to take as a minimum.

5. Changing the 'Cluecon' password seems to break things (socket errors) Ie can't load SIP status for example.

6. Provisioning seems hit and miss. Yealink which are normally very easy would not work on UDP and had to change to Tcp for some reason.

I know its a long list, but thanks to anybody who takes the time to respond! Its great to hear from real experience in these matters...

Thanks
 
  • Like
Reactions: Derick
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
I think you are misunderstanding some things but here goes:

1. You do not need an internal interface but I think you are referring to profiles, the default installer will install everything correctly for remote servers, it doesn't need tinkering with at all.

2. Remote phones will work just fine, in general, you just need to enable rport on them where available. Freeswitch is very good at fixing up NAT out of the box.

3. Security through obscurity doesn't work IMHO, I leave the ports exactly as they are.

4. FusionPBX is quite secure out of the box, there are a couple of things that can be done further to discourage hackers but we already have a good set of default firewall rules and fail2ban that protects the PBX already.

5. Due not change the Cluecon password. For a single server there is no need, the event socket will only listen on 127.0.0.1 anyway.

6. Provisioning is absolutely not hit and miss so you must have something else wrong. All the provisioning itself will be done by TCP anyway eg http/https. The provisioning files will also by default set the SIP transport to TCP, this is much more reliably for NAT. If you have somehow managed to find them using UDP then you must have already changed something in the provisioning for this to happen.
 
B

Billy

New Member
Oct 1, 2018
18
2
3
Daz, Thanks very much for the response.

1. Yes I meant SIP profiles. Ok I'll leave alone part from disabled ipv6 which I'm sure are not needed.

2. rport - could you clarify?

3. This I'm not sure I agree with but accept your view. Ive seen with 3cx getting absolute hammered on standard ports and continually getting blacklisted IP address which it show in the dashboard. Our setup gets zero after changing to other ports. I also see this with RDP on servers and continual failed login attempts. Change it from 3389 and they stop almost completely. Thats my experience.

4. I'll take your advice on that.

5. Ok no problem. I saw posts saying to change but it broke stuff, so I'll leave it.

6. Yealink T46S was udp after a factory reset?

Thanks again for the advice and time taken to respond! I'm now trying to work out why incoming calls are not working....

Oh sorry one more question: On install stable or master? & Any reason not to go with v7 for php?
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
If you are using the recommended debian install you will get php7

There are rules you can use to protect the box that means changing ports is not necessary.

At its simplest for example, block all teaffic to 5080 except from carrier IPs then enable the freeswitch IP filter that I have mentioned today in another post.

For your inbound calls, are you sending to port 5080 from the carrier? If not you will need to add an ACL rule to allow the carriers to send to port 5060, unless of course you are using registration.
 
  • Like
Reactions: Billy
B

Billy

New Member
Oct 1, 2018
18
2
3
They say they can see the trunk connected on 5080 so I guess the connection is ok. When you call its goes straight to their voicemail, after a few seconds of dead space.

I'll try and find the post then and see how to do IP filter etc.
 
B

Billy

New Member
Oct 1, 2018
18
2
3
This is strange. External calls are not even in the logs... There were yesterday when I phoned the supplier! We could see him calling via log viewer. It now only shows internal calls in the log?!?
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
You sure the carrier somehow hasn't become banned by fail2ban or something?
 
Andrew Pickett

Andrew Pickett

Member
May 16, 2017
103
7
18
38
This is a great command to run from prompt to show you the jails

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a)}' | grep "Status\|IP list"

See if they are in one!
 
  • Like
Reactions: Billy
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a)}' | grep "Status\|IP list"
awk: cmd. line:1: (FILENAME=- FNR=1) fatal: attempt to use array `a' in a scalar context
 
Andrew Pickett

Andrew Pickett

Member
May 16, 2017
103
7
18
38
Hmm not sure why its failing from copy and paste from the site. Even if i manually alter this forum keeps dropping after the a array please use screenshot to see where to add it in.

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a ADD IN HERE)}' | grep "Status\|IP list"
1538485846169.png
 
Last edited:
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
Code: 
fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"
 
B

Billy

New Member
Oct 1, 2018
18
2
3
Status for the jail: freeswitch-ip
| `- IP list:
Status for the jail: fusionpbx
| `- IP list:
Status for the jail: nginx-dos
| `- IP list:
Status for the jail: sip-auth-challenge
| `- IP list:
Status for the jail: nginx-404
| `- IP list:
Status for the jail: ssh
| `- IP list:
Status for the jail: freeswitch
| `- IP list:
Status for the jail: fusionpbx-mac
| `- IP list:
Status for the jail: sip-auth-failure
| `- IP list:
Status for the jail: fusionpbx-404
| `- IP list:


I guess nothing to report..
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
You should definitely see these calls hitting the box from the carrier.
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
You need to go within them and get the details but regardless, if its a call you are looking for INVITE
 
B

Billy

New Member
Oct 1, 2018
18
2
3
They say this this is not right:

Contact: <sip:gw+fa9278c1-0fc6-44d5-b12e-0643302bf35f@95.179.200.64 :5080;transport=udp;gw=fa9278c1-0fc6-44d5-b12e-0643302bf35f>.

The "Contact" field should be 30177421*203@95.179.200.64:5080, instead fusion is sending gw+fa9278c1-0fc6-44d5-b12e-0643302bf35f
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
576
113
There is a way to change that, I'll dig it out but you should tell them, "The whole idea of the contact is that they send it where you tell it to be sent, not where they specify"
 
B

Billy

New Member
Oct 1, 2018
18
2
3
Im doing a server restore and see if the logs then show calls. This was showing so Im going back and see if that works.....
 
B

Billy

New Member
Oct 1, 2018
18
2
3
Ive also worked out that this was changed yesterday:

ext-rtp-ip
ext-sip-ip

changed to external address on both profiles
 
Status
Not open for further replies.
Top Bottom