QuestBlue strives to be the best support in the industry, to ensure that you never have to worry about your system on top of your business. We also want to provide the tools for you to succeed at managing your system, as well! Below are some common questions and issues with PBXs and networks, that you can reference as needed.
Have a question that's not listed here? Get in contact with us! Either submit a ticket under the "Support" category, or contact us by phone.
Securing Your PBX
When it comes to securing your PBX, QuestBlue, by default, uses a whitelist-type firewall. This method provides very strong control and security over who has access to your system, but regardless of what you use, it is important that it stays active at all times. Securing root access with a password is not enough. If you need assistance setting up your firewall, you can speak with a QuestBlue representative about setting up a time and date for a remote session so that we may assist.
Regardless of what route you go to protect a server, there are some IPs which are necessary to allow access to in order to keep your PBX functioning normally:
- Access from QuestBlue's SBC HA-NODE-IP Address: sbc.questblue.com 18.104.22.168
- Access for UDP to pass to your system for ports 10000-64000 from any IP (not a port forward, but just do not block it when your PBX requests it)
- Access from your LAN if your PBX is local in your office network or your WAN IP if your PBX is hosted in a data center or offsite in another location
- Access for any remote workers, support personnel, vendors, or any other party that will need regular access from an outside network
- Other than these, you should reject the rest. The system should be dark to all other forms of traffic.
In your Asterisk deployment you will want to secure your PBX in the file /etc/sysconfig/iptables. We've provided a sample introductory iptables file below:
Recommended minimum iptables file (the *filter header, chain policies and closing COMMIT line are required by iptables-restore, so they are included here):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Loopback and already-established connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
#RTP media - UDP 10000-64000 from any IP
-A INPUT -p udp --match multiport --dports 10000:64000 -j ACCEPT
#QuestBlue SBC
-A INPUT -s 22.214.171.124 -j ACCEPT
#Remote Phones
-A INPUT -s 126.96.36.199 -j ACCEPT
#Port 3306 - MySQL from Known Sources
-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
#Reject The Rest
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT
COMMIT
(Note: In the section labeled "#Remote Phones", delete the line "-A INPUT -s 188.8.131.52 -j ACCEPT" and replace it with one "-A INPUT -s <IP> -j ACCEPT" line for each IP that will require remote access. Do not include this explanation in your iptables file.)
If you run the command nano /etc/sysconfig/iptables from the command line (replacing nano with your preferred text editor if you like), you will find the above file. Make a copy of the file before you start editing, in case you need to fall back to the original. The recommended firewall settings above help keep unwanted visitors from the internet off your Asterisk system while allowing QuestBlue's SBC access. To everyone else, it looks as if the system does not exist.
Once you are done editing these changes, save the file. Pressing Ctrl-X will exit the file in Nano. Hit y to save your changes, and Enter to keep the same filename. You have now overwritten the iptables file with your new changes.
Now you are ready to update your firewall. Run service iptables restart (or systemctl restart iptables if that doesn't work) from the command line. This restarts the iptables service and applies the new rules. You should receive green OKs across the board. If you get any red Failed messages, your firewall is not currently running! It will not filter internet traffic until you fix the errors the command line reports in the iptables file and restart the firewall again.
It is important to note that if you do not fix the errors and get the firewall restarted, the firewall is off and your system is open to the internet.
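The procedure above depends on the restart succeeding, and a typo in the file leaves the firewall off. As an added example (not QuestBlue's own script), the following script builds the whitelist file from a list of trusted IPs, refuses malformed entries, and parse-checks the result with iptables-restore --test before replacing the live file. It assumes the CentOS-style /etc/sysconfig/iptables path and restart commands from the article; the remote-phone addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not QuestBlue's script: build the whitelist firewall file from
# trusted IPs, parse-check it with iptables-restore --test, then install it.
# Assumes the article's /etc/sysconfig/iptables path and restart commands.
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
SBC_IP="18.104.22.168"                   # sbc.questblue.com, as listed in the article
REMOTE_IPS="203.0.113.10 198.51.100.25"  # constructed remote-phone addresses (RFC 5737)

valid_ipv4() {
  # Accept only a dotted quad of four octets in 0-255; reject anything else so a
  # stray character can never end up inside a rule line.
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

build_rules() {
  # $1 = space-separated trusted source IPs. Prints a complete iptables-restore
  # file: the article's rules plus the *filter/COMMIT framing restore requires.
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED -j ACCEPT'
  echo '#RTP media from any IP'
  echo '-A INPUT -p udp -m multiport --dports 10000:64000 -j ACCEPT'
  echo '#Trusted sources: QuestBlue SBC, then remote phones'
  for ip in $1; do
    valid_ipv4 "$ip" || { echo "refusing to write rules: bad IP '$ip'" >&2; return 1; }
    echo "-A INPUT -s $ip -j ACCEPT"
  done
  echo '#Port 3306 - MySQL from localhost only'
  echo '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 3306 -j ACCEPT'
  echo '#Reject the rest'
  echo '-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset'
  echo '-A INPUT -p udp -m udp -j REJECT'
  echo 'COMMIT'
}

install_rules() {
  # Write to a temp file and let iptables-restore parse it first, so a bad file
  # never reaches the live path and the restart cannot leave the firewall off.
  tmp=$(mktemp) || return 1
  build_rules "$1" >"$tmp" || { rm -f "$tmp"; return 1; }
  iptables-restore --test "$tmp" || { echo "rules rejected; live file untouched" >&2; rm -f "$tmp"; return 1; }
  cp -p "$RULES_FILE" "$RULES_FILE.bak" 2>/dev/null   # keep a fallback copy, as the article advises
  mv "$tmp" "$RULES_FILE" && { service iptables restart || systemctl restart iptables; }
}

if [ "${1:-}" = "--apply" ]; then install_rules "$SBC_IP $REMOTE_IPS"; fi
```

Run it as root with --apply; without that flag it only defines the functions, so you can source it and inspect build_rules output first.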
Note on Port Scanning:
Port Scanning is when an external client that should not have access to a system attempts to identify open ports on that server or network. This is a popular first step toward breaching security, as knowing what ports your system has open gives attackers useful knowledge about where to start when looking for access to a system, or vulnerabilities to exploit.
You can identify when port scanning is occurring on a PBX system, if you start receiving calls at all hours of the day from extensions that do not exist on your PBX (often the caller ID is just a number like 100 or 1000). These are often referred to as ghost calls or phantom calls.
In order to prevent port scanning, ensure that your router firewall has the following settings:
- Allow port 5060 access from the IP address of the PBX and sbc.questblue.com only
- Never allow ANY port 5060, UDP or TCP, from ANY/ANY
- Always allow 10000-64000 UDP from ANY/ANY
Follow these guidelines and you should lock down your network from port scanning.
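Ghost calls at the phones are the symptom on the handset side; on the PBX itself the same scanning shows up as bursts of failed SIP authentication events from one source. As an added example (not part of this guide), the script below counts such events per remote IP from Asterisk security-log lines so you can confirm whether a scan is reaching the PBX at all. It assumes Asterisk's res_security_log line format; the sample lines are constructed with documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not from QuestBlue: count failed SIP auth events per remote IP
# in an Asterisk security log. Assumes the res_security_log line format; the
# sample lines below are constructed (RFC 5737 addresses), not captured traffic.
SAMPLE_LOG=$(cat <<'EOF'
[2024-01-10 03:14:22] SECURITY[2331] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1704856462-000123",Severity="Error",Service="SIP",EventVersion="1",AccountID="100",SessionID="0x7f3a8c0",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.77/5060"
[2024-01-10 03:14:22] SECURITY[2331] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1704856462-000456",Severity="Error",Service="SIP",EventVersion="1",AccountID="1000",SessionID="0x7f3a8c1",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.77/5060"
[2024-01-10 03:14:23] SECURITY[2331] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1704856463-000111",Severity="Error",Service="SIP",EventVersion="1",AccountID="101",SessionID="0x7f3a8c2",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.77/5060"
[2024-01-10 03:14:23] SECURITY[2331] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1704856463-000222",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3a8c3",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.77/5060"
[2024-01-10 03:15:02] SECURITY[2331] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1704856502-000333",Severity="Error",Service="SIP",EventVersion="1",AccountID="201",SessionID="0x7f3a8c4",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
[2024-01-10 03:15:10] SECURITY[2331] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1704856510-000444",Severity="Informational",Service="SIP",EventVersion="1",AccountID="201",SessionID="0x7f3a8c5",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/192.0.2.5/5060"
EOF
)

scan_sources() {
  # $1 = minimum failed attempts before a source is reported.
  # Reads log lines on stdin; prints "ip count" for each source at or over it.
  awk -v min="$1" '
    /SecurityEvent="(InvalidAccountID|ChallengeResponseFailed|InvalidPassword|FailedACL)"/ {
      # Pull the address out of RemoteAddress="IPV4/<proto>/<ip>/<port>".
      if (match($0, /RemoteAddress="IPV4\/[A-Z]+\/[0-9.]+\//)) {
        split(substr($0, RSTART, RLENGTH), f, "/")
        hits[f[3]]++
      }
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }'
}

# Report any source with three or more failures in the sample.
printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
```

With the whitelist firewall from the section above in place, this report should stay empty, because scanners never reach Asterisk; a non-empty report means 5060 is still reachable from outside.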
Creating a New SIP Trunk Through the User Portal
QuestBlue Systems offers some of the fastest SIP Trunk creation times in the industry. Our SIP Trunks have no cost associated with them. You can have as many SIP Trunks as you have PBXs to support in your account. Please note that usage costs do apply.
Once you are a registered user, you will find that your SIP Trunk can be added and activated in a couple of simple steps.
Simply fill in the form (pictured) to create your new SIP Trunk. All it asks for is a name and IP address. The trunk name must be alphanumeric with no spaces or special characters. The IP address is the public IP/WAN IP of your PBX. Press the Create SIP Account button and your trunk is now active in real-time with no delays or approval process.
QuestBlue SIP Trunks also require no registration. We use IP authentication, which is quite simple if you follow some basic rules of networking:
- Port forward port 5060 in your router/firewall to the internal IP of your PBX. If you have an advanced router/firewall you can restrict this port forward from sbc.questblue.com
- Allow or port forward 10000-20000 UDP in your router/firewall to the internal IP of your PBX. This should be allowed from any outside IP so that the audio of the RTP stream can pass
- To further protect your system, please create and use the firewall sample we provided in the Securing Your PBX section above.
Disabling SIP ALG
What is SIP ALG?
SIP ALG stands for SIP Application Layer Gateway, and is found on most commercial routers on the market today. It was initially designed to avoid problems caused by the router's firewall settings by examining the VoIP packets that control voice calls and rewriting them if necessary. Although it was designed to help the end-user, it actually modifies VoIP traffic in an unpredictable way, leaving packets corrupt and indecipherable. More often than not SIP ALG is enabled by default, and it is not always a setting the end-user can access. A call to your Internet Service Provider may be required to verify the SIP ALG setting on your home or office router. Common issues caused by SIP ALG include:
- Phones dropping out of and back into registration
- Incoming calls failing
- One-way audio
- Inability to transfer calls
- Inability to place a call on hold or in park
- Inability to pick up a call on hold or in park
- Improper routing of calls
How to Disable SIP ALG
When disabling SIP ALG, keep in mind that the process will ultimately depend on your specific device. It is always good practice to begin by reading through the manufacturer's handbook for your device. You can also do a quick internet search for "disable SIP ALG on (my device)," supplying your model. And remember, you can always reach out to your Internet Service Provider directly. They will be the most familiar with the settings of your specific device and have the most up-to-date information.
Guide to Getting Started with iFax
Not sure how to get started now that you've signed up? We've created a guide that will help you with the process of understanding iFax.pro. You'll be using it in no time!
SIP Trunk Setup on FreePBX
Not sure how to get your FreePBX system connected to QuestBlue? Our Support Department has compiled a set of documentation to get you building a SIP Trunk on FreePBX.
For FreePBX 11 users, click here:
For FreePBX 12+ users, click here: