PBX in a Flash + Incredible PBX makes setting up FreePBX + Asterisk easy

VoIP
Author

Vinh Nguyen

Published

November 22, 2011

Asterisk is a very powerful open source telephony platform. I've described how to install it and configure Google Voice with it in the past. Setup is quite complicated for a newbie. I was never able to set it up to the point where I could connect to the Asterisk server using the SIP protocol to make calls. Luckily, there is FreePBX, which makes configuring Asterisk a lot easier. Even better, there are PBX in a Flash (PIAF) and Incredible PBX (choose different PIAF versions) ISOs that make creating a PBX sandbox server quite easy. With these tools, I will be able to have my own conference call number and fax number for personal use.

Although PIAF is based on CentOS, a Linux I had zero experience with, the installation process was a breeze. I will describe my adventures based on this guide. At the time of this writing, PBX in a Flash 2 with CentOS 6 was just released, but I will stick with the version based on CentOS 5.7 as CentOS 6 requires more system resources and I am using the platform on an old P4 computer with 1 gig of ram.

Getting help

Before I outline any instructions, let me note where you can get help. The best place to go is probably #freepbx on irc.freenode.com. It gets quiet sometimes, but just ask questions and be patient. Also, describe what you did to arrive at your current situation, and whatever advice they give you, just do it.

I also used the PIAF Help forum to get help, although I think more pros are over at #freepbx. However, new users cannot post immediately (they will show as banned). I had to jump through hoops and contact the forum owners through many channels to get myself the ability to post.

On the FreePBX admin page, mouse-over different categories on a page for a description of what the options are.

Installation

First, download the 32-bit PIAF as described here. I created a bootable USB flash drive from the ISO file (pbxinaflash-FlashDrive-17571.iso) using unetbootin. After booting up the flash drive, I selected to install PIAF-purple (long term support version). CentOS will then be installed. After it reboots, scripts will automatically install Asterisk, FreePBX, additional modules, and all necessary dependencies. Note that internet access is required for the installation process as files are downloaded and installed on the fly. After PIAF is installed, log in as root and issue:

cd /root
wget http://incrediblepbx.com/incrediblepbx2.x
chmod +x incrediblepbx2.x
./incrediblepbx2.x
/root/incrediblefax.sh
shutdown -r now

All necessary modules are now installed.

Security measures + remote sip connections

It is important to keep your system as secure as possible. Ideally, it should be sitting behind a firewall (hardware) with no ports exposed to the internet. That is, users connecting to the PBX server for phone service should be on the same local network as the server. If your server is exposed to the internet, at least take these precautions:

  1. Don't allow root login for ssh. Use a different user for ssh access.
  2. Expose only the necessary ports. Don't expose ports 80, 9080 (freepbx), and 9001 (webmin).
  3. Strong passwords for everything: root (also used for webmin), user, maint (freepbx web interface), and even the asterisk extensions.

To disallow root login via ssh and create a new user for regular access, do

vi /etc/ssh/sshd_config
## set: PermitRootLogin no ## change from yes to no
## create a non-root user to log in over ssh.  As root, do
useradd -d /home/newuser -m newuser
passwd newuser ## enter in password
## give newuser the power of sudo
visudo ## opens /etc/sudoers and checks the syntax before saving
## add: newuser    ALL=(ALL)       ALL
## restart sshd so the PermitRootLogin change takes effect
service sshd restart
## log out and log in as newuser
## add to ~/.bashrc of newuser
export PATH=$PATH:/usr/kerberos/sbin:/usr/kerberos/bin/:/usr/local/sbin:/usr/sbin/:/sbin/

If you are behind a NAT firewall (router), forward these ports if they are relevant (remote sip connection):

SSH: 22 TCP/UDP
IAX: 4569 UDP; to connect to server via IAX protocol remotely
SIP: 5060 UDP; to connect to server via SIP protocol remotely
RTP: 10000-20000 UDP (/etc/asterisk/rtp.conf); voice connections
Don't open 80/9080 (freepbx administration) and 9001 (webmin)

For remote sip connection, I believe you also need to go to Tools (top of page) > Asterisk SIP Settings. Then modify the NAT settings: external IP and Local network (eg: 192.168.1.0/255.255.255.0). Click "Auto Configure" to automatically do this.

I originally had my server exposed to the world thinking the server is quite secure. I still think it's pretty secure as Fail2ban and iptables work quite well; see this experience with trying to connect to a SIP extension from outside (remote connection) where the extension was restricted to only internal IP addresses. Basically, if you fail to authenticate to any service (ssh, http, sip, etc.) a few times, the server will no longer respond to you (all services) until the pbx server is restarted.

My current setup: pbx behind a router with only the necessary ports opened as advised by all the experts.

One issue I encountered was that I was able to register a sip connection on the local network but not remotely across the internet, even though all my ports were forwarded. Using the following method, I realized that my connection to port 5060 never made it to the server:

asterisk -vvvvvr
sip set debug on ## debug sip registrations.  if you are trying to register a connection and you don't see any activity here, then your packets never made it to the server 

Even if I removed the firewall (router) and exposed all ports to the internet (DMZ), I was not able to register a remote sip connection. I later realized it was because of iptables (Linux firewall) on the pbx server. See this for more details. After executing the following command,

iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

I was able to register a remote sip connection. To make this permanent, I added the rule via Webmin (http://local.ip:9001/). Your pbx server needs to respond to inquiries from ports 5060, 4569, and 10000-20000 UDP; I think somehow 5060 was set as TCP instead of UDP during installation, so I had to fix it manually. Restart the server to have the new rule take effect. Thank you n3glv, navaismo, adam1, and [TK]D-Fender from #freepbx for your help.
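The tcp-instead-of-udp mistake described above can be spotted from a saved ruleset. The following is an added example, not part of the original post: it reads `iptables-save` output, checks the three UDP ports named above, and warns when an admin web port is accepted without a source restriction. The sample ruleset is constructed, and the parser assumes one `--dport` per rule, as in the rule shown above.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not from a real server). It reproduces the
# situation in the post: port 5060 is accepted for tcp, not udp.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
COMMIT'

# audit_pbx_rules: reads iptables-save text on stdin, prints one finding per line.
audit_pbx_rules() {
  awk '
    $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
      proto = ""; dport = ""; limited = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-s") limited = 1      # rule applies to one source range only
      }
      if (dport == "") next
      seen[proto "/" dport] = 1
      if (!limited) anysrc[proto "/" dport] = 1
    }
    END {
      # Ports the post says the PBX must answer on, all udp.
      n = split("5060 4569 10000:20000", need, " ")
      for (k = 1; k <= n; k++) {
        p = need[k]
        if (seen["udp/" p]) print "OK " p "/udp accepted"
        else if (seen["tcp/" p]) print "FIX " p " accepted for tcp only, add the udp rule"
        else print "FIX " p "/udp has no ACCEPT rule"
      }
      # Admin web ports the post says to keep off the internet.
      m = split("80 9080 9001", web, " ")
      for (k = 1; k <= m; k++)
        if (anysrc["tcp/" web[k]])
          print "WARN " web[k] "/tcp accepted from any source, do not forward it at the router"
    }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_pbx_rules
```

On the server itself, run `iptables-save | audit_pbx_rules` as root to check the live rules.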

To guard against bots scanning for pbx servers, it might be wise to change the sip port for each extension from 5060 to something else.

Google Voice

Follow the instructions described here. Note: after submitting any changes, you need to click on the orange button on the top that says Apply Configuration Changes for it to take effect. Not doing this deferred my pbx installation by 2 months as I couldn't get GV to work. I thought there was an issue with my setup even though I followed the guide step by step. It turned out to be this simple Apply Configuration Changes button at the top.

I set up 3 GV accounts: 1 as a phone account, 1 as a fax account, and one as a conference call account.

To help debug asterisk, as root, execute asterisk -vvvvvr to get into the command line interface. Some helpful commands:

jabber show connections ## see if gtalk accounts are connected
reload jabber

Set up extensions

Go to the extensions page in the FreePBX admin page. Pick an extension (e.g., 701). Change secret to a more secure password. Modify the deny and permit fields to restrict the IP address of devices/softphones connecting to this extension. If connecting from outside the network, you can leave both fields blank or enter in the appropriate IP address.

Assign a GV account (trunk) to be the default outbound route for an extension

This is a little tricky. Go to the "Outbound Routes" page. For outbound routes that you want an extension to always use, drag them up the list to the right. In the "Dial Patterns that will use this Route" section, add in the CallerId option (extension number) for whatever pattern you want; this is crucial for wanting an extension to use a single trunk. For example, you can put NXXNXXXXXX for the matched pattern field and 701 for the CallerId field. Now, whenever a 10 digit phone number is entered for extension 701, it will use that specific outbound route. Additionally, you can put NXXXXXX for the matched pattern field, 701 for the CallerId field, and your three digit area code for prepend for 7 digit dialing. Remember, for this to work, no outbound route above the current outbound route (right of page) should have any unrestricted dial pattern that matches the ones defined for the current outbound route.
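A simplified model of the matching described above, as an added example that is not part of the original post and is not FreePBX's own code: routes are tried in list order, a route matches when its CallerId (if any) equals the extension and its pattern fits the dialed number, and the prepend is added before the call goes to the trunk. Route names, trunk names, the 555 area code and the phone numbers are constructed placeholders.

```shell
#!/bin/sh
# Constructed route table in priority order: name|CallerId|pattern|prepend|trunk.
# An empty CallerId field means the pattern is unrestricted.
ROUTES='fax-gv-10|701|NXXNXXXXXX||gv-fax
fax-gv-7|701|NXXXXXX|555|gv-fax
default||NXXNXXXXXX||gv-phone'

# Same routes with the unrestricted one dragged to the top (the pitfall).
MISORDERED='default||NXXNXXXXXX||gv-phone
fax-gv-10|701|NXXNXXXXXX||gv-fax'

# select_route EXT NUMBER: reads a route table on stdin and prints
# "route trunk number-sent" for the first route that matches, or "no-route".
select_route() {
  awk -F'|' -v ext="$1" -v num="$2" '
    {
      re = $3
      gsub(/X/, "[0-9]", re)   # X = any digit 0-9
      gsub(/Z/, "[1-9]", re)   # Z = any digit 1-9
      gsub(/N/, "[2-9]", re)   # N = any digit 2-9
      if (($2 == "" || $2 == ext) && num ~ ("^" re "$")) {
        print $1, $5, $4 num   # prepend goes in front of the dialed digits
        found = 1
        exit                   # first match wins, later routes are never tried
      }
    }
    END { if (!found) print "no-route" }'
}

printf '%s\n' "$ROUTES" | select_route 701 2025550123      # 10 digits from 701
printf '%s\n' "$ROUTES" | select_route 701 5550123         # 7 digits, area code prepended
printf '%s\n' "$ROUTES" | select_route 702 2025550123      # other extension falls through
printf '%s\n' "$MISORDERED" | select_route 701 2025550123  # 701 lands on the wrong trunk
```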

Assign inbound calls of a DID to an extension

On the "Inbound Routes" page, add an incoming route with DID Number to be the phone number you want assigned to the extension (e.g., a google voice number). Under "Set Destination", choose Extensions and choose 701 (or another extension) to its side.

Make sure to Apply Configuration Changes after submitting.

Fax

On the "Inbound Routes" page, add an incoming route with DID Number to be the phone number you want assigned to fax (e.g., a google voice number). Under "Set Destination", choose Custom Destinations and choose Fax (Hylafax) to its side.

Make sure to Apply Configuration Changes after submitting.

Conference Call

On the "Conferences" page, fill in the fields "Conference Number" (anything), "Conference Name" (anything), "User PIN" (pin for all users to enter conference), and "Admin PIN" (pin for owner). Then choose your Conference Options; I set it to wait for leader.

On the "Inbound Routes" page, add an incoming route with DID Number to be the phone number you want assigned to the conference (e.g., a google voice number). Under "Set Destination", choose Conferences and choose the conference name you just set up previously.

Make sure to Apply Configuration Changes after submitting.

Restart

You need to restart asterisk (sudo amportal restart) or restart the computer (sudo shutdown -r now) for a lot of these settings to take effect.

Server not responding?

When you fail to connect (wrong password) to certain services (web, ssh, sip) about 3 times, Fail2Ban will kick in and not respond to you anymore. You have to restart the server for it to respond to you again.

Accessing FreePBX and Webmin web interfaces remotely

Since the web ports of the pbx server are not exposed to the internet, you can't remotely access the web configuration pages. You also need to use the web interface to send faxes. To do so, you could ssh into the server and use firefox (yum install firefox). Another possibility is to forward the necessary ports over ssh:

ssh -f -N -L 9080:localhost:9080 username@pbx.server
ssh -f -N -L 9001:localhost:9001 username@pbx.server

Now, on your local computer, you can type http://localhost:9080 to get to the FreePBX web interface.