Best Practice with FusionPBX for home environment incl. DMZ

witom

New Member
Feb 28, 2024
Hello, I need some help integrating a FusionPBX into my home environment.
Maybe someone has ideas or "best practices" to share...

Due to No DNS Lookup before sending Register or Problem with German Telekom SIP Trunk and the fact that I'm using the All-IP solution from my German ISP Telekom with a dynamic IP, instead of using the SIP trunk from the ISP as a gateway directly in FusionPBX I want to use the existing Internet gateway/router (FritzBox) also as my SIP gateway.

Additionally my LAN Infrastructure already contains:
  • pfSense Firewall behind the FritzBox Gateway
  • several VLANs behind the pfSense Firewall - but relevant for my plan:
    • DMZ
    • LAN
  • pfSense has an interface in every VLAN and routes the traffic between the VLANs and over the FritzBox to the internet

My plan is to install the FusionPBX in the DMZ VLAN/subnet (maybe for later use for external registrations of clients) and to install the clients (ATA / phones / doorphone, etc.) in the LAN VLAN/subnet.

Code:
Internet <--> (WAN: dynamic IP) FritzBox (LAN: 172.16.1.250) <--> (WAN: 172.16.1.249) pfSense (DMZ: 172.21.90.1) <--> (DMZ: 172.21.90.12) FusionPBX
                                                                                      pfSense (LAN: 10.0.2.1) <--> (LAN: 10.0.2.3) ATA <--> analog Phone
                                                                                      pfSense (LAN: 10.0.2.1) <--> (LAN: 10.0.2.40) VOIP-/Soft-Phone

What do you think about my plan? Better Ideas?
 

markjcrane

Active Member
Staff member
Jul 22, 2018
You asked for best practices.
- FritzBox Gateway should only be a modem with no NAT or it should be bridged and skip NAT
- NAT isn't friendly with SIP and RTP so double NAT is not your friend.
- Double NAT will make it more difficult to get it working.
 

witom

New Member
Feb 28, 2024
@markjcrane Thanks for your feedback.
I'm absolutely with you about NAT. NAT is really a big problem with RTP. I think most of my problems are NAT-based. But as mentioned in the topic thread, I'm searching for best practices in a home environment which includes a DMZ. In my opinion all services available from outside of my internal network should be in the DMZ and all internal services should be inside a local LAN. In this situation I think NAT is unavoidable. So I'm searching for a solution with NAT.
 

Dast

Member
Nov 11, 2019
@witom Your LAN is somewhat similar to one of my sites.
I am using OPNSense instead of pfSense, and don't have the FritzBox.

I have a VLAN for the PBX server, a few different VLANs for phones of different tenants, plus VLANs for other stuff.
I also have it set up for external VoIP clients, and provisioning, using TLS offloading and Basic Auth done by OPNSense. (Though you still need to copy the TLS certs to the PBX if you use TLS for SIP transport.)
While I am using NAT, the PBX and VoIP clients are not aware of that fact.

Since you plan to have external VoIP clients, my advice would be to have all VoIP clients access the PBX using its full DNS address; don't have the internal VoIP clients try to access the PBX using some internal address.
You will probably have to enable NAT reflection on the pfSense forwarding rules.

witom

New Member
Feb 28, 2024
@Dast Thank you for your feedback.
I'm happy that I'm not the only one with a setup like mine. For the moment I don't plan to include external VoIP clients, but I wanted to be sure not to end up with a setup that has problems including them later. The PBX has an internal FQDN and all internal clients are connected using the FQDN as registrar; maybe I have to replace this when also using external clients. Thanks for this hint. But then maybe I will choose split DNS instead of NAT reflection.

The only thing I'm not able to avoid at the moment is the need for the FritzBox, because of the mentioned problems of FusionPBX (FreeSWITCH/Sofia implementation) in combination with German Telekom All-IP. If someone has a better idea to avoid this, please let me know...