Network Setup Help – Dual Ethernet Ports with SIP Trunk

Hi all,

I’m new here and setting up a FreePBX v17 server and could use some guidance on configuring a dual Ethernet port setup, particularly around networking and firewall rules.

Here’s the setup:

eth0:

  • Connected to the main network and assigned the IP address 10.0.0.254.
  • Has a public IP address mapped through the firewall – this is used for the Gamma SIP trunk, which relies on IP-based authentication.
  • I need inbound and outbound SIP calls to route correctly through this interface to the FreePBX server.
  • I also want to access the FreePBX Web UI and SSH via this port.
  • Since this port is connected to the internet, I want to lock it down and ensure only the necessary services and ports (e.g., SIP, RTP, Web UI, SSH) are exposed.

eth1:

  • Connected to an isolated PoE switch that hosts all the IP phones.
  • This network runs on the 192.168.0.x subnet, with the server using 192.168.0.1 on this port.
  • All endpoint phones will have static IPs.

What I need help with:

  1. Network configuration: How to correctly configure the two interfaces so that SIP calls can route between the SIP trunk on eth0 and the phones on eth1.
  2. Firewall rules: What kind of rules should I implement to:
  • Allow SIP trunk traffic in/out via eth0
  • Allow internal phone registration and media traffic on eth1
  • Restrict all unnecessary ports on eth0 to improve security
  3. Any tips or best practices for a setup like this, especially in terms of securing the system and ensuring reliable call routing.

Any help or examples would be greatly appreciated!

Thanks in advance!

Why not use a VLAN, since you are using 2 different subnets?

Are you using sysadmin to setup the networks?

No, I’m planning to just do a fresh installation of Debian 12 and then install FreePBX 17 on it, and then configure the network interfaces as mentioned above. From what I understand, FreePBX has its own firewall, but this isn’t enabled by default, and Debian too has its own iptables or some sort of firewall, which I am not sure is enabled by default or not. Not sure if I should be enabling the FreePBX firewall or lock down the Debian one further. Need help :)

I asked ChatGPT and this is the detailed guide it provided me. Does this sound right? Is there anything specific I should do with the firewall to protect eth0 from unwanted traffic, since eth0 is public-facing through the firewall and I only want eth0 to provide the SIP trunk for incoming and outgoing calls, SSH and the web UI?

Step 1: System Prep and Interface Configuration

A. Assign Static IPs

Edit /etc/network/interfaces (or /etc/netplan/*.yaml on newer Debian versions — use ip a to check interface names):

For Debian 12+, likely using Netplan. Example /etc/netplan/01-netcfg.yaml:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      # external side: main LAN, 1:1 NATed by the hardware firewall to the public IP used by the trunk
      dhcp4: no
      addresses:
        - 10.0.0.254/24
      # gateway4 is deprecated in current netplan; a default route is the equivalent
      routes:
        - to: default
          via: 10.0.0.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]
    eth1:
      # phone side: isolated PoE switch, deliberately no gateway and no DNS
      dhcp4: no
      addresses:
        - 192.168.0.1/24

Then run:

sudo netplan apply

eth0 = External (Internet + SIP trunk)
eth1 = Internal (Phones)


Step 2: Enable and Configure the FreePBX Firewall

FreePBX has its own intelligent firewall which understands VoIP-specific traffic better than plain iptables/UFW.

A. Enable the FreePBX Firewall

From the FreePBX web GUI:

  1. Go to Admin > System Admin > Firewall
  2. Click Enable Firewall

B. Define Zones:

  • eth0 ➝ Internet zone
  • eth1 ➝ Trusted/Internal zone

To do this:

  1. Go to Connectivity > Firewall > Interfaces
  2. Assign:
  • eth0 ➝ Internet
  • eth1 ➝ Trusted

C. Services

Go to Connectivity > Firewall > Services:

Allow only these on Internet:

  • SIP (chan_pjsip or chan_sip) — depending on what you’re using
  • RTP Ports (usually UDP 10000–20000)
  • HTTPS (for Web UI, or HTTP if not using SSL)
  • SSH

Do NOT allow:

  • WebRTC
  • TFTP
  • NTP
  • Rest APIs
  • UCP
  • Admin (unless you really need it remotely)

Step 3: RTP and SIP Port Configuration in FreePBX

SIP Settings

  1. Go to Settings > Asterisk SIP Settings
  2. Under General SIP Settings:
  • External Address: your public IP (or FQDN)
  • Local Networks:
    • 10.0.0.0/24
    • 192.168.0.0/24

RTP Ports

Still in SIP Settings:

  • RTP Port Range: leave default 10000–20000 unless restricted
  • Ensure router/firewall has these UDP ports forwarded to 10.0.0.254 (eth0)

Step 4: Configure iptables/UFW (optional)

While FreePBX’s firewall is solid, you may want to harden Debian’s native firewall too. If you use UFW (simpler than iptables), here’s a base config.

A. Install and Configure UFW:

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

Then allow only essential ports:

# SIP signalling on the external address (change ports if needed).
# With an IP-authenticated trunk the source can be narrowed from "any"
# to the trunk provider's published signalling addresses.
sudo ufw allow from any to 10.0.0.254 port 5060 proto udp
# SIP over TLS runs on TCP, not UDP; omit this rule if TLS is not enabled
sudo ufw allow from any to 10.0.0.254 port 5061 proto tcp

# RTP media (must match the RTP Port Range set in Asterisk SIP Settings)
sudo ufw allow from any to 10.0.0.254 port 10000:20000 proto udp

# Phones on the isolated eth1 network register to 192.168.0.1; without these
# rules "default deny incoming" blocks registration and media from the phones
sudo ufw allow in on eth1 from 192.168.0.0/24 to 192.168.0.1 port 5060 proto udp
sudo ufw allow in on eth1 from 192.168.0.0/24 to 192.168.0.1 port 10000:20000 proto udp

# Web UI (HTTPS), management hosts only
sudo ufw allow from your_admin_ip to any port 443 proto tcp

# SSH, management hosts only
sudo ufw allow from your_admin_ip to any port 22 proto tcp

Then enable it:

sudo ufw enable

Note: If using the FreePBX firewall, ensure UFW doesn’t block it. It’s usually safest to let FreePBX manage traffic if you’re not very experienced with iptables.


Step 5: Test Your Routing and SIP Path

A. Phones (Internal) ➝ FreePBX ➝ SIP Trunk

  • Register a few phones to FreePBX from the 192.168.0.x network
  • Test internal calls
  • Test outbound SIP calls

B. External ➝ SIP ➝ FreePBX ➝ Phones

  • Make an inbound call to your public number (via Gamma SIP)
  • Verify call lands on a local phone

Step 6: Best Practices

  • Disable unused FreePBX modules and admin interfaces
  • Enforce strong FreePBX passwords (Admin + Extensions)
  • Regularly apply Debian and FreePBX updates
  • Set up intrusion detection (Fail2Ban is included in FreePBX firewall)
  • Optional: Disable SIP guest access (no anonymous calls)
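Two points the guide above leaves open, and which matter for the eth0 exposure the post asks about. First, the FreePBX firewall and UFW both manage the host's iptables/nftables rules, so enable one of them, not both. Second, with an IP-authenticated trunk the only hosts that legitimately need to reach UDP/5060 and the RTP range on eth0 are the trunk provider's published addresses, so "from any" on the external side is wider than needed; and no IP routing between eth0 and eth1 is required at all, because Asterisk bridges each call as two separate legs, so the forward chain can simply drop. The script below is an added example, not code from this thread or from the FreePBX project: it generates an nftables ruleset for the two-interface layout described (phones on eth1, eth0 NATed 1:1 to the public IP). The provider addresses 192.0.2.10 and 192.0.2.11 (TEST-NET-1), the admin host 10.0.0.50, and the variable names are placeholders for illustration; substitute the addresses your provider publishes.

```shell
#!/bin/sh
# Added example, not from the thread or the FreePBX project: generate an
# nftables ruleset for a FreePBX host with a NATed external side (eth0) and an
# isolated phone network (eth1). All addresses below are placeholders.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # main LAN side, 1:1 NATed to the public IP
LAN_IF="${LAN_IF:-eth1}"                 # isolated PoE switch with the phones
PBX_WAN_IP="${PBX_WAN_IP:-10.0.0.254}"   # address the hardware firewall translates the public IP to
PHONE_NET="${PHONE_NET:-192.168.0.0/24}"
RTP_RANGE="${RTP_RANGE:-10000-20000}"    # must match Asterisk SIP Settings > RTP Port Range
# Hypothetical provider signalling/media addresses (TEST-NET-1); replace with the
# list your trunk provider publishes. The trunk is IP-authenticated, so nobody
# else legitimately needs to reach UDP/5060 on the external side.
TRUNK_IPS="${TRUNK_IPS:-192.0.2.10 192.0.2.11}"
ADMIN_IPS="${ADMIN_IPS:-10.0.0.50}"      # hypothetical management host(s)

# "a b c" -> "{ a, b, c }" (an nft anonymous set)
nft_set() {
  out=""
  for ip in $1; do
    out="${out:+$out, }$ip"
  done
  printf '{ %s }' "$out"
}

# Print the ruleset. Policy is drop on both input and forward: Asterisk bridges
# the calls itself, so nothing is ever routed between eth0 and eth1.
build_ruleset() {
  trunk=$(nft_set "$TRUNK_IPS")
  admin=$(nft_set "$ADMIN_IPS")
  cat <<EOF
flush ruleset
table inet pbx {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # phone side: registration, media and ping from the phone subnet only
    iifname "$LAN_IF" ip saddr $PHONE_NET udp dport 5060 accept
    iifname "$LAN_IF" ip saddr $PHONE_NET udp dport $RTP_RANGE accept
    iifname "$LAN_IF" ip saddr $PHONE_NET icmp type echo-request accept

    # external side: SIP and RTP only from the trunk provider, only to our NATed address
    iifname "$WAN_IF" ip saddr $trunk ip daddr $PBX_WAN_IP udp dport 5060 accept
    iifname "$WAN_IF" ip saddr $trunk ip daddr $PBX_WAN_IP udp dport $RTP_RANGE accept

    # management (SSH, web UI) from named admin hosts only
    iifname "$WAN_IF" ip saddr $admin tcp dport { 22, 443 } accept

    # everything else reaching $WAN_IF (HTTP, TFTP, UCP, WebRTC, scanners) is counted and dropped
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

build_ruleset
```

Save the output as /etc/nftables.conf, check it with `nft -c -f /etc/nftables.conf` before loading, then `systemctl enable --now nftables`. Use this in place of UFW and leave the FreePBX firewall disabled, or carry the same allow list into the FreePBX firewall's Internet and Trusted zones; whichever you pick, one manager only. If your provider's media comes from a different range than its signalling, split TRUNK_IPS into two sets and use the media set on the RTP rule. The same allow list also belongs on the hardware firewall's WAN side, so that traffic not from the trunk provider never reaches the host at all.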

Isn’t the system behind a firewall already? How are you reaching the PBX over the Internet to begin with?

Yes, it’s already behind a hardware firewall which has a 1:1 NAT to give the server a static IP for SIP trunk IP authentication.

So why wouldn’t you just apply the rules there for the wan side?