Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
== Step 11: Troubleshooting when it doesn’t work. It’s open source, so…. ==

<span id="introduction-to-network-rules"></span>
=== Introduction to Network Rules ===

We set up two sets of rules:

# '''SIP Trunk rules''' (Ports 5060-5065)
#* Allows Unitel to talk to our PBX
#* Deals with signaling & connection management
# '''Media Proxy Rules''' (Ports 10000-20000)
#* Manages the actual audio transmission
#* Handles voice data going back and forth

<span id="what-are-nat-port-forwards-vs-firewall-rules"></span>
==== What are NAT port forwards vs Firewall Rules? ====

<span id="network-address-translation-nat-port-forwards"></span>
===== Network Address Translation (NAT) Port Forwards =====

NAT is like the restaurant host who brings guests to specific tables. A port forward tells pfSense which machine behind it should receive traffic, based on the port that traffic was aimed at when it arrived at your cable modem & firewall.

<span id="firewall-rules-1"></span>
===== Firewall Rules =====

The firewall acts as a bouncer. Even when NAT directs traffic to the right computer, the firewall can still block connections you don't want. For the SIP forward this is the part that matters: a rule that passes port 5060 from ''any'' source lets every SIP scanner on the internet reach your PBX, so keep the source limited to your trunk provider's addresses.

<span id="order"></span>
===== Order: =====

<code>pfSense</code> will add a firewall rule AUTOMATICALLY each time you create a NAT port forward, as long as you do not change that option at the end of the NAT port forward rule creation page. I circled this to make sure you would get it right.

# Set up NAT rules first
# Configure firewall rules second

<span id="our-setup"></span>
===== Our Setup =====

FreePBX box IP address: 192.168.5.6

Internet Traffic → NAT (Traffic Direction) → Firewall (Security Check) → FreePBX virtual machine

<span id="when-things-dont-work-common-scenario"></span>
=== When Things Don’t Work (Common Scenario) ===

This is an open source firewall combined with self-managed SIP trunking. If something works on the first go, you should be very concerned – this likely means you are in a coma & dreaming. Try to wake up. If you can’t, something is wrong.

<blockquote>'''IMPORTANT:''' Follow along in the video as this is best explained there as I go. This is one of the few sections where I believe the video is a must-have to understand how troubleshooting an issue here would work in real time.</blockquote>

When initial setup doesn’t work, follow this troubleshooting sequence:

# '''Clear ARP Tables'''
#* Navigate to '''Diagnostics → ARP Table → Clear'''
# '''Reset States'''
#* Navigate to '''Diagnostics → States → Reset States'''
#* States are the connections the firewall is currently tracking; a stale state can keep handling traffic the old way even after you fix the rule
#* Must be reset on both routers
#* Wait 90 seconds after reset (best practice)
# '''Reload Filter Rules'''
#* Navigate to '''Status → Filter Reload''' and click '''Reload Filter'''

<span id="using-packet-capture-for-diagnostics"></span>
==== Using Packet Capture for Diagnostics ====

# Go to: '''Diagnostics → Packet Capture'''
# Configure capture:
#* Interface: WAN or LAN depending on test
#* Port: 5060, 5061, 5062, 5063, 5064, 5065 for SIP traffic

<span id="reading-packet-capture-results"></span>
==== Reading Packet Capture Results ====

* Example of captured traffic: 199.18.220.89 (Unitel’s IP in my case)
* You’re looking to see whether port 5060 traffic is actually being directed to your PBX, and whether it is even arriving at all. Capture on WAN to answer the second question and on LAN to answer the first: if the provider's packets show up on WAN but never on LAN, the NAT forward or its firewall rule is the problem, not the PBX.

<span id="stuff-we-use-to-troubleshoot"></span>
=== Stuff we use to troubleshoot: ===

When dealing with miserable issues:

# '''Check Logs''': '''Status → System Logs → Firewall → Normal View'''
#* Sort by newest first
#* Enable logging for allowed and blocked traffic (pass rules do not log by default, so a rule that matches correctly leaves no trace until you turn this on)
# '''Use diagnosing tools'''
#* Packet capture shows where things are going
#* Firewall logs show what’s being blocked/allowed
#* Side-by-side comparison of rules vs. actual traffic
# '''Reset Everything'''
#* Clear ARP tables
#* Reset state tables
#* Reload filter rules
#* None of this will work because it’s open source, SO:
#* Reboot the router
#* Look for hints & clues.

<span id="important-takeaway-from-this"></span>
=== Important takeaway from this ===

* In the video, I did all of the above. The router magically started passing traffic after a reboot.
* Even when everything is configured correctly, it may not work correctly – it’s open source.
* Consumer routers vs Enterprise/Open Source firewalls:
** $20 consumer router: “It just works”
** Enterprise-grade open source firewall: Requires patience and systematic troubleshooting
* It’s still better to use this than a consumer router that stops getting security updates – that is how you get hacked & owned.

<span id="step-12-install-lenny-on-freepbx-17"></span>
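The WAN-versus-LAN packet capture check from ''Reading Packet Capture Results'', scripted. This is an added example, not code from the guide or from pfSense: it reads tcpdump-style capture lines (the format the Diagnostics → Packet Capture page displays; that your version prints the same layout is an assumption) and answers the three questions you are asking while staring at captures: is the provider's SIP reaching the WAN, is the NAT forward delivering it to the PBX, and is the PBX answering. It also flags SIP arriving from addresses other than the provider (scanner traffic on an exposed 5060) and one-way RTP, the usual cause of one-way audio. Unitel's 199.18.220.89 and the PBX address 192.168.5.6 are the guide's own; 203.0.113.10 stands in for the WAN address and the sample capture lines are constructed, not taken from the video.

```python
"""Triage helper for the packet-capture step of SIP trunk troubleshooting.

Added example, not part of the guide or of pfSense. Feed it one capture taken
on WAN and one taken on LAN (tcpdump-style text) and it tells you which hop
is dropping the provider's SIP traffic.
"""
import re
from dataclasses import dataclass
from typing import Iterable

SIP_PORTS = range(5060, 5066)     # 5060-5065, the SIP trunk rule range in the guide
RTP_PORTS = range(10000, 20001)   # 10000-20000, the media proxy rule range in the guide

# Matches the leading "<timestamp> IP <src>.<port> > <dst>.<port>:" of a tcpdump line.
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_capture(lines: Iterable[str]) -> list[Packet]:
    """Turn tcpdump-style text into Packets. Lines that do not match (ARP,
    IPv6, continuation lines) are skipped instead of failing the triage."""
    pkts = []
    for line in lines:
        m = PKT_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def triage(wan_lines, lan_lines, provider_ip: str, wan_ip: str, pbx_ip: str) -> dict:
    wan = parse_capture(wan_lines)
    lan = parse_capture(lan_lines)

    sip_on_wan = [p for p in wan if p.dst == wan_ip and p.dport in SIP_PORTS]
    from_provider = [p for p in sip_on_wan if p.src == provider_ip]
    # After the NAT port forward the destination is rewritten to the PBX while
    # the source still shows the provider, so that is what the LAN capture must show.
    forwarded = [p for p in lan
                 if p.src == provider_ip and p.dst == pbx_ip and p.dport in SIP_PORTS]
    replies = [p for p in lan
               if p.src == pbx_ip and p.dst == provider_ip and p.sport in SIP_PORTS]
    rtp_in = any(p.dst == pbx_ip and p.dport in RTP_PORTS for p in lan)
    rtp_out = any(p.src == pbx_ip and p.sport in RTP_PORTS for p in lan)

    result = {
        "sip_arriving_on_wan": bool(from_provider),
        "sip_forwarded_to_pbx": bool(forwarded),
        "pbx_replying": bool(replies),
        # Anything else hitting the SIP ports on WAN is a scanner, not your trunk.
        "unexpected_sip_sources": sorted({p.src for p in sip_on_wan} - {provider_ip}),
        # RTP seen in exactly one direction on LAN is the one-way audio signature.
        "one_way_rtp": rtp_in != rtp_out,
    }
    if not result["sip_arriving_on_wan"]:
        result["verdict"] = ("no SIP from provider on WAN: nothing for pfSense to forward yet, "
                             "look upstream (provider trunk settings, WAN address, modem)")
    elif not result["sip_forwarded_to_pbx"]:
        result["verdict"] = ("SIP reaches WAN but never appears on LAN: the NAT port forward or "
                             "its firewall rule is not matching, check the firewall log and reset states")
    elif not result["pbx_replying"]:
        result["verdict"] = ("PBX receives SIP but does not answer: the router is doing its job, "
                             "look at FreePBX (SIP settings, trunk, intrusion detection)")
    else:
        result["verdict"] = "signaling path is fine"
    return result


# Constructed sample captures (not from the video). WAN shows the provider and a
# scanner both hitting 5060; LAN shows nothing forwarded to the PBX at all.
# 203.0.113.10 stands in for the WAN address and is an assumption.
WAN_SAMPLE = """\
12:00:01.000123 IP 199.18.220.89.5060 > 203.0.113.10.5060: SIP: OPTIONS sip:203.0.113.10 SIP/2.0
12:00:01.200456 IP 198.51.100.77.5071 > 203.0.113.10.5060: SIP: REGISTER sip:203.0.113.10 SIP/2.0
12:00:02.000789 IP 199.18.220.89.5060 > 203.0.113.10.5060: SIP: INVITE sip:+15555550100@203.0.113.10 SIP/2.0
12:00:02.100000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28
""".splitlines()

LAN_SAMPLE = """\
12:00:00.500000 IP 192.168.5.20.51234 > 192.168.5.6.443: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(WAN_SAMPLE, LAN_SAMPLE, "199.18.220.89",
                             "203.0.113.10", "192.168.5.6").items():
        print(f"{key}: {value}")
```

Run it on two captures saved from the packet capture page (WAN first, then LAN) and read the verdict before touching any rules; the `unexpected_sip_sources` list is also a quick way to see whether a port-forward with source "any" has already attracted scanners.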