The hostname is the name of the machine. If no value is specified, the default hostname used is 'mikopbx.local'.
There are two ways to configure the IP address:
DHCP (Dynamic Host Configuration Protocol) can be used for automatic IP address configuration. Enable the 'Use DHCP to obtain network settings' switch. This is recommended for most users. To assign a specific address instead of relying on the DHCP server's settings, disable the switch.
If you do not want to use settings obtained from a DHCP server, you can configure the network manually. This requires some knowledge of the network topology. To the right of the IP address, there is a field for the subnet mask in CIDR format. Enter the mask in this alternative format: /8 corresponds to the subnet mask 255.0.0.0, /16 corresponds to 255.255.0.0, and /24 corresponds to 255.255.255.0.
'VLAN ID' - MikoPBX supports virtual network interfaces. This is relevant only for physical PCs. Sometimes a PC may have only one network interface, and it may not be possible to connect a second one physically. Using VLAN, you can create a virtual interface that works 'on top' of the physical one. One of the advantages of using VLAN is that all phone calls can be routed through it, while the network equipment can 'tag' all VLAN traffic and guarantee a stable connection.
The number of network interfaces in MikoPBX is not limited.
The 'Network interface with internet access' is the primary network interface through which access to external addresses (non-local) will be established.
If no DNS server address is specified, the default server 8.8.8.8 will be used.
Depending on your network topology, you need to perform the following steps to configure MikoPBX. The PBX can be behind a network router, which is the most common scenario, or it can have a public IP.
If the PBX is behind a router, you need to check the 'This station is located behind a NAT router' option.
If you know the external address of the station (IP or domain name) and have forwarded the ports of the PBX to the external world, it is recommended to fill in the fields 'External IP address of your router' or 'External hostname of your router'.
For all addresses that are not local to the PBX, the station will be represented by the external address:
If 'External IP address of your router' is empty and 'External hostname of your router' is filled, the PBX will be represented by the hostname (External hostname) field.
The external IP address is mandatory to fill in. If a domain name is specified, it takes priority, and the external IP address field is not used.
When enabling the option 'This station is located behind a NAT router,' it is mandatory to specify the external address or hostname of the router. Additionally, you need to perform port forwarding on the router for SIP port 5060 and RTP ports 10000-10200 to the local address of the PBX.
If your provider allows registration and you do not need to connect external subscribers, you can choose not to enable the option 'This station is located behind a NAT router,' even if the PBX is behind a NAT router.
Go to the 'System' → 'System file customization' section.
Open the file '/etc/static-routes' for editing.
Select the 'To replace all' mode and insert the rule. For example, 'route add -net 54.246.198.136 netmask 255.255.255.255 gw 172.16.32.15 dev eth0'
This rule tells the operating system that the IP address 54.246.198.136 is reachable through the network interface 'eth0' and that requests to it should be sent to the gateway (172.16.32.15).
The netmask '255.255.255.255' indicates that the rule will only be applicable to the address 54.246.198.136. If you need to create a rule for a group of addresses, for example, the entire subnet 54.246.198.0: In fact, it is the range of addresses from 54.246.198.1 to 54.246.198.254.
Click 'Save settings'.
In MikoPBX, all local subnets can be configured in the 'Network and Firewall' → 'Network Firewall' section. The network firewall is designed to restrict access to the station based on traffic type and subnets.
To add a new rule, you need to click on the button:
You can give the rule any custom name. To the right of the subnet address, there is a field for Subnet Mask in CIDR format.
SIP&RTP - registration of phones and voice traffic. Session Initiation Protocol is used for establishing connections between VoIP phones.
WEB - access to the administrative interface for configuring the PBX.
SSH - root access to the system. SSH (Secure Shell) allows accessing the MikoPBX console.
AMI - access to Asterisk Manager API via telnet. Asterisk Manager Interface (AMI) provides access to Asterisk via TCP/IP protocol.
AJAM - access to Asterisk Manager API via HTTP or HTTPS.
ICMP - communication check using the 'ping' command.
CTICLIENT - connection of the telephony panel 2 for 1C.
Each subnet has a flag 'Is it a VPN or a local network'. When this flag is set, MikoPBX will present itself as a local IP to all local subnets instead of external ones.
The flag 'Never block addresses from this network' should be enabled only for trusted subnets. If this flag is enabled, intrusion prevention rules will not apply to this subnet.
This section is used to configure Fail2ban.
Fail2ban is enabled together with the Network Firewall switch in the 'Network and Firewall' → 'Firewall' section.
Fail2ban blocks IP addresses with abnormal activity. When there is a failed authentication attempt, information about the error will be logged in the PBX. Fail2ban analyzes all failed attempts and keeps track of them. When the number of failed attempts exceeds the maximum allowed authentication attempts, the IP address is banned. Fail2ban is capable of slowing down the rate of failed authentication attempts. Please note that Fail2ban will not help with the use of simple passwords.
The Anti brute force settings can be found at the bottom of the "Network Firewall settings":
If a certain number of failed login attempts (Number of attempts for blocking) occurs within a specific period (Within (seconds)), the IP address will be blocked for a specified duration (Block for (seconds)).
The whitelist of addresses defines IP addresses that will not be blocked by Fail2ban. You can specify individual IP addresses like 93.188.40.10 or a subnet like 93.188.40.10/32. The separator used is a 'space'.
Please note that if you have set the 'Never block addresses from this network' option in the 'Network Firewall' section for a subnet, that subnet is automatically added to the whitelist, and you don't need to add it manually. It is not recommended to manually populate the whitelist of IP addresses. It is preferable to specify IP addresses only in exceptional cases.
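The blocking rule and whitelist described above, replayed over constructed events as an added example (this is not MikoPBX or Fail2ban code). The function names, the sample addresses 203.0.113.7 and 198.51.100.20, and the values 3 attempts / 10 seconds / 60 seconds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque


def parse_whitelist(text):
    """Parse the space-separated whitelist: single IPs or CIDR subnets."""
    return [ipaddress.ip_network(item, strict=False) for item in text.split()]


def simulate_bans(events, max_attempts, within, block_for, whitelist=""):
    """Replay failed logins given as time-ordered (seconds, source_ip) pairs.

    Returns a list of (ip, blocked_at, unblocked_at) tuples.
    Assumption: a block starts when the count reaches max_attempts.
    """
    allowed = parse_whitelist(whitelist)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked_until = {}
    bans = []
    for ts, ip in events:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue  # whitelisted addresses are never counted or blocked
        if blocked_until.get(ip, 0) > ts:
            continue  # already blocked, traffic does not reach the service
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - within:
            window.popleft()  # forget failures older than "Within (seconds)"
        if len(window) >= max_attempts:
            blocked_until[ip] = ts + block_for
            bans.append((ip, ts, ts + block_for))
            window.clear()
    return bans


# Constructed sample data, not taken from a real PBX log.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (1, "93.188.40.10"), (2, "93.188.40.10"),
    (3, "93.188.40.10"), (5, "203.0.113.7"), (9, "203.0.113.7"),
    (20, "203.0.113.7"),        # arrives while the address is blocked
    (100, "198.51.100.20"), (130, "198.51.100.20"), (160, "198.51.100.20"),
]                               # last source: failures spaced wider than the window

if __name__ == "__main__":
    for ban in simulate_bans(SAMPLE_EVENTS, 3, 10, 60, whitelist="93.188.40.10/32"):
        print(ban)
```

The third source never accumulates three failures inside one 10-second window, so it is never blocked; this is the sense in which Fail2ban only slows attempts down and does not compensate for simple passwords.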
The list of blocked addresses shows which IP addresses are currently blocked.
You can also unblock an address by clicking on the corresponding icon in the table.