====== Build a FreePBX Distro Virtual Machine ======
See also **[[https://www.sonoracomm.com/wiki/doku.php?do=search&id=freepbx&highlight=no|Other FreePBX pages in this wiki]]**
See also **[[voice:pbx:freepbx:freepbx_branding|FreePBX Branding]]**
See also **[[virtualization:linux:prep_vm_template|Prepare a Linux VM as a Template]]**
**Documentation**: http://wiki.freepbx.org/display/FD/Converting+Stock+Centos+to+a+FreePBX+Distro
**Downloads**: https://www.freepbx.org/downloads/
===== Warnings =====
:!: CAUTION! **This document assumes your PBX is behind a firewall** and not exposed directly to the Internet.
:!: **Be VERY careful exposing your PBX to the outside world**. Otherwise, YOU WILL BE HACKED and it can be VERY expensive! Evildoers are constantly looking for loose security settings on PBXs (and anything else).
:!: **NEVER use trivial passwords for anything**! Even internally. Otherwise, YOU WILL BE HACKED and it can be VERY expensive!
===== Updating =====
See also **[[voice:pbx:freepbx:freepbx_upgrade|FreePBX Upgrade]]**
===== XenServer =====
==== Create the PBX VM ====
Create a new **PVHVM** using the **Other Install Media** template and the 64-bit FreePBX Distro ''.iso'' file.
:!: The FreePBX Distro supports PVOPS and will install para-virtualized drivers automatically.
:!: Most PBXs need even less disk space than is listed here.
The following are estimates only. Sizing is easy to adjust later on virtualization platforms.
^PBX Size ^RAM ^vCPUs ^Disk Size ^Anticipated Simultaneous Calls ^Notes ^
|Small |768MB |1 |15GB |3-7 |Perfect for small offices |
|Medium |1024MB |2 |25GB |5-10 |Minimum for iSymphony |
|Large |1536MB |4 |40GB |8-20+ |More than most small offices need|
==== Install XenServer Tools ====
After creating the PBX VM and installing the FreePBX Distro SNG7:
  - In XenCenter, choose **VM -> Install XenServer Tools**
  - Install the tools at the VM CLI:

  mkdir -p /mnt/tmp && mount /dev/sr0 /mnt/tmp
  yum localinstall /mnt/tmp/Linux/xe-guest-utilities-*.x86_64.rpm
  yum localinstall /mnt/tmp/Linux/xe-guest-utilities-xenstore-*.x86_64.rpm
  reboot
===== Install FreePBX Distro =====
:!: The 32-bit version uses fewer resources than the 64-bit version.
After creating the VM with the **Other Install Media** template, boot your new VM to the FreePBX Distro .iso file.
Choose **Full Install - No RAID**.
Choose DHCP for networking if you are building a template.
:!: If you don't need IPv6, you can disable it during install.
===== Networking =====
:!: You may need to do this before updating.
Set the networking to DHCP mode so new VMs don't step on others once instantiated:
  sed -i '/^\(HWADDR\|UUID\|BOOTPROTO\|IPADDR\|NETMASK\|NM_CONTROLLED\|ONBOOT\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth[012]
  echo -e "BOOTPROTO=dhcp\nNM_CONTROLLED=no\nONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-eth0
  service network restart
==== DHCP Server ====
:!: This step is optional. Skip this unless you know you need a DHCP server on your PBX. Modify to suit your needs.
:!: We generally install the package and a sample configuration file, but we don't start the services.
Install and configure the DHCP server:
  yum install dhcp
  vim /etc/dhcp/dhcpd.conf

Sample ''/etc/dhcp/dhcpd.conf'':

  option domain-name "yourdomain.local";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
  option vlan-id code 132 = text;
  default-lease-time 14400;
  max-lease-time 28800;
  ddns-update-style interim;
  ignore client-updates;
  log-facility local7;
  authoritative;
  subnet 192.168.56.0 netmask 255.255.255.0 {
      range dynamic-bootp 192.168.56.65 192.168.56.199;
      option subnet-mask 255.255.255.0;
      option routers 192.168.56.1;
      option domain-name "yourdomain.local";
      option domain-name-servers 192.168.56.30, 8.8.8.8;
      option time-offset -25200; # Mountain Standard Time
      option ntp-servers 192.168.56.1;
      option tftp-server-name "192.168.56.30";
      # Assign the voice VLAN by phone vendor (first three bytes of the MAC)
      if substring(hardware, 1, 3) = 00:0B:82 { # for Grandstream phones
          option vlan-id "201";
      } else if substring(hardware, 1, 3) = 00:08:5D { # for Aastra phones
          option vlan-id "201";
      } else if substring(hardware, 1, 3) = 00:0E:08 { # for Linksys phones
          option vlan-id "201";
      } else if substring(hardware, 1, 3) = 00:15:65 { # for Yealink phones
          option vlan-id "201";
      } else if substring(hardware, 1, 3) = 00:04:f2 { # for Polycom phones
          option vlan-id "201";
      }
  }
Start the services:
  service dhcpd start
  tail -30 /var/log/messages
  chkconfig dhcpd on
===== Firewall =====
See **[[voice:pbx:pbx_security|PBX Security]]**
:!: The FreePBX Distro is wide open at installation and has Fail2Ban installed. If your FreePBX is behind a hardware firewall, this is acceptable. But it's like leaving your front door unlocked and locking your front gate at home.
==== External Firewall ====
:!: Only open the firewall or forward the ports that are absolutely necessary.
:!: If you don't have any remote extensions, don't open the SIP ports (UDP) 5060-5061.
:!: If you are using SIP trunks, and you sometimes get one-way audio, you may have to open or forward RTP ports (UDP) 10000-20000.
:!: If using IAX for trunks or extensions, you may have to open or forward (UDP) port 4569.
Assuming your PBX is behind a NAT firewall of some sort, forward some ports in to the PBX (Mikrotik example shown):
  /ip firewall nat add action=dst-nat chain=dstnat comment="Forward UDP ports to PBX" \
      dst-port=5060-5061,10000-20000,4569 in-interface=ether1 protocol=udp to-addresses=
==== PBX Internal Firewall ====
:!: This is not intended to show the perfect firewall. Adjust to your needs.
This command shows what ports your PBX is using:
  netstat -tuapn
Create or modify the built-in ''iptables'' firewall:
  vi /etc/sysconfig/iptables
Make it look something like this (add lines between ACCEPT and REJECT lines):
  # Firewall configuration written by system-config-firewall
  # Manual customization of this file is not recommended.
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 58080 -j ACCEPT
  -A INPUT -m state --state NEW -m udp -p udp --dport 5060:5061 -j ACCEPT
  -A INPUT -m state --state NEW -m udp -p udp --dport 10000:20000 -j ACCEPT
  -A INPUT -m state --state NEW -m udp -p udp --dport 4569 -j ACCEPT
  -A INPUT -m state --state NEW -m udp -p udp --dport 67:69 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  COMMIT
:!: You can limit access by source address by adding ''-s xxx.xxx.xxx.xxx/nn'' to an accept rule. This is advised for SIP on ports 5060 and 5061.
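One way to check a rules file for the source restriction advised above. This is an added example, not part of the original page; the function names, the sample files and the ''203.0.113.0/24'' network (a documentation range used as a placeholder) are assumptions.

```shell
# Added example: flag iptables-save ACCEPT rules that expose SIP (5060-5061)
# to any source. Prints offending rules; returns 1 if any were found.
audit_sip_rules() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        target = ""; dport = ""; src = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            if ($i == "-s" || $i == "--source") src = $(i + 1)
        }
        if (target != "ACCEPT" || dport == "") next
        hit = 0
        n = split(dport, parts, ",")           # multiport lists
        for (k = 1; k <= n; k++) {
            m = split(parts[k], r, ":")        # port ranges
            lo = r[1] + 0; hi = (m > 1 ? r[2] : r[1]) + 0
            if (lo <= 5061 && hi >= 5060) hit = 1
        }
        # No -s at all, or an explicit match-everything source, is open.
        if (hit && (src == "" || src == "0.0.0.0/0")) {
            print "UNRESTRICTED SIP: " $0; bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample rules: open.rules mirrors the SIP line shown on this
# page; limited.rules adds a source limit (placeholder network).
write_samples() {
    cat > "$1/open.rules" <<'EOF'
*filter
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5060:5061 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$1/limited.rules" <<'EOF'
*filter
-A INPUT -s 203.0.113.0/24 -m state --state NEW -m udp -p udp --dport 5060:5061 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sip_rules "$tmp/open.rules" || echo "open.rules: add -s to the SIP rule"
audit_sip_rules "$tmp/limited.rules" && echo "limited.rules: SIP is source-limited"
rm -rf "$tmp"
```

On the PBX, point the function at ''/etc/sysconfig/iptables''. It does not interpret negated sources (''! -s''), so review those rules by hand.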
===== Sending E-Mail =====
See **[[networking:linux:postfix_smarthost|Postfix Authenticated Smarthost]]**
===== Configuration First Steps =====
http://wiki.freepbx.org/display/FPG/First+Steps+After+Installation
**FreePBX → Settings → Advanced Settings → Asterisk Manager → Asterisk Manager Password**
  chkconfig iSymphonyServerV3 off
  chkconfig apcupsd off
  chkconfig --list
===== Prosody IM (XMPP) Server =====
:!: The Prosody IM server is installed by default but requires manual configuration or the purchase of the XMPP Pro commercial module.
http://schmoozecom.com/freepbx/xmpp.php
http://wiki.freepbx.org/display/FCM/XMPP+Chat+Management
http://prosody.im/doc/configure