Phone Provisioning through dSIPRouter


John Diffenderfer

May 16, 2025, 4:26:13 PM
to dSIPRouter
I am having an issue provisioning a phone in dSIPRouter with passthru to a Fusionpbx domain. If I go to fusionpbxdomain/provision/mac I get the xml config. If I use dsiprouter/provision/mac it does not work. I get connection refused even though the domain is synced in dsiprouter which tells me the firewall rules are correct. At least I assume this is the case. FYI I am running Fusionpbx in a logical cluster (version 5.4.2). What am I doing wrong here?

I want to use dsiprouter to proxy all traffic and handle provisioning in case I lose one of my fusionpbx servers from my cluster. 

Mack Hendricks

May 16, 2025, 5:19:55 PM
to John Diffenderfer, dSIPRouter
Hey John,

I haven't tested it with FusionPBX 5.4 series...I will have to test it and let you know.  Unless somebody else in the community has tested it.  


John Diffenderfer

May 16, 2025, 5:30:59 PM
to dSIPRouter
Thank you for the quick response Mack. Hopefully someone in the community has an answer. I will continue to play around with my lab environment and report back my solution if I find one. Obviously if you find out what I am missing please let me know. Have a great weekend!!

Mack Hendricks

May 16, 2025, 6:06:59 PM
to John Diffenderfer, dSIPRouter
What does the nginx error or access log say? It’s in the /var/log/nginx/ directory.

John Diffenderfer

May 16, 2025, 6:33:16 PM
to Mack Hendricks, dSIPRouter
I am not at my desk at the moment, but I will check it out a little bit later on and let you know





John Diffenderfer

May 16, 2025, 8:46:06 PM
to Mack Hendricks, dSIPRouter
There is nothing in the logs at all from today

John Diffenderfer

May 19, 2025, 12:59:20 PM
to dSIPRouter
Once I added these commands to the fusionpbx server:

DSIPROUTER_IP=1.1.1.1
sed -i -r "s/^#?listen_addresses[ \t]?=[ \t]?.*/listen_addresses = '*'/m" /etc/postgresql/*/main/postgresql.conf
iptables -A INPUT -p tcp -s $DSIPROUTER_IP/32 --dport 5432 -j ACCEPT
iptables-save >/etc/iptables/rules.v4
# Run this command if you don't want to enter a password for the FusionPBX Database(DB) Password
echo -e "host all all $DSIPROUTER_IP/32 trust" >>/etc/postgresql/*/main/pg_hba.conf
systemctl restart postgresql
# Run this command if you're using fail2ban
sed -i -r "s|^#?(ignoreip = .*)|\1 $DSIPROUTER_IP/32|" /etc/fail2ban/jail.conf
systemctl restart fail2ban

The domain was added to dsiprouter.

dsiprouter_testpbx01.png

Now when I try and open the xml from a webpage I can get the xml using the fusionpbx address: https://siprouter.urbancom.net/provision/macaddress 
If I use the dsiprouter address it doesn't work. I tried both -  https://testpbx01.urbancom.net/provision/001565a1acc6 and https://testpbx01.urbancom.net:5000/provision/macaddress

I do not see anything at all in the nginx logs so I have nothing to go off of.

John Diffenderfer

May 19, 2025, 2:50:41 PM
to dSIPRouter
Typo, it is the other way around:

Now when I try and open the xml from a webpage I can get the xml using the fusionpbx address: https://testpbx01.urbancom.net/provision/macaddress 
If I use the dsiprouter address it doesn't work. I tried both -  https://dsiprouter.urbancom.net/provision/001565a1acc6 and https://dsiprouter.urbancom.net:5000/provision/macaddress

John Diffenderfer

May 20, 2025, 5:58:33 PM
to dSIPRouter
Is anyone else using the latest FusionPBX 5.4.2 with Logical Replication using DSIProuter as a proxy? My carrier groups are working, my inbound routes are working and my outbound routes are working but I cannot provision a phone through dsip. I can't find anything to go on as I don't even see a log when I try to provision the phone.

Mack Hendricks

May 20, 2025, 11:43:39 PM
to John Diffenderfer, dSIPRouter
Hey John,

I did some testing and I remember what changed:

- FusionPBX now requires the domain name to be in the URL.  So, if the domain is test.dsiprouter.net in FusionPBX then the provisioning URL has to be https://test.dsiprouter.net/provision/64167fc782f4

- This means that all subdomains need to point to dSIPRouter and it will route the request to the FusionPBX server 

For example, my FusionPBX server accessing the Mac address looks like this:


image.png

After changing test.dsiprouter.net to point to the IP address of fusionpbx.dsiprouter.net, it works:

image.png


This was a change on the FusionPBX side.  I'm assuming to make it more secure so that you have to know the domain where the provisioning profile exists.   

I'm sure we can come up with some workaround. If you need something immediately, send a note to our support team.  Otherwise, you can put in an issue and we will prioritize it.  It's not a big fix, but takes some time to figure it out.   

Mack Hendricks

May 21, 2025, 12:36:15 AM
to John Diffenderfer, dSIPRouter

John Diffenderfer

May 21, 2025, 8:08:53 AM
to dSIPRouter
Thanks for looking into this Mack. Looking at what you have, I see that you are using port 443. I am thinking another issue I have as part of this is that the dsiprouter does not have port 80 or 443 open. I get into it using port 5000. Do I need to open port 443?

Mack Hendricks

May 21, 2025, 8:24:05 AM
to John Diffenderfer, dSIPRouter
We enable 443 on nginx when you enable the FusionPBX integration.  I don’t think we block 443 from a firewalld level either.  Unless you are running into another issue.  I did make some change to the nginx rule.  Let me post that in a few 

John Diffenderfer

May 21, 2025, 9:13:42 AM
to Mack Hendricks, dSIPRouter
Thanks Mack

John Diffenderfer

May 21, 2025, 9:39:51 AM
to Mack Hendricks, dSIPRouter
I think my only issue is 443. Here is what the dsiprouter server shows as listening:

root@siprouter:~# lsof -iTCP -sTCP:LISTEN -P
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      647     root    3u  IPv4  15419      0t0  TCP *:22 (LISTEN)
sshd      647     root    4u  IPv6  15430      0t0  TCP *:22 (LISTEN)
nginx     729     root    4u  IPv4  14987      0t0  TCP *:5000 (LISTEN)
nginx     729     root    5u  IPv6  14988      0t0  TCP *:5000 (LISTEN)
mariadbd  741    mysql   45u  IPv4  15556      0t0  TCP localhost:3306 (LISTEN)
nginx    2023    nginx    4u  IPv4  14987      0t0  TCP *:5000 (LISTEN)
nginx    2023    nginx    5u  IPv6  14988      0t0  TCP *:5000 (LISTEN)
nginx    2024    nginx    4u  IPv4  14987      0t0  TCP *:5000 (LISTEN)
nginx    2024    nginx    5u  IPv6  14988      0t0  TCP *:5000 (LISTEN)
kamailio 2057 kamailio   11u  IPv4  18871      0t0  TCP localhost:5060 (LISTEN)
kamailio 2057 kamailio   12u  IPv4  18872      0t0  TCP siprouter.urbancom.net:5060 (LISTEN)
kamailio 2057 kamailio   13u  IPv4  18873      0t0  TCP localhost:5061 (LISTEN)
kamailio 2057 kamailio   14u  IPv4  18874      0t0  TCP localhost:4443 (LISTEN)
kamailio 2057 kamailio   15u  IPv4  18875      0t0  TCP siprouter.urbancom.net:4443 (LISTEN)
kamailio 2057 kamailio   16u  IPv4  18876      0t0  TCP siprouter.urbancom.net:5061 (LISTEN)

Mack Hendricks

May 21, 2025, 9:46:57 AM
to John Diffenderfer, dSIPRouter
This means something went wrong with nginx not being reconfigured when you enabled FusionPBX. Check /etc/nginx/sites-enabled and see if 2 files are there. One of the files activates 443.

John Diffenderfer

May 21, 2025, 9:49:41 AM
to Mack Hendricks, dSIPRouter
You are correct. I only have 1 file dsiprouter.conf

Mack Hendricks

May 21, 2025, 10:00:27 AM
to John Diffenderfer, dSIPRouter
Is the FusionPBX integration still enabled? I ask because some people will turn it on, sync the domains and turn it off, which will turn off the provisioning.

John Diffenderfer

May 21, 2025, 10:06:21 AM
to Mack Hendricks, dSIPRouter
It is still on, I just checked. When I enabled FusionPBX I ran the commands that it posts underneath on my FusionPBX server. Once I did that I was able to populate the domains in DSIP. I didn't do anything else.

Mack Hendricks

May 21, 2025, 10:38:52 AM
to John Diffenderfer, dSIPRouter
This is what my directory looks like:

image.png

The dsiprouter-provisioner.conf contains the logic.  That file is located here: /opt/dsiprouter/gui/modules/fusionpbx/

There's a template file (dsiprouter-provisioner.tpl) that's used to generate the dsiprouter-provisioner.conf file.  It seems like that file isn't being generated and pushed into the right location.  

What OS are you using?  I'm using Debian 12.   

John Diffenderfer

May 21, 2025, 10:49:43 AM
to Mack Hendricks, dSIPRouter
Debian 12 and DSIPRouter  .77

I will take a look at the directory. 

John Diffenderfer

May 21, 2025, 11:02:42 AM
to Mack Hendricks, dSIPRouter
I am also going to spin up another VM and go through the process again and see if I missed something. The goal is to show proof of concept so we can use this for our clients and of course setup a support package with you guys. I will report back

Mack Hendricks

May 21, 2025, 11:08:48 AM
to John Diffenderfer, dSIPRouter
The easiest thing is to delete the endpoint group and just re-create it.

John Diffenderfer

May 21, 2025, 11:09:46 AM
to Mack Hendricks, dSIPRouter
OK, I can do that

John Diffenderfer

May 21, 2025, 11:57:46 AM
to Mack Hendricks, dSIPRouter
I removed the endpoint, rebooted and then added the endpoint back. 

This is my directory
image.png

Not sure why mine running the same version as yours does not work. All I can think is I didn't get a clean install.

I can go ahead and spin up another VM with:

Debian 12 minimal install and run apt-get update -y && apt-get install -y git && cd /opt && git clone https://github.com/dOpensource/dsiprouter.git && cd dsiprouter && ./dsiprouter.sh install -all


Mack Hendricks

May 21, 2025, 2:22:50 PM
to John Diffenderfer, dSIPRouter
Let me know how it goes...we can definitely open a ticket and assign you to a pre-sales support engineer if the goal is to purchase a support agreement at the end of a successful PoC.  That engineer would connect to your server and figure out the issue or fast track a bug fix for you.

John Diffenderfer

May 21, 2025, 2:57:19 PM
to Mack Hendricks, dSIPRouter
I reinstalled with Debian 12 and ran the install but same result. I can get everything working except the conf file is not created when I enable fusionpbx in endpoints. Can I just duplicate the dsiprouter.conf file, call it  dsiprouter-provisioner.conf and modify it for 443?

Mack Hendricks

May 21, 2025, 3:00:59 PM
to John Diffenderfer, dSIPRouter
Unfortunately no, but you can try to take the dsiprouter-provisioner.tpl file and try to manipulate this and store it as dsiprouter-provisioner.conf

John Diffenderfer

May 21, 2025, 3:02:03 PM
to Mack Hendricks, dSIPRouter
Sorry, I forgot you told me that earlier. Doing that now  

John Diffenderfer

May 21, 2025, 4:04:26 PM
to Mack Hendricks, dSIPRouter
That works! I can't tell you why I didn't start there when you specifically told me what I needed to do. Lol I guess I just like building servers. 
The solution (My notes):
1 - If dsiprouter-provisioner.conf does not exist in /etc/nginx/sites-available then copy dsiprouter-provisioner.tpl from /opt/dsiprouter/gui/modules/fusionpbx/ to /etc/nginx/sites-available and rename as dsiprouter-provisioner.conf
2 - At the top of your new dsiprouter-provisioner.conf file replace ##SERVERLIST## with server testpbx.yourdomain.com:443; (replace testpbx.yourdomain.com with the name of your FusionPBX server)
3 - Run sudo ln -s /etc/nginx/sites-available/dsiprouter-provisioner.conf /etc/nginx/sites-enabled/dsiprouter-provisioner.conf to enable your dsiprouter-provisioner.conf
4 - Test for errors by running nginx -t
5 - systemctl reload nginx
6 - In your DNS records point your FusionPBX domains to the same ip as your DSIPRouter
7 - Start testing provisioning from a web browser ie: https://testpbx01.yourdomain.com/provision/001555a1acc6 (replacing with the domain name for the fusionpbx domain and the mac address of the phone at the end)

One question, if I have a Fusionpbx cluster, I assume I put both server names in  dsiprouter-provisioner.conf, correct? Should it look like this server testpbx.yourdomain.com:443; server testpbx2.yourdomain.com:443;
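
The notes above as a script, with the listener check from the earlier lsof output folded in. This is an added example, not part of the original posts and not dSIPRouter's own code; the function names and the `--apply` flag are made up for illustration, and the template is assumed to contain the ##SERVERLIST## marker as described in the notes.

```shell
#!/usr/bin/env bash
# Added example, not dSIPRouter's own code. Paths are the ones named in the thread.
TPL=/opt/dsiprouter/gui/modules/fusionpbx/dsiprouter-provisioner.tpl
AVAIL=/etc/nginx/sites-available
ENABLED=/etc/nginx/sites-enabled

# render_provisioner TEMPLATE OUTPUT HOST...
# Fills the ##SERVERLIST## marker with one "server HOST:443;" entry per
# FusionPBX node. Never overwrites an existing conf, and accepts hostname
# characters only so nothing else can land in the nginx configuration.
render_provisioner() {
    local tpl=$1 out=$2 list="" h
    shift 2
    [ -r "$tpl" ] || { echo "template not readable: $tpl" >&2; return 1; }
    [ ! -e "$out" ] || { echo "already exists: $out" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "need at least one FusionPBX host" >&2; return 3; }
    for h in "$@"; do
        case $h in
            ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $h" >&2; return 4 ;;
        esac
        list="${list}server ${h}:443; "
    done
    grep -q '##SERVERLIST##' "$tpl" || { echo "marker missing in $tpl" >&2; return 5; }
    sed "s|##SERVERLIST##|${list% }|" "$tpl" > "$out"
}

# nginx_listening PORT: reads `lsof -iTCP -sTCP:LISTEN -P` output on stdin and
# succeeds only if an nginx process holds a listener on exactly that port.
nginx_listening() {
    awk -v p=":$1" '$1 == "nginx" && $(NF-1) ~ (p "$") { ok = 1 } END { exit !ok }'
}

# activate_provisioner: symlink into sites-enabled, syntax-check, reload, verify.
activate_provisioner() {
    ln -s "$AVAIL/dsiprouter-provisioner.conf" "$ENABLED/dsiprouter-provisioner.conf" &&
        nginx -t && systemctl reload nginx &&
        lsof -iTCP -sTCP:LISTEN -P | nginx_listening 443
}

# Usage (as root): ./script.sh --apply testpbx.yourdomain.com testpbx2.yourdomain.com
if [ "${1:-}" = "--apply" ]; then
    shift
    render_provisioner "$TPL" "$AVAIL/dsiprouter-provisioner.conf" "$@" &&
        activate_provisioner
fi
```

If the final check fails after a clean `nginx -t`, the rendered file has no 443 listener, which is the same symptom as the connection refused with empty nginx logs seen earlier in the thread.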


Mack Hendricks

May 21, 2025, 4:08:32 PM
to John Diffenderfer, dSIPRouter
It will look like this:

upstream backend {
  server backend1.example.com:443;
  server backend2.example.com:443;
  server backend3.example.com:443;
}


John Diffenderfer

May 21, 2025, 4:15:09 PM
to Mack Hendricks, dSIPRouter
Ok last question, when enabling Fusionpbx in Endpoint group do I put both Fusionpbx servers in the server field in a cluster situation?

image.png

John Diffenderfer

May 22, 2025, 11:20:20 AM
to dSIPRouter
Good morning Mack,

Just wanted to give you a followup and let you know that I did not have to point all of my fusionpbx domains to the DSIPRouter address. I was able to leave them pointed at the same address as my fusionpbx server and I am able to provision using the dsiprouter address. My issue simply was not having the dsiprouter-provisioner.conf file created when I enabled fusionpbx in dsiprouter. Everything is working. Testing a fusionpbx cluster next.

Mack Hendricks

May 22, 2025, 1:18:28 PM
to John Diffenderfer, dSIPRouter