In our previous article, we sang the praises of FusionPBX as the terrific GUI that was always missing from FreeSWITCH. Little did we know that a better mousetrap was hiding just behind the curtain. And today we introduce the third layer to our 3-Layer Cake, FS PBX. Some might call it a refinement of FusionPBX. We think it’s more of an enhanced feature set of the already rich offerings in FusionPBX. Technically, it’s a fork. More accurately, it’s a fork, knife, and spoon.
In addition to a refined GUI, FS PBX also introduces an awesome collection of new features including text-to-speech and speech-to-text integration throughout the interface. With voicemail, you get transcription of messages delivered to your inbox. With IVRs, ring groups, and email, you get the ability to use OpenAI to create site-specific voice prompts. And with the Dashboard, you get feature set integration that all but eliminates the requirement to hop around the GUI to touch all the components necessary to deploy a state-of-the-art PBX. The new Call Detail Records (CDRs) will leave you drooling. And, in the security department, FS PBX delivers two-factor authentication (2FA) for web access, a much-needed enhancement over the FusionPBX version. Coupled with our security features for FS PBX, you’ll have a multi-tenant platform that is second to none. Say goodbye to hundreds of daily hack attempts on your server.
The bad news, if there is any, is that this won’t run on your bargain-basement cloud platform with one gig of RAM. You’re going to need 4 gigs of RAM just to install it. For large deployments, more RAM and more disk are obvious must-haves. Aside from that, the minimum platform requirements are much the same as FusionPBX. You’ll want at least 20GB of disk space, a Debian 12 platform on a cloud server that offers backups, and at least one fully-qualified domain name (FQDN) so that IP address web access can be disabled. For multi-tenant deployments, you’ll obviously need more RAM, more disk space, and additional domain names.
Sizing & Choosing Your FS PBX Platform
Remember the old carpenter’s rule, "Measure Twice. Cut Once." It’s equally important here. You don’t want to go through this installation process (which is admittedly tedious) and get to the finish line only to discover that your server platform has run out of memory or storage space for your target audience. Or you forgot to consider a backup solution. So do your homework and carefully consider how many tenant platforms and users you will be supporting and what uses will be employed by each of those departments and users. Trust us when we say you really need a cloud platform for this deployment. You do not want to babysit this in-house with all the maintenance headaches that entails.
You’re going to need a Debian 12 cloud platform and a static IP address for FS PBX. Spend some time considering what your long-term budget for this project will be, document your requirements, and make a shopping list. And then go shopping. LowEnd-Talk and LowEnd-Spirit offer dozens of low cost options. You’ll be hard-pressed to beat the $50/year ColoCrossing deal linked above with monthly backups, but they have dozens of other options depending upon your requirements. Just read the reviews before making a decision. UPDATE: We’ve been waiting over 5 months for ColoCrossing to sort out the monthly backups we’re paying for. Still haven’t gotten the first one!
In the middle tier, Vultr, Digital Ocean, and OVH can’t be beat. If money is no object, you have the luxury of Amazon, Microsoft, and Oracle platforms to consider. If the platform you choose doesn’t provide backups, look elsewhere!
Getting Started With FS PBX
Once you have deployed your Debian 12 server, the first thing you’ll need to do is create a fully-qualified domain name (FQDN) using the public IP address of your server. If you don’t have a domain you can use, here’s a link to some free solutions. If you already have a domain, simply create an A record in your DNS settings for fspbx.yourdomain.com. Be sure to test your new FQDN using ping before proceeding with the install. Next, use SSH to log in to your new Debian 12 server as root using the FQDN you just created: ssh root@fspbx.yourdomain.com. Now issue the following commands to bring Debian 12 up to speed. Regardless of your server platform, immediately change your root password to a very secure one with upper and lower case letters, numbers, and a few special characters. This will avoid many potential catastrophes because of a data breach by your provider.
passwd
apt-get update && apt-get upgrade
apt-get install systemd
apt-get install systemd-sysv
apt-get install ca-certificates
reboot
After rebooting, log back into your server as root and issue the following command to install the base FS PBX platform. Note that the command may wrap around to the second line because of space constraints with most browsers.
wget -O- https://raw.githubusercontent.com/nemerald-voip/fspbx/main/install/install-fspbx.sh | bash
When the installation finishes, be sure to make note of the FS PBX admin credentials required to access the FS PBX GUI with a browser! If you forget this step, you get to start over. They will look something like this:
Login URL: https://69.82.75.231
Username: admin@fspbx.net
Password: AJetd9xWegDjabQIckL4ERa0i
Next, open your favorite browser and point it to the IP address of your new FS PBX server. Log in using the credentials you wrote down above. Because of the FS PBX security design, we won’t be spending much time in the IP Address Domain of your new server.
The Proxmox LAN Alternative
If you just want to experiment, you can install FS PBX locally on your Proxmox server and skip the FQDN setup documented below. Begin by creating a Debian 12 Virtual Machine with at least 4GB of RAM and 20GB of disk space. Log in to your virtual machine as root and issue the FS PBX install command above. When the installation finishes, you will get the admin credentials shown above. But obviously you won’t be able to log in using the public IP address shown. Issue the ip a command to decipher the LAN IP address of your virtual machine. Then switch to the FS PBX directory: cd /var/www/fspbx. Update the Environment Configuration of your FS PBX server: nano -w .env with the following entries using your server’s actual LAN IP address instead of 10.0.0.15:
APP_URL=https://10.0.0.15
SESSION_DOMAIN=10.0.0.15
SANCTUM_STATEFUL_DOMAINS=10.0.0.15
Finally, refresh the FS PBX configuration cache: php artisan config:cache. Then log in to the LAN IP address with your browser using the Username and Password credentials above.
Deploying FS PBX for Production Using an FQDN
If you’re deploying FS PBX for production use, the first order of business is to create a new domain using the FQDN that you created above.
In the left column, navigate to Advanced -> Domains. Then click the Add button, enter your FQDN in the Name field, and click SAVE. This will generate the new Domain which will appear in the listing which now appears in the top right pull-down of the FS PBX Dashboard. Go ahead now and select your Domain. It then will appear as the active one in the FS PBX Dashboard. Now we need to create a new admin user account with SuperAdmin privileges. From the left column, choose Accounts -> Users -> Add and fill in the blanks leaving the unspecified fields at their default settings. Then click Save.
Username: john_doe
Password: very-secure-password-of-twelve-or-more-letters-and-numbers
Confirm: same-password
Email: john_doe@fspbx.yourdomain.com
Language: your-favorite
TimeZone: where-your-domain-resides
Groups: superadmin
Now test things out by first logging out: Home -> Logout. Close the browser window and open a new one pointing to the FQDN of your server. Log in with your new email address using the password you created above. Now the fun begins so take a break if you need one.
Securing Your FS PBX Server
If you’ve been following Nerd Vittles for the past couple decades, then you know that we are sticklers when it comes to security. So bear with us while we add a few extra layers of security to FS PBX. Log back into your server as root using SSH. First, we need to change the default port for future SSH access. Edit /etc/ssh/sshd_config. Uncomment the Port line and enter a new port number. A good choice might be the year you were born. Then save the file. Don’t restart the SSH service just yet, or you will lock yourself out of your server.
Next, edit /etc/iptables/rules.v4. Scroll down to the line containing --dport 22 and duplicate the line. Change the number in the duplicated line to the port number you assigned for future SSH access. Then SAVE the file and reboot your server.
Log back in: ssh -p 1234 root@fspbx.yourdomain.com where 1234 is the port you assigned for SSH access. Assuming you got back in, edit /etc/iptables/rules.v4 again and comment out or delete the --dport 22 line. Save the file and restart IPtables: systemctl restart iptables.
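The rules.v4 edits from the steps above, as an added example that is not part of the original article: the port 22 rule is only removed once the new port is present in both sshd_config and rules.v4. The function names and the sample files are constructed for illustration; a real rules.v4 will contain more rules.

```bash
#!/usr/bin/env bash
# Added example (not from the article): the rules.v4 edits above with a lockout guard.
# Function names are illustrative; the sample files are constructed.

valid_port() {   # numeric, 1-65535, and not the port we are moving away from
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

has_rule() {   # has_rule FILE PORT: true if FILE has a rule with "--dport PORT"
    grep -Eq -e "--dport $2( |\$)" "$1"
}

sshd_listens_on() {   # true if sshd_config ($1) has an uncommented "Port $2" line
    awk -v p="$2" 'tolower($1) == "port" && $2 == p { ok = 1 } END { exit !ok }' "$1"
}

# First edit: duplicate the "--dport 22" rule for the new port; port 22 stays open.
add_ssh_port() {
    file="$1"; port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    has_rule "$file" 22 || { echo "no --dport 22 rule in $file" >&2; return 1; }
    has_rule "$file" "$port" && return 0      # already added, nothing to do
    awk -v p="$port" '
        { print }
        /--dport 22( |$)/ { dup = $0; sub(/--dport 22/, "--dport " p, dup); print dup }
    ' "$file" > "$file.new" && cat "$file.new" > "$file" && rm -f "$file.new"
}

# Check before the reboot: sshd_config and rules.v4 must both carry the new port.
ready_for_reboot() {   # ready_for_reboot SSHD_CONFIG RULES_FILE PORT
    sshd_listens_on "$1" "$3" && has_rule "$2" "$3"
}

# Second edit (after logging in on the new port): delete the port 22 rule.
drop_port22() {
    file="$1"; port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    has_rule "$file" "$port" || {
        echo "refusing: no rule for port $port, removing 22 would lock you out" >&2
        return 1
    }
    grep -Ev -e '--dport 22( |$)' "$file" > "$file.new"
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Constructed sample files so the example runs anywhere.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' '-A INPUT -p tcp --dport 443 -j ACCEPT' \
        'COMMIT' > "$dir/rules.v4"
    printf '%s\n' '#Port 22' 'Port 1234' > "$dir/sshd_config"
    echo "$dir"
}

d=$(make_samples)
drop_port22 "$d/rules.v4" 1234 2>/dev/null || echo "guard held: port 22 kept"
add_ssh_port "$d/rules.v4" 1234
ready_for_reboot "$d/sshd_config" "$d/rules.v4" 1234 && echo "safe to reboot"
drop_port22 "$d/rules.v4" 1234 && cat "$d/rules.v4"
rm -rf "$d"
```

On the server, sshd -t and iptables-restore --test < /etc/iptables/rules.v4 check both files for syntax errors before the reboot.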
Now we’re ready to add a few layers of protection for the FS PBX web interface. We’ll be using two free services: VoIP Blacklist and APIban. These two services implement a VoIP blacklist of over 100,000 bad guys, and we have found the listings block virtually all attacks on FS PBX which, by design, exposes its SIP ports on the public internet.
You will need an APIkey for APIban which you can obtain here. Once you have your APIkey, issue the following commands:
cd /
apt install ipset -y
wget https://filedn.com/lBgbGypMOdDm8PWOoOiBR7j/FusionPBX/ipset-additions.tar.gz
tar zxvf ipset-additions.tar.gz
# insert your APIkey when the text editor opens below & save the file
nano -w /usr/local/sbin/apiban-init
chmod +x /etc/rc.local
echo "2 0 * * * root rm -f /var/log/*.gz >/dev/null 2>&1" >> /etc/crontab
echo "2 5 * * * root rm -f /var/log/*.1 >/dev/null 2>&1" >> /etc/crontab
echo "9 5 * * * root rm -f /var/log/freeswitch/*.1 >/dev/null 2>&1" >> /etc/crontab
echo "3 */6 * * * root /usr/local/sbin/iptables-restart >/dev/null 2>&1" >> /etc/crontab
reboot
Depending upon the amount of RAM available in your new server, IPtables may or may not restart after you reboot. You can check it by logging in as root and issuing the command: iptables -nL. If you see the following entries as the first five in your INPUT chain, all is well and you can move on to the next section:
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 10.8.0.0/24 0.0.0.0/0
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 match-set voipbl src
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 match-set apiban src
If you see a bunch of DROP entries in the iptables listing, then the likely culprit is that /etc/rc.local didn’t get executed when you rebooted. You can fix this with the following commands:
cd /etc/systemd/system
rm -f rc-local.service
ln -s /lib/systemd/system/rc-local.service rc-local.service
reboot
After rebooting, issue the iptables -nL command again and check for the five entries shown above. If they’re there, you’re done. If the series of DROP commands are also missing, then we need to address the memory constraints of your server. Edit /etc/rc.local and replace the existing contents with the following:
#!/bin/sh -e
/usr/local/sbin/apiban-init
#/usr/local/sbin/voipbl-init
systemctl restart iptables
systemctl restart ip6tables
systemctl restart fail2ban
/usr/sbin/iptables -I INPUT -m set --match-set apiban src -j DROP
#/usr/sbin/iptables -I INPUT -m set --match-set voipbl src -j DROP
/usr/sbin/iptables -I INPUT -s 10.8.0.0/24 -j ACCEPT
/usr/sbin/iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -I INPUT -i lo -j ACCEPT
exit 0
When you issue the iptables -nL command now, you should see only four entries at the top of the INPUT chain:
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 10.8.0.0/24 0.0.0.0/0
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 match-set apiban src
The VoIP Blacklist IPset will be run as a cron job during the day to add the necessary protection for FS PBX.
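A way to run the same check after every reboot, as an added example that is not part of the original article: the function reads iptables -nL output and compares the top of the INPUT chain with the five-entry and four-entry listings shown above. The function name, its full/lowmem modes and the sample listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): compare the top of the INPUT chain
# with the listings shown above. check_input_chain and its modes are made-up names.
# Usage on the server:  iptables -nL | check_input_chain full

check_input_chain() {
    # full   = five entries (voipbl and apiban sets both loaded by rc.local)
    # lowmem = four entries (apiban only; voipbl is added later by cron)
    awk -v mode="${1:-full}" '
    BEGIN {
        n = 0; idx = 0; bad = 0
        want[++n] = "ACCEPT 0.0.0.0/0"
        want[++n] = "ACCEPT 0.0.0.0/0 state RELATED,ESTABLISHED"
        want[++n] = "ACCEPT 10.8.0.0/24"
        if (mode == "full") want[++n] = "DROP 0.0.0.0/0 match-set voipbl src"
        want[++n] = "DROP 0.0.0.0/0 match-set apiban src"
        in_input = 1    # input may be a bare rule listing without a chain header
    }
    /^Chain /            { in_input = ($2 == "INPUT"); next }
    /^target/ || NF == 0 { next }
    in_input && idx < n {
        idx++
        got = $1 " " $4                              # target and source
        for (i = 6; i <= NF; i++) got = got " " $i   # match options, if present
        if (got != want[idx]) {
            printf "rule %d: expected [%s], found [%s]\n", idx, want[idx], got
            bad++
        }
    }
    END {
        if (idx < n) { printf "only %d of %d expected rules present\n", idx, n; bad++ }
        if (!bad) print "INPUT chain starts with the expected " n " rules"
        exit (bad > 0)
    }'
}

# Constructed sample: header lines, the five entries listed above, one later rule.
SAMPLE_FULL='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  10.8.0.0/24          0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0            match-set voipbl src
DROP       0    --  0.0.0.0/0            0.0.0.0/0            match-set apiban src
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Constructed sample: the four-entry listing, pasted without its header lines.
SAMPLE_LOWMEM='ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 10.8.0.0/24 0.0.0.0/0
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 match-set apiban src'

printf '%s\n' "$SAMPLE_FULL" | check_input_chain full
printf '%s\n' "$SAMPLE_LOWMEM" | check_input_chain lowmem
printf '%s\n' "$SAMPLE_LOWMEM" | check_input_chain full || echo "voipbl set not in place yet"
```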
Changing the SIP Port for Phone Registrations
By default, SIP phones register on ports UDP 5060 and 5061. These are perhaps the two most dangerous ports to leave exposed to the public internet. Here’s how to change them:

Securing Web Access to Your FS PBX Server
The next most vulnerable ports on your server are those providing web access: TCP 80 and TCP 443. Once you have verified that you can log in with a browser using the FQDN of your server, here’s how to completely disable access to your server using its IP address.
To begin, create a Let’s Encrypt SSL Certificate for your server by following this tutorial.
Future web logins will only be allowed using https://fspbx.yourdomain.com (with your actual domain or subdomain creation) when you complete this setup. Logins using the IP address of your server will be blocked.
1. From the Linux CLI, log into your server as root
2. Edit /etc/nginx/sites-available/fspbx.conf
3. In the listen 80 section, comment out: server_name *.us.domain.com;
4. Insert just below it: server_name fspbx.yourdomain.com;
5. In the listen 443 ssl section, comment out: server_name *.us.domain.com;
6. Insert just below it: server_name fspbx.yourdomain.com;
7. Make a copy of the 6 lines in the ssl section of the listen 443 ssl section
8. Scroll to the bottom of the file and insert the following code:
# Default discard
server {
    listen 80 default_server; # Catches all requests to port 80 not matched
    listen 443 ssl default_server; # Catches unmatched requests to port 443
    server_name _; # This is a common convention for a catch-all server_name
    # You must have SSL certs for 443 even for the default_server
    # Use a dummy self-signed cert or one for a non-public domain
9. Just below this code, insert the 6 lines of ssl code from step #7
10. Finally, insert the following code just below your SSL code:
    return 444; # Nginx specific: drops the connection without a response
    # Or, to return a 403 Forbidden:
    # return 403;
    # Or, to redirect to the FQDN:
    # return 301 https://yourdomain.com$request_uri;
}
11. Don’t forget the closing brace }.
12. SAVE the file and restart nginx: systemctl restart nginx
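A check of the edited file before restarting nginx, as an added example that is not part of the original article: it confirms that no wildcard server_name is still active, that a server block names your FQDN, and that exactly one default_server block exists with an active return directive. The function name and both sample configurations are constructed; the certificate path is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the article): sanity-check fspbx.conf after steps 1-12.
# check_fspbx_vhosts is an illustrative name; the sample configs are constructed.
# Usage: check_fspbx_vhosts /etc/nginx/sites-available/fspbx.conf fspbx.yourdomain.com

check_fspbx_vhosts() {
    awk -v fqdn="$2" '
    function finish_block() {
        if (is_default) {
            defaults++
            if (!ret) { print "catch-all block has no active return directive"; bad++ }
        } else {
            if (names ~ /[*]/) { print "wildcard server_name still active:" names; bad++ }
            if (index(names " ", " " fqdn " ")) named++
        }
    }
    {
        sub(/#.*/, "")    # commented-out directives and trailing comments do not count
        if (depth == 0 && $0 ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; is_default = 0; ret = 0; names = ""
        } else if (in_srv && depth == 1) {     # directives directly inside server {}
            if ($1 == "listen" && $0 ~ /default_server/) is_default = 1
            if ($1 == "return") ret = 1
            if ($1 == "server_name")
                for (i = 2; i <= NF; i++) { v = $i; sub(/;$/, "", v); names = names " " v }
        }
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth == 0) { finish_block(); in_srv = 0 }
    }
    END {
        if (defaults != 1) { printf "expected 1 default_server block, found %d\n", defaults; bad++ }
        if (!named) { print "no server block is named " fqdn; bad++ }
        if (!bad) print "OK: " fqdn " is named and unmatched requests hit the catch-all"
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the file before the edits (wildcard names, no catch-all).
sample_before() { cat <<'EOF'
server {
    listen 80;
    server_name *.us.domain.com;
}
server {
    listen 443 ssl;
    server_name *.us.domain.com;
}
EOF
}

# Constructed sample: the file after the edits.
sample_after() { cat <<'EOF'
server {
    listen 80;
    #server_name *.us.domain.com;
    server_name fspbx.yourdomain.com;
}
server {
    listen 443 ssl;
    #server_name *.us.domain.com;
    server_name fspbx.yourdomain.com;
    ssl_certificate /path/to/PLACEHOLDER.crt;
    location / { try_files $uri /index.php; }
}
# Default discard
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _; # catch-all server_name
    ssl_certificate /path/to/PLACEHOLDER.crt;
    return 444;
    # return 403;
}
EOF
}

sample_after  | check_fspbx_vhosts - fspbx.yourdomain.com
sample_before | check_fspbx_vhosts - fspbx.yourdomain.com || echo "edits not applied yet"
```

Run nginx -t as well before the restart; this check only looks at the server_name and default_server logic, not at syntax.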
Adding An OpenVPN Client To FS PBX
We are big fans of the OpenVPN virtual private network which makes it super easy to manage clients and servers worldwide in a secure, private network. The 10.8.0.0 subnet is used for this purpose as the whitelist entry above shows. If you would like to add an OpenVPN client to FS PBX, here are the steps assuming you already have an OpenVPN Server running. First, generate a new OpenVPN client for FS PBX on your OpenVPN server. Download the client to the /etc directory on FS PBX and name it fusionpbx.ovpn. Issue these commands to deploy OpenVPN:
apt install openvpn
cd /etc/systemd/system
wget https://filedn.com/lBgbGypMOdDm8PWOoOiBR7j/FusionPBX/openvpn.service
chmod +x openvpn.service
cd /etc
wget https://filedn.com/lBgbGypMOdDm8PWOoOiBR7j/FusionPBX/openvpn-start
chmod +x openvpn-start
reboot
If you want a totally secure platform with minimal SIP exposure, an alternative is to create and use your OpenVPN client address in lieu of an FQDN. The two drawbacks are that every desktop phone must have OpenVPN access and push notifications are not supported. If you want to review the deployment steps, follow this link. We personally no longer use this approach and instead follow the recommendations of the developer, Dexter Allen.
The real good news in deploying an OpenVPN client is that you always can gain access to your server even if your public IP address got poisoned in one of the VoIP blacklists. For web access, simply point your browser to FS PBX’s OpenVPN client IP address and then log in as admin@fspbx.yourdomain.com with your FQDN’s admin password. Serenity now!
Adding pbxstatus for FS PBX CLI

It’s always nice to have a snapshot of all the critical components running (or not) on your server. Here’s how to install our pbxstatus application:
apt install dialog -y
cd /usr/local/sbin
wget https://filedn.com/lBgbGypMOdDm8PWOoOiBR7j/FS%20PBX/pbxstatus-FSpbx
mv pbxstatus-FSpbx pbxstatus
chmod +x pbxstatus
echo "pbxstatus -p" >> /root/.profile
Activating a Gmail SmartHost For Outgoing Email
We’ve found the easiest way to assure that outbound email gets delivered reliably is to implement a Gmail SmartHost for Postfix. To deploy this, you will need a Gmail account and a Gmail App Password, not your standard Gmail password. You can obtain a Gmail App Password for your account here. Once you have your Gmail account name and app password in hand, issue the following commands:
cd /root
# accept the defaults during Postfix install
apt install postfix
mkdir /etc/pbx
wget https://filedn.com/lBgbGypMOdDm8PWOoOiBR7j/FusionPBX/enable-gmail-smarthost-with-postfix
chmod +x enable*
./enable*
# insert your gmail account name and APP password when prompted
wget https://filedn.com/lBgbGypMOdDm8PWOoOiBR7j/FusionPBX/mailtest
chmod +x mailtest
nano -w mailtest
# insert a destination email address for testing and save mailtest
./mailtest
Two-Factor Authentication (2FA) for Web Logins
Once you have verified that email can be sent from your server, an important security addition will be deployment of two-factor authentication for web logins. This means a 2FA code will be emailed to you whenever you attempt to log in to your server. You then will be prompted for the code before web access is authorized. Begin by editing /var/www/fspbx/.env and entering your Gmail credentials with your app password:
MAIL_MAILER=smtp
MAIL_HOST=smtp.gmail.com
MAIL_PORT=587
MAIL_USERNAME=yourname@gmail.com
MAIL_PASSWORD=your-gmail-app-password
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=yourname@gmail.com
MAIL_FROM_NAME="${APP_NAME}"
MAIL_REPLY_TO_ADDRESS=yourname@gmail.com
MAIL_REPLY_TO_NAME="${APP_NAME}"
Next, edit /var/www/fspbx/config/fortify.php and uncomment line 157:
'email-challenge',
Finally, refresh the FS PBX configuration cache:
php /var/www/fspbx/artisan config:cache
Activating TTS and STT for FS PBX Using OpenAI
Another important addition that FS PBX brings to FusionPBX is support for text-to-speech (TTS) and speech-to-text (STT) through the GUI. It lets you dictate and create AI-generated voice prompts using the new IVR interface as well as generating ring group announcements and voicemail greetings for your extensions. And it also lets you transcribe voicemails and deliver the results via email to owners of extensions. To begin, you’ll need to create an API Key in OpenAI:
1. Navigate to https://platform.openai.com and Sign Up
2. Set up an OpenAI account using your Google account
3. Click on the Settings tool in Upper Right beside your acct photo
4. Add a few bucks in Billing
5. Navigate to API keys and create an API key to use with FS PBX.
6. Be sure to write it down. You can't view it after initial creation.
After logging into FS PBX with your browser, navigate to Advanced -> Default Settings. Enable and enter the following settings for each of the specified sections below:
Speech
api_key: your-API-key-from-OpenAI
api_url: https://api.openai.com/v1/audio/speech
enabled: True
engine: openai
Transcribe
api_key: your-API-key-from-OpenAI
api_url: https://api.openai.com/v1/audio/transcriptions
enabled: True
engine: openai
Voicemail
openai_transcription_model: whisper-1
transcribe_enabled: True
transcribe_provider: openai
transcription_enabled_default: False
voicemail_file: attach

smtp_auth: True
smtp_from: your-name@gmail.com
smtp_from_name: FS PBX
smtp_host: smtp.gmail.com
smtp_password: your-gmail-APP-password
smtp_port: 587
smtp_secure: tls
smtp_username: your-name@gmail.com
smtp_validate_certificate: True
Finally, under Status -> SIP Status, click on the following buttons:
Flush Cache
Reload ACL
Setting Up A Basic System With FS PBX
If you’re coming over from the Asterisk® and FreePBX® world to FS PBX and FreeSwitch, then the initial setup drill should be familiar. You need a SIP provider (a.k.a. Trunk in FreePBX or Gateway in FS PBX), you need some extensions and a ring group, and you need outbound and inbound routes to direct calls out and into your FS PBX platform. We’ll add a few bells and whistles along the way. Let me hasten to add that debugging with FS PBX can be tedious which may be because of my inexperience on the platform. The good news is our design below works. Your "improvements" may or may not work. And your best source for a solution may be the FusionPBX Forum.
Setting Up An FS PBX Gateway With VoIP.ms
Let’s start with the SIP provider. The Gateway we’ve chosen is VoIP.ms. You can read all about them here. We also tried BulkVS for several days and had nothing but problems. My best advice comes from my dad’s favorite expression: "Be Reasonable. Do It My Way." The first steps are to create a VoIP.ms account using our signup link. That keeps the lights burning brightly here. Then order a DID in your favorite city. Make sure to set the Dialing Mode to NANPA. Next, create a SubAccount as a PBX with a Username and Password. Specify the DID you ordered as the CallerID number for the SubAccount. Specify G.711U and G.722 as the Codecs. Set DTMF Mode to Auto. Enable the IP Restriction and specify the IP address of your server. Leave the remaining defaults and click Update Account. Next, navigate to Manage DIDs and Route calls to the SubAccount you just created. Choose a POP location near your server, e.g. atlanta2.voip.ms. Leave the remaining defaults and click Apply Changes. That’s all the setup required on the VoIP.ms side.
On the FS PBX side, using your SSH connection, ping the VoIP.ms POP server you chose above to get its IP address.
Using a browser while logged into your FQDN domain, navigate to Advanced -> Access Controls -> providers. In the Nodes field, enter an Allow entry with the IP address of the VoIP.ms POP you’ve chosen. Enter VoIP.ms as the Description. Then click SAVE.
Next, choose Accounts -> Gateways -> Add. Enter the following. Then click SAVE.
Gateway: voip.ms
Username: subaccount-name
Password: subaccount-password
FromUser: subaccount-name
FromDomain: atlanta2.voip.ms (or whatever you chose above)
Proxy: same-as-from-domain
Realm: same-as-from-domain
Expires: 60
Register: True
Retry: 30
Context: public
Profile: external
Register: Enabled
Navigate to Accounts -> Gateways again and make sure your gateway shows as REGED after a minute or so.
Setting Up Extensions With FS PBX
FusionPBX’s slickest feature is its multiple extension setup procedure. Navigate to https://fspbx.yourdomain.com/app/extensions/extensions.php replacing fspbx.yourdomain.com with your actual FQDN. Then click the +Add button. In Extension, specify the starting extension number. Then in Range, specify the number of extension numbers to create. For example, if you specified 411 as the starting Extension with a Range of 9, FS PBX will create extensions 411 through 419 with unique default passwords. If you want to specify a User for the extensions, choose it from the pull-down list. Otherwise, leave it blank. Specify a default voicemail password for the extensions. You can leave all of the CallerID fields blank because we’ve already specified the CallerID number on the VoIP.ms side. The other options are self-explanatory so just follow your nose and then click Save.
We’ve always found it wise to specify the IP addresses as Allow entries in Advanced -> Access Controls -> rfc1918 although this may not be necessary for extensions registered to your FS PBX FQDN. What will be necessary if you’re using an application such as Groundwire on a smartphone or tablet is to review Status -> Event Guard after attempting to register a device that supports Push Notifications. You probably will see the SIPIS push server access got blocked, and you’ll need to toggle this to Unblocked and also register the SIPIS IP address as Allowed in Advanced -> Access Controls -> rfc1918 before Push Notifications will work.
TIP: Any device or service that connects to FS PBX by IP address needs to be whitelisted in either the rfc1918 or providers section of Advanced -> Access Controls. If a connection or service is failing, the first place to check is Status -> Event Guard. From the command line interface, also check for IPtables blocks with iptables -nL. This is the price we pay for having SIP access exposed. But it’s manageable once you get the hang of it.
Creating a VoIP.ms Outbound Route With FS PBX
Gotcha #1. A word of caution before we set up your Outbound Route. Unless you’re outside the North American Dialing Plan, be consistent in always specifying North America as your Dialplan Expression. The reason is that if you choose 10-digit dialing in your Outbound Route and one of your SIP phones is configured to always add a 1 prefix, the outbound calls from that phone will fail. Choosing North America as your Outbound Route’s Dialplan Expression will allow outbound calls from 1NXXNXXXXXX and +1NXXNXXXXXX and NXXNXXXXXX. Ask us how we know. 🙂
To create an Outbound Route for your VoIP.ms Gateway, choose Dialplan -> Outbound Routes -> Add from the FS PBX Dashboard. Fill in the form as shown below and click SAVE.
Gateway: VoIP.ms
Dialplan Expression Shortcut: North America
Prefix: 1
Limit: Number-of-Simultaneous-Outbound-Calls-Allowed
Acct Code: Your-FQDN
Description: VoIP.ms
Creating a VoIP.ms Inbound Route With FS PBX
It’s anything but intuitive, but you don’t create an Inbound Route in FS PBX by choosing Dialplan -> Inbound Routes. Instead, you choose Dialplan -> Destinations -> Add. You only need a few of the fields filled in to complete the setup. Then click SAVE.
Type: Inbound
Country Code: 1
Destination: Your-10-Digit-VoIP.ms-DID
Context: public
Actions: Choose-One-Of-Your-Extensions-From-The-List
User: admin
Usage: Voice
Domain: Your-FQDN
Order: 100
Enabled: True
We’re going to modify this setup a bit in the following sections, but this will get you started so that calls from your DID will be delivered to one of your extensions for testing purposes.
Enabling a Softphone Extension for FS PBX
So that we can test things out, we need to enable a softphone on either an iPhone, iPad, Android phone, or Android tablet. To keep things simple, follow our tutorial for Groundwire to load the app onto your device. This will get you a softphone with Push notifications to experiment with FS PBX. Down the road, FS PBX provides an incredible assortment of Device Profiles that will preconfigure dozens of SIP phones for you. But, for now, let’s stick with Groundwire.
On the FS PBX side, you’ll need to edit one of your extensions and copy down the extension password. Then startup Groundwire on your mobile device and choose Settings -> Accounts. Click the + icon in the bottom left of the display to get started. Choose New SIP Account. Click CheckMark when finished.
Title: FS PBX
Username: Your-Chosen-Extension-Number
Password: Your-Extension-Password
Domain: Your-FQDN
Now click Advanced Settings and continue:
Incoming Calls: Use Global Setting
NAT Traversal: STUN
Send Media Back: True
STUN Server: stun.acrobits.cz
Force Private IP: True
Enable Video Calls: True
Codecs WiFi: G.711U, G.722, OPUS
Honor Remote Codecs: True
Codecs Mobile: same-settings-as-WiFi
Video Codecs: H.264 and VP8
Outgoing Calls Need Registration: True
Call Waiting: True
Transport Protocol: TCP
Push Options: Simulate NAT and Block Registration During Call
DTMF Mode: RFC2833
Secure Calls: Disabled
Your FS PBX account should now show as registered by displaying in Green. In the Settings tab, click on Push Notifications Test to see if push notifications are working. When the test completes successfully, it is an excellent time to switch over to Event Guard on your FS PBX Dashboard to see if the SIPIS Push Server has been blocked. If so, unblock it and also Allow its IP address in Advanced -> Access Controls -> rfc1918. Now push notifications should continue to work reliably.
TIP: If you have lots of smartphones to deploy, Groundwire has a slick feature that will save you a bunch of time. First, build Groundwire with an extension you don’t plan to use. For example, use extension 888 with its password and a domain of xyz.com. Save your settings with all of the configuration options documented above. Then choose Settings -> Preferences -> Backup Configuration. Enable Application configurations only and make up a password for your backup. Then click Backup and Send By Email. You then can restore this file to each additional phone and simply change the extension, password, and domain without having to wade through the remaining settings on each phone. This works on both Android and iOS devices running Groundwire.

Keeping the Spammers At Bay With FS PBX
We have a tried-and-true solution for blocking the scammers and politicians. It forces callers to press a number before being routed to your phones.
Here’s how to deploy our Press7 inbound call option. First, download the press7.mp3 file onto your desktop. Then choose Applications -> Recordings -> Upload and choose the MP3 file you downloaded to your desktop. Save the file and then play it once to be sure it works.
Next, we want to create a simple IVR with an option7 that points to your extension and a timeout option that hangs up the call. Navigate to Applications -> IVR Menus -> Add. Fill in the form as shown below and then click SAVE.
Name: Press7
Extension: 777
Greet Long: press7.mp3
Options:
  Option: 7
  Destination: your-extension-number
  Enabled: True
Timeout: 6000
Exit Action: Hangup
Context: Your-FQDN
Enabled: True
Finally, edit the Inbound Route created above: Dialplan -> Destinations -> Inbound. In the Action pull-down menu, choose the 777 IVR option. Then SAVE your changes. Now try out a test call to your DID.
Keeping Spammers At Bay With Lenny

Verify OpenAI TTS API Key Is Working
1. Go to Home -> Dashboard -> Virtual Receptionists
2. Create a New IVR using any of the existing Voice Prompts
3. Edit the IVR and Navigate to Prompt section.
4. Click on + to create a new voice prompt.
5. Choose text-to-speech
6. Type a Custom Greeting, pick a Voice, and click Generate
7. Play it back to verify that your TTS API key is working.
Verify OpenAI STT API Key Is Working
1. Edit Home -> Dashboard -> Voicemail Settings for an extension
2. Enter an Email Address for the voicemails
3. Enable Voicemail Transcription
4. Enable Attach File to Voicemails
5. Choose whether to delete voicemail after email delivery
6. Save your updates
7. Send a voicemail to that extension and check your email box
Some Admin Tools For Your FS PBX Toolkit
If you’re coming from the Asterisk world, you know how important the Asterisk CLI interface was. With FreeSWITCH, there’s a similar command line application: fs_cli. We’re also still a little fuzzy when a synchronization with FS PBX is necessary so we’ve learned to issue the following two commands after making SIP modifications in the dialplan:
sofia profile internal restart
sofia profile external restart
There are a few other FS PBX commands worth learning. By navigating to Status -> SIP Status, you can Reload ACL, Reload XML, and Flush Cache. If you modify call routing, add new IVRs, or change any logic in the dialplan, reload_xml is typically needed for those changes to take effect. More importantly, reload_acl reloads the Access Control Lists (ACLs) in FreeSWITCH. ACLs are used to define which IP addresses or networks are allowed or denied access to various FreeSWITCH services (e.g., SIP registrations, gateways). It also performs a reload_xml implicitly before reloading the ACLs. Flush Cache typically is used if you update sound files or other key components in FS PBX to assure that the updated version is used rather than an earlier copy that still may be cached. When all else fails, it may be time to restart FreeSwitch from SSH: systemctl restart freeswitch.
We trust we’ve given you enough tips and tricks to get FS PBX deployed and functioning. Now is probably a good time to read through the FusionPBX Getting Started Tutorial which covers some additional topics. Deploy at your own risk.
If you would like to deploy BulkVS with FS PBX, we now have documented the process here. Enjoy!
Originally published: Monday, July 28, 2025

Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
