{"id":24,"date":"2025-12-13T22:07:40","date_gmt":"2025-12-13T22:07:40","guid":{"rendered":"https:\/\/nsputnik.com\/blog\/?p=24"},"modified":"2026-04-28T04:32:10","modified_gmt":"2026-04-28T04:32:10","slug":"phreephoning-a-free-private-encrypted-phone-system-with-raspberry-pi-and-analog-phones","status":"publish","type":"post","link":"https:\/\/nsputnik.com\/blog\/2025\/12\/13\/phreephoning-a-free-private-encrypted-phone-system-with-raspberry-pi-and-analog-phones\/","title":{"rendered":"Phreephoning: A Free, Private, Encrypted Phone System with Raspberry Pi and Analog Phones"},"content":{"rendered":"<style><br \/>.code-box {<br \/>    background-color: #f4f4f4 !important;<br \/>    border: 1px solid #ddd !important;<br \/>    border-radius: 4px !important;<br \/>    padding: 12px !important;<br \/>    margin: 10px 0 30px 0 !important;<br \/>    overflow-x: auto !important;<br \/>    position: relative !important;<br \/>    display: block !important;<br \/>}<br \/>.code-box pre {<br \/>    margin: 0;<br \/>    padding: 0;<br \/>    border: none;<br \/>    background: transparent;<br \/>}<br \/>.code-box code {<br \/>    white-space: pre;<br \/>    display: block;<br \/>    background-color: transparent;<br \/>    padding: 0;<br \/>    font-size: 14px;<br \/>}<br \/>.note {<br \/>    background-color: #fff3cd;<br \/>    border-left: 4px solid #ffc107;<br \/>    padding: 10px 15px;<br \/>    margin: 10px 0;<br \/>}<br \/>.important {<br \/>    background-color: #f8d7da;<br \/>    border-left: 4px solid #dc3545;<br \/>    padding: 10px 15px;<br \/>    margin: 10px 0;<br \/>}<br \/>table {<br \/>    border-collapse: collapse;<br \/>    margin: 10px 0;<br \/>}<br \/>th, 
td {<br \/>    border: 1px solid #ddd;<br \/>    padding: 8px;<br \/>    text-align: left;<br \/>}<br \/>th {<br \/>    background-color: #f4f4f4;<br \/>}<br \/><\/style>\n<p>What if you could pick up an old-school telephone in your house, call a friend&#8217;s house across town, across the country or around the world, and have that call travel over your existing internet connection, fully encrypted, with no monthly bill from a phone company? That&#8217;s the basic idea behind this project. Phreephoning is a free, private phone system built from a Raspberry Pi, Analog Telephone Adapters (ATAs), subnet routers, and a main router that creates an encrypted mesh between locations.<\/p>\n<p><a href=\"https:\/\/github.com\/nsputnik\/phreephoning\/blob\/main\/phreephoning-setup-guide.md\" target=\"_blank\" rel=\"noopener\">GitHub<\/a><br \/>\n<a href=\"https:\/\/docs.google.com\/presentation\/d\/19Re2Ca_tQteEhlfqD-B7velJAX4z6orv\/edit?usp=sharing&#038;ouid=105490797376323213165&#038;rtpof=true&#038;sd=true\" target=\"_blank\" rel=\"noopener\">Google Slides<\/a><\/p>\n<h2>WRT Powered Subnet Router \/ Tailscale Setup Guide for VoIP ATAs<\/h2>\n<p>This guide covers setting up a GL.iNet Brume 2\/Beryl AX router with Tailscale to connect remote ATAs to a central PBX for a free, private and encrypted phone system. It is not connected to the larger phone system. You can only call the users you set up with the system. You don&#8217;t have to pay a phone company monthly, just your ISP. 
WireGuard encrypts the traffic between subnet routers, just like the major data centers do.<\/p>\n<h2>Overview<\/h2>\n<p><a href=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-51\" src=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram-300x273.jpg\" alt=\"\" width=\"300\" height=\"273\" srcset=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram-300x273.jpg 300w, https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram-768x698.jpg 768w, https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram.jpg 960w\" sizes=\"auto, (max-width: 300px) 85vw, 300px\" \/><\/a><\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>A broadband internet connection at the main site and each remote site (no telephone line needed\u2014this system is completely independent from the telecom network)<\/li>\n<li>An existing wireless router with internet access at the main site and at each remote site (the Brume 2\/Beryl AX connects to these routers)<\/li>\n<li><a href=\"https:\/\/www.gl-inet.com\/products\/gl-mt2500\/\">GL.iNet Brume 2 (GL-MT2500)<\/a> router, one for each remote line and one for the main site that will be on the same local network as the PBX, or <a href=\"https:\/\/www.gl-inet.com\/products\/gl-mt3000\/\">GL.iNet Beryl AX (GL-MT3000)<\/a>, which is the wireless version. It is useful when a remote user wants the phone somewhere other than next to the router and you don&#8217;t want to run Ethernet cables. 
Wherever this guide mentions the remote Brume 2 and Tailscale, the Beryl AX can be substituted; the wireless details are covered in a separate section near the end.<\/li>\n<li><a href=\"https:\/\/tailscale.com\/\">Tailscale account<\/a> (free tier is adequate)<\/li>\n<li>Tailscale client installed on your admin computer &#8211; download from <a href=\"https:\/\/tailscale.com\/download\">https:\/\/tailscale.com\/download<\/a> and sign in with the same Tailscale account. This allows you to SSH into any Brume via its Tailscale IP and to reach each ATA&#8217;s admin interface. You will be on the same Tailnet.<\/li>\n<li>A Raspberry Pi 3, 4, or 5 (not Zero) with FreePBX\/Asterisk installed. The original RasPBX project (raspbx.org) appears to be offline as of April 2026 \u2014 the domain no longer resolves and archive.org has the page but not the actual disk-image download. Practical alternatives:\n<ul>\n<li>Install Raspberry Pi OS Lite, then run a community FreePBX install script \u2014 e.g., <a href=\"https:\/\/github.com\/playfultechnology\/RasPBX\">playfultechnology\/RasPBX<\/a> or <a href=\"https:\/\/github.com\/MatejKovacic\/RasPBX-install\">MatejKovacic\/RasPBX-install<\/a><\/li>\n<li>Or use any other Asterisk-based PBX distribution that gives you a working FreePBX web UI on port 80<\/li>\n<\/ul>\n<p>The rest of this guide assumes Asterisk 16+ with FreePBX 15+ and the default <code>\/var\/lib\/asterisk\/<\/code> paths, which all common installations provide.<\/li>\n<li>An <a href=\"https:\/\/www.ebay.com\/sch\/i.html?_nkw=analog+telephone+adapter\">ATA device<\/a> for each line (Cisco SPA, Linksys PAP2T, Grandstream HT802, etc.)<\/li>\n<li>An old touch-tone analog telephone at each location you want to call or that you want to be able to call you.<\/li>\n<\/ul>\n<h2>Steps<\/h2>\n<p><strong>Main Site Setup (do these first):<\/strong><\/p>\n<ul>\n<li><a href=\"#step1\">Step 1: Main Site Brume 2 Setup<\/a><\/li>\n<li><a href=\"#step2\">Step 2: Main Site Firewall Configuration<\/a><\/li>\n<li><a 
href=\"#step3\">Step 3: Reserve PBX and Brume IP Addresses<\/a><\/li>\n<li><a href=\"#step4\">Step 4: Create Extensions in FreePBX<\/a><\/li>\n<li><a href=\"#step5\">Step 5: Configure Main Site ATA<\/a><\/li>\n<li><a href=\"#step6\">Step 6: Verify Main Site SIP Registration<\/a><\/li>\n<li><a href=\"#step7\">Step 7: Configure and Test Remote ATA Locally<\/a><\/li>\n<\/ul>\n<p><strong>Remote Site Setup (repeat for each remote location):<\/strong><\/p>\n<ul>\n<li><a href=\"#step8\">Step 8: Remote Site Brume 2 Setup<\/a><\/li>\n<li><a href=\"#step9\">Step 9: Remote Site Firewall Configuration<\/a><\/li>\n<li><a href=\"#step10\">Step 10: Verify Tailscale Routing<\/a><\/li>\n<li><a href=\"#step11\">Step 11: Reconfigure Remote ATA for Deployment<\/a><\/li>\n<li><a href=\"#step12\">Step 12: Verify Remote SIP Registration<\/a><\/li>\n<li><a href=\"#step13\">Step 13: Deploy to Remote Site<\/a><\/li>\n<\/ul>\n<p><strong>Final Steps:<\/strong><\/p>\n<ul>\n<li><a href=\"#step14\">Step 14: Reboot Test<\/a><\/li>\n<li><a href=\"#step15\">Step 15: Make a Test Call<\/a><\/li>\n<li><a href=\"#step16\">Step 16: Export Backups<\/a><\/li>\n<li><a href=\"#optional-wireless\">Optional: Wireless Setup with Beryl AX (Remote Sites)<\/a><\/li>\n<\/ul>\n<h2>Main Site Setup<\/h2>\n<p>Complete all main site steps before setting up any remote sites.<\/p>\n<p><a name=\"step1\"><\/a><\/p>\n<h2>Step 1: Main Site Brume 2 Setup<\/h2>\n<p>The main site Brume 2 sits on the same local network as the PBX and acts as the Tailscale gateway for remote sites. 
It stays in <strong>Router mode<\/strong> (the default) but connects differently than remote Brumes.<\/p>\n<div class=\"important\"><strong>Set up the main Brume first!<\/strong> The main Brume must be configured and advertising its subnet before remote Brumes can connect to the PBX.<\/div>\n<h3>Initial Setup<\/h3>\n<ol>\n<li>At your local site where the PBX will live, connect Brume 2 <strong>WAN port<\/strong> to your router (gets internet and local network via DHCP)<\/li>\n<li>The PBX and local ATA connect to the <strong>same network as the Brume&#8217;s WAN<\/strong> (not the LAN port), so just connect them to your router<\/li>\n<li>Access Brume web UI (default: http:\/\/192.168.8.1)<\/li>\n<li>Set admin password<\/li>\n<li>Leave Network Mode as <strong>Router<\/strong> (the default)<\/li>\n<li>Note the Brume&#8217;s WAN IP (check your router&#8217;s DHCP client list)<\/li>\n<\/ol>\n<h3>Enable Tailscale and Join Tailnet<\/h3>\n<ol start=\"7\">\n<li>In Brume web UI: <strong>Applications \u2192 Tailscale<\/strong><\/li>\n<li>Click <strong>Enable Tailscale<\/strong><\/li>\n<li>Click the authentication link and log into your Tailscale account<\/li>\n<li>Enable <strong>&#8220;Allow Remote Access LAN&#8221;<\/strong><\/li>\n<li>Enable <strong>&#8220;Allow Remote Access WAN&#8221;<\/strong><\/li>\n<li>Note the Tailscale IP assigned (100.x.x.x) &#8211; visible in Tailscale admin console<\/li>\n<\/ol>\n<h3>Approve Route and Name Device<\/h3>\n<ol start=\"13\">\n<li>Go to <a href=\"https:\/\/login.tailscale.com\/admin\/machines\">https:\/\/login.tailscale.com\/admin\/machines<\/a><\/li>\n<li>Find the main Brume and <strong>approve the subnet route<\/strong> (192.168.1.0\/24)<\/li>\n<li><strong>Rename the device<\/strong> &#8211; click the three-dot menu \u2192 &#8220;Edit machine name&#8221; \u2192 name it something like &#8220;gl-mt2500-main&#8221; or &#8220;gl-mt2500-pbx-site&#8221; to identify it easily<\/li>\n<\/ol>\n<div class=\"note\"><strong>Key difference from 
remote Brumes:<\/strong> The main Brume&#8217;s PBX is on its WAN side (e.g., 192.168.1.0\/24), not LAN side. This means the firewall rules use <code>eth0<\/code> instead of <code>br-lan<\/code>.<\/div>\n<p><a name=\"step2\"><\/a><\/p>\n<h2>Step 2: Main Site Firewall Configuration<\/h2>\n<p>SSH to the main Brume to configure the firewall rules. These are specific to the <strong>main site<\/strong> because the PBX is on the WAN side.<\/p>\n<div class=\"code-box\">\n<pre><code>ssh root@192.168.8.1<\/code><\/pre>\n<\/div>\n<p>(Password is the same as the web UI admin password you created)<\/p>\n<h3>Make Filesystem Writable<\/h3>\n<p>GL.iNet routers use a read-only overlay filesystem by default. Run this command first to ensure your changes persist across reboots:<\/p>\n<div class=\"code-box\">\n<pre><code>. \/lib\/functions\/gl_util.sh && remount_ubifs<\/code><\/pre>\n<\/div>\n<h3>2a. Create UCI Firewall Zone<\/h3>\n<p>Run these commands to create a Tailscale firewall zone:<\/p>\n<div class=\"code-box\">\n<pre><code># Create Tailscale zone\nuci add firewall zone\nuci set firewall.@zone[-1].name='ts'\nuci set firewall.@zone[-1].input='ACCEPT'\nuci set firewall.@zone[-1].output='ACCEPT'\nuci set firewall.@zone[-1].forward='ACCEPT'\nuci set firewall.@zone[-1].device='tailscale0'\n\n# Add forwarding ts -&gt; lan\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src='ts'\nuci set firewall.@forwarding[-1].dest='lan'\n\n# Add forwarding lan -&gt; ts\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src='lan'\nuci set firewall.@forwarding[-1].dest='ts'\n\n# Save changes\nuci commit firewall<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>uci show firewall | grep -E \"zone.*ts|forwarding\"<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>2b. 
Configure \/etc\/rc.local (Main Site)<\/h3>\n<p>This ensures Tailscale settings persist after reboot.<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> When typing these commands, the closing <code>ENDFILE<\/code> must have <strong>no spaces before it<\/strong>. If your terminal adds leading spaces when you paste, use the arrow keys and backspace to remove them before pressing Enter.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt; \/etc\/rc.local &lt;&lt; 'ENDFILE'\n# Put your custom commands here that should be executed once\n# the system init finished. By default this file does nothing.\n\n. \/lib\/functions\/gl_util.sh\nremount_ubifs\n\n# Wait for Tailscale to be ready\nsleep 10\n\n# Apply Tailscale settings - advertise the PBX subnet\ntailscale up --advertise-routes=192.168.1.0\/24 --accept-routes --reset\n\nexit 0\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/rc.local<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>2c. 
Configure \/etc\/firewall.user (Main Site)<\/h3>\n<p>The main site uses <code>eth0<\/code> (WAN interface) because the PBX is on the WAN side.<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> Same as above &#8211; the closing <code>ENDFILE<\/code> must have <strong>no leading spaces<\/strong>.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt;&gt; \/etc\/firewall.user &lt;&lt; 'ENDFILE'\n\n# MASQUERADE traffic from WAN subnet to Tailscale\niptables -t nat -I POSTROUTING -o tailscale0 -s 192.168.1.0\/24 -j MASQUERADE\n\n# FORWARD rules for eth0 &lt;-&gt; tailscale0 (WAN to Tailscale)\niptables -I FORWARD -i tailscale0 -o eth0 -j ACCEPT\niptables -I FORWARD -i eth0 -o tailscale0 -j ACCEPT\n\n# Restart Tailscale to restore its rules\n\/etc\/init.d\/tailscale restart\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/firewall.user<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>2d. Apply Settings<\/h3>\n<div class=\"code-box\">\n<pre><code>tailscale up --advertise-routes=192.168.1.0\/24 --accept-routes --reset\n\/etc\/init.d\/firewall restart<\/code><\/pre>\n<\/div>\n<p><a name=\"step3\"><\/a><\/p>\n<h2>Step 3: Reserve PBX and Brume IP Addresses<\/h2>\n<p>Log into your main site router and create DHCP reservations (also called &#8220;static leases&#8221; or &#8220;address reservations&#8221;) for two devices:<\/p>\n<ol>\n<li><strong>The PBX (Raspberry Pi)<\/strong> at its current IP (e.g., 192.168.1.100). Without this, the router may assign a different IP after a power outage or reboot, and every ATA&#8217;s SIP Proxy setting would need updating.<\/li>\n<li><strong>The Brume 2<\/strong> at its current WAN IP. Tailscale routing won&#8217;t break if this changes \u2014 the Tailscale IP is independent \u2014 but reserving it preserves your <strong>local-subnet fallback access<\/strong>: SSH or web admin to a known IP on the LAN if Tailscale itself ever fails. 
This is your only out-of-band recovery path for the Brume.<\/li>\n<\/ol>\n<p>Look for DHCP reservation, static lease, or address reservation in your router&#8217;s settings. You&#8217;ll need each device&#8217;s MAC address and current IP.<\/p>\n<p><a name=\"step4\"><\/a><\/p>\n<h2>Step 4: Create Extensions in FreePBX<\/h2>\n<p>Create SIP extensions for <strong>all<\/strong> phones in your system &#8211; both the main site ATA and all remote ATAs. Do this now while you&#8217;re at the main site.<\/p>\n<ol>\n<li>Log into FreePBX web interface on your local network (check your router for the PBX IP). The default username is admin, password is admin.<\/li>\n<li>Go to <strong>Applications \u2192 Extensions<\/strong><\/li>\n<li>Click <strong>Add Extension<\/strong> \u2192 <strong>Add New PJSIP Extension<\/strong> (or SIP if using chan_sip)<\/li>\n<li>Enter:\n<ul>\n<li><strong>User Extension<\/strong>: Extension number (e.g., 100 for main site, 101-109 for remote sites)<\/li>\n<li><strong>Display Name<\/strong>: Description (e.g., &#8220;Main House&#8221;, &#8220;Mom and Dad&#8221;, &#8220;Uncle Bob&#8221;)<\/li>\n<li><strong>Secret<\/strong>: Copy the auto-generated password or set your own<\/li>\n<\/ul>\n<\/li>\n<li>Click <strong>Submit<\/strong><\/li>\n<li>Click the <strong>red &#8220;Apply Config&#8221; button<\/strong> at the top<\/li>\n<li>Copy the <strong>Secret<\/strong> (password) &#8211; you&#8217;ll need it for the ATA<\/li>\n<li>Repeat steps 2 through 7 for each phone in your system (main site + all remote sites)<\/li>\n<\/ol>\n<div class=\"note\"><strong>Tip:<\/strong> Create all extensions now so you have the passwords ready when configuring each ATA.<\/div>\n<p><a name=\"step5\"><\/a><\/p>\n<h2>Step 5: Configure Main Site ATA<\/h2>\n<p>The main site ATA connects directly to your router (same network as the PBX), so configuration is simpler than remote ATAs.<\/p>\n<p>Access the ATA&#8217;s web interface and configure:<\/p>\n<h3>Network 
Settings<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Value<\/th>\n<\/tr>\n<tr>\n<td>Connection Type<\/td>\n<td><strong>DHCP<\/strong> or <strong>Static IP<\/strong><\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>(If static: 192.168.1.101 or similar)<\/td>\n<\/tr>\n<tr>\n<td>Subnet Mask<\/td>\n<td>255.255.255.0<\/td>\n<\/tr>\n<tr>\n<td>Default Gateway<\/td>\n<td>Your router&#8217;s IP (e.g., 192.168.1.1)<\/td>\n<\/tr>\n<tr>\n<td>Primary DNS<\/td>\n<td>8.8.8.8 or your router&#8217;s IP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>SIP\/Line Settings<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Value<\/th>\n<\/tr>\n<tr>\n<td>SIP Proxy<\/td>\n<td>192.168.1.100 (PBX IP)<\/td>\n<\/tr>\n<tr>\n<td>SIP Port<\/td>\n<td>5060<\/td>\n<\/tr>\n<tr>\n<td>Register<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>User ID<\/td>\n<td>Extension number (e.g., 100)<\/td>\n<\/tr>\n<tr>\n<td>Auth ID<\/td>\n<td>Same as User ID<\/td>\n<\/tr>\n<tr>\n<td>Password<\/td>\n<td>SIP secret from FreePBX<\/td>\n<\/tr>\n<tr>\n<td>NAT Mapping Enable<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>NAT Keep Alive Enable<\/td>\n<td>Yes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>If you use both lines on a two-line ATA, the second line should use SIP port 5061. The ATA may set this automatically, but verify it.<\/p>\n<div class=\"note\"><strong>Why NAT Mapping \/ NAT Keep Alive matter:<\/strong> even at the main site the ATA usually sits behind your home router&#8217;s NAT. With these enabled, the ATA periodically refreshes its NAT binding so the PBX can reach it for inbound calls. 
With them disabled, registration may appear to succeed but the path silently breaks after the NAT entry ages out, and inbound calls fail.<\/div>\n<p><strong>Click &#8220;Submit All Changes&#8221;<\/strong> to save and trigger registration.<\/p>\n<p><a name=\"step6\"><\/a><\/p>\n<h2>Step 6: Verify Main Site SIP Registration<\/h2>\n<h3>Check the ATA<\/h3>\n<ol>\n<li>Access the ATA&#8217;s web admin (e.g., http:\/\/192.168.1.101)<\/li>\n<li>Look for registration status &#8211; usually on the main status page or under Line\/SIP settings<\/li>\n<li>Should show <strong>&#8220;Registered&#8221;<\/strong> or <strong>&#8220;Online&#8221;<\/strong><\/li>\n<\/ol>\n<h3>Verify on the PBX<\/h3>\n<p>SSH into the PBX (Raspberry Pi). The username is root and the password is raspberry.<\/p>\n<div class=\"code-box\">\n<pre><code>ssh root@192.168.1.100<\/code><\/pre>\n<\/div>\n<p>Check registration:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\" | grep 100\n# or for chan_sip:\nasterisk -rx \"sip show peers\" | grep 100<\/code><\/pre>\n<\/div>\n<p>The output should show the extension with status &#8220;OK&#8221; or &#8220;Avail&#8221;.<\/p>\n<h3>Test Dial Tone<\/h3>\n<p>Pick up the phone connected to the main site ATA. You should hear a dial tone.<\/p>\n<div class=\"note\"><strong>Heads up \u2014 dial tone alone doesn&#8217;t always mean registered.<\/strong> On Linksys and Cisco SPA-style ATAs (including the Cisco ATA 191\/192), dial tone is gated on registration: no dial tone means not registered. <strong>Grandstream ATAs (HT801\/802\/812\/813\/818) give a dial tone whether they&#8217;re registered or not<\/strong> \u2014 the dial tone is generated locally by the ATA, not by the PBX. 
Always confirm registration via the ATA&#8217;s web admin Status page or <code>pjsip show endpoints<\/code> on the PBX rather than relying on dial tone.<\/div>\n<p><a name=\"step7\"><\/a><\/p>\n<h2>Step 7: Configure and Test Remote ATA Locally<\/h2>\n<p>Before setting up the remote Brume 2, test the remote ATA locally on your main network. This confirms the extension works before adding the complexity of the Tailscale tunnel.<\/p>\n<h3>Temporary Local Setup<\/h3>\n<p>Connect the remote ATA directly to your main router (the same network as the PBX), <strong>not<\/strong> to the Brume 2 yet. Leave the ATA&#8217;s network settings on <strong>DHCP\/Dynamic<\/strong> &#8211; no network configuration is needed for this test.<\/p>\n<h3>SIP\/Line Settings<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Value<\/th>\n<\/tr>\n<tr>\n<td>SIP Proxy<\/td>\n<td>192.168.1.100 (PBX IP)<\/td>\n<\/tr>\n<tr>\n<td>SIP Port<\/td>\n<td>5060<\/td>\n<\/tr>\n<tr>\n<td>Register<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>User ID<\/td>\n<td>Extension number (e.g., 101)<\/td>\n<\/tr>\n<tr>\n<td>Auth ID<\/td>\n<td>Same as User ID<\/td>\n<\/tr>\n<tr>\n<td>Password<\/td>\n<td>SIP secret from FreePBX (created in <a href=\"#step4\">Step 4<\/a>)<\/td>\n<\/tr>\n<tr>\n<td>NAT Mapping Enable<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>NAT Keep Alive Enable<\/td>\n<td>Yes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"note\"><strong>Don&#8217;t skip the NAT settings.<\/strong> Once this ATA is deployed behind a remote Brume 2, it lives behind two layers of NAT (Brume LAN \u2192 remote site&#8217;s WAN). Without <code>NAT Mapping Enable<\/code> and <code>NAT Keep Alive Enable<\/code> set to Yes, the ATA stops refreshing its NAT binding, the PBX loses the path, and registration silently dies \u2014 usually 30\u201360 seconds after a successful first registration. 
Set these now while you&#8217;re testing locally so you don&#8217;t have to revisit them after deployment.<\/div>\n<p><strong>Click &#8220;Submit All Changes&#8221;<\/strong> to save and trigger registration.<\/p>\n<h3>Test Local Call<\/h3>\n<ol>\n<li>Verify the ATA shows <strong>&#8220;Registered&#8221;<\/strong> in its web interface<\/li>\n<li>Pick up the phone connected to this ATA &#8211; you should hear dial tone<\/li>\n<li>Dial the main site extension (e.g., 100)<\/li>\n<li>The main site phone should ring &#8211; answer and verify two-way audio works<\/li>\n<li>Hang up, then test the other direction: pick up the main site phone and dial this extension (e.g., 101)<\/li>\n<li>Answer and verify two-way audio works in both directions<\/li>\n<\/ol>\n<p>Once calls succeed in both directions, you&#8217;ve confirmed the extension is configured correctly. You&#8217;ll reconfigure this ATA for the remote subnet after setting up the remote Brume 2.<\/p>\n<h2>Remote Site Setup<\/h2>\n<p>Repeat these steps for each remote location. Complete the main site setup first!<\/p>\n<p><a name=\"step8\"><\/a><\/p>\n<h2>Step 8: Remote Site Brume 2 Setup<\/h2>\n<p>Each remote site needs its own Brume 2 in <strong>router mode<\/strong> (the default) with a unique subnet.<\/p>\n<div class=\"important\"><strong>IMPORTANT: Configure before deployment!<\/strong> Set up and join each remote Brume to your Tailnet <strong>before<\/strong> shipping or bringing it to the remote location. 
This allows you to SSH into the remote Brume 2 via Tailscale for troubleshooting after deployment.<\/div>\n<h3>Pre-deployment Setup (do this at your location)<\/h3>\n<p>To avoid IP conflicts, configure each remote Brume while:<\/p>\n<ul>\n<li>The main Brume is <strong>powered off<\/strong>, OR<\/li>\n<li>On a <strong>different network<\/strong> from the main Brume (since both default to 192.168.8.1)<\/li>\n<\/ul>\n<ol>\n<li>Connect Brume 2 <strong>WAN port<\/strong> to your router (needs internet for Tailscale auth)<\/li>\n<li>Access Brume web UI (default: http:\/\/192.168.8.1)<\/li>\n<li>Set admin password<\/li>\n<li>Go to <strong>Network \u2192 LAN<\/strong><\/li>\n<li>Change the <strong>LAN IP<\/strong> to use a unique subnet:\n<ul>\n<li>Change the third octet (the &#8220;8&#8221; in 192.168.<strong>8<\/strong>.1) to a unique number<\/li>\n<li>Example: change <code>192.168.8.1<\/code> to <code>192.168.10.1<\/code> for the first remote site<\/li>\n<li>Use sequential numbers: 192.168.9.1, 192.168.10.1, 192.168.11.1, etc.<\/li>\n<li>The subnet mask stays <code>255.255.255.0<\/code><\/li>\n<li>Click <strong>Apply<\/strong> &#8211; you&#8217;ll be disconnected briefly as the IP changes<\/li>\n<\/ul>\n<\/li>\n<li>Reconnect to the Brume at its new IP (e.g., http:\/\/192.168.10.1)<\/li>\n<li>Note this new LAN IP &#8211; it becomes the ATA&#8217;s gateway<\/li>\n<\/ol>\n<h3>Enable Tailscale<\/h3>\n<ol start=\"8\">\n<li>In Brume web UI: <strong>Applications \u2192 Tailscale<\/strong><\/li>\n<li>Click <strong>Enable Tailscale<\/strong><\/li>\n<li>Click the authentication link and log into your Tailscale account<\/li>\n<li>Enable <strong>&#8220;Allow Remote Access LAN&#8221;<\/strong><\/li>\n<li>Enable <strong>&#8220;Allow Remote Access WAN&#8221;<\/strong><\/li>\n<li>Note the Tailscale IP assigned (100.x.x.x) &#8211; visible in Tailscale admin console<\/li>\n<\/ol>\n<h3>Approve Route and Name Device<\/h3>\n<ol start=\"14\">\n<li>Go to <a 
href=\"https:\/\/login.tailscale.com\/admin\/machines\">https:\/\/login.tailscale.com\/admin\/machines<\/a><\/li>\n<li>Find the new Brume and <strong>approve the subnet route<\/strong><\/li>\n<li><strong>Rename the device<\/strong> &#8211; use the name or initials of the friend\/family member where it will be deployed (e.g., &#8220;gl-mt2500-uncle-bob&#8221;, &#8220;gl-mt2500-mom-dad&#8221;). In the machine list, click the three dots on the right and select Edit Route Settings; you will then see the route or routes to approve.<\/li>\n<\/ol>\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-73\" src=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/tailsacle-admin-2.jpg\" alt=\"Tailscale device admin\" width=\"960\" height=\"435\"><\/h3>\n<h3>Choosing a Subnet<\/h3>\n<p>Use a unique \/24 subnet for each site:<\/p>\n<table>\n<tbody>\n<tr>\n<th>Site<\/th>\n<th>Subnet<\/th>\n<th>Brume LAN IP<\/th>\n<\/tr>\n<tr>\n<td>Main (PBX)<\/td>\n<td>192.168.1.0\/24<\/td>\n<td>(WAN side, no change needed)<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 1<\/td>\n<td>192.168.9.0\/24<\/td>\n<td>192.168.9.1<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 2<\/td>\n<td>192.168.10.0\/24<\/td>\n<td>192.168.10.1<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 3<\/td>\n<td>192.168.11.0\/24<\/td>\n<td>192.168.11.1<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 4<\/td>\n<td>192.168.12.0\/24<\/td>\n<td>192.168.12.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"note\"><strong>Why start above 8?<\/strong> The Brume defaults to 192.168.8.x. Using 9, 10, 11&#8230; makes it easy to remember which site is which and avoids conflicts with the default.<\/div>\n<div class=\"note\"><strong>Two subnets to think about \u2014 yours, and theirs.<\/strong> Pick a unique third octet for <em>your<\/em> Brume&#8217;s LAN. 
But also be aware that the <strong>remote site&#8217;s upstream router<\/strong> (the one the Brume&#8217;s WAN plugs into) often hands out <code>192.168.0.0\/24<\/code> or <code>192.168.1.0\/24<\/code> \u2014 these are common ISP\/router defaults you don&#8217;t control. When the remote site&#8217;s WAN happens to be on the same subnet as the PBX (<code>192.168.1.0\/24<\/code>), the Brume&#8217;s kernel sees the PBX&#8217;s <code>\/24<\/code> as directly-connected on its WAN port and tries to route PBX traffic out the WAN instead of over Tailscale. Step 9b&#8217;s rc.local installs a per-host <code>\/32<\/code> route to handle this case automatically, so you don&#8217;t have to renumber the upstream router. Just be aware this is why that line is there.<\/div>\n<p><a name=\"step9\"><\/a><\/p>\n<h2>Step 9: Remote Site Firewall Configuration<\/h2>\n<p>SSH to the remote Brume to configure the firewall rules. These are specific to <strong>remote sites<\/strong> because the ATA is on the LAN side.<\/p>\n<div class=\"code-box\">\n<pre><code>ssh root@192.168.X.1<\/code><\/pre>\n<\/div>\n<p>(Replace X with your subnet number, e.g., 192.168.10.1. Password is the same as the web UI admin password you created)<\/p>\n<h3>Make Filesystem Writable<\/h3>\n<p>GL.iNet routers use a read-only overlay filesystem by default. Run this command first to ensure your changes persist across reboots:<\/p>\n<div class=\"code-box\">\n<pre><code>. \/lib\/functions\/gl_util.sh && remount_ubifs<\/code><\/pre>\n<\/div>\n<h3>9a. 
Create UCI Firewall Zone<\/h3>\n<p>Run these commands to create a Tailscale firewall zone (same as main site):<\/p>\n<div class=\"code-box\">\n<pre><code># Create Tailscale zone\nuci add firewall zone\nuci set firewall.@zone[-1].name='ts'\nuci set firewall.@zone[-1].input='ACCEPT'\nuci set firewall.@zone[-1].output='ACCEPT'\nuci set firewall.@zone[-1].forward='ACCEPT'\nuci set firewall.@zone[-1].device='tailscale0'\n\n# Add forwarding ts -&gt; lan\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src='ts'\nuci set firewall.@forwarding[-1].dest='lan'\n\n# Add forwarding lan -&gt; ts\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src='lan'\nuci set firewall.@forwarding[-1].dest='ts'\n\n# Save changes\nuci commit firewall<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>uci show firewall | grep -E \"zone.*ts|forwarding\"<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>9b. Configure \/etc\/rc.local (Remote Site)<\/h3>\n<p>Copy the code below to a text editor, replace <code>192.168.X.0\/24<\/code> with your actual subnet (e.g., 192.168.10.0\/24), then paste into the terminal:<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> The closing <code>ENDFILE<\/code> must have <strong>no spaces before it<\/strong>.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt; \/etc\/rc.local &lt;&lt; 'ENDFILE'\n# Put your custom commands here that should be executed once\n# the system init finished. By default this file does nothing.\n\n. \/lib\/functions\/gl_util.sh\nremount_ubifs\n\n# Apply Tailscale settings - CHANGE SUBNET BELOW\ntailscale up --advertise-routes=192.168.X.0\/24 --accept-routes --reset\n\n# Force PBX traffic over Tailscale, even if the remote site's WAN is\n# also on 192.168.1.0\/24 (common ISP default). 
A per-host \/32 wins by\n# longest-prefix-match over the connected \/24 on the WAN interface.\n# CHANGE THE PBX IP BELOW IF YOURS IS DIFFERENT.\n( for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do\n    ip link show tailscale0 &gt;\/dev\/null 2&gt;&amp;1 &amp;&amp; break\n    sleep 2\n  done\n  ip route replace 192.168.1.100\/32 dev tailscale0 ) &amp;\n\nexit 0\nENDFILE<\/code><\/pre>\n<\/div>\n<div class=\"note\"><strong>Why the wait loop and <code>ip route replace<\/code>?<\/strong> <code>tailscale0<\/code> doesn&#8217;t exist until tailscaled has started, which on these GL.iNet builds is <em>after<\/em> <code>rc.local<\/code> runs. The loop polls until the interface appears (up to 30 seconds), then installs the route. <code>ip route replace<\/code> is idempotent \u2014 it works whether the route already exists from a prior boot or not \u2014 so this never fails silently the way <code>ip route add ... 2&gt;\/dev\/null || true<\/code> would.<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/rc.local<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>9c. 
Configure \/etc\/firewall.user (Remote Site)<\/h3>\n<p>Remote sites use <code>br-lan<\/code> (LAN interface) because the ATA is on the LAN side.<\/p>\n<p>Copy the code below to a text editor, replace <code>192.168.X.0\/24<\/code> with your actual subnet, then paste into the terminal:<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> The closing <code>ENDFILE<\/code> must have <strong>no leading spaces<\/strong>.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt;&gt; \/etc\/firewall.user &lt;&lt; 'ENDFILE'\n\n# allow LAN &lt;-&gt; Tailscale\niptables -I FORWARD -i tailscale0 -o br-lan -j ACCEPT\niptables -I FORWARD -i br-lan -o tailscale0 -j ACCEPT\n\n# MASQUERADE traffic from LAN to Tailscale - CHANGE SUBNET BELOW\niptables -t nat -I POSTROUTING -o tailscale0 -s 192.168.X.0\/24 -j MASQUERADE\n\n# Restart Tailscale to restore its rules\n\/etc\/init.d\/tailscale restart\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/firewall.user<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>9d. 
Apply Settings<\/h3>\n<div class=\"code-box\">\n<pre><code>tailscale up --advertise-routes=192.168.X.0\/24 --accept-routes --reset\n\/etc\/init.d\/firewall restart<\/code><\/pre>\n<\/div>\n<p><a name=\"step10\"><\/a><\/p>\n<h2>Step 10: Verify Tailscale Routing<\/h2>\n<p>On the remote Brume, test connectivity to the PBX:<\/p>\n<div class=\"code-box\">\n<pre><code># Should show route is advertised\ntailscale debug prefs | grep -A3 AdvertiseRoutes\n\n# Should return \"pong from &lt;main-brume-name&gt;\"\ntailscale ping 192.168.1.100\n\n# Should succeed with ~20-50ms latency\nping -c 3 192.168.1.100<\/code><\/pre>\n<\/div>\n<h3>If <code>tailscale ping<\/code> says &#8220;no matching peer&#8221;:<\/h3>\n<ol>\n<li>Check that the main site subnet (e.g., 192.168.1.0\/24) route is approved for the <strong>main Brume<\/strong> in Tailscale admin<\/li>\n<li>Run <code>tailscale up --accept-routes --reset<\/code> again on the remote Brume<\/li>\n<li>Wait 30 seconds and retry<\/li>\n<\/ol>\n<h3>If <code>tailscale ping<\/code> works but plain <code>ping<\/code> to the PBX fails:<\/h3>\n<p>This is the <strong>WAN\/PBX subnet collision<\/strong> described in Step 8 \u2014 the remote site&#8217;s upstream router is also using <code>192.168.1.0\/24<\/code>, so the Brume&#8217;s kernel routes PBX traffic out the WAN interface instead of through Tailscale. Verify the <code>\/32<\/code> route from <code>\/etc\/rc.local<\/code> actually fired:<\/p>\n<div class=\"code-box\">\n<pre><code>ip route get 192.168.1.100\n# Good:  192.168.1.100 dev tailscale0 ...\n# Bad:   192.168.1.100 via 192.168.1.1 dev eth0 ...<\/code><\/pre>\n<\/div>\n<p>If you see <code>dev eth0<\/code>, run the route command by hand to fix it immediately:<\/p>\n<div class=\"code-box\">\n<pre><code>ip route replace 192.168.1.100\/32 dev tailscale0\nping -c 3 192.168.1.100<\/code><\/pre>\n<\/div>\n<p>If that works, the rc.local pattern from Step 9b will reapply it on every boot. 
If <code>tailscale0<\/code> was missing entirely, check <code>tailscale status<\/code> \u2014 Tailscale itself may not have come up.<br \/>\n<a name=\"step11\"><\/a><\/p>\n<h2>Step 11: Reconfigure Remote ATA for Deployment<\/h2>\n<p>Connect the ATA you tested in Step 7 to the remote Brume&#8217;s LAN port.<\/p>\n<h3>Network Settings<\/h3>\n<p>No changes needed &#8211; leave the ATA on <strong>DHCP<\/strong>. The Brume will assign it an IP address in the correct subnet automatically.<\/p>\n<p>To find the ATA&#8217;s IP address, log into the Brume 2 web admin and check the <strong>Clients<\/strong> list.<\/p>\n<h3>SIP\/Line Settings<\/h3>\n<p>No changes needed &#8211; the SIP settings from Step 7 remain the same. The ATA will reach the PBX at 192.168.1.100 through the Tailscale tunnel.<\/p>\n<p><a name=\"step12\"><\/a><\/p>\n<h2>Step 12: Verify Remote SIP Registration<\/h2>\n<h3>Check the ATA<\/h3>\n<ol>\n<li>Access the ATA&#8217;s web admin (e.g., http:\/\/192.168.10.100). If you are unsure of the ATA&#8217;s IP you can see it under Clients in the Brume 2\/Beryl AX web admin.<\/li>\n<li>Look for registration status &#8211; usually on the main status page or under Line\/SIP settings<\/li>\n<li>Should show <strong>&#8220;Registered&#8221;<\/strong> or <strong>&#8220;Online&#8221;<\/strong><\/li>\n<li>If it shows &#8220;Registering&#8230;&#8221;, &#8220;Failed&#8221;, or &#8220;Offline&#8221;, there&#8217;s a connectivity issue &#8211; check the Brume&#8217;s Tailscale connection first (<a href=\"#step10\">Step 10<\/a>)<\/li>\n<\/ol>\n<h3>Verify on the PBX<\/h3>\n<p>SSH into the PBX and check registration:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\" | grep 101\n# or for chan_sip:\nasterisk -rx \"sip show peers\" | grep 101<\/code><\/pre>\n<\/div>\n<p>Replace 101 with your extension number. 
Should show status &#8220;OK&#8221; or &#8220;Avail&#8221;.<\/p>\n<p>If not registered, wait 1-2 minutes or reboot the ATA.<\/p>\n<p><a name=\"step13\"><\/a><\/p>\n<h2>Step 13: Deploy to Remote Site<\/h2>\n<p>Once pre-configured and tested locally, deployment is simple:<\/p>\n<ol>\n<li>Ship or carry the Brume 2, ATA, phone, and all the cables to the remote location<\/li>\n<li>Connect Brume <strong>WAN port<\/strong> to the remote site&#8217;s router (gets internet via DHCP)<\/li>\n<li>Connect Brume <strong>LAN port<\/strong> to ATA (or a switch with ATA connected)<\/li>\n<li>Connect an analog phone to the ATA<\/li>\n<li>Power on &#8211; the Brume will automatically connect to Tailscale<\/li>\n<li>Test by calling between the remote phone and main site phone<\/li>\n<\/ol>\n<h3>Reserve the Brume&#8217;s IP at the remote site (if you can)<\/h3>\n<p>If you have access to the remote site&#8217;s home router admin, create a DHCP reservation for the Brume&#8217;s WAN IP, the same way you did at the main site in <a href=\"#step3\">Step 3<\/a>. This isn&#8217;t required for Tailscale to work \u2014 the Tailscale IP is stable regardless \u2014 but it preserves local-network access to the Brume if Tailscale ever fails. Without it, after a power outage the Brume may come back on a different WAN IP and the only way to find it locally is asking the homeowner to look at their router&#8217;s client list.<\/p>\n<p>If you don&#8217;t have admin access to the remote site&#8217;s router, skip this step. 
All your remote administration will go over Tailscale anyway.<\/p>\n<h3>Remote Administration<\/h3>\n<p>If anything goes wrong, you can access the Brume remotely via its Tailscale IP:<\/p>\n<ol>\n<li>Visit the <a href=\"https:\/\/login.tailscale.com\/admin\/machines\">Tailscale admin console<\/a><\/li>\n<li>Find the Brume 2 you need to access<\/li>\n<li>Click the dropdown arrow next to the Tailscale IP address and click the copy icon<\/li>\n<li>Make sure the Tailscale client app is running and logged in on your computer<\/li>\n<li>Paste that IP address into a new browser tab &#8211; you&#8217;re now logged into the Brume 2 web admin remotely<\/li>\n<li>To access the ATA, go to the <strong>Clients<\/strong> tab in the Brume 2 admin to find the ATA&#8217;s IP address<\/li>\n<li>Copy that IP and paste it into a new browser tab to access the ATA&#8217;s web admin<\/li>\n<\/ol>\n<h2>Final Steps<\/h2>\n<p><a name=\"step14\"><\/a><\/p>\n<h2>Step 14: Reboot Test<\/h2>\n<p>Verify everything survives a power cycle:<\/p>\n<ol>\n<li><strong>Power off<\/strong> the Brume (unplug power)<\/li>\n<li>Wait 30 seconds<\/li>\n<li><strong>Power on<\/strong><\/li>\n<li>Wait 3-5 minutes for full boot and Tailscale connection<\/li>\n<li>Check ATA registration on PBX:\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\" | grep &lt;extension&gt;<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n<p>If registration fails after reboot, check:<\/p>\n<ul>\n<li><code>\/etc\/rc.local<\/code> has the tailscale up command<\/li>\n<li><code>\/etc\/firewall.user<\/code> has the MASQUERADE rule<\/li>\n<li>Subnet route is still approved in Tailscale admin<\/li>\n<\/ul>\n<p><a name=\"step15\"><\/a><\/p>\n<h2>Step 15: Make a Test Call<\/h2>\n<p>The ultimate test &#8211; pick up the phone and make a call!<\/p>\n<ol>\n<li>Pick up the analog phone connected to the ATA<\/li>\n<li>Listen for dial tone. 
<strong>On Linksys and Cisco SPA-style ATAs<\/strong>, dial tone confirms the ATA is registered \u2014 no dial tone means registration failed and you need more route troubleshooting. <strong>On Grandstream ATAs<\/strong>, you&#8217;ll hear dial tone whether the ATA is registered or not, so verify registration via the ATA&#8217;s web admin Status page or <code>pjsip show endpoints<\/code> on the PBX before assuming things are working. Try dialing an extension \u2014 fast busy or silence at that point indicates registration actually failed.<\/li>\n<li>Dial another extension on the system<\/li>\n<li>Verify two-way audio works (you can hear them, they can hear you)<\/li>\n<\/ol>\n<p>If you don&#8217;t hear dial tone:<\/p>\n<ul>\n<li>Check ATA registration (<a href=\"#step6\">Step 6<\/a> for main site, <a href=\"#step12\">Step 12<\/a> for remote)<\/li>\n<li>Verify the phone is plugged into the correct ATA port (usually &#8220;Phone 1&#8221;)<\/li>\n<li>Check the ATA&#8217;s line settings match the FreePBX extension<\/li>\n<\/ul>\n<p>If you hear dial tone but get a fast busy signal when calling the remote extension:<\/p>\n<ul>\n<li>The remote extension is likely not registered with the PBX<\/li>\n<li>Check the remote ATA&#8217;s registration status in its web admin<\/li>\n<li>Verify Tailscale routing (<a href=\"#step10\">Step 10<\/a>) and firewall configuration (<a href=\"#step9\">Step 9<\/a>)<\/li>\n<\/ul>\n<p>If you hear dial tone but calls don&#8217;t connect:<\/p>\n<ul>\n<li>Verify the dial plan on the ATA allows the numbers you&#8217;re dialing<\/li>\n<\/ul>\n<p><a name=\"step16\"><\/a><\/p>\n<h2>Step 16: Export Backups<\/h2>\n<p>Save a backup of each Brume configuration:<\/p>\n<ol>\n<li>Access Advanced Settings by logging in to the Brume 2&#8217;s administration panel through your browser (use the Tailscale IP address for that location) and navigate to More Settings -&gt; Advanced.<\/li>\n<li>Click log into LuCi. 
You will be prompted to log in to the LuCi interface using your root username and password.<\/li>\n<li>Hover over the System menu in the top nav of the LuCi interface and click Backup\/Flash Firmware.<\/li>\n<li>Click Generate archive. This will download a .tar.gz file. This is a snapshot of all settings on this Brume 2. Make sure to prepend the file name with the name of the location or friend\/family member that this Brume 2 lives at, for example: <code>main-backup-GL-MT2500-2025-12-15.tar.gz<\/code>, <code>uncle-bob-backup-GL-MT2500-2025-12-15.tar.gz<\/code><\/li>\n<li>Restore settings (if and when needed): on the same page in LuCi, click Upload archive under the restore settings if you had to reset the Brume 2 for some reason or misconfigured it in some way.<\/li>\n<\/ol>\n<p><a name=\"optional-wireless\"><\/a><\/p>\n<h2>Optional: Wireless Setup with Beryl AX (Remote Sites)<\/h2>\n<p>For remote sites where you don&#8217;t want to place the phone right next to the router or need to avoid running cables, you can use a wireless subnet router instead: the <a href=\"https:\/\/www.gl-inet.com\/products\/gl-mt3000\/\">GL.iNet Beryl AX (GL-MT3000)<\/a>.<\/p>\n<p>The Beryl AX connects wirelessly to the remote site&#8217;s existing WiFi router, then provides a wired ethernet port for the ATA. 
This lets you place the phone anywhere with a power outlet and WiFi coverage.<\/p>\n<h3>Setting Up Beryl AX in Repeater Mode<\/h3>\n<ol>\n<li>Power on the Beryl AX and connect your computer to it via ethernet or its default WiFi network (check the label on the device for the default SSID and password)<\/li>\n<li>Access the web UI at http:\/\/192.168.8.1<\/li>\n<li>Complete initial setup (set admin password, timezone, etc.)<\/li>\n<li>Go to <strong>Network \u2192 LAN<\/strong> and change the LAN IP to a unique subnet (e.g., 192.168.10.1) just like with the Brume 2 &#8211; this avoids conflicts<\/li>\n<li>Click <strong>Apply<\/strong> and reconnect to the new IP (e.g., http:\/\/192.168.10.1)<\/li>\n<li>Go to <strong>Internet \u2192 Repeater<\/strong><\/li>\n<li>If you have a spare router, give it the same network name and password as the router the Beryl AX will connect to at your friend&#8217;s or family member&#8217;s home, then set up the Beryl AX to log into it, so that once it is on site it will connect directly. Confirm, if you can, whether your friend&#8217;s or family member&#8217;s existing router is 5 GHz or 2.5 GHz.<\/li>\n<li>Click <strong>Scan<\/strong> to find available WiFi networks<\/li>\n<li>Select the remote site&#8217;s WiFi network and enter the password<\/li>\n<li>Click <strong>Join<\/strong> &#8211; the Beryl will connect wirelessly to the wireless network once it is on site. 
For setup, just use Ethernet.<\/li>\n<li>Reconnect and verify the connection shows as active in the Repeater section<\/li>\n<\/ol>\n<h3>Configure Tailscale and Firewall<\/h3>\n<p>Once connected to WiFi or Ethernet, configure Tailscale on the Beryl AX the same way as the Brume 2 in <a href=\"#step8\">Step 8<\/a>, then configure the firewall as in <a href=\"#step9\">Step 9<\/a> (Remote Site version):<\/p>\n<ol start=\"12\">\n<li>Go to <strong>Applications \u2192 Tailscale<\/strong> and enable it<\/li>\n<li>Authenticate with your Tailscale account<\/li>\n<li>Enable <strong>&#8220;Allow Remote Access LAN&#8221;<\/strong> and <strong>&#8220;Allow Remote Access WAN&#8221;<\/strong><\/li>\n<li>SSH to the Beryl: <code>ssh root@192.168.X.1<\/code><\/li>\n<li>Configure the UCI firewall zone (Step 8a)<\/li>\n<li>Configure <code>\/etc\/rc.local<\/code> (Step 8b &#8211; Remote Site version)<\/li>\n<li>Configure <code>\/etc\/firewall.user<\/code> (Step 8c &#8211; Remote Site version)<\/li>\n<li>Run: <code>tailscale up --advertise-routes=192.168.X.0\/24 --accept-routes --reset<\/code><\/li>\n<li>Restart firewall: <code>\/etc\/init.d\/firewall restart<\/code><\/li>\n<li>Approve the subnet route in Tailscale admin and rename the device<\/li>\n<li>Export a backup<\/li>\n<\/ol>\n<h3>Deployment<\/h3>\n<ol>\n<li>Ship or bring the pre-configured Beryl AX, ATA and phone to the remote location<\/li>\n<li>Power it on anywhere with WiFi coverage &#8211; it will automatically connect to the WiFi network you configured<\/li>\n<li>Connect the ATA to the Beryl&#8217;s LAN port via ethernet<\/li>\n<li>Connect an analog phone to the ATA<\/li>\n<li>The Beryl connects to WiFi \u2192 Tailscale \u2192 PBX automatically<\/li>\n<\/ol>\n<div class=\"note\"><strong>Note:<\/strong> The Beryl AX remembers the WiFi network credentials. 
If the remote site&#8217;s WiFi password changes, you&#8217;ll need to SSH in via Tailscale and update the Repeater settings, or have someone on-site temporarily connect to the Beryl&#8217;s LAN to access the web UI.<\/div>\n<p><a name=\"quick-reference\"><\/a><\/p>\n<h2>Quick Reference<\/h2>\n<h3>Key Files on Brume<\/h3>\n<table>\n<tbody>\n<tr>\n<th>File<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<tr>\n<td><code>\/etc\/rc.local<\/code><\/td>\n<td>Tailscale up command at boot<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/firewall.user<\/code><\/td>\n<td>MASQUERADE and FORWARD rules<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/config\/firewall<\/code><\/td>\n<td>UCI firewall zones (persistent)<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/config\/tailscale<\/code><\/td>\n<td>GL.iNet Tailscale settings<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/tailscale\/tailscaled.state<\/code><\/td>\n<td>Tailscale auth state<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Essential Commands (Brume 2\/Beryl AX)<\/h3>\n<p>Check Tailscale status:<\/p>\n<div class=\"code-box\">\n<pre><code>tailscale status<\/code><\/pre>\n<\/div>\n<p>Check advertised routes:<\/p>\n<div class=\"code-box\">\n<pre><code>tailscale debug prefs | grep -A3 AdvertiseRoutes<\/code><\/pre>\n<\/div>\n<p>Test Tailscale routing to an IP:<\/p>\n<div class=\"code-box\">\n<pre><code>tailscale ping &lt;ip-address&gt;<\/code><\/pre>\n<\/div>\n<p>Check firewall rules:<\/p>\n<div class=\"code-box\">\n<pre><code>iptables -L FORWARD -n -v | head -10\niptables -t nat -L POSTROUTING -n -v | grep MASQ<\/code><\/pre>\n<\/div>\n<p>Restart Tailscale:<\/p>\n<div class=\"code-box\">\n<pre><code>\/etc\/init.d\/tailscale restart<\/code><\/pre>\n<\/div>\n<p>Restart firewall (also runs firewall.user):<\/p>\n<div class=\"code-box\">\n<pre><code>\/etc\/init.d\/firewall restart<\/code><\/pre>\n<\/div>\n<h3>Essential Commands (RasPBX)<\/h3>\n<p>Check registered extensions:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show 
endpoints\"<\/code><\/pre>\n<\/div>\n<p>Or for chan_sip:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"sip show peers\"<\/code><\/pre>\n<\/div>\n<p>Monitor SIP activity in real-time (Control+C to exit):<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip set logger on\"<\/code><\/pre>\n<\/div>\n<p>Live console with verbosity &#8211; more v&#8217;s = more detail (type &#8220;quit&#8221; to exit):<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rvvvv<\/code><\/pre>\n<\/div>\n<p>Check active calls:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"core show calls\"<\/code><\/pre>\n<\/div>\n<p>View recent call history:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"core show channels verbose\"<\/code><\/pre>\n<\/div>\n<p>Restart Asterisk (if needed):<\/p>\n<div class=\"code-box\">\n<pre><code>systemctl restart asterisk<\/code><\/pre>\n<\/div>\n<h3>Firewall Configuration Differences<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Main Site<\/th>\n<th>Remote Site<\/th>\n<\/tr>\n<tr>\n<td>Interface<\/td>\n<td><code>eth0<\/code> (WAN)<\/td>\n<td><code>br-lan<\/code> (LAN)<\/td>\n<\/tr>\n<tr>\n<td>Reason<\/td>\n<td>PBX is on WAN side<\/td>\n<td>ATA is on LAN side<\/td>\n<\/tr>\n<tr>\n<td>rc.local route<\/td>\n<td>Not needed<\/td>\n<td>Adds route to PBX<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Example Network Layout<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Device<\/th>\n<th>Tailscale IP<\/th>\n<th>LAN Subnet<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<tr>\n<td>Main Brume<\/td>\n<td>100.x.x.1<\/td>\n<td>192.168.1.0\/24<\/td>\n<td>PBX site gateway<\/td>\n<\/tr>\n<tr>\n<td>Remote Brume 1<\/td>\n<td>100.x.x.2<\/td>\n<td>192.168.10.0\/24<\/td>\n<td>Remote house 1<\/td>\n<\/tr>\n<tr>\n<td>Remote Brume 2<\/td>\n<td>100.x.x.3<\/td>\n<td>192.168.11.0\/24<\/td>\n<td>Remote house 2<\/td>\n<\/tr>\n<tr>\n<td>Remote Brume 3<\/td>\n<td>100.x.x.4<\/td>\n<td>192.168.12.0\/24<\/td>\n<td>Remote house 
3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>What if you could pick up an old-school telephone in your house, call a friend&#8217;s house across town, the country or world, and have that call travel over your existing internet connection, fully encrypted, with no monthly bill from a phone company? That&#8217;s the basic idea behind this project. Phreephoneing is a free, private phone &hellip; <a href=\"https:\/\/nsputnik.com\/blog\/2025\/12\/13\/phreephoning-a-free-private-encrypted-phone-system-with-raspberry-pi-and-analog-phones\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Phreephoning: A Free, Private, Encrypted Phone System with Raspberry Pi and Analog Phones&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":52,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":173,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions\/173"}],"wp:attachment":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/media?parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/categor
ies?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}