Here's what I do:
- I don't forward ANY ports from my NAT router to my PBX.
- I set up iptables to restrict access from anyone on my network to only the ports that they need to access, i.e.:
  - UDP ports 5060 and 10000-20000 for IP addresses belonging to phones
  - TCP ports 22 and 80 for an administrator at a single IP address
  - Additional ports for specific IPs if I want to allow users to access the web interfaces or use WebRTC.
- Remote access via OpenVPN, and not PPTP.
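
The port policy listed above written out as an `iptables-restore` ruleset, as an added example that is not part of the original post. The addresses are constructed placeholders, `gen_pbx_rules` is a hypothetical helper name, and the default-drop INPUT policy, loopback rule and established-connection rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore
# ruleset that allows only the ports listed above, per source address.

PHONES="192.168.10.21 192.168.10.22"   # constructed phone addresses
ADMIN="192.168.10.5"                   # constructed administrator address

# Shape check only: refuses CIDR ranges, hostnames and empty strings so a
# typo cannot silently turn a per-host rule into a network-wide one.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_pbx_rules "<phone ips>" "<admin ip>"  -> ruleset on stdout
gen_pbx_rules() {
    phones=$1
    admin=$2

    # Validate everything first so a partial ruleset is never emitted.
    for ip in $phones $admin; do
        is_ipv4 "$ip" || { echo "not a single IPv4 address: $ip" >&2; return 1; }
    done

    echo "*filter"
    echo ":INPUT DROP [0:0]"        # assumption: anything not listed is dropped
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Phones: SIP signalling (UDP 5060) and the UDP 10000-20000 range.
    for ip in $phones; do
        echo "-A INPUT -s $ip/32 -p udp -m udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $ip/32 -p udp -m udp --dport 10000:20000 -j ACCEPT"
    done

    # Administrator: SSH and the web interface from one address only.
    echo "-A INPUT -s $admin/32 -p tcp -m multiport --dports 22,80 -j ACCEPT"
    echo "COMMIT"
}

# Print the ruleset; pipe it to "iptables-restore --test" as root to have
# it parsed without being committed.
gen_pbx_rules "$PHONES" "$ADMIN"
```

Additional per-IP ports (web interfaces, WebRTC) would be further `-A INPUT -s <ip>/32 ...` lines placed before `COMMIT`.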