Provider with multiple IP addresses for incoming calls

All,

I have a provider whose calls may come from any of 3 different IP addresses. I have configured my system 2 different ways:

1.) One trunk with multiple ip addresses in the host argument (host=ip1&ip2&ip3)

2.) Each IP address as a separate trunk with the outgoing settings identical to each other since all my outbound traffic is to be sent to the same IP address.

Incoming user details are:
type=peer
context=from-trunk
port=5060
dtmfmode=auto
canreinvite=no
allow=all
insecure=port,invite
host=ip of host (or ip1&ip2&ip3)

Regardless of which way I configure the trunk(s), I can't ever get the system to accept calls from all 3 IPs. I have to configure the trunk with one IP only, but when the provider switches IPs, I end up having to replace the IP in the trunk with the new one and then it works.

I've looked in the forum for a solution to this, but don't see a solution in the posts that I've found. I know that I could enable anonymous sip calls if I have to and control this via the firewall, and I may have to resort to that, but I really want to learn how to make this work without resorting to the firewall fix.

System Details:
FreePBX Distro 6.12.65-22
Service Pack: 1.0.0.0

Appreciate your help/insights on this.

Uri

You're close... Configure one trunk with a single IP for inbound and outbound - I assume the trunk registers, so the register line on the first trunk only. On trunks 2 and 3, only fill in the Incoming section and make sure you have the username and secret in it so it can identify the traffic properly.

We used to have to do this all the time with Windstream - works fine.

First thing is DON'T do the anonymous.

Your wording is a little confusing but I think I can make sense of it.
I'm assuming you have the same IPs for both INBOUND & OUTBOUND.
If that's the case, you simply create 3 trunks, each with the different IP numbers.
Your system will then register to the 3.
Inbound will simply work no matter what IP it comes in on.
For outbound, make sure you have all 3 trunks configured in your outbound route and then you should be good.

You could create a trunk for each individual IP. If you're behind a NAT firewall, you'll need to add a registration string and qualify=yes to keep the ports open, or open them manually.

There's nothing wrong with allow anonymous. In fact, it's probably safer. See this link for the explanation as to why:

http://pbxinaflash.com/community/index.php?threads/sip-uris.4895/#post-30086

As explained there by (my hero) Joe Roper:

"With Allow Anonymous Inbound SIP Calls set to no, the call comes in, is answered, Sorry not in service played, play congestion tones for 5 seconds then hangup.

When set to yes, the call is controlled by inbound routes. If the DID or CLI matches, the call is sent to the destination you select.

I would argue that is more secure to have a catchall or default route with “Hangup” selected for the destination and anon set to yes, and all your DID listed with proper destinations, than to have “anon” set to no.

The reason for this is that when someone calls you with anon set to no, a message is played. With the method described above, people can only call you if they know your number or they are a person you recognise on the basis of the caller ID.

Using SIPP, a person could bring PBX to its knees in fairly short order simply by sending 5000 calls a second to any SIP URI formed with your hostname or IP, and “Sorry Not In Service message” plays 5000 times concurrently. If you simply hangup the call, that is far less load on the system, and the DOS attack is going to have to work harder to stop your PBX working."

That's why, in the wiki, I always recommend setting up a catchall inbound route that does just that…

http://wiki.freepbx.org/display/F2/Inboud+Routes+Examples

“DeadRestricted
Without this route, Asterisk will answer any incoming calls that do not match another incoming route and play a disconnect recording. Some people view this as a security risk, especially when combined with the “Allow Anonymous Inbound SIP Calls” option, because a hacker would be able to determine that he is dealing with an Asterisk system. By adding this Inbound Route, incoming calls that don't match another route will simply be rejected.
Description: DeadRestricted
Set Destination: Terminate Call: Hangup.
Leave all other fields blank.”

Hi Greg,

Thank you for your feedback. There is no registration string with this provider, they just give me the IP addresses to point to. No username or secret either. Would this still work?

Uri

VoIPTek,

Inbound IPs are IP1, IP2, IP3. Only one outbound IP, IP4. Provider does not use registration strings or user name/secret. They just provide the IP addresses and the outbound CID to use.

I've tried as you suggested, but only one of the trunks registers. Is there a trick to it other than just specifying the different hosts?

Can you use a DNS name for the host? Also, I agree with AdHominem on the ‘catchall’ route which will hangup on the calls; I have used this many times myself as an extra layer of protection.
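
For reference, the one-trunk-per-source-IP layout discussed in this thread, written out as chan_sip peer entries for a provider that identifies itself by IP address only (no registration, username or secret). This is an added example, not part of any post above; the section names are hypothetical and the 192.0.2.x and 198.51.100.x addresses are documentation placeholders standing in for IP1 to IP3 and IP4.

```ini
; Constructed example: section names are hypothetical; addresses are
; RFC 5737 documentation placeholders for the provider's IP1..IP4.

; Inbound: one peer per provider source address, one host= value each.
; An unauthenticated INVITE is matched to a type=peer entry by its
; source IP. There is no register line because the provider does not
; use registration.
[provider-in-1]
type=peer
host=192.0.2.11            ; IP1
context=from-trunk
port=5060
dtmfmode=auto
canreinvite=no
allow=all
insecure=port,invite       ; ignore source port, no auth challenge on INVITE

[provider-in-2]
type=peer
host=192.0.2.12            ; IP2
context=from-trunk
port=5060
dtmfmode=auto
canreinvite=no
allow=all
insecure=port,invite

[provider-in-3]
type=peer
host=192.0.2.13            ; IP3
context=from-trunk
port=5060
dtmfmode=auto
canreinvite=no
allow=all
insecure=port,invite

; Outbound: the only peer the outbound route dials. It needs no
; context= or insecure= because no calls arrive from this address.
[provider-out]
type=peer
host=198.51.100.20         ; IP4
port=5060
dtmfmode=auto
canreinvite=no
allow=all
```

Because `insecure=port,invite` turns off the digest challenge, the source-address match is the only thing identifying these calls as the provider's. `sip show peers` at the Asterisk CLI lists the four entries with their addresses once the configuration is reloaded.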