3 sip trunks, 3 lan, one sip per lan

(Tom) #1

Hello everyone,
I have a very strange situation in my hands. This problem is for big brains around here!
I have 3 sip trunks from my provider, with 3 modems. Each sip trunk must pass through the correct modem, or else the provider denies the connection. I have 3 lan ports, but how do I correlate the sip trunk with each lan port?
I really don’t know where to start with this one…


You can probably set this up with multiple pjsip transports, but there are a lot of subtleties. Some details, please:

What IP address does the client have? (10.x.x.x or 192.168.x.x from the modem, 100.64-127.x.x from the ISP, public address from the ISP?)

If from the modem, is there a UI that allows you to change the LAN address of the modem?

Does the modem act as a DHCP server? If so, can you disable that? If not, are you required to use it, or can the client address be assigned statically?

Do incoming calls use registration, or are they sent to a fixed address? If the latter, how is that set?

What address do you send calls to (or registrations, if applicable)? (An address on the modem, a private address at the ISP, a public address?) Is the same address used for media?

Do one or more of these modems also provide internet service, or are they for voice only?

(Tom) #3

The carrier supports only SIP (not pjsip).
Modem acts as a dhcp server, but I have access to the modem and I can enter whatever ip/domain I want (I can change the LAN address).
Incoming calls use registration.
I just create a sip trunk for each connection and each sip trunk must connect through a specific modem(WAN).
Also, freepbx is a VM inside a proxmox server and behind an opnsense firewall (which is also a VM inside proxmox).


Do you mean that there is a bug (or feature lacking) in pjsip that prevents it from working with this service? If so, please be more specific.

Or, do you mean that the provider or another user has published chan_sip settings for the service? If so, please post a working example (mask details such as usernames, passwords and phone numbers, but make it clear what each one is).

What do you register to? (The modem’s LAN address, a public IP address, or a private IP at the ISP)?

Are you using one or more of these modems for regular internet service, or are they just for VoIP?


You can use static routes so each route use a specific ethernet port.

(Tom) #6

I think there is a feature lacking, but I am not sure. As you said, the provider in the specs necessary for the sip trunk, says that sip is needed and other users have posted chan_sip settings.
I register to a domain name provided by the sip provider (a public domain which resolves to public ip).

Working chan_sip example:

PEER Details:

USER Details

Register String:

I think it’s feasible to create the trunk in pjsip, if the necessary register string is produced.

(Tom) #7

If I understand static routes correctly, it won’t help, because I use the same domain for each sip trunk. Maybe I’m wrong?

(Tom) #8

I think that something went wrong with my previous reply, because for some reason I got my text quoted instead of yours…


That’s unfortunately true. Possibly, if the domain name resolves to three or more addresses, you could set up the trunks to register to different addresses. However, that wouldn’t be a robust solution; if any of the provider’s servers went down, the corresponding trunk wouldn’t work.

I am hoping that we can set up a different transport for each trunk, each transport binding to a different NIC. All three NICs would have routes to the server(s) (or default routes) and the system would be smart enough to send outbound packets through the NIC associated with the transport (and trunk). Inbound traffic shouldn’t be a problem; if needed we could use different listen ports for each.

But even if we got the above working, I am concerned that RTP wouldn’t be handled correctly and outbound media packets could exit the wrong NIC. (Possibly, the ITSP would accept them anyway). Do you know how many server addresses there are, and whether media uses the same address as the servers?

If this can’t be made to work, it may be possible to route the streams properly with iptables ‘mangling’ rules, opnsense rules, or (if all else fails) SIP proxy software such as kamailio, running in a separate VM.

Do you know whether a REGISTER request from the ‘wrong’ modem will be rejected? If so, it should be pretty simple to set up the minimal configuration to register one trunk, confirm that works, then add a second trunk and (if needed) debug that.


Two other thoughts:

Although it takes considerable work to set it up, you could have two auxiliary Asterisk VMs, one for each extra trunk. You’d set up a trunk from the main PBX to each auxiliary, which would simply relay the calls. The main advantage is that there is no ‘mystery’ here – it’s reasonably well understood how to make it work.

Also, is this setup really worth it? What do the three trunks cost? It may not be any more expensive to get one trunk from another provider that properly supports multiple DIDs.

(Tom) #11

I already thought about using multiple installations, but before I entertain the idea I want to exhaust all other options first. I think pjsip is out of the question unless there is a VERY good idea about creating the custom registration string


The process is very simple. You configure a working device (Asterisk using chan_sip, softphone, etc.) and look at the REGISTER packet sent out, including the Authorization header when REGISTER is resent after the authentication challenge. You then set up your pjsip trunk to do the same thing.

However, your (redacted) chan_sip configuration looks very strange. Based on the Register String given, I would expect the REGISTER to contain:
From: phonenumber@ims.xxxx.com
Authorization: Digest username="phonenumber@ims.xxxx.com", ...

But in the PEER Details, you have username=xxxx (is that an account number different from phonenumber?, something including the domain name?, something else?) and you don’t have an authuser parameter, so Asterisk would use that value in the Authorization header’s username tag.
And you have fromuser=+123456789, which I assume is an E.164 phone number. Is your ‘phonenumber’ parameter the same, or must it be different, e.g. in national format or without the + ? And, you mention ims.xxx.com, ims.xxxx.com and ims.xxxxxx.com. Are there really different domains in the config?

Please get and post a SIP trace for a successful REGISTER request. When you redact it, make it clear what each changed item is. If the same string appears multiple times, please use the same substitution.

(Tom) #14

Yes, actually the username and the from user is the same (the phone number), my mistake. Everything else though are correct. No, ims.xxx.com 3 times is the same,the provider for some reason needs it repeated in the register string.


Sure, that is common. But what’s not common is (because there is no authuser parameter in the PEER settings), a REGISTER request would have the domain name in the username tag of the Authorization header, while an INVITE request for an outgoing call would not.

The best way to solve this is to post a SIP trace for a successful REGISTER and a successful INVITE; that data will tell us how to set up the pjsip trunk.

(Tom) #16

Do I find the sip trace in the logs, or somewhere else?


At the Asterisk command prompt, type
sip set debug on
for chan_sip or
pjsip set logger on
for pjsip.
SIP traces will then appear in the Asterisk log, along with the regular entries. Reloading Asterisk usually turns SIP logging off, so you will have to wait for reregistration to capture it, rather than reloading to force registration.

(Tom) #18

REGISTER 12 headers, 0 lines
Reliably Transmitting (no NAT) to XXX.XXX.XXX:5060:
REGISTER sip:ims.XXXX.gr SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK4df8c6b9
Max-Forwards: 70
From: sip:+3123456789@ims.XXXXXX.com;tag=as40ed4ac3
To: sip:+3123456789@ims.XXXXXX.com
Call-ID: 3b690f1c7afc1c1f4ba2819c56cec8fb@
Supported: replaces, timer
User-Agent: FPBX-
Authorization: Digest username="+3123456789@ims.XXXXXX.com", realm=“ims.XXXXXX.com”, algorithm=MD5, uri=“sip:ims.XXXXXX.com”, nonce=“aaUCRBSgEEf9ljdu7EaoWg==”, response=“2a01c21c137b7817f26e31d2a5c01661”
Expires: 120
Contact: sip:+3123456789@
Content-Length: 0

(Tom) #19

Can we change somehow the Via: SIP/2.0/UDP to another local ip (per trunk)? If this could be done, I would solve the problem.