Allow Anonymous Inbound SIP Calls = No

We have “Allow Anonymous Inbound SIP Calls = No” set on our system and it works ok with providers that send calls from one IP address. However we have one supplier who uses more than 25 IPs and backup ranges. How would we set this up? We can’t possibly create a trunk for every IP? Can we?

According to a previous post I found
Host = can only contain one IP address

Any comments?

No, turn anonymous SIP on and then use a firewall to only let those IP’s in.

APF is free and works brilliantly.

Thanks for the suggestion but that won’t work for me. I have multiple users connecting from ATAs with dynamic IPs. What about allowing multiple host IPs in Asterisk?

You will have to do that in your firewall, try empirically


and allow each (network)/16 for good measure (or whatever the base network shows up) for each of your external users, ISP’s will only award IP’s within their network and /16 is usually generous enough without allowing Chinese “students” or Eastern European or Palestinian hosts.

I can’t do it in the firewall. If I could I would as I agree it’s the best way to protect the system.

My users could connect the ATA anywhere or use softphones and the call should still go through. The firewall would block all these calls and setting “Allow Anonymous Inbound SIP Calls = No” still seems like the best bet for this scenario.

Why can’t you do it?

you certainly can in iptables which is your firewall behind your firewall.

Because when my user connects from his laptop in a hotel room I can not possibly know the IP address beforehand so calls will fail. Same thing for users with ATA who could install the adapter anywhere or move it without telling us that they change IP location. The firewall is a great option for an office PBX with offsite locations where you have total control but not in our case.

You miss the point, your vsp might use many IP’s but they will likely all be in the same network.

No. They won’t. I have to take into account the softphone users who will make calls from their laptop in germany, Japan, the U.K. etc…

I can’t possibly know and/or allow all those IPs in the firewall. In my case “Allow anonymous SIP requests=No” is the way to go and I only have one single provider with 25 IPs. So it’s 25 trunks or some way to enter all 25 into one single trunk e.g. Host=


returns .
[ Network Information ]
IPv4 Address : - (/12+/13+/15+/16)
Service Name : KORNET
Organization Name : Korea Telecom
Organization ID : ORG1600
Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
Registration Date : 20031110

Maybe allow (their network) in your firewall, either have them change 5060 to something else or yourself have your clients use something other than 5060?

The IP is just an example! I don’t post actual IPs in a public forum.

Anyways I do not want to go the firewall way. Thanks for your comments though.

Any other suggestions please?

My post was also an example!

If you don’t want to use a firewall, then buy a rabbit’s foot, you might need it :slight_smile:

You should still be authenticating your customers before Asterisk, I mean you are a service provider. At best in this scenario FreePBX is a feature server. If you have a SIP proxy in front of Asterisk you can load balance and do all sorts of cool stuff. Anyway, let the hackers bang on the proxy while your users sit all comfy behind the proxy.

Now in regards to an Asterisk based solution simply setup your provider trunk with an IP of dynamic, you are only terminating calls. Just find the right combination of sip username, password, fromdomain etc.


Did my dynamic help or do I need a rabbit’s foot?

Yes. Your comments helped.
You make me think so even if I don’t implement your suggestion
getting the feedback opens up new doors in my mind.

Cool, that’s all I can do.

I am interested in if the second part works as I have never tried to use dynamic in quite that way. If you think about it a peer is a peer so it should work fine.