We have “Allow Anonymous Inbound SIP Calls = No” set on our system and it works ok with providers that send calls from one IP address. However we have one supplier who uses more than 25 IPs and backup ranges. How would we set this up? We can’t possibly create a trunk for every IP? Can we?
According to a previous post I found
Host = xxx.xxx.xxx.xxx can only contain one IP address
Thanks for the suggestion but that won’t work for me. I have multiple users connecting from ATAs with dynamic IPs. What about allowing multiple host IPs in Asterisk?
You will have to do that in your firewall, try empirically
whois IP_ADDRESS
and allow each (network)/16 for good measure (or whatever the base network shows up) for each of your external users, ISPs will only award IPs within their network and /16 is usually generous enough without allowing Chinese “students” or Eastern European or Palestinian hosts.
I can’t do it in the firewall. If I could I would as I agree it’s the best way to protect the system.
My users could connect the ATA anywhere or use softphones and the call should still go through. The firewall would block all these calls and setting “Allow Anonymous Inbound SIP Calls = No” still seems like the best bet for this scenario.
Because when my user connects from his laptop in a hotel room I cannot possibly know the IP address beforehand so calls will fail. Same thing for users with ATA who could install the adapter anywhere or move it without telling us that they change IP location. The firewall is a great option for an office PBX with offsite locations where you have total control but not in our case.
No. They won’t. I have to take into account the softphone users who will make calls from their laptop in Germany, Japan, the U.K. etc…
I can’t possibly know and/or allow all those IPs in the firewall. In my case “Allow anonymous SIP requests=No” is the way to go and I only have one single provider with 25 IPs. So it’s 25 trunks or some way to enter all 25 into one single trunk e.g. Host=222.98.45.0 0.0.0.255
returns .
.
.
.
[ Network Information ]
IPv4 Address : 222.96.0.0 - 222.122.255.255 (/12+/13+/15+/16)
Service Name : KORNET
Organization Name : Korea Telecom
Organization ID : ORG1600
Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
Registration Date : 20031110
.
.
.
Maybe allow 222.96.0.0/12 (their network) in your firewall, either have them change 5060 to something else or yourself have your clients use something other than 5060?
You should still be authenticating your customers before Asterisk, I mean you are a service provider. At best in this scenario FreePBX is a feature server. If you have a SIP proxy in front of Asterisk you can load balance and do all sorts of cool stuff. Anyway, let the hackers bang on the proxy while your users sit all comfy behind the proxy.
Now in regards to an Asterisk based solution simply set up your provider trunk with an IP of dynamic, you are only terminating calls. Just find the right combination of sip username, password, fromdomain etc.
I am interested in if the second part works as I have never tried to use dynamic in quite that way. If you think about it a peer is a peer so it should work fine.
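Added example, not part of any post in this thread: a Python sketch that turns the whois range quoted above into exact CIDR blocks for a firewall or ACL allowlist, collapses a list of individual provider IPs into the fewest blocks, and measures how many addresses each choice exposes. The function names and the sample provider list (documentation addresses) are assumptions made up for illustration; only the 222.96.0.0 - 222.122.255.255 range and 222.98.45.0 come from the thread.

```python
import ipaddress

# Range copied from the whois output quoted in the thread.
WHOIS_FIRST = "222.96.0.0"
WHOIS_LAST = "222.122.255.255"

# Constructed sample of provider signalling IPs (documentation ranges, not real).
SAMPLE_PROVIDER_HOSTS = [
    "198.51.100.8", "198.51.100.9", "198.51.100.10", "198.51.100.11",
    "198.51.100.12/30", "203.0.113.5",
]


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def collapse_hosts(hosts):
    """Merge single IPs and prefixes into the fewest equivalent CIDR blocks."""
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(source_ip, cidrs):
    """True if source_ip falls inside any allowlisted block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in cidrs)


def exposure(cidrs):
    """Number of addresses the allowlist opens the SIP port to."""
    return sum(net.num_addresses for net in cidrs)


if __name__ == "__main__":
    allocation = range_to_cidrs(WHOIS_FIRST, WHOIS_LAST)
    print("whois range as CIDR:", [str(n) for n in allocation])
    print("addresses exposed by whole allocation:", exposure(allocation))
    # A single /12 covers only 222.96.x.x - 222.111.x.x of that allocation.
    only_12 = collapse_hosts(["222.96.0.0/12"])
    print("222.115.0.1 in /12 only:", is_allowed("222.115.0.1", only_12))
    provider = collapse_hosts(SAMPLE_PROVIDER_HOSTS)
    print("provider list collapsed:", [str(n) for n in provider])
    print("addresses exposed by provider list:", exposure(provider))
```
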