That’s a keen observation on extensions and NAT, Tom.
Let me share a brief background. We are making a wireless UC product that uses Asterisk/FreePBX for telephony. In order to popularize IP based telephony amongst small businesses, we have tried to simplify the telecom tech and made it plug-and-play for most common uses. Idea is to not require users to do complex configuration, irrespective of local or remote users. Hence, treating all users behind NAT by default, unless the network warrants a change due to layout or other use-case requirements. This config is working in over 25 locations but in this one location, I am noticing the morphed IP for remote users.
Like I mentioned, the system and calls are originating/terminating perfectly - just that this is causing brute-force protection to go kaput. I have manually compared all asterisk config files under /etc/asterisk between this system and other system where the IPs are recorded accurately as expected - and see no differences other than the environmental differences.
One key difference that is unique to this location is that it uses a private SIP trunk - hence, has two WAN eth ports active - with two isolated networks - one for internet and one for SIP trunk.
On turning on logs, I noticed that local address is reflecting as remote address too, just with a different port number.
I am enclosing the Asterisk sip settings screen below for your reference - but essentially, nat is set to route (so using rport and comedia) and there are four networks marked as local. Let me know if any other settings/log would be useful. Thanks.
Asterisk SIP Settings