Direct IP calls coming through NATed address

This is an odd one, and is not directly related to FreePBX, I don’t think.

I have a Grandstream phone with a local internal IP Address that is receiving SIP phone calls from various external IP Addresses.

How is this possible? There is no forwarding set up for any ports or IP Addresses.

Can anyone school me on this?

Thanks,
Chuck

So, without forwarding set on your firewall, can we assume that you have only hardware trunks? If so, you should disconnect your internet connection for security, as you don’t use it :slight_smile:

I apologize for being unclear.

There is no specific port forwarding enabled, nor is there any 1 to 1 NAT enabled.
I have an ISP who provides an internet IP address. My router does NAT translation between the internet IP Address provided by my ISP and a block of internal IP addresses which are assigned using DHCP. This is a very common way to access residential internet.

I don’t see a way a person could enter one of my internal 192.168.x.x IP Addresses, from Spain in this case, and have it route directly to the device. There is a way, as it is happening, I just don’t know how it is done. Maybe something with their routing tables? This is just a blind spot in my knowledge.

Any assistance would be appreciated.

Chuck

If you use SIP at all, then for it to work, by default UDP port 5060 will have to be forwarded to your PBX. Hopefully you have disallowed anonymous and guest access, and set alwaysauthreject=yes. So unless you have another compromised machine on your internal network, only your PBX can give access to other internal endpoints.

You need a firewall rule that only allows udp/5060 in from your service provider and, if you can, have them change the port to something else; the same goes for any external extensions you may have.

There are many scripts out there that you can use to test your firewall from the outside, it often amazes the newbies how insecure their systems really are.

There are many sites out there that will help you better secure your system,

http://blogs.digium.com/2009/03/28/sip-security/ being just one that google spits out.

Thanks for the direction.

From an outside server using nmap, I received
All 1000 scanned ports on my address are filtered.

I now only allow the proxy to send calls to me, as you suggested. I am still confused how they are getting to the phone in the first place. Especially if the ports are filtered.

Chuck

Nmap will show what you expose; even filtered ports can be penetrated. Attack your server with SipVicious or one of the newer variations, and generally you will no longer be confused. The attack vectors are not getting to your phone directly, they are getting to your PBX server, and your server needs to be properly protected from our friends in Chinese Universities, Palestine and the old Soviet Bloc.

A fuller suite of protections might include a well configured firewall, either on the machine itself (perhaps csf) or other hardware at your gateway; an IDS like fail2ban, but be careful because you need to match the regexes with your version of Asterisk (many setups are just plain wrong and give a false sense of security); and a rootkit detector, because you would be surprised by how many holes are in a standard FreePBX system with a few “extras” added. Some would say that all http(s) should be denied, but some reasonable “portals” like ARI and Faxing would then be unavailable without extraordinary steps; just expend the same energy in denying access in the same way that you need to do with SIP. Also, don’t forget to change your ssh port and deny password-based logins. Always set aside some time to explore ALL your logs for suspicious activities; you never know when a new vulnerability will pop up.
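The point above about matching fail2ban regexes to your Asterisk version, as an added example that is not part of the original posts: it checks two candidate filter rules against labelled log lines and reports which lines each rule gets wrong. The log lines, the `STRICT` and `TOLERANT` rules and the simplified `HOST` pattern are constructed for illustration, and the assumption is that older chan_sip releases log the bare source address while newer ones append the port.

```python
import re

# Constructed sample lines, not taken from the thread. Assumption: older
# chan_sip releases log the bare source address, newer ones append ":port".
OLD_STYLE = ("[2012-03-01 10:15:02] NOTICE[2211] chan_sip.c: Registration from "
             "'\"100\" <sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password")
NEW_STYLE = ("[2012-03-01 10:15:09] NOTICE[2211] chan_sip.c: Registration from "
             "'\"100\" <sip:100@203.0.113.10>' failed for '198.51.100.8:5060' - Wrong password")
BENIGN = ("[2012-03-01 10:16:00] NOTICE[2211] chan_sip.c: "
          "Peer '100' is now Reachable. (23ms / 2000ms)")

# Each sample is paired with whether a correct filter should ban on it.
SAMPLES = [(OLD_STYLE, True), (NEW_STYLE, True), (BENIGN, False)]

# Simplified IPv4-only stand-in for fail2ban's <HOST> placeholder.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex written against the older format only.
STRICT = r"NOTICE.* Registration from '.*' failed for '<HOST>' - Wrong password$"
# Same rule, tolerating an optional ":port" after the address.
TOLERANT = r"NOTICE.* Registration from '.*' failed for '<HOST>(?::\d+)?' - Wrong password$"


def banned_hosts(failregex, lines):
    """Return the source addresses a failregex would extract from the lines."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(pattern.search, lines) if m]


def disagreements(failregex, samples):
    """Return (line, expected) pairs where the filter's verdict is wrong."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    return [(line, expected) for line, expected in samples
            if bool(pattern.search(line)) != expected]


if __name__ == "__main__":
    lines = [line for line, _ in SAMPLES]
    for name, rx in (("STRICT", STRICT), ("TOLERANT", TOLERANT)):
        missed = disagreements(rx, SAMPLES)
        print(f"{name}: bans {banned_hosts(rx, lines)}, wrong on {len(missed)} line(s)")
        for line, expected in missed:
            print(f"  expected match={expected}: {line}")
```

The `fail2ban-regex` tool that ships with fail2ban performs the same kind of check with your installed filter against your actual Asterisk log.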

The only reason I believed it was a direct call was that an IP address came across instead of the normal caller ID I receive from my FreePBX.

I have looked over the logs pretty closely and have been running fail2ban since the beginning. This is a fairly recent version of the FreePBX distro. The web service is now locked with additional security as you suggested.

Also, I am no longer receiving calls since I turned on “enable calls from proxy only.” on the phone.