External IP authentication behind NAT


I am using latest Asterisk/FreePBX behind a NAT router/firewall. I am unable to “ip authenticate” to my VOIP provider due to incorrect ip being sent ( Local LAN. I need the external NAT ip. Could you advise how to change from local to external in the REGISTER string…

Using Chan_PJSIP trunk. All form-fields are populated with my DDNS and external ip appears in the PBX GUI but nowhere to set the REGISTER ip.


the way IP authentication works is if you have a static IP address without username and password on the SIP trunk providers side you put in your external static IP address and it’ll always accept calls from your IP address and every time there is a call coming in it will send it to that IP address and you need to port forward SIP and RTP to to your PBX and whitelist the servers from your SIP trunk provider in freepbx firewall, the external IP address settings on freepbx is for making your system work behind NAT not for registration

Has your provider told you what exactly they use for “ip authenticating”. Generally it’s the source IP address, which would not be your LAN IP address.

IT Consultant: Yes. I have configured VOIP provider ip to my router’s public ip. It isn’t static as I am developing this system at home until finished then will upload to Google Cloud where it will have static public ip. For the moment is just getting a working system.

I have port-forwarded SIP, RTP to PBX ( Have also whitelisted the SIP Trunk Provider in firewall.

My router’s public facing ip is matched with VOIP Provider (92.5.152.x)

See below for PJSIP Skow History:
00000 1577528586 * ==> OPTIONS sip:[email protected]:52172;rinstance=8dfb4a9d73b510f6 SIP/2.0
00001 1577528586 * <== SIP/2.0 200 OK
00002 1577528609 * ==> OPTIONS sip:sip.dial9.co.uk:5060 SIP/2.0
00003 1577528609 * <== SIP/2.0 484 Address Incomplete
00004 1577528618 * <== REGISTER sip:;transport=UDP SIP/2.0
00005 1577528618 * ==> SIP/2.0 401 Unauthorized
00006 1577528619 * <== REGISTER sip:;transport=UDP SIP/2.0
00007 1577528619 * ==> SIP/2.0 200 OK
00008 1577528626 * <== INVITE sip:[email protected];transport=UDP SIP/2.0
00009 1577528626 * ==> SIP/2.0 401 Unauthorized
00010 1577528626 * <== ACK sip:[email protected];transport=UDP SIP/2.0
00011 1577528626 * <== INVITE sip:[email protected];transport=UDP SIP/2.0
00012 1577528626 * ==> SIP/2.0 100 Trying
00013 1577528626 * ==> SIP/2.0 183 Session Progress
00014 1577528630 * ==> SIP/2.0 503 Service Unavailable


Jcoip: Yes. Apparently, its the external-public ip. If from behind a firewall I understand that to be my router’s public address. (92.5.152.x)


From where? Where inside the SIP signaling (if at all)?

My provider hasn’t told me where the ip comes from. Only its the internet/public ip - which would be 92.5.x.x and not which is LAN - you can see from the PJSIP History (above).

Having read this document: https://wiki.asterisk.org/wiki/display/AST/Configuring+res_pjsip+to+work+through+NAT

Sould this be in sip.conf ( external_media_address= ip: xxx.xxx.xxx.xxx) ?


That would set that IP address in the SDP itself, but it is unlikely they are using that for matching.

So where and at which point does a NAT evironment get its public-ip to send as INVITE to VOIP provider? I notice there are no From and To in my log?


Your SIP requests most certainly have From and To, history just doesn’t show you the full packet unless you dig into a specific one. The places where it matters is the Contact header and the SDP for media. The NAT device would also alter the source IP address and port.

IP authentication doesn’t require you to send a registration string. Further more you set the External IP in FreePBX under Settings -> Asterisk SIP settings -> NAT Settings.

Hope that helps.

Yet another pjsip issue… (Sigh).

Have you considered using Chan_SIP? It works just fine.

However, I agree with Igor that if you are telling your ITPS what your IP address is via its web-page or other configuration system, then you don’t need to use the registration field at all. Registration is how you tell the remote system what your IP address is when you cannot tell it directly. It is designed for the situation where your IP address might change, though registration is often used even when your IP address doesn’t change.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.