FreePBX with VoIP Innovations, NAT and firewall *or* block WAN registrations

I’m getting a lot of attempts to register because I have 5060 forwarded in WAN>PBX. This is normal, but in the interest of tightening it down a bit I’d like to block registrations from WAN.

A) Is there a setting to only listen for registrations on a specific network or otherwise block registrations from off-net?

B) VoIP Innovations does IP based auth. I must have 5060,10000-20000 NAT’d in. Can I drop 5060 from all but VoIP Innovations and NAT all 10000-20000 in? I’m looking for someone who has done this with VoIP Innovations because, though the short answer should be yes, I haven’t had success in just allowing est/rel and 5060 from their IPs; I get one-way audio. They do a re-invite on their side, so their peer’s RTP comes from a different address, so that’s the problem. This is a production system so I don’t want to experiment.


Are you running distro 13? If so, and if you are expecting outside registrations to only come from your VoIP provider and nobody else, you can use iptables to only allow connections on port 5060 from the IPs of your VoIP provider and nothing else.

I use VoIP Innovations. These pointers will work for any version of FreePBX that has an integrated firewall.

Step 1 - set up a trunk for each of the inbound IP addresses.
Step 2 - set up a trunk for each of the outbound IP addresses. If you are feeling tricky, you can combine the couple that are used for both into the same trunk.
Step 3 - set up each of the INBOUND IP addresses as “Local/Trusted” addresses in the Integrated Firewall.
Step 4 - (if you need outside connectivity for other providers or phones) - add each of these IP addresses as local/trusted addresses in your same firewall.
Step 5 - Go to your border router and port forward from VI’s specific address for your Inbound calling to port 5060.
Step 6 - (if you need outside connectivity) add each of your other provider’s/phone’s IP address to this list.
Step 7 - do these 6 steps for your other inbound SIP port (5060/5160/5062/5162) depending on which ports are being used to send you calls. Don’t get too froggy, though. I only use Chan-SIP for VI - the “no user required” thing might work with PJ-SIP, but when I tried it, it didn’t, so I just recommend to everyone that they use Chan-SIP on port 5060 (not 5160, which is where the default is).

At this point, port 5060 is only going to be seeing traffic from VI and from the other providers that will be sending you calls. DO NOT open traffic on port 5060 to anyone that isn’t sending you calls. Everything else will happen because the outbound sets up its own environment.

Step 8 - port forward UDP ports 10000-20000 to your PBX. NOT TCP - JUST UDP.

If you have phones that connect to the server from outside the LAN, you can use the Adaptive Firewall to receive and allow/deny calls from outside the network. Note that this is only true if you don’t know what the IP addresses are going to be - if you know the IP address of everything that is establishing a connection TO your phone server, you can use the standard Integrated Firewall and skip the Adaptive Firewall altogether.

The important parts with VI are that they will send you traffic from literally any of the half dozen sources they tell you they are using. Also, double check the addresses, a couple of them are deceptively similar.

Note that I run a NetBSD server as my firewall in front of my phone systems - I allow anything from VI’s half dozen specific IP addresses on any port, and port forward a few pertinent ports through the NAT firewall to the PBX.

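As an added example that is not part of this thread, and not FreePBX’s own Integrated Firewall configuration, the following POSIX shell script generates the iptables rule set that the two replies above describe: accept SIP on UDP 5060 only from the provider’s listed addresses, drop that port for everyone else so WAN registrations never reach Asterisk, and open the RTP range 10000-20000 over UDP only. The provider addresses in it are placeholders from documentation ranges (an assumption), not VoIP Innovations’ real ones; substitute the list your provider gives you. The script prints the rules instead of applying them, so they can be reviewed before touching a production system.

```shell
#!/bin/sh
# Added example (not from the FreePBX thread): emit iptables rules that limit
# SIP on UDP 5060 to a provider allow-list and open the RTP range as UDP only.

# Placeholder provider addresses (assumed, documentation ranges). Replace with
# the addresses your provider lists, and check each one: several of the real
# ones differ by only one octet.
PROVIDER_IPS="203.0.113.10 203.0.113.11 198.51.100.20"
SIP_PORT=5060
RTP_RANGE="10000:20000"

# Validate a dotted-quad IPv4 address; returns 1 on malformed input so a typo
# does not silently turn into a rule that never matches anything.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the rule set to stdout. Order matters: per-provider ACCEPT rules come
# first, then a DROP for the SIP port, then the RTP range.
gen_sip_rules() {
  for ip in $PROVIDER_IPS; do
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    echo "iptables -A INPUT -p udp -s $ip --dport $SIP_PORT -j ACCEPT"
  done
  # Everything else aimed at the SIP port is dropped: no registrations from WAN.
  echo "iptables -A INPUT -p udp --dport $SIP_PORT -j DROP"
  echo "iptables -A INPUT -p tcp --dport $SIP_PORT -j DROP"
  # RTP media: UDP only, as the reply above stresses; TCP on this range stays closed.
  echo "iptables -A INPUT -p udp --dport $RTP_RANGE -j ACCEPT"
}

gen_sip_rules
```

Pipe the output into `sh` on the PBX (or into the border router’s rule file) only after checking it. On a FreePBX box with the Integrated Firewall enabled, add the provider addresses through its Local/Trusted list as in Step 3 rather than by hand, because the firewall module manages the iptables chains itself.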

Would you mind sharing your inbound and outbound trunk config? This took me some experimenting, so I wouldn’t mind double checking.

I’ve only got trunks for 2 VI IP addresses; where would I find the others?

There are a bunch, and you need them all.

