FreePBX | Register | Issues | Wiki | Portal | Support

HOW TO - Flowroute Trunk with Proper Use of IP Auth and new PoPs


(Matthew Jensen) #1

This is how I’ve done it. I’m not sure it is completely proper in all of its intricacies. It is a work in progress. Please correct me if I’m doing something incorrectly. But this setup does seem to work. I have actually reached out to Flowroute and asked them to go over the guide to see if there was anything I should add, and their comments are at the bottom. I’ve also modified the guide slightly because of their response.

Note: This tutorial assumes you have a static IP for your server. If this is not the case, then don’t setup IP Authentication for your Trunk.

1. Set your preferred PoP within Flowroute.
A. Go to Flowroute.com and Log In.
B. Go to Interconnection -> Registration. Set your preffered PoP.

2. Create a PJSIP trunk in FreePBX:
A. Set general settings


(Obviously, replace the “Outbound CallerID” with your DID Number.)

B. Get your “Tech Prefix” from the Flowroute Dashboard:

C. And put the Tech Prefix followed by an * in the “Outbound Dial Prefix” setting:

D. Optionally set Authentication and Registration to none. And the “Sip Server” to whatever your preferred PoP is set to:

E. Change DTMF Mode to RFC 4733, set the From Domain to your Preferred PoP, set “support path” to “Yes”, and add the following to the Match (Permit) Line: 147.75.60.160/28,34.210.91.112/28,147.75.65.192/28,34.226.36.32/28

F. Save all of this so far.

3. Sip Settings
A. Then go to Asterisk Sip Settings -> PJSIP. And make note of the port you are listening on. This will be used when you route calls from Flowroute to your PBX:
Sip%20Settings%20-%20PJSIP

B. Go back to the general tab under Asterisk Sip Settings, make sure “Allow Anonymous Inbound IP Calls” and “Allow Sip Guests” are set to “No”, and take note of your IP:

4. Flowroute Settings

A. Within Flowroute, go to Preferences -> Fraud Control -> Outbound SIP Credentials

B. Click “Disable Credentials”. It should now appear like:

C. Now go to Interconnection -> IP Authentication and add your server IP without a port (which you noted on the “Asterisk Sip Settings” general tab):
Outbound%20IPs%20-%20Flowroute

D. Go to Interconnection -> Inbound Routes and add a route to your server. This time, include the port which you are listening on for PJSIP (Default is 5060)

E. Now, go to DIDs -> Manage. And set the route for your DID to the one you just created:

Note:
If you’re looking through Flowroute page, you will see some firewall settings that they ask you to implement. As long as you’re using the built-in FreePBX firewall, then you don’t have to worry about these. The firewall automatically allows traffic from your trunks on only the port of the protocol they use.

Let me know if I’ve made any mistakes. It’s a little hard to make sure I got everything down here.

Edit: Formatting.

Edit 2: I reached out to Flowroute to see if they could confirm this guide, and this was their response:

Thanks for creating this doc, we are presently adding or revising the articles at Flowroute Support. Below are some suggestions and don’t necessarily represent requirements.

  1. On Trunk | PJSIP Settings | General, setting Authentication and Registration to none is optional.
  2. Under Asterisk SIP Settings | Chan PJSIP Settings, setting 0.0.0.0 (udp) > Domain the transport comes from is optional

Everything else looks solid, please let me know if you have any additional questions.

So I’ve edited the guide to reflect their responses.

Edit 3: I noticed someone else on another question had Flowroute tell them to set “support path” under the advanced PJSIP trunk settings to yes. I contacted Flowroute and they said that yes, this settings should be set to yes. So I updated this guide to include that.

Edit 4: I’ve removed setting of the “Domain the Transport comes from” within Sip Setting -> PJSIP. It was unnecessary.

Edit 5: I removed the firewall settings section, as that was unnecessary as well. The FreePBX built-in firewall handles this automatically.


FreePBX Flowroute config
Cannot make PJSIP IP aurthentication trunk work for inbound calls with Flowroute's new servers
Flowroute New POPs & Firewall
(Lucas Ryan) #2

Awesome write-up. I have been using this on a demo server for a couple of weeks with no issues. I have a PBX with ChanSIP extensions. I know it is possible to have a PJSIP trunk and ChanSIP extensions, but do you know if there are negative implications with this? (mixing ChanSIP extensions with a PJSIP Trunk)


(Matthew Jensen) #3

Not that I know of. However, PJSIP with extensions tends to work pretty well now and is considered best practice, so I would recommend using it for both. If people do recommend against using PJSIP, it’s usually about trunks, as some sip providers don’t have great support for it. One of the side effects of using both Chan-sip and PJSIP is that you then have to have 2 ports open, probably 5060 and 5160. I like to keep ChanSIP blocked and my PJSIP port set to 5160, as that alone eliminates most of the port scanners.


(Lucas Ryan) #4

I need to convert some extensions to PJSIP and see if I run into any issues. I was wondering if there was any negative side effects like increased load on the server. Would the server have to do any conversions between the 2 drivers while on a call?


(Matthew Jensen) #5

I don’t believe so. This is really just handling the sip packets, so there isn’t a lot of load there anyway. If you’re using 2 different codecs for the trunk and the phones, then yes, there will be a higher load while it transcodes. But codecs can be set the same for the different drivers (and I think they are by default).


(Lucas Ryan) #6

That’s great to know. Time to do some testing!


(John Jarrett) #7

If one does not want to use the FlowRoute IP Authentication, (dynamic Internet IP), since step D is optional, “Optionally set Authentication…” what would you set those fields to? Not certain about some of the PJSIP settings yet.

Of course one would not do anything on FlowRoute to enable the authentication, but just need proper settings at the FreePBX level.

Thank-you!


(Matthew Jensen) #8

So, since I actually don’t have any non-static IP servers, I haven’t tested this. But without IP auth, it makes things quite a bit more simple. This guide isn’t segmented very well to explain what is necessary only for IP auth, and what is necessary for everything else. I may try to fix that in the near future. In the meantime, you would want to set Authentication and Registration to “outbound” and “send,” respectively. You don’t need to prefix your number with the tech prefix in the trunk settings. You also wouldn’t want to disable sip credentials in Flowroute. And you would simply route to “Sip Registration” instead of your PBX IP within Flowroute.


(Floyd) #9

I am on a private ip address behind a dsl modem/router. Will SIP Registration work without doing anything on the router like port forwarding?


(Tom Ray) #10

This is wrong. This would be the domain used when something like an OPTIONs or a NOTIFY would use when sending a request from the PBX. The transport settings are for the PBX’s transports. They should never have some random providers domains in there. They have nothing to do with the PBX sending requests on its transports.

So unless you want to use a FQDN for the transport instead of the PBX IP, you can leave it blank.


(Tom Ray) #11

You set the “Authenticate” to Outbound and the Register to Send then put in your username and secret. That’s pretty much it.


(Matthew Jensen) #12

Ok, thanks. I’ll remove that from the guide completely.


(Tom Ray) #13

Might as well remove this too. From the Firewall wiki page

  • Do I need to configure each Trunk or Peer in the firewall?
    No! The firewall automatically interrogates the FreePBX installation, discovers all known peers or trunks, and accepts traffic from that peer on their defined protocol. This means that if you have a trunk to an IAX peer, and that peer is compromised, that peer can not send chan_sip or pjsip signalling through. It can only send IAX traffic to the server, because it is only registered for IAX.

(Matthew Jensen) #14

Okay, thanks. I see now that that would actually be more secure to allow the FreePBX fireall to handle that on its own. However, if people aren’t using the FreePBX firewall, they would still have to set those rules in their firewalls, correct?


(Tom Ray) #15

Correct but that’s in Flowroutes guide and has nothing to do with FreePBX at that point.


(Matthew Jensen) #16

You’re right. This isn’t a catch-all guide. Thanks for the tips.


(John Jarrett) #17

Thanks for the “How-To” and the changes needed when using a dynamic Public IP.Not using IP auth; just SIP registration. I KNOW I have missed something simple as I can receive incoming calls on FlowRoute’s new Oregon POPS but get the good ol’ “All Circuits Are Busy Now” message. Looking at my asterisk log it is clear that I am not authorized.

[2018-11-13 22:10:55] WARNING[24264] res_pjsip_outbound_authenticator_digest.c: Endpoint: ‘TucsonFlowrouteOregonPOPS’: Unable to create request with auth. No auth credentials for realm(s) ‘sip.flowroute.com’ in challenge.

My username, (TechPrefix), is set and password is set. I have double checked those but a real PITA is that you cannot peek at the password once entered to ensure it is correct… but having copied and pasted and manually typed it in, I am pretty certain it is correct. (I guess I could check the files directly in sip.conf or whatever…)

Not sure if there is anything else on flowroute.com I need to set, or mess with.

Thought I’d check with you guys first but will also email flowroute support.

Thanks again!


(Tom Ray) #18

SSH into the box. Look at the pjsip conf files. This is all written out in plain text in the conf files. This is only “hidden” because it’s an HTML form using a “password” field type which masks the output.


(John Jarrett) #19

I KNEW it was going to be something simple! I feel like such a blooming IDIOT!!

I had no 1+ Dial Manipulation Rule and was dialing just the ten (10) digits without the 1… Thus, your call cannot be completed as dialed.

That still doesn’t explain the no auth error that started my involvement… but it is working.

Just call me a dunce!

John


(John Jarrett) #20

Deleted