(From a bug report entered 4/17/20)
It is documented that trunks (and endpoints) which register in FreePBX are automatically whitelisted. This does not appear to be true on pjsip trunks when a CIDR is used in the Permit (Match) line of the trunk setup. Only the first registration whitelists. Subsequent invites on other IPs in the range are rejected. This specific example is Flowroute. If you want to Permit all of their new POPs, you enter the following on the Permit (Match) line in pjsip trunk setup (pjsip Trunk > pjsip Settings tab > Advanced tab):
22.214.171.124/28, 126.96.36.199/28, 188.8.131.52/28, 184.108.40.206/28, 220.127.116.11/30, 18.104.22.168/31, 22.214.171.124/30, 126.96.36.199/30, 188.8.131.52/31
However, because only the first registration whitelists, all subsequent invites are rejected, making their global failover useless. To work around this, you need to explicitly whitelist the CIDRs in the firewall, either by manually entering each of the above as Trusted under the Connectivity > Firewall > Networks tab in the GUI, or by cutting and pasting the following as root from the command line (I do them individually to make errors easier to see):
fwconsole firewall add trusted 184.108.40.206/28
fwconsole firewall add trusted 220.127.116.11/28
fwconsole firewall add trusted 18.104.22.168/28
fwconsole firewall add trusted 22.214.171.124/28
fwconsole firewall add trusted 126.96.36.199/30
fwconsole firewall add trusted 188.8.131.52/31
fwconsole firewall add trusted 184.108.40.206/30
fwconsole firewall add trusted 220.127.116.11/30
fwconsole firewall add trusted 18.104.22.168/31
This solves the problem for Flowroute trunks. Other providers who use CIDR ranges for failover will require a similar solution.
It appears a fix is needed to get the firewall to pick up the explicit CIDRs listed in Permit (Match) instead of just grabbing the first IP to register on the trunk.
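An added example, not part of the original bug report or of FreePBX: a small sh helper that turns a Permit (Match) value into one `fwconsole firewall add trusted` command per CIDR and rejects malformed entries individually, so the list can be reviewed before anything is run as root. The `MIN_PREFIX` floor, the `PERMIT` variable and the sample ranges are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not FreePBX code: print one "fwconsole firewall add trusted"
# command per CIDR in a Permit (Match) value, checking each entry on its own.
# MIN_PREFIX is an assumed safety floor so a typo such as /2 is refused
# instead of placing a huge range in the Trusted zone.
MIN_PREFIX=${MIN_PREFIX:-24}

# valid_cidr CIDR -> status 0 only for a.b.c.d/len with sane values
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -ge "$MIN_PREFIX" ] && [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    save=$IFS; IFS=.; set -- $addr; IFS=$save
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# permit_to_fw_cmds "cidr, cidr, ..." -> commands on stdout, rejected
# entries on stderr; status 1 if any entry was rejected.
permit_to_fw_cmds() {
    rc=0
    # split on commas and spaces; set -f keeps stray wildcards from globbing
    save=$IFS; IFS=', '; set -f; set -- $1; set +f; IFS=$save
    for entry in "$@"; do
        if valid_cidr "$entry"; then
            printf 'fwconsole firewall add trusted %s\n' "$entry"
        else
            printf 'skipped invalid or too-wide entry: %s\n' "$entry" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample using documentation ranges, not a provider's real POPs.
# Set PERMIT (hypothetical variable name) to the trunk's own Permit (Match) value.
SAMPLE='198.51.100.0/28, 203.0.113.4/30, 192.0.2.10/31'
permit_to_fw_cmds "${PERMIT:-$SAMPLE}"
```

The script only prints the commands; after checking the output, paste the lines into a root shell or pipe them to `sh`.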