Intermittent call failure for inbound calling

cloudpbxfuzz · September 19, 2018, 11:11am

I can not reply to this thread anymore, but I am having the same issue described in this thread.

I have whitelisted all new POP IP ranges in the Firewall (put them into the trusted zone) as well as whitelisting them in Fail2Ban. IPs from this website (https://support.flowroute.com/SIP_Trunking_and_Voice/Networking_Guides/Set_Firewall_Policies_for_Flowroute’s_SIP_Signaling_and_RTP_Media#RTP_media_(call_audio))

Incoming calls will intermittently fail. I turned on SIP debugging, and every call is coming into the PBX, but the calls that fail, are sending a 401 rejected back to Flowroute. The signaling traffic is coming from one of the IPs in the whitelisted ranges.

Do I need to setup a trunk for each and every Flowroute IP? I would not think (hope) I would need to do that since there are about 64 IPs that the signaling traffic could come from.

Has anyone set this up properly?

cynjut · September 19, 2018, 2:17pm

It depends. From what I understand, I PJ-SIP will allow you to set a range of IPs for your signaling source. I’ve never used it for that, so that’s second-hand. If you can use PJ-SIP for that, you might be able to get that working.

With Chan-SIP, however, you have to specify an inbound trunk for every IP address you are expecting traffic from.

The “workaround:” is to allow anonymous calling, which (unless you have a very tightly managed firewall) is almost always an invitation for people to steal toll services from you and is generally considered to be outside the scope of “best practice”.

So, like I said, it depends.

Scion · September 19, 2018, 3:38pm

Hello,

I have it working. The trunk config is very simple:

pjsip settings tab:

pjsip advanced tab

The only thing I had to change in the advanced tab was the DTMF and the “From Domain” to the preferred pop server.

Whitelist all of the POP IP’s:

127.0.0.1
147.75.60.160/28
34.210.91.112/28
147.75.65.192/28
34.226.36.32/28

I use the FreePBX 14 firewall:

If you do, make sure to trust all of the POP networks in the firewall for UDP/TCP/whatever traffic.

Make sure in your Settings/Asterisk Sip settings you have your external address and applicable local network if need be:

In the chan PJSIP tab, I have the following on my wildcard transport for UDP:

Insure that you have configured an inbound route on flowroute correctly. This is key depending on what type of authentication you are using and method of routing strategy NAPTR/A record, etc.

Make sure you have routed the DID/s to the inbound route you created.

Under the Reports Tab for PJSIP you should see something like this:

As you can see, all of the Flow Route POP’s are matched.

I hope this helps.

cloudpbxfuzz · September 19, 2018, 5:04pm

That is amazing. Thank you for detailing this out! Looks like they are using 2 IPs for each POP region.

Thanks again. This was really helpful.

Scion · September 19, 2018, 5:19pm

My pleasure.

Stewart1 · September 19, 2018, 8:23pm

Assuming that your networking setup permits (public IP address is static and you have proper control over any hardware firewall), I recommend routing calls directly to your PBX. This is more robust, as it eliminates the possibility of failure from “lost registration” or DNS issues. See https://support.flowroute.com/SIP_Trunking_and_Voice/Getting_Started/Statically_route_your_phone_number_to_a_host_system_for_inbound_calls . In this configuration, manually list the four POP netblocks in the Match field for your trunk.

You might also consider IP authentication for outbound calls. See https://support.flowroute.com/SIP_Trunking_and_Voice/Getting_Started/Set_up_IP-based_Authentication_for_Outbound_Calls . This is a little more secure – you can disable credentials. It also reduces call setup time by eliminating the need to respond to authentication challenges.

system · September 19, 2019, 8:23pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.