Any ideas what would break it when going from 5 to 6?
Someone else setup the system so I donât know much about the trunks.
I guess theyâre going through Kazoo with some middleman in between.
None of the trunk info changed, it all got migrated, so why did my main in-bound number break?
OK I think I figured it out.
In the CLI I noticed this warning: "from-sip-external: "Rejecting unknown SIP connection from x.x.x.x"
I then turned on âAllow Anonymous Inbound SIP Callsâ to get the existing trunks to work again. Is this a security risk?
Is there anywhere I can specify this IP address as where the calls should be coming from & then turn this setting back off?
I have this in my trunkâs peer details: host=xxxxx.s.zswitch.net
username=xxxxxxxx
secret=xxxxxxx
type=peer&friend
nat=force-rport
srvlookup=yes&yes
context=from-trunk
insecure=very
sendrpid=yes
trustrpid=yes
From what I understand itâs coming from Bandwidth: https://www.bandwidth.com
Is that still a HUGE security risk?
How do I get it to work with âAllow Anonymous Inbound SIP Callsâ turned off?
First, you went through the effort to upgrade from an old system, but you stopped short of the current supported version. You should be running Distro firmware 10.13.66, or have a good reason why you canât.
In and of itself, this need not be a security risk. You have configured your system to direct all inbound SIP requests to a specific context, so as long as you limit access to Asterisk SIP services to trusted hosts, there is no issue. Since you are running 12, you donât have the benefit of the FreePBX Firewall, which means securing your system is harder than it could be if running 13.
I donât have a good understanding of this parameter, but I believe âveryâ is deprecated. Try setting:
Thanks very much for the reply.
Actually, I did finish the update path. Iâm now on: 10.13.66-17.
I think I forgot to mention that part as I noticed the trunk stopped working after version 6.
I now have FreePBX 13.0.190.11 running with the firewall on.
Iâll try changing the âinsecureâ parameter tonight after hours.
Thanks very much for the help.
I currently have Asterisk Version: 11.25.1 running.
What are the advantages/disadvantages of using the âasterisk-version-switchâ command?
Should I switch to version 12 or 13?
OK, I set âinsecure=port,inviteâ & I could still call into the PBX, but when I turn âallow anonymousâ off, I still got âThe number Iâve dialed is no longer in serviceâ.
Just an FYI, I signed up for a free trial of SIPStation & it had âinsecure=veryâ in the PEER details.
Another security issue I think I have is, my eth1 public IP address interface has to be set to âtrustedâ. If I change it to âExternalâ, I donât get anything at all when I call the PBX, just dead air.
Bump.
What happened? I was getting great support yesterday, then it all stopped.
Iâm getting a tune of these in my CLI:
[2017-01-24 13:42:36] WARNING[8731][C-0000079c]: Ext. s:3 @ from-trunk: Friendly Scanner from 198.24.165.26
[2017-01-24 13:43:07] WARNING[31760]: chan_sip.c:4038 retrans_pkt: Retransmission timeout reached on transmission b04367a0700a872b75c8a8d8b318f9bb for seqno 1 (Critical Response) â See Home - Asterisk Documentation
If I turn off âAllow Anonymous Inbound SIP Callsâ I get âThe number Iâve dialed is no longer in serviceâ.
If I change my eth1 public facing interface to âExternalâ, no calls are connected, nothing from the PBXâŚ
If these two things are related, it probably means your trunk is misconfigured. Inbound calls from your provider are coming from an unrecognized host. The call appears to come from 198.24.165.26, does that IP correspond to any of the host settings for your trunk?
No that IP isnât realted to our trunk.
I actully just banned it with iptables.
The trunk settings didnât change when we upgrated from the old system to the latest.
Only when we swtiched from the old iptables to the new firewall system did these issues start.
I think it unlikely that the Firewall module is somehow causing your inbound calls to arrive as anonymous (but am prepared to be proven wrong), if you disable the Firewall does it solve anything? I am out of ideas, Asterisk thinks the calls are anonymous, and as far as I know, that is always trunk configuration.
OK, I guess these are 2 different issues.
When I disabled the firewall & turned off âAllow Anonymous Inbound SIP Callsâ I still get "Number, not in service"
I guess I was just mentioning the firewall, because of all the âFriendly Scannerâ messages I was getting.
I canât help any further. At the asterisk CLI, if you run sip show peers you will see the IP addresses associated with your trunk peers. If an inbound SIP invite comes from a host other than that IP, then you will see what you are describing. My experience tells me this is trunk misconfig, but am heartily prepared to be wrong.
OK I think you might be right.
I setup a SIPStation acct/trunk.
I turned off âAllow Anonymous Inbound SIP Callsâ & I put my public facing interface as âExternalâ.
I called the PBX & everything worked fine.
Any way to compare the SIPStation vs. my existing trunk to figure out the diff.
Or is it an upstream issue?