Question about allow anonymous calls


(Guy) #1

My SIP supplier wants to send calls to my system using SIP URI.
They have given me a list of SIP Signalling servers, which I have whitelisted on the firewall on port 5060, however, they have stated that there are so many “media IPs” that calls could come from, that I need to open up 10,000-20,000 to the internet.

In order to have calls accepted by the system, I have had to enable allow anonymous calls.

So really my question is - is it safe to have 5060 open to a specific set of IPs, whilst having 10,000-20,000 open to the world, with allow anonymous calls enabled?

Appreciate any thoughts
G


(Jared Busch) #2

Yes. No one can initiate anything with RTP traffic.


(Guy) #3

Amazing, thanks for the quick reply!!


#4

Although this is safe, it is IMO not the best way, because you may have trouble if you add another trunking provider; you want the system to know which trunk a call comes from.

Instead, in your pjsip trunk, Match (Permit) field, put the list of IP addresses that your provider uses for SIP signaling. You should now be able to disable anonymous and inbound calls should still work. The logs should now show the correct trunk name for incoming calls.


(Guy) #5

That's really helpful, thanks! Will give that a go in the morning.


#6

Will that work for incoming SIP calls too? My extens use PJSIP but my provider uses SIP and I’m required to set allow anonymous call to yes too.


(Avayax) #7

Yes

PJSIP and ChanSIP are purely Asterisk concepts and don’t mean anything to your provider, he doesn’t use either one of them, he uses SIP according to the SIP RFC.

So if you are receiving SIP signalling from several IP addresses, then use pjsip and add all your provider’s IP addresses to the match field, as described in the post above.


#8

I agree with @avayax that pjsip is the way to go. However, if you can’t get it to work, it is still possible to use chan_sip. If your provider sends calls from only a few addresses, create a separate inbound trunk for each address. If there are many, see Step 1 of https://www.callcentric.com/support/device/asterisk/14 .

Set up one ‘template’ trunk (you can do this in the GUI), then add two lines to sip_custom.conf as shown for each IP address they use for signaling.


#9

I just remembered I don't have an inbound SIP or PJSIP Trunk for my provider to receive calls. I just enable Allow Anonymous calls, and point my DIDs to my PBX’s IP Address.

Maybe I could set up a dummy PJSIP trunk, add the provider's IP ranges in match field then turn off Anonymous calls?

I do, however, use a SIP trunk for outbound calls to the provider. (the inbound section of the SIP trunk is empty). Not sure if that would help?

Thanks,
Fraser.


(Avayax) #10

Just use one PJSIP trunk for both in and outbound.
The IP addresses that SIP signaling will come from on inbound calls you put in the match field.
Done.
Anonymous calls not required.


(Jared Busch) #11

Good SIP trunking providers in the US work this way now. You create a single trunk (pjsip) and add the various IP blocks in the match field and it is all win for the inbound calling.
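
The single-trunk setup described in posts #4 and #10, written out as the `pjsip.conf` sections that the Match (Permit) field corresponds to. This is an added example, not configuration from the thread or from FreePBX itself; the trunk name, transport name, provider hostname and the RFC 5737 documentation addresses are all placeholder assumptions.

```ini
; Added example: one PJSIP trunk used for both outbound and inbound calls.
; Inbound requests are attributed to the trunk by source IP, so the
; "allow anonymous" setting can stay off.
; Every name and address below is a placeholder, not a real provider value.

[provider-trunk]                  ; hypothetical trunk name
type=endpoint
transport=transport-udp           ; assumed name of an existing transport section
context=from-pstn                 ; inbound calls from this trunk enter here
disallow=all
allow=ulaw
aors=provider-trunk

[provider-trunk]
type=aor
; Where outbound calls are sent (placeholder hostname).
contact=sip:sip.provider.example:5060

[provider-trunk]
type=identify
endpoint=provider-trunk
; One match line per SIP signalling address or CIDR block the provider
; publishes. These are signalling sources only; the provider's media (RTP)
; addresses do not belong here.
match=192.0.2.10                  ; RFC 5737 documentation address
match=192.0.2.11                  ; RFC 5737 documentation address
match=198.51.100.0/28             ; RFC 5737 documentation block

; A second provider gets its own endpoint/aor/identify sections with its own
; match list, so the logs show which trunk each inbound call arrived on.
```

Keep the `match` list identical to the signalling addresses whitelisted on the firewall for port 5060, so a provider address change is updated in both places.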