My SIP supplier wants to send calls to my system using SIP URI.
They have given me a list of SIP Signalling servers, which I have whitelisted on the firewall on port 5060. However, they have stated that there are so many “media IPs” that calls could come from, that I need to open up 10,000-20,000 to the internet.
In order to have calls accepted by the system, I have had to enable allow anonymous calls.
So really my question is - is it safe to have 5060 open to a specific set of IPs, whilst having 10,000-20,000 open to the world, with allow anonymous calls enabled?
Although this is safe, it is IMO not the best way, because you may have trouble if you add another trunking provider; you want the system to know which trunk a call comes from.
Instead, in your pjsip trunk, Match (Permit) field, put the list of IP addresses that your provider uses for SIP signaling. You should now be able to disable anonymous and inbound calls should still work. The logs should now show the correct trunk name for incoming calls.
I agree with @avayax that pjsip is the way to go. However, if you can’t get it to work, it is still possible to use chan_sip. If your provider sends calls from only a few addresses, create a separate inbound trunk for each address. If there are many, see Step 1 of https://www.callcentric.com/support/device/asterisk/14 .
Set up one ‘template’ trunk (you can do this in the GUI), then add two lines to sip_custom.conf as shown for each IP address they use for signaling.
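
For reference, the raw Asterisk pjsip.conf form of the pjsip Match (Permit) setting suggested earlier in the thread, as an added example that is not part of any poster's reply. The section names, the `from-pstn` context and the addresses (documentation ranges) are placeholders; in FreePBX the GUI field generates the equivalent.

```ini
; Constructed example: names and addresses are placeholders, not the provider's real values.
[provider-trunk]
type=endpoint
context=from-pstn          ; assumed inbound context for trunk calls
disallow=all
allow=ulaw,alaw
direct_media=no            ; keep RTP anchored on the PBX

[provider-trunk-identify]
type=identify
endpoint=provider-trunk    ; requests from the addresses below are mapped to this endpoint
match=203.0.113.10         ; provider signaling server 1 (placeholder)
match=203.0.113.11         ; provider signaling server 2 (placeholder)
match=198.51.100.0/24      ; a CIDR block is also accepted
```

With this in place, an INVITE from any other source matches no endpoint, so it is rejected once anonymous calls are disabled, and the trunk's match list mirrors the port 5060 firewall whitelist.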