Registering a PJSIP trunk vs another FreePBX system with auth

I have two FreePBX servers in the same building (sitting about 4U away from each other) that need to talk.

For some reason, our IAX2 trunk has started to sound like hot garbage.

I want to switch to using a PJSIP trunk between these servers, but I don’t trust raw IP Authentication.
I know that on a PJSIP trunk I can enter credentials… but I am fuzzy on how to make two PJSIP trunks register to each other.

I'm curious how I would go about making a PJSIP trunk on serverA register and talk to a PJSIP trunk on serverB.

Authentication is not the same as registration. Registration is only necessary if the registrant knows the registrar’s address, but the registrar doesn’t know the registrant’s address.

You should configure to identify by IP, but with either both having general authentication with the same credentials, or each having both inbound and outbound authentication, but with the credential swapped over.

I’m not a FreePBX user myself, so I’m not sure how this translates to the GUI, but it is easy in the configuration files.

It is common to assume that registration is about authentication, but it is really about addressability. At least one side of a trunk needs to know the IP address of the other, even to use registration, so two-way registration doesn't make sense.

For a straight-up SIP trunk I would agree, as I can specify my details for inbound and outbound… PJSIP is confusing on that, as it's hard for me to see anything obvious.

While I love the idea of simply talking (not really… but…) from 192.168.1.5 to 192.168.1.6, I'd feel much more comfortable if there was a password/passphrase/something other than blindly accepting traffic as from-internal.

You are only accepting traffic from another PBX's IP. What is the issue here?

Does my paranoid security guy count?

IAX2 gives you some form of basic auth for free (but the audio sounds like hot garbage). I feel like he'd shit a kitten if I proposed going to a complete IP whitelist.

Sounds like a bad security guy IMO. An explicit whitelist is much more secure than credentials any day of the week.

But if you want to use auth with pjsip, you will need to do it yourself as the GUI does not support it to my knowledge.

You can see a sample here:

Do you suspect a MITM in 192.168.0/24 that is sniffing the port that you are using for chan_pjsip?

You missed the point. You do not have to register to enable password authentication.

(And in principle, you can register without any authentication, other than a valid user name (address of record).)

For the truly paranoid, perhaps using a level 2 approach: create a tagged VLAN interface on both machines in your LAN that both would use to communicate with each other for that trunk. If any of your 256 hosts in that network appear on that VLAN, suggest your IT department tell your management to fire them 🙂

Pretty simple…

Use the same trunk name & secret on both ends. Just change the SIP Server IP to point to the other one. Oh, and change the context to "from-internal" if they are buddies and should be able to access each other's internal dialplan.

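An added worked example of what the two answers above describe, written as raw pjsip.conf sections rather than anything from this thread or the FreePBX project: each server identifies the peer by its IP address (no registration in either direction, since both addresses are static) and, on top of that, requires SIP digest credentials on inbound requests and presents credentials on outbound ones. The 192.168.1.5 / 192.168.1.6 addresses are the ones mentioned earlier in the thread; the section names, usernames and the two secrets are made-up placeholders. The credentials are deliberately swapped between the two boxes (what serverA expects inbound is what serverB sends outbound, and vice versa); if you follow the "same name & secret on both ends" advice instead, the two auth sections on each box collapse into a single one referenced by both `auth=` and `outbound_auth=`.

```ini
; ===== serverA (192.168.1.5) — /etc/asterisk/pjsip.conf (added example, not FreePBX-generated) =====

[trunk-serverB]
type=endpoint
context=from-internal          ; peer is trusted enough to reach our internal dialplan
disallow=all
allow=ulaw
aors=trunk-serverB
auth=auth-from-serverB         ; credentials serverB must present on INBOUND requests to us
outbound_auth=auth-to-serverB  ; credentials we present when serverB challenges OUR requests

[trunk-serverB]
type=aor
; Static contact, so no registration is needed in either direction.
contact=sip:192.168.1.6:5060

[trunk-serverB]
type=identify
; Only traffic from this source IP is even associated with the endpoint;
; anything else never gets as far as a digest challenge.
endpoint=trunk-serverB
match=192.168.1.6

[auth-from-serverB]
type=auth
auth_type=userpass
username=pbxB                  ; placeholder
password=SECRET_B_PLACEHOLDER  ; placeholder, must match serverB's outbound_auth

[auth-to-serverB]
type=auth
auth_type=userpass
username=pbxA                  ; placeholder
password=SECRET_A_PLACEHOLDER  ; placeholder, must match serverB's inbound auth


; ===== serverB (192.168.1.6) — /etc/asterisk/pjsip.conf (added example, not FreePBX-generated) =====

[trunk-serverA]
type=endpoint
context=from-internal
disallow=all
allow=ulaw
aors=trunk-serverA
auth=auth-from-serverA         ; expects pbxA / SECRET_A (what serverA sends outbound)
outbound_auth=auth-to-serverA  ; sends pbxB / SECRET_B (what serverA expects inbound)

[trunk-serverA]
type=aor
contact=sip:192.168.1.5:5060

[trunk-serverA]
type=identify
endpoint=trunk-serverA
match=192.168.1.5

[auth-from-serverA]
type=auth
auth_type=userpass
username=pbxA
password=SECRET_A_PLACEHOLDER

[auth-to-serverA]
type=auth
auth_type=userpass
username=pbxB
password=SECRET_B_PLACEHOLDER
```

With this layout a request must both arrive from the whitelisted address and carry a valid digest response before it lands in from-internal, which is the "auth plus a specific IP" combination asked for. After reloading (`pjsip reload` at the Asterisk CLI), `pjsip show endpoint trunk-serverB` on serverA should list the identify match and both auth objects, and a test call in each direction should show a 401 challenge followed by an authenticated INVITE in `pjsip set logger on` output.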

Thank you @billsimon, that was indeed exactly what I wanted, even if I worded it poorly.

Auth plus a specific IP (or hostname) is definitely preferred over raw IP whitelisting based on our specific use case.

Very much appreciated that you took the time and provided a clear example/solution! <3
