I have 2 FreePBX servers in the same building (sitting about 4U away from each other) that need to talk.
For some reason, our IAX2 trunk has started to sound like hot garbage.
I want to switch to using a PJSIP trunk between these servers, but I don’t trust raw IP Authentication.
I know that on a PJSIP trunk, I can enter credentials… but I am fuzzy on how to make two PJSIP trunks register to each other?
Curious how I would go about making a PJSIP trunk on serverA register and talk to a PJSIP trunk on serverB.
Authentication is not the same as registration. Registration is only necessary if the registrant knows the registrar’s address, but the registrar doesn’t know the registrant’s address.
You should configure to identify by IP, but with either both having general authentication with the same credentials, or each having both inbound and outbound authentication, but with the credential swapped over.
I’m not a FreePBX user myself, so I’m not sure how this translates to the GUI, but it is easy in the configuration files.
It is common to assume that registration is about authentication, but it is really about addressability. At least one side of a trunk needs to know the IP address of the other, even to use registration, so two-way registration doesn’t make sense.
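The layout described in the reply above (identify by IP, with inbound and outbound authentication on each side and the credentials swapped over), written as plain Asterisk `pjsip.conf` sections. This is an added example, not part of the thread and not FreePBX-generated configuration. It assumes serverA is 192.168.1.5 and serverB is 192.168.1.6; the section names, usernames, codec choice and placeholder passwords are constructed.

```ini
; ===== serverA (assumed 192.168.1.5) - names and passwords are constructed =====
[to-serverB]
type=endpoint
context=from-internal        ; context named in the thread; a narrower one limits what the peer can dial
disallow=all
allow=ulaw
aors=to-serverB
auth=auth-in-from-B          ; inbound: challenge requests arriving from serverB
outbound_auth=auth-out-to-B  ; outbound: credentials used when serverB challenges us
[to-serverB]
type=aor
contact=sip:192.168.1.6:5060 ; static contact, so neither side registers
[to-serverB]
type=identify
endpoint=to-serverB
match=192.168.1.6            ; identify the endpoint by source IP
[auth-in-from-B]
type=auth
username=serverB
password=PLACEHOLDER_B_TO_A
[auth-out-to-B]
type=auth
username=serverA
password=PLACEHOLDER_A_TO_B

; ===== serverB (assumed 192.168.1.6) - same layout, credentials swapped =====
[to-serverA]
type=endpoint
context=from-internal
disallow=all
allow=ulaw
aors=to-serverA
auth=auth-in-from-A
outbound_auth=auth-out-to-A
[to-serverA]
type=aor
contact=sip:192.168.1.5:5060
[to-serverA]
type=identify
endpoint=to-serverA
match=192.168.1.5
[auth-in-from-A]
type=auth
username=serverA
password=PLACEHOLDER_A_TO_B  ; must equal serverA's auth-out-to-B
[auth-out-to-A]
type=auth
username=serverB
password=PLACEHOLDER_B_TO_A  ; must equal serverA's auth-in-from-B
```

With both `identify` and `auth` set, a request from the peer's address is matched to the endpoint by IP and then still has to answer a digest challenge before it reaches the dialplan.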
For a straight-up SIP trunk, I would agree, as I can specify my details for inbound and outbound… PJSIP is confusing on that, as it's hard for me to see anything obvious.
While I love the idea of simply talking (not really… but…) from 192.168.1.5 to 192.168.1.6, I’d feel much more comfortable if there was a password/passphrase/something other than blindly accepting traffic as from-internal.
IAX2 gives you some form of basic auth for free (but audio sounds like hot garbage), I feel like he’d shit a kitten if I proposed going to completely IP-whitelist.
For the truly paranoid, perhaps using a level 2 approach, on both machines, create a tagged VLAN interface on both machines in your LAN that both would use to communicate with each other for that trunk. If any of your 256 hosts in that network appear on that VLAN, suggest your IT department tell your management to fire them.
Use same trunk name & secret on both ends. Just change the SIP Server IP to point to the other one. Oh, and change the context to “from-internal” if they are buddies and should be able to access each others’ internal dialplan.