Static IP or Public?

What’s the best setting for a hosted VM PBX with Vultr or FreePBX hosting?

They assign you a (public) static IP address.

So do you use the public IP setting in Asterisk SIP settings or do you set it as a static IP? Both seem to work but which setting is best or correct?

“Public” implies a “private” component.

“Static” doesn’t.

So, if the system is actually exposed to the Internet (and only to the Internet), use the “static” address option. If the system has an outward-facing and an inward-facing interface (which doesn’t sound like what you’re doing), you’d use the public address.

It’s a hosted PBX with static IP and I would assume no NAT on the PBX side.
Isn’t that a public IP address?

Since it’s a hosted system with static IP, it is exposed to the Internet (no router)
so (imho) NAT = NO in SIP settings
and nat = yes for the extensions.

If I use the Static IP setting, sip show settings is
SIP address remapping: Enabled using externaddr
Externhost:
Externaddr: x.x.x.x

If I use the public IP setting, sip show settings is:
SIP address remapping: Disabled
Externhost:
Externaddr: (null)

Both work fine as far as I can tell. Is there really a difference and which one is correct?

In your case, static IP would be correct.

Public address implies you are running a system in a NATed network. Your public address is the address of your router, which then forwards all of the traffic for the PBX to a private address.

A static address is simply one that does not change. There is no NAT nor are there any DynDNS interactions.

The NAT thing is completely something else, though.

If your device has a non-routable address and talks to a device that has a routable (public/static) address, the device needs to have NAT turned on. The reason is because of the way that VOIP traffic is transmitted through the Internet.

If your server and your phone are on the same network, there’s no reason to set NAT=yes - there’s no address translation in the route. If your phone is in the local network and your server is outside, you need NAT=yes so that your audio knows how to get to your phone. If the phone is on the Internet and the server is on the Internet, NAT=no, since no address translation is happening. If the server is behind a firewall and the phone is not, the server would need NAT=yes (since it’s behind the firewall) and the phone would need NAT=no (since it’s already on the Internet).

So, if your device (server or phone) has a routable address, it needs NAT=no. If the device has an external address that’s different from the internal address, then NAT=yes.

I hope that helps.

Yes. Thanks.

So in my case (no router, server exposed to Internet)
I use “Static IP and Nat = no” in SIP settings

and for the individual extensions I use "Nat = yes"
since they are behind a router.

Yes. That should work.

I have always had similar thoughts about that Asterisk SIP setting.

I have my PBX behind a router. One of the interfaces on my router is a public subnet and no NAT is done on that interface. That is where I have my PBX.

Router’s WAN interface is 69.xxx.xxx.xxx/32, LAN is 192.168.1.0/24, LAN2 is 69.yyy.yyy.yyy/29.

PBX is 69.yyy.yyy.yy(y+1)/29

When static IP is selected the following help bubble appears:

Override External IP

69.yyy.yyy.yy(y+1)

“External Static IP or FQDN as seen on the WAN side of the router. (asterisk: externip) Note that this will, by default, inherit the settings from the General page”

Going by the above information, the external static IP as seen on the WAN side of my router is the same IP that is actually assigned to the PBX.

Is this override setting not meant for a PBX to include the router’s WAN IP in the SIP signalling, in cases where the PBX is assigned a 192.168.1.1 address with NAT?

OK, so you have the WAN address set up as the external interface, LAN1 as the local interface, and LAN2 as the DMZ.

Since your PBX external address is routable and in the DMZ, you should be able to choose “static” address and it should work. While there is a router in between, it isn’t performing any Network Address Translation, so it’s effectively connected straight to the Internet.

Not exactly. When you have the system set up like that, there is a GUI box called “Extern IP”, which is the “outside” address for your NAT Firewall. Since you have the external address assigned to an interface, you don’t really need that. You’ll have your interface address, which (in that case) would be in the 192.168.x.x address space.

Unless you only have one interface for your PBX, e.g., it has both the 69.yyy.yyy.(yyy+1) and the 192.168.0.1 addresses assigned to the same interface. While it’s doable, for $10 you can add a second interface and make the routing and configuration so much simpler than that would be…

I have one interface for the PBX and it is physically connected to a switch on LAN2 along with a bunch of other servers.

Desktops, laptops, printers, wifi, etc are on LAN.

VoIP desk phones are on LAN3 (not mentioned earlier, sorry) with a subnet of 192.168.2.0/24.

Is the override address not the same thing as the “extern IP”?

OK, so your PBX only has one interface? How do you have it configured?

At this point, I’m not convinced that the network is configured the way you think it is.

In a normal network, your PBX connection is on LAN2. That means it’s set up on the 69.x.x.x/29 local network. The address is still routable, so I’m not sure why you’d want or need an “override” address.

If that’s true and your phones are in the 192.168.2.x network, there has to be some way for the traffic to route from the phones to the PBX, and more importantly, back. That could be static routes through your router or NAT. If it’s static routes, then I don’t think you’ll need NAT anywhere - there’s no address translation, so NAT’s not pertinent. If you are doing NAT from the 192.168.2.x network to the 69.x.x.x/29 network, the NAT on the phones is required.

In your configuration, the override address (which I’m not sure why you have) and the external IP (which, again, isn’t something you should be using) would, in fact, be exactly the same thing. The PBX’s address is going to be 69.x.x.x. Everything will communicate with it on that address.

Thanks for taking the time to discuss this with me, @cynjut. So, so many how-to’s do a terrible job of explaining NAT and routing with regards to VoIP.

I just want to clarify that I have never used nor wanted to use the override extern IP setting.

Every route needs a gateway. Even my particular WAN address has a gateway at the other end of the /32 link.

There are tricks built in to some router software such as #pfsense referred to as virtual IPs (VIPs for short). They allow a device on your LAN to have a 192.168.xxx.xxx address but actually have an external publicly routable address assigned at the firewall. Not the best configuration as it tends to break default configurations of stuff like VoIP and especially WebRTC. It’s only really used when you don’t have hardware allowing physically separate subnets.

I’m really confused by your post where you mention that “public implies a private component” and I think a lot of other people are too.

I’ve attached a diagram of my current setup so you can better understand my setup. One of the IPs from my /29 is used as an interface. The only downside is that I lose an IP to the gateway. With VIPs I wouldn’t waste one. I think it might also be possible to bridge the WAN with one of the LANx interfaces but I haven’t had much luck with that.


To continue this discussion…
With the settings described in this thread

Sip Settings: "Static IP + Nat = no"
Extensions: “Nat = yes”

everything works fine except for calls between remote extensions where the users complain of one way audio. Should I look at their routers for SIP ALG or try setting NAT=yes in SIP Settings?

I am hesitant to look at the router because these extensions are configured with TLS and SRTP so SIP ALG shouldn’t really affect them.

You’re definitely right about the common router SIP ALG. I have seen some routers mishandle SIP even with ALG turned off. A common way to get around this is to simply use a port other than 5060. Some routers are slightly more advanced and will actually inspect the packets in which case you’ll need a port other than 5060 and encryption turned on to disguise the packets as well.

Regarding the no audio, a lot of softphone endpoints have the option to force rPort for signalling and separately for media. Try turning both rPorts on so that the endpoint responds to the same port it received on.

The 2 remote extensions are Grandstream GXP1610 and the end users are not allowing access to their routers so I might be out of luck here. I already use TLS and SRTP on the phones which I thought would help but oddly enough the TLS phones are reporting more issues than my UDP users.

Changing to a non-standard SIP port (bindport=xxxx), I believe, affects the entire server, but I only have an issue on 8 phones and don’t want to screw up the entire server. Is there a way to make the change only for those 8 phones?

NAT=yes in SIP settings seems to fix the one way audio between the remote phones but I am concerned it may cause other issues later on.

Weird that you have more problems with TLS. TLS is actually over TCP, which includes a form of error correction throughout the call signaling.

I found with UDP I had more complaints of calls not being picked up correctly and other feature codes not being transmitted correctly as well.

Regarding the listening port, I think you can add multiple bind ports for Asterisk to listen on. You just have to do it manually by entering multiple bindport=xxxx entries. Don’t quote me on that one but I’ve done it with Apache, postfix and dovecot.