Two External Addresses for the FreePBX

Hi Everyone,

Does the FreePBX support the use of two public IP addresses? In the SIP settings we could only find that one External Address can be configured, and not two. Is there a way to work around this and use multiple public IP addresses?

What we are trying to do is to set up internet redundancy for our PBX, so that in case one internet connection disconnects the other will still work.

Thanks,

You should be able to manually add an additional external address by using the custom fields at the bottom of sip settings. Look in the auto-generated conf files for hints about which keywords to duplicate.

Thank you Kolpinkb,

Yep, I see the externip and will add another record.

About the routing: on Linux we can have only one gateway? How can we set it up to use those two SIP trunks and make the FreePBX work with those two SIP trunks?

I feel like I need to quote the Princess Bride, e.g., I don’t think you understand that word.

FreePBX uses Asterisk to control and manage inbound and outbound calling.
Asterisk uses Linux to access the IP network.
IP networking uses “defined” and “default” routes. You set up your defined routes so that traffic to a specific address goes through a specific route. Everything else goes through the default.

Your question makes it sound like you’re not quite sure how IP routing works, because what you are trying to do is extremely unusual.

Usually the PBX is not used as an internet failover device. You would typically use a router with multi-WAN failover support such as pfSense. The PBX would be none the wiser to which internet connection you were using if you have it behind NAT.

However, using two external interfaces would be handy if your PBX had two external public static IPs to two different ISPs. This alternative would be a more complicated configuration to initially set up but offer fewer issues with the signalling and media streams.

Your endpoints could be configured with failover options for both of the above scenarios.

Sorry Kolpinkb and Dave if my questions seem quite confusing, and thank you for providing your comments.

Here is what we have: one FreePBX with two network cards, each with a local IP address, connected to a pfSense firewall. Each local IP address is completely one-to-one NATed with a public IP address, and each public IP address is from a different ISP.

From our SIP provider we have two SIP IP addresses and one RTP IP address.

The one RTP IP address makes things challenging, as we are not able to route properly on the Linux machine, but for the two SIP IP addresses we inserted a routing record and each is routed through a separate network card, which is good. Once the packet reaches the pfSense firewall, it will route based on the destination IP address via ISP 1 or ISP 2.

Since we have only one RTP IP from our SIP provider, I think the only choice we have is to set the redundancy on the pfSense firewall, and this requires a cron job that runs frequently to check which external IP address is active, and the records will be updated in the Asterisk file. Let me know your ideas on this.

The other option available is to route the RTP IP to one of the NICs and configure ISP redundancy on the firewall, which means whichever internet connection is available is routed, and there will be a main and a standby ISP. But I am not sure if this is going to work. For example, you send the SIP from External IP 1 and RTP from External IP 2; is this something that works with RTP?

I’m pretty sure the “right” way to do this is in the pfSense switch. Route both of the public IPs to the single Ethernet card with a single IP address.

The configuration you have now is making my head hurt, and I do networking for a living.

Any other solution is going to cause problems with routing the outbound packets and can generate open-jawed routes.

The other issue is that I can’t figure out why you have two different external addresses on the router. Actually, I can think of a hundred reasons why you’d want to do that, but I can’t figure out why you’d want to have two IP addresses for your phone system. Even if you are running a multi-tenant system, you end up in a single Asterisk installation, and it doesn’t play nice with multiple IP addresses where the destinations are unclear.

So, to answer your original question - No, I don’t think you can do that. If pressed the answer is probably more like “You can probably make it work, but you’re going to end up with a huge mess before you get it to work reliably.”

Hi Dave ,

The reason we have two external IP addresses is that we have two ISPs at our office for redundancy. And the reason we want to have two IP addresses for our phone system is to have redundancy. Imagine you have hundreds of calls per day on your PBX and suddenly there is an internet outage of your main ISP and you have another ISP. Wouldn’t it be ideal to have another connection and be operational in a matter of seconds, instead of doing it manually and changing all the IP addresses and taking hours before you are back operational?

OK - let’s start at the top.

That’s a laudable setup. There are a few problems with it, though. In fact, your ability to do what you need to do (as described below) starts to fall apart here pretty quickly.

I don’t need to imagine it. Every installation I run has this feature. Almost all of my installations use multiple gateways through my border router (which is a NetBSD IPF Firewall).

Yes it would. The problem is that you won’t. No matter how you want to do it, you will need to reconfigure the server’s external address. Also, calls “in flight” are going to fail.

The problem is that your NAT can’t handle dual interfaces. I understand that you have a 1-to-1 NAT for both of your external IP addresses, but Asterisk only has one. You need to reset the external address in the server and restart Asterisk for you to be able to change the “external” address that the system is using.

You might be thinking at this point that it will just switch, and incoming traffic will actually probably fail over, but you’re immediately going to run into one-way audio problems because the SIP and RTP protocols embed the designated external address inside their packets. If your identified external address is 1.1.1.1 (for example) and you suddenly switch all of your SIP and RTP traffic to go through 2.2.2.2, the packets will still say ‘1.1.1.1’ until you change it.

Now having said all of that - it is possible to externally change the external interface address and switch address by restarting Asterisk. You will need to write some software to make it happen and to make it respond the way you want it to. It won’t be “manual”, but it’s not guaranteed to go completely smoothly.

Now, all of that is external to the phone server. Having two interfaces to the local network isn’t going to improve your reliability. In fact, it might mess your reliability up. The next problem is your pfSense router/firewall.

Let me explain. Your internal address for your firewall is 192.168.1.1. The other internal address is 192.168.2.1. Each of these is mapped “1-to-1” to the external addresses ‘1.1.1.1’ and ‘2.2.2.2’. To get there, they traverse the same local network (192.168.0.1/22) and are sent out via the default port from the pfSense.

You can have all the addresses you want, but ultimately, you end up with a mess. Your system is going to rely on whatever default route is in place - assuming you’ve configured pfSense to fail over (implementing OSPF or BGP would be my guess), the traffic is going to go out to whatever address is closest.

This is confusing stuff, but it’s really nuts-and-bolts of routing.

Here’s an example. You receive a call from your ITSP. It is routed to 192.168.1.1 via 1.1.1.1 and is processed and forwarded from pfSense to get the traffic there. Life’s good. This, so far, is a standard Asterisk setup.

You, however, have added a wrinkle. Your ISP at 1.1.1.254 fails (line fade, power, whatever). Your traffic is suddenly coming in on 2.2.2.2 to 192.168.2.1. The server is still set up to tell the other end that the address at this end is your old external address (1.1.1.1), even though the traffic is coming in for 2.2.2.2. The traffic is now open jawed through a dead connection. The only way to get this connection to work is to change the external address for the SIP connections, which will fail as soon as your original ISP comes back on line.

So, where you were looking for redundancy, you’ve just caused two outages for every outage. This is the opposite of where you wanted to end up.

So now, a suggestion. Instead of the 1-to-1 mapping, set up your phone system so that it has a single “external” address - pick one, it doesn’t matter.

So now, you have two potential incoming routes (redundancy achieved for this leg). Both of these addresses get routed to your single IP address in the local network. The routing tables for the server are simplified. You’re still going to have some work to do in the pfSense switch, but that’s external to the phones.

Use a job that monitors the incoming IP address, and when the primary fails, you change the “external” address of the server to the other external address and restart Asterisk. All of your calls drop at this point, but they were probably gone anyway, since the link they were coming in on went down. Once the server restarts, all of the phones will reconnect and your incoming calls will come in on the second external address and be processed through that address (since the external address is set correctly).

The reliability problem is still there, though. Every time you switch from one ISP to the other, you end up having to change the external address in the server and restarting Asterisk.

Even if you DID have to do it manually, it wouldn’t take more than a few seconds. Letting it happen automatically could reduce your reliability to nearly zero. The constant switching back and forth between two networks is going to kill all of your calls and force a restart of the server. This is basically the opposite of where you wanted to end up.

Now, there may actually be a device out there that will let you do this, but it won’t be Asterisk. I’m going to invite @dicko into the conversation, because he knows a lot more about the call routing stuff than I do. He might be able to get you to where you actually want to end up.
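The monitoring job described in the post above, sketched as an added example that is not part of the thread or of FreePBX. It adds a hold-down counter so that a flapping link does not trigger a restart on every tick; the state file, the conf file containing a single `externip=` line, the threshold and the way the observed public address is obtained are all assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumed names: the state file, the
# conf file holding one externip= line, and an observed IP supplied by the caller.

# The observed address comes from an outside probe; accept only a dotted quad
# before it is compared or written into a config file.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# next_state CURRENT OBSERVED CANDIDATE COUNT THRESHOLD
# Prints "ACTION CANDIDATE COUNT"; ACTION is keep, wait or switch.
next_state() {
    local current="$1" observed="$2" candidate="$3" count="$4" threshold="$5"
    if ! is_ipv4 "$observed" || [ "$observed" = "$current" ]; then
        echo "keep - 0"; return 0      # bad probe or no change: reset the counter
    fi
    if [ "$observed" = "$candidate" ]; then
        count=$((count + 1))           # same new address seen on another tick
    else
        candidate="$observed"; count=1 # different new address: start over
    fi
    if [ "$count" -ge "$threshold" ]; then echo "switch $candidate 0"
    else echo "wait $candidate $count"; fi
}

# set_externip FILE IP: rewrite the externip= line, or append one if absent.
set_externip() {
    local file="$1" ip="$2" tmp
    is_ipv4 "$ip" || return 2
    tmp=$(mktemp) || return 2
    if grep -q '^externip=' "$file"; then
        sed "s/^externip=.*/externip=$ip/" "$file" > "$tmp"
    else
        { cat "$file"; echo "externip=$ip"; } > "$tmp"
    fi
    cat "$tmp" > "$file"; rm -f "$tmp"
}

# run_once CONF STATE OBSERVED THRESHOLD: one scheduled tick.
# Returns 0 only when externip was rewritten and Asterisk needs its restart.
run_once() {
    local conf="$1" state="$2" observed="$3" threshold="$4" current cand="-" cnt=0
    current=$(sed -n 's/^externip=//p' "$conf" | tail -n 1)
    if [ -f "$state" ]; then read -r cand cnt < "$state" || true; fi
    set -- $(next_state "$current" "$observed" "$cand" "$cnt" "$threshold")
    echo "$2 $3" > "$state"
    [ "$1" = "switch" ] || return 1
    set_externip "$conf" "$2"
}
```

Run `run_once` from the scheduler with the address the probe reports, and restart Asterisk only when it returns 0.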

Looking for some clarification myself here. Can Asterisk accept calls and registrations on two external interfaces?

For example, two modems, each from a different ISP. Each modem is in bridge mode, directly assigning a static public IP to whatever device is connected to it. Let’s say our single PBX with two external interfaces. Each static IP has a separate DNS record for a different subdomain, say server1.example.com and server2.example.com. If the endpoints were set up with both these servers (say server2 as a failover), Asterisk should be able to accept calls on server2, IP2, and external interface 2, correct?

I am also using two ISPs going to my firewall/gateway (sonicwall) and one FPBX server behind NAT on my LAN.

The way I have set this up is:

- SonicWall is configured to fail over from one ISP to the other if the main link is down
- In FreePBX turn on DDNS in sysadmin
- Under SIP settings set external IP to dynamic and enter your hostname there. Set update DDNS to a relatively short interval.

All my sip providers point to my hostname.

Now I don’t know if the above setup relieves me of having to press the detect external IP button under SIP settings whenever my main ISP goes down, because I haven’t had that happen yet.
My expectation is that the PBX will check for its external IP via the check hostname IP function.
@cynjut, and @dicko, maybe that will work for @abdel33 as well.

@avayax That might work. The period of the outage should be less than five minutes if you ever change interfaces.

To be clear, though, you are still using a single IP address (at a time) for your connectivity. Using two simultaneous addresses is still not supported as far as I can tell.

Also, you are using DDNS, which wasn’t one of the factors in the original question. Adding that might make it a workable solution. Since the published “external” address is dynamic, it is probably bounced against the DNS for resolution, so now you are also reliant on routing through multiple paths for that service too.

Well, multiple outbound routes are not a problem; just prioritize them in your outbound routes. Inbound routing will be a problem. Do all your VSPs provide a failover destination for your DIDs? If not, how will the inbound calls get to you?

It was mentioned here about BGP, a good idea but not trivial to implement, and it requires compliance with all your IP route providers. If you have BGP working, you can easily set up a set of redundant SIP proxies (I use Kamailio) to handle network failures and distribute calls appropriately to reachable instances of your PBXs. You can also use that proxy cluster to register your phones but still have the convenience of a PBX; some phones also have failover registrar addresses, etc.

@dicko, our SIP provider will send the first Invite message to the ISP 1 IP and, if there is no response, it will resend to the ISP 2 IP.

@cynjut Thank you for your detailed explanation. @avayax seems to suggest a solution with dynamic IP.

@avayax How about outbound in the SIP trunk? We don’t need to provide any externip= parameter, right? And this will automatically be whatever the domain translation gives us, whether it is ISP1 or ISP2.

Maybe it would be as simple as adding siproxd to your pfSense

https://doc.pfsense.org/index.php/Asterisk_VoIP

also

https://help.dyn.com/ddclient/

to update the record on a network failure.

That alone won’t help if Asterisk doesn’t know its proper external IP after the fail over occurred.

What do you mean by outbound in the SIP trunk? Peer details?

This is what I have under Asterisk SIP setings. My hostname in the dynamic host field updating every two minutes.

Isn’t that what the rPORT settings are for in the endpoints? They ignore the IP in the SIP header and reply to the IP where the packet actually came from?

Dear @avayax,

If we use the dynamic DNS, it will be either of the IPs, IP1 or IP2, so that will work, I guess. So it wouldn’t bother to have an Invite resend if there is no response.