Solved

IP Ranges In Asterisk SIP Peers

Posted on 2009-05-18
Last Modified: 2013-12-21
Is it possible to have IP ranges (or subnets) in peer definitions in Asterisk? Currently, I allow everything through and then run an AGI script to check the incoming IP to see if it's valid. I know I can create a peer with a single host ip, but some of my suppliers send me calls from whole subnets.

What I'm trying to achieve is verification of inbound calls on IP and, if required, username & password. I then want to send the verified inbound calls to a definable context. I also know I can set up a dynamic host with username & password verification and I could go on to verify the IP within the context but I'm trying to be flexible and allow either/or in a single method for ease of writing configuration screens.

Am I barking up the wrong tree here, or just barking?

Thanks.
Question by:davidwylie

Expert Comment

by:Ron Malmstead
ID: 24418626
If I have this right...you want to send calls to a specific context, depending on which IP subnet it's coming from.... ?

If that is right, then I think a reasonable approach would be to evaluate SIPCHANINFO(recvip) to a variable, from within the dialplan...using IF or GOTOIF functions to send it to specific context extension based on your arguments.

http://www.voip-info.org/wiki/view/Asterisk+func+sipchaninfo

exten => s,1,Set(IPSUBNET=${SIPCHANINFO(recvip):0:10})
; If the SIP peer's IP was 192.168.6.120, then ${IPSUBNET} would equal 192.168.6.
...or....you could evaluate it all in one line like this...
exten => s,n,GotoIf($["${SIPCHANINFO(recvip):0:10}" = "192.168.6."]?pass:fail)

Never tried this myself, so this is just a suggestion.... let me know if it works..

Author Comment

by:davidwylie
ID: 24419166
Hi,
thanks for your reply. We are currently using an AGI script to do the same thing. The dial plan essentially does this :

exten=>_X.,1,Set(myContext=failed)
exten=>_X.,n,Agi(check-ip.pl)
exten=>_X.,n,Goto(${myContext},s,1)
exten=>_X.,n,Hangup(34)

The AGI script then checks the inbound IP against a table which can be web configured to add clients. The table returns a client id and a context which the dial plan can then go on to process. I wanted to remove this step and handle the IP check inside Asterisk itself from within SIP.CONF. It just looks like it should be able to be done, but no combination I try seems to do it.

Maybe it's just not possible? I can find nothing on the web.

Expert Comment

by:Ron Malmstead
ID: 24422339
Ok, cool....

In sip.conf, you can allow or deny subnets and hosts globally, and you can assign each peer a specific host address or hostname.  I don't think it is possible to assign a peer to a subnet in the peer definition however.....

For example, if you defined a peer with Host=10.1.1.29.... that would be fine if the host IP address never changes on that device.  The peer wouldn't be able to register, unless the host IP, or hostname matched (e.g. Sipura117272.yourdomain.com).  If the IP address or hostname matched, then the device would register, and the peer would be able to access the dialplan beginning from the starting context specified in the peer definition.

Expert Comment

by:Ron Malmstead
ID: 24442038
"I don't think it is possible to assign a peer to a subnet in the peer definition however..... "

I was wrong on this apparently...

You can use Permit, Deny with peer definitions.
http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask

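An added example, not code from either poster: it models how permit/deny lines in a peer definition are applied (every rule is checked in order, the last one that matches decides, and an address no rule matches is allowed) and compares that with a string-prefix test like the dialplan one suggested earlier in the thread. The subnets and the context name are constructed sample values.

```python
import ipaddress

# Constructed sample: permit/deny lines as they might appear inside one
# peer definition in sip.conf (subnets and context name are made up).
SAMPLE_PEER = """
context=from-supplier-a
deny=0.0.0.0/0.0.0.0
permit=192.168.6.0/255.255.255.0
permit=10.20.30.32/255.255.255.224
"""

def parse_acl(text):
    """Return ordered (allow, network) rules from permit=/deny= lines."""
    rules = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("permit", "deny"):
            rules.append((key == "permit", ipaddress.ip_network(value.strip())))
    return rules

def acl_allows(rules, source_ip):
    """Check every rule in order; the last one that matches decides.
    An address that no rule matches is allowed."""
    addr = ipaddress.ip_address(source_ip)
    allowed = True
    for allow, network in rules:
        if addr in network:
            allowed = allow
    return allowed

def prefix_allows(source_ip, prefix):
    """Dialplan-style check: compare the leading characters only."""
    return source_ip.startswith(prefix)

RULES = parse_acl(SAMPLE_PEER)

if __name__ == "__main__":
    for ip in ("192.168.6.120", "192.168.60.5", "10.20.30.40", "10.20.30.70"):
        print(ip, "acl:", acl_allows(RULES, ip),
              "prefix '192.168.6':", prefix_allows(ip, "192.168.6"))
```

A prefix without its trailing dot also accepts 192.168.60.x, and no prefix can express the /27 in the sample; putting the deny-all line after the permits rejects every address.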
Author Comment

by:davidwylie
ID: 24442138
Hi,
I had already tried that, but I'll try it again because sometimes you can't see the wood for the trees.

Thanks,

Accepted Solution

by:Ron Malmstead (earned 250 total points)
ID: 24443073
If you make changes to sip.conf, just make sure you reload sip.conf from the Asterisk CLI for the changes to take effect and allow time for phones to reregister in order to see if it works...

....I'm sure you already knew that but I had to say it anyway.

Author Comment

by:davidwylie
ID: 24446100
Hi,
ok, it works.

The confusing thing is that changes to permit/deny require you to shut down Asterisk for any changes to take effect. This I did not realise so all my previous testing is void.

Thanks for your input on this. Got there in the end!



Expert Comment

by:Ron Malmstead
ID: 24446374
You can type "SIP RELOAD" at the Asterisk CLI, which will reload the sip.conf file without having to restart Asterisk completely.

Expert Comment

by:Ron Malmstead
ID: 24446384
Also... I think it only applies the ip subnet changes after the client attempts to re-register... restarting asterisk forces them to re-register.

Author Comment

by:davidwylie
ID: 24446940
The changes do not reload on SIP RELOAD nor on RELOAD.
Not on mine at least ....

Also, I'm not registering. This is for inbound calls from telcos without registration.

I'm going to upgrade to 1.6 tomorrow to see if this allows me to reload the config. Unless I'm doing something blindingly obviously wrong.


Expert Comment

by:Ron Malmstead
ID: 24451829
Are you issuing the command from the Asterisk CLI?

To start the * CLI, type asterisk -r on the Linux command shell.

Then issue a SIP RELOAD...

This will force Asterisk to parse the sip.conf file.  However, I suspect that changes to peer permit / deny definitions wouldn't take effect until a phone, softphone, or another PBX re-registers.  Even if you are receiving an inbound call from another telco over SIP, and even if you are not using authentication, there is still a registration process involved.