Link to home
Start Free TrialLog in
Avatar of davidwylie
davidwylie

asked on

IP Ranges In Asterisk SIP Peers

Is it possible to have IP ranges (or subnets) in peer definitions in Asterisk? Currently, I allow everything through and then run an AGI script to check the incoming IP to see if it's valid. I know I can create a peer with a single host ip, but some of my suppliers send me calls from whole subnets.

What I'm trying to achieve is verification of inbound calls on IP and, if required, username & password. I then want to send the verified inbound calls to a definable context. I also know I can set up a dynamic host with username & password verification and I could go on to verify the IP within the context but I'm trying to be flexible and allow either/or in a single method for ease of writing configuration screens.

Am I barking up the wrong tree here, or just barking?

Thanks.
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image

If I have this right...you want to send calls to a specific context, depending on which IP subnet it's coming from.... ?

If that is right, then I think a reasonable approach would be to evaluate SIPCHANINFO(recvip) to a variable, from within the dialplan...using IF or GOTOIF functions to send it to specific context extension based on your arguments.

http://www.voip-info.org/wiki/view/Asterisk+func+sipchaninfo

exten => s,1,Set(IPSUBNET=${SIPCHANINFO(recvip)}:0:9)
'If the sip peer's ip was 192.168.6.120, then ${IPSUBNET} would equal 192.168.6.
...or....you could evaluate it all in one line like this...
exten => s,n,GotoIf($["${SIPCHANINFO(recvip):0:9}" = "192.168.6."]?pass:fail)

Never tried this myself, so this is just a suggestion.... let me know if it works..
Avatar of davidwylie
davidwylie

ASKER

Hi,
thanks for your reply. We are currently using an AGI script to do the same thing. The dial plan essentially does this :

exten=>_X.,1,Set(myContext=failed)
exten=>_X.,n,Agi(check-ip.pl)
exten=>_X.,n,Goto(myContext,s,1)
exten=>_X.,n,Hangup(34)

The AGI script then checks the inbound IP against a table which can be web configured to add clients. The table returns a client id and a context which the dial plan can then go on to process. I wanted to remove this step and handle the IP check inside Asterisk itself from within SIP.CONF. It just looks like it should be able to be done, but no combination I try seems to do it.

Maybe it's just not possible? I can find nothing on the web.
Ok, cool....

In sip.conf, you can allow or deny subnets and hosts globally, and you can assign each peer a specific host address or hostname.  I don't think it is possible to assign a peer to a subnet in the peer definition however.....

For example, if you defined a peer with Host=10.1.1.29.... that would be fine if the host IP address never changes on that device.  The peer wouldn't be able to register, unless the host IP, or hostname matched (e.g. Sipura117272.yourdomain.com).  If the IP address or hostname matched, then the device would register, and the peer would be able to access the dialplan begining from the starting context specified in the peer definition.
"I don't think it is possible to assign a peer to a subnet in the peer definition however..... "

I was wrong on this apparently...

You can use Permit, Deny with peer definitions.
http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask
Hi,
I had already tried that, but I'll try it again because sometimes you can't see the wood for the trees.

Thanks,
ASKER CERTIFIED SOLUTION
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hi,
ok, it works.

The confusing thing is that changes to permit/deny require you to shut down asterisk for any changes to  take effect. This I did not realise so all my previous testing is void.

Thanks for your input on this. Got there in the end!


You can type "SIP RELOAD" at the Asterisk CLI, which will reload the sip.conf file without having to restart Asterisk completely.
Also... I think it only applies the ip subnet changes after the client attempts to re-register... restarting asterisk forces them to re-register.
the changes do not reload on SIP RELOAD nor on RELOAD.
Not on mine at least ....

Also, I'm not registering. This is for inbound calls from telcos without registration.

I'm going to upgrade to 1.6 tomorrow to see if this allows me to reload the config. Unless I'm doing something blindlingly obviously wrong.

Are you issuing the command from the Asterisk CLI ?

To start the * CLI, type  ASTERISK -r, on the linux command shell.

Then issue a SIP RELOAD...

This will force asterisk to parse the sip.conf file.  However, I suspect that changes to peer permit / deny definitions wouldn't take affect until a phone, softphone, or another pbx re-registers.  Even if you are recieving an inbound call from another telco over sip, and even if you are not using authentication, there is still a registration process involved.