Inbound Carrier Setup with IP Range [Solved]

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Inbound Carrier Setup with IP Range [Solved]

Postby khuff » Fri Jun 24, 2016 8:09 am

Hey guys,

So one of our carriers (Plivo) is updating their network and are switching to a huge range of ips. Like 3 different /26 subnets, and 9 /27's, that's almost 500 ip addresses, seems crazy. Supposedly sip traffic can come from any of them. I was wondering if there was anyway to get around setting up 456 carrier entries on each of my 3 servers. Like can I setup a range of IPs in the carrier entry? If not will I come into any issues having like 1500 carrier entries?

Thanks,
Kevin
Last edited by khuff on Wed Jun 29, 2016 11:54 pm, edited 1 time in total.
Vicibox 8.1 | ViciDial VERSION: 2.14-687a BUILD: 180908-1618 | Asterisk: 11.25.3-vici | Multi Server 12 x Dialers / 2 x Web / 1 x Master DB / 1 x Slave DB / 1 x Archive | No extra software or hardware after install
khuff
 
Posts: 80
Joined: Mon Feb 20, 2012 12:19 pm

Re: Inbound Carrier Setup with IP Range

Postby khuff » Mon Jun 27, 2016 10:23 am

Did a bit more digging looks like the best option would be to setup the server to allow anonymous connections and send any call from DID's not setup straight to hang. It's a bit scary, but I'm not sure there are any better options. If any one has any input I'd be happy to hear it.
Vicibox 8.1 | ViciDial VERSION: 2.14-687a BUILD: 180908-1618 | Asterisk: 11.25.3-vici | Multi Server 12 x Dialers / 2 x Web / 1 x Master DB / 1 x Slave DB / 1 x Archive | No extra software or hardware after install
khuff
 
Posts: 80
Joined: Mon Feb 20, 2012 12:19 pm

Re: Inbound Carrier Setup with IP Range

Postby khuff » Wed Jun 29, 2016 11:54 pm

Just wanted to leave an update here for future generations since I didn't get much traction when I asked. So the easiest solution to get 400+ ip addresses added (this is required for Plivo so hopefully anyone running into this with them can find this) to be able to receive inbound calls is as follows: (This worked in my case your milage may vary.)

  • Setup your firewall real good in yast
  • Allow ONLY http through the external side and anything else you need, block all the sip stuff and anything else
  • Setup custom rules for your existing carriers that aren't 100's of ips long through yast (one for tcp 5060, one for udp 5060, and one for udp 10000:20000)
  • Download the /etc/sysconfig/SuSEfirewall2 file and edit the FW_SERVICES_ACCEPT_EXT= section
  • Add one line for tcp 5060, one for udp 5060, and one for udp 10000:20000 for each ip on your list
    eg:
    Code: Select all
    99.99.99.99,tcp,5060
    99.99.99.99,udp,5060
    99.99.99.99,udp,10000:20000
  • Get that file back on the server and restart the firewall
  • Edit the sip.conf and set allowguest=yes

After that your server will block any external sip traffic from anything but the ips listed in your /etc/sysconfig/SuSEfirewall2 file. And everything will go through your default route, unless of course you have a carrier entry setup, which this seems to jive just fine for. The calls from the ips that don't have a carrier entry setup will show as their ip in your logs. That should do it, at least I hope. I did some testing tonight and it looks all good, but the ip changes go live tomorrow so I'll be watching it like a hawk in the morning. If anyone sees any issues with the steps I followed please let me know.
Vicibox 8.1 | ViciDial VERSION: 2.14-687a BUILD: 180908-1618 | Asterisk: 11.25.3-vici | Multi Server 12 x Dialers / 2 x Web / 1 x Master DB / 1 x Slave DB / 1 x Archive | No extra software or hardware after install
khuff
 
Posts: 80
Joined: Mon Feb 20, 2012 12:19 pm

Re: Inbound Carrier Setup with IP Range [Solved]

Postby williamconley » Thu Jun 30, 2016 12:46 am

I find it likely that the plivo IPs fall into specific IP ranges. IP ranges can be added to the firewall via "yast firewall"=>Custom Rules

Ordinarily carriers actually own entire IP ranges, but only use "some" of them for audio traffic. It's usually not hard to find this information if you check a few live calls (by checking the "whois" databases) and then ask if "these are their ranges", they usually just say yes. Now you can open the IPs they own.

If you add carriers with IP ranges in this manner, the IPs they own will be allowed and other IPs won't. And if they add a new server on their IP range next week, you'll probably already have it allowed (even though it was a mail server last year).

And then in that case, of course, you would allow all inbound calls to land in Vicidial's inbound DID script. Since there's no "and bounce to outgoing" possible using that method, you're still secure.

Also, you can configure the 'default' DID to forward to a red-alarm-bell somewhere in the office (or a special script? LOL) so if an inbound call arrives that has not been properly configured ... an alarm will sound.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Majestic-12 [Bot] and 127 guests