Provider configuration
Overview
The xynap telephony system is connected to two SIP providers that use different authentication methods and IP versions.
| Provider | Profile | Auth | IP version | Numbers |
|---|---|---|---|---|
| Plusnet | external-ipv4 | IP-Auth (no REGISTER) | IPv4 | +493455667290 |
| 1&1 | internal | REGISTER (User/Pass) | IPv6 (mandatory!) | +493455664337, +493455630488 |
1&1 blocks Hetzner IPv4
1&1 rejects SIP registrations from Hetzner IPv4 addresses with `503 Service Unavailable`. All 1&1 trunks **must** run over IPv6. This affects both the Sofia profile (`ext-sip-ip`, `ext-rtp-ip`) and the outbound proxy.
Plusnet
Key data
| Parameters | Value |
|---|---|
| Proxy | sip.plusnet.de |
| Outbound proxy | 92.197.176.16 |
| Authentication | IP Auth (NOREG) |
| Sofia profile | external-ipv4 |
| Bind-IP | 46.4.96.105 (IPv4) |
| Number | +49 345 566 7290 |
| caller-id-in-from | false |
Special features
Outbound proxy is mandatory
Plusnet uses DNS round-robin for `sip.plusnet.de`. Without a fixed outbound proxy, INVITE and ACK may land on different SIP servers, leading to `408 Request Timeout`. The outbound proxy `92.197.176.16` must always be set.
IP authentication: Plusnet authenticates exclusively via the source IP. The IP `46.4.96.105` must be enabled in the Plusnet customer portal. A REGISTER does not take place.
Gateway status: Since no REGISTER occurs, `sofia status` does not show the gateway as `REGED`. The gateway state is `NOREG`, which is correct.
Trunk configuration (Platform API)
The trunk configuration is managed via the Platform API. Relevant fields:
```
Provider: Plusnet
Proxy: sip.plusnet.de
Outbound-Proxy: 92.197.176.16
Register: false
Profile: external-ipv4
Caller-ID: +493455667290
```
1&1
Key data
| Parameters | Value |
|---|---|
| Proxy | sip.1und1.de |
| Outbound proxy | `[2001:8d8:104:100:212:227:124:129]` (IPv6!) |
| Authentication | REGISTER (user name/password) |
| Realm | sip.1und1.de |
| Sofia profile | internal (dual stack) |
| ext-sip-ip / ext-rtp-ip | 2a01:4f8:140:829d::2 (IPv6) |
Numbers
| Number | Use |
|---|---|
| +49 345 566 43378 | IVR main number |
| +49 345 563 0488 | Support hotline |
Special features
Realm configuration
The realm must be `sip.1und1.de`, not `1und1.de`. A wrong realm leads to `401 Unauthorized` when registering, even though username and password are correct.
IPv6 outbound proxy: The outbound proxy must be in square brackets: `[2001:8d8:104:100:212:227:124:129]`. Without brackets, the address is not recognized as IPv6.
Passwords: The SIP passwords are Fernet-encrypted in the database and are decrypted only at runtime. They are available via the API:
```
# Extension config incl. SIP credentials (only with the appropriate permission)
GET /api/v1/sip/extensions/{id}/config
```
Trunk configuration (Platform API)
```
Provider: 1und1
Proxy: sip.1und1.de
Outbound-Proxy: [2001:8d8:104:100:212:227:124:129]
Register: true
Realm: sip.1und1.de
Profile: internal
Username: (from DB)
Password: (encrypted in DB)
```
Gateway loading (mod_xml_curl)
Gateways are not defined statically in XML files; they are loaded dynamically via `mod_xml_curl`:
```
FreeSwitch startup / REGISTER event
        │
        ▼
POST /api/v1/sip/xml-curl
section=directory
        │
        ▼
Platform API generates XML with gateway definitions
        │
        ▼
FreeSwitch loads gateways into Sofia profiles
```
When trunks are changed via the API, a Sofia reload is triggered automatically over the ESL connection.
Gateway discovery
In the directory request, the API also delivers gateway definitions in addition to user limits. FreeSwitch recognizes new gateways and starts the REGISTER process (for trunks with `register: true`).
Startup order
FreeSwitch must be able to reach the Platform API before gateways are loaded. When the container starts, it can take 5–10 seconds until the API responds on port 8001. The ESL connection reconnects automatically.
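What such a directory response can look like, as an added sketch that is not the Platform API's own code: it builds the gateway XML with ElementTree so that credential values are escaped, and masks the password before the document is logged. The function names, gateway names, domain, user id and credentials are assumptions or placeholders; the parameter values are the ones listed on this page.

```python
import xml.etree.ElementTree as ET

# Sofia gateway parameters used on this page; values come from the trunk record.
PARAMS = ("proxy", "outbound-proxy", "register", "realm",
          "username", "password", "caller-id-in-from")

def gateway_element(trunk):
    """Build one <gateway>; ElementTree escapes every attribute value."""
    gw = ET.Element("gateway", name=trunk["name"])
    for key in PARAMS:
        if key in trunk:
            ET.SubElement(gw, "param", name=key, value=str(trunk[key]))
    return gw

def directory_response(domain, user_id, trunks):
    """Wrap the gateways in a mod_xml_curl directory document."""
    doc = ET.Element("document", type="freeswitch/xml")
    section = ET.SubElement(doc, "section", name="directory")
    dom = ET.SubElement(section, "domain", name=domain)
    user = ET.SubElement(dom, "user", id=user_id)
    gateways = ET.SubElement(user, "gateways")
    for trunk in trunks:
        gateways.append(gateway_element(trunk))
    return ET.tostring(doc, encoding="unicode")

def redacted(xml_text):
    """Copy of the document that is safe to log: password values masked."""
    root = ET.fromstring(xml_text)
    for p in root.iter("param"):
        if p.get("name") == "password":
            p.set("value", "***")
    return ET.tostring(root, encoding="unicode")

# Constructed sample: names, domain, user id and credentials are placeholders.
SAMPLE_TRUNKS = [
    {"name": "plusnet", "proxy": "sip.plusnet.de", "outbound-proxy": "92.197.176.16",
     "register": "false", "caller-id-in-from": "false"},
    {"name": "1und1", "proxy": "sip.1und1.de", "realm": "sip.1und1.de",
     "outbound-proxy": "[2001:8d8:104:100:212:227:124:129]", "register": "true",
     "username": "PLACEHOLDER-USER", "password": 'p<"&>w'},
]

if __name__ == "__main__":
    xml_text = directory_response("pbx.example.invalid", "trunks", SAMPLE_TRUNKS)
    print(redacted(xml_text))
```

Because this response carries the decrypted SIP password, the xml-curl endpoint should be reachable only by FreeSwitch, and only the redacted form should reach logs.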
Sofia profiles in detail
external-ipv4
This profile binds exclusively to IPv4 and is used for providers using IP authentication.
```xml
<!-- Essential parameters -->
<param name="sip-ip" value="46.4.96.105"/>
<param name="sip-port" value="5060"/>
<param name="ext-sip-ip" value="46.4.96.105"/>
<param name="ext-rtp-ip" value="46.4.96.105"/>
```
internal
The internal profile binds to `::` (dual stack) and serves IPv6 providers as well as internal extensions and WebRTC.
```xml
<!-- Essential parameters -->
<param name="sip-ip" value="::"/>
<param name="sip-port" value="5060"/>
<param name="ext-sip-ip" value="2a01:4f8:140:829d::2"/>
<param name="ext-rtp-ip" value="2a01:4f8:140:829d::2"/>
<param name="tls-sip-port" value="5061"/>
<param name="wss-binding" value=":7443"/>
```
ext-rtp-ip and audio
The `ext-rtp-ip` must match the IP version of the provider. For 1&1 (IPv6), the IPv6 address must be set here; otherwise there is no audio: the call connects, but there is silence in both directions.
Firewall rules (UFW)
Only the IP ranges of the providers are allowed for SIP:
Plusnet (IPv4)
```bash
# SIP Signaling
ufw allow from 92.197.176.0/24 to any port 5060 proto udp
ufw allow from 92.197.177.0/24 to any port 5060 proto udp
ufw allow from 92.197.182.0/24 to any port 5060 proto udp
# TLS
ufw allow from 92.197.176.0/24 to any port 5061 proto tcp
ufw allow from 92.197.177.0/24 to any port 5061 proto tcp
ufw allow from 92.197.182.0/24 to any port 5061 proto tcp
```
1&1 (IPv6)
```bash
# SIP Signaling (IPv6)
ufw allow from 2001:8d8:104:100:212:227:124:128/125 to any port 5060 proto udp
# SIP Signaling (IPv4, for fallback)
ufw allow from 212.227.124.0/24 to any port 5060 proto udp
```
General
```bash
# WebRTC (open, because it is secured via Traefik/TLS)
ufw allow 7443/tcp
# RTP media (open to all, because the ports are dynamic)
ufw allow 10000:10060/udp
ufw allow 16384:16484/udp
```
Second protective layer: FreeSwitch ACL
In addition to the UFW firewall, FreeSwitch uses its own ACL `sip-gateways` with `default deny`. Only explicitly registered IP ranges may send SIP requests to the `internal` profile.
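A consistency check over the values on this page, added here as an example and not part of the platform: it verifies that each trunk's outbound proxy is IPv4 or bracketed IPv6, that its IP version matches the profile's ext-sip-ip/ext-rtp-ip, and that a UFW rule for 5060/udp admits it. The dict layout and function names are assumptions.

```python
import ipaddress
import re

# Values copied from this page; the data layout is an assumption of this example.
PROFILE_EXT_IP = {"external-ipv4": "46.4.96.105", "internal": "2a01:4f8:140:829d::2"}
TRUNKS = [
    {"provider": "Plusnet", "profile": "external-ipv4", "outbound_proxy": "92.197.176.16"},
    {"provider": "1und1", "profile": "internal",
     "outbound_proxy": "[2001:8d8:104:100:212:227:124:129]"},
]
UFW_RULES = """\
ufw allow from 92.197.176.0/24 to any port 5060 proto udp
ufw allow from 92.197.177.0/24 to any port 5060 proto udp
ufw allow from 92.197.182.0/24 to any port 5060 proto udp
ufw allow from 2001:8d8:104:100:212:227:124:128/125 to any port 5060 proto udp
ufw allow from 212.227.124.0/24 to any port 5060 proto udp
"""

def allowed_networks(rules, port="5060", proto="udp"):
    """Source networks that the ufw rules admit for the given port/protocol."""
    pat = re.compile(r"ufw allow from (\S+) to any port (\d+) proto (\w+)")
    return [ipaddress.ip_network(m.group(1))
            for m in pat.finditer(rules)
            if m.group(2) == port and m.group(3) == proto]

def parse_proxy(value):
    """Return the proxy address; IPv6 is accepted only in [bracketed] form."""
    if value.startswith("[") and value.endswith("]"):
        return ipaddress.IPv6Address(value[1:-1])
    return ipaddress.IPv4Address(value)  # raises ValueError for bare IPv6

def check_trunk(trunk, nets):
    """List the problems found for one trunk; an empty list means consistent."""
    try:
        proxy = parse_proxy(trunk["outbound_proxy"])
    except ValueError:
        return ["outbound proxy is not an IPv4 address or a bracketed IPv6 address"]
    problems = []
    ext_ip = ipaddress.ip_address(PROFILE_EXT_IP[trunk["profile"]])
    if proxy.version != ext_ip.version:
        problems.append("profile ext-sip-ip/ext-rtp-ip is IPv%d, proxy is IPv%d"
                        % (ext_ip.version, proxy.version))
    if not any(proxy in net for net in nets):
        problems.append("no ufw rule admits SIP from %s" % proxy)
    return problems

if __name__ == "__main__":
    for t in TRUNKS:
        print(t["provider"], check_trunk(t, allowed_networks(UFW_RULES)) or "ok")
```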