IT-LINUXMAKER, OpenSource, Tutorials

FreePBX SIP-Settings

At this point, it should be emphasized again that the FreePBX or Asterisk telephone system—like any other device on the local network—is a network-capable computer and behaves accordingly. As shown in the diagram, all devices, including the FreePBX system, access the Internet via the DSL router or firewall. The telephone system also uses this route, for example, to register with the telephony provider's SIP trunk.

In many cases, it is necessary to deactivate the integrated telephony functions of conventional DSL routers (such as the FRITZ!Box), as otherwise they can interfere with SIP connections and registration on the SIP trunk may fail.

A much more robust and controllable solution is to use an OpenWRT router with correctly configured SIP NATing (Session Initiation Protocol – Network Address Translation). This ensures that the SIP and RTP protocols required by Asterisk are properly routed through the NAT firewall.

In addition, you benefit from the advanced features of an OpenWRT firewall compared to typical consumer routers, for example targeted port forwarding, SIP handling via iptables/conntrack, and, last but not least, security mechanisms such as Fail2ban that protect SIP registration against brute-force attempts.

 

The SIP settings are located under "Settings → Asterisk SIP Settings" (http://IP-Adresse/admin/config.php?display=sipsettings). Important settings can be configured under the "General SIP Settings" and "SIP Settings [chan_pjsip]" tabs.

Settings in “Security Settings”

The "Allow SIP Guests" parameter allows unauthenticated SIP clients to connect to the Asterisk server. If set to "Yes", any SIP client can attempt to send requests to the server—even without registration or authentication. Therefore, this parameter should always be set to "No".

Settings in “NAT Settings”

To ensure the Asterisk PBX is accessible externally, the external IP address must be entered under "External Address". Additionally, the local network is entered under "Local Networks". This can be easily done using the two buttons.

As long as the FreePBX/Asterisk PBX is behind a dynamic IP address, this must be done manually after each IP address change. Alternatively, you could obtain a hostname from a DynDNS service, for example. However, this is not advisable for security reasons, because:

  • If the server does not communicate encrypted (e.g., SIP without TLS, RTP without SRTP), any man-in-the-middle (even at the ISP level) can intercept content.
  • In some cases, free services may engage in tracking, logging, or even DNS manipulation.

Therefore, this approach is not pursued further here; a more elegant solution is used instead.

Some SIP providers do not use the Contact or Via header (where the external IP is entered), but respond directly to the IP address from which the SIP packet came.

  • This also works if Asterisk specifies an old IP in the SIP header.
  • This works particularly well if Asterisk is behind a static NAT and no asymmetric NAT is in use.

Here, however, is my solution, which automatically updates the external IP address on the FreePBX/Asterisk PBX at regular intervals. As we already know, FreePBX settings are stored in a MySQL database, from where fwconsole reload transfers them to the actual Asterisk configuration files and reloads the Asterisk service. We take advantage of this with a script that checks whether the IP address has changed and, if so, updates both the database and the Asterisk configuration. A cron job ensures that this happens daily.

~# vi /usr/local/bin/sip_external_ip_update.sh

#!/bin/bash
# -----------------------------------------------------------------------------
# Script: sip_external_ip_update.sh
# Description:
#   Updates the "externip" field in the Asterisk (FreePBX) database with the
#   current public IP address, if it has changed. Automatically reloads
#   FreePBX configuration via fwconsole if updated.
#
# Intended for use with dynamic IP (e.g. behind NAT or DSL).
# Designed for safe execution via root's crontab.
#
# Author: Andreas Günther
# License: GNU General Public License v3.0 (GPLv3)
# License URL: www.gnu.org/licenses/gpl-3.0.txt
# Encoding: UTF-8
# -----------------------------------------------------------------------------

# ----------------------------
# Configuration
# ----------------------------
DB_NAME="asterisk"
DB_USER="dbuser"
# NOTE: the DB password is stored in this file; keep it readable by root only.
PW="topsecret"
KV_KEY="externip"
IP_SERVICE="https://api.ipify.org"

# ----------------------------
# Logging Setup
# ----------------------------
exec 2> >(logger -t update_sip_external_ip -p user.err)
logger -t update_sip_external_ip "[DEBUG] Script started."

# ----------------------------
# Get public IP
# ----------------------------
current_ip=$(curl -s "$IP_SERVICE")
logger -t update_sip_external_ip "[DEBUG] Fetched public IP: $current_ip"

if ! [[ $current_ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
   logger -t update_sip_external_ip "[ERROR] Invalid public IP: $current_ip"
   exit 1
fi

# ----------------------------
# Read IP from DB
# ----------------------------
db_ip=$(mysql -u "$DB_USER" -p"$PW" -N -B -e "SELECT val FROM kvstore_Sipsettings WHERE \`key\` = '$KV_KEY';" "$DB_NAME")
logger -t update_sip_external_ip "[DEBUG] Current DB IP: $db_ip"

if [[ "$current_ip" == "$db_ip" ]]; then
   logger -t update_sip_external_ip "[INFO] IP unchanged: $current_ip – no action necessary."
   exit 0
fi

# ----------------------------
# Update IP in the DB
# ----------------------------
mysql -u "$DB_USER" -p"$PW" -e "UPDATE kvstore_Sipsettings SET val='$current_ip' WHERE \`key\` = '$KV_KEY';" "$DB_NAME"
if [[ $? -ne 0 ]]; then
   logger -t update_sip_external_ip "[ERROR] Error updating IP in database."
   exit 2
fi
logger -t update_sip_external_ip "[INFO] IP updated: $db_ip → $current_ip"

# --------------------------------------
# fwconsole reload via su (safe context)
# --------------------------------------
logger -t update_sip_external_ip "[DEBUG] Running fwconsole reload via su - asterisk"

if output=$(su - asterisk -c "/usr/sbin/fwconsole reload" 2>&1); then
   logger -t update_sip_external_ip "[INFO] fwconsole reload executed successfully."
else
   logger -t update_sip_external_ip -p user.err "[ERROR] fwconsole reload failed: $output"
   exit 3
fi

logger -t update_sip_external_ip "[DEBUG] Script completed successfully."
exit 0

Of course, the script must be made executable.

~# chmod a+x /usr/local/bin/sip_external_ip_update.sh

Then it can be run daily via a cron job, for example:

~# crontab -e
….
@daily /usr/local/bin/sip_external_ip_update.sh
….

This reliably integrates the external IP address into the FreePBX/Asterisk telephone system, without the need for DynDNS services or constant manual follow-up. Why don't FreePBX developers come up with such a simple idea?
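
The regular expression in the script accepts any four dot-separated digit groups, including values such as 999.1.1.1 or a private address, and the result is written into the database and the SIP configuration. The following stricter check is an added example, not part of the original script; the function names is_public_ipv4 and get_validated_ip and the sample addresses are assumptions made for illustration:

```bash
#!/bin/bash
# Added example (not from the original script): validate the address returned
# by the IP lookup service before it is written to the database.

# Returns 0 only for a well-formed, publicly routable IPv4 address.
is_public_ipv4() {
    local ip="$1" o1 o2 n
    local octet='(0|[1-9][0-9]{0,2})'        # no leading zeros, max. 3 digits
    local re="^${octet}[.]${octet}[.]${octet}[.]${octet}\$"
    # Anything except four numeric groups is rejected (whitespace, quotes, SQL).
    [[ $ip =~ $re ]] || return 1
    for n in 1 2 3 4; do
        (( BASH_REMATCH[n] <= 255 )) || return 1
    done
    o1=${BASH_REMATCH[1]} o2=${BASH_REMATCH[2]}
    # Ranges that can never be the external address of the PBX:
    (( o1 == 0 || o1 == 10 || o1 == 127 || o1 >= 224 )) && return 1
    (( o1 == 169 && o2 == 254 )) && return 1               # link-local
    (( o1 == 172 && o2 >= 16 && o2 <= 31 )) && return 1    # RFC 1918
    (( o1 == 192 && o2 == 168 )) && return 1               # RFC 1918
    (( o1 == 100 && o2 >= 64 && o2 <= 127 )) && return 1   # CGNAT, RFC 6598
    return 0
}

# Possible replacement for the fetch + regex step of the script.
# IP_SERVICE is the variable from the script's configuration block.
get_validated_ip() {
    local ip
    ip=$(curl -fsS --max-time 10 "${IP_SERVICE:-https://api.ipify.org}") || return 1
    is_public_ipv4 "$ip" && printf '%s\n' "$ip"
}

# Constructed sample responses (203.0.113.0/24 is a documentation range).
for candidate in "203.0.113.7" "192.168.178.1" "999.1.1.1"; do
    if is_public_ipv4 "$candidate"; then
        echo "accept $candidate"
    else
        echo "reject $candidate"
    fi
done
```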

Settings in “RTP Settings”

The settings under "RTP Settings" should be left as offered. The "RTP Port Ranges" value of "10000-20000" is especially important, as these ports must be allowed in the firewall.

Settings in “Audio-Codecs”

Codecs (coders and decoders) are crucial to the proper functioning of the connection. They determine how audio data is compressed, transmitted, and decoded during a VoIP call. They influence voice quality, bandwidth usage, and compatibility with end devices and providers. For VoIP over Telekom lines (e.g., SIP trunks or extracted SIP access data from routers), there are clear specifications:

  • g722 (HD Voice, preferred)
  • alaw (G.711a – Fallback, ISDN quality)

However, the following should not be used:

  • ulaw (G.711u – is usually not supported in the European network)
  • gsm, g726, g729 (outdated or incompatible with Telekom Trunk)

If codecs are enabled but not supported, you may experience disconnections, SIP errors (488 Not Acceptable), one-way audio, or no call answer at all.

In the FreePBX GUI, you can arrange the codecs in the correct order by selecting and dragging them with the mouse. This is important, as the second value will always be the fallback. Generally, you should check with your provider about the supported codecs.

When configuring SIP trunks in FreePBX/Asterisk, the choice of codecs is crucial. Providers like Deutsche Telekom typically expect g722 (HD Voice) to be used first, with alaw as a fallback. Using additional codecs like ulaw, gsm, g726, or g729 can lead to incompatibilities and should be avoided with these providers. The actual codec selection should always be based on the requirements of the respective VoIP provider.
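
The codec rule described above can be checked automatically. The following is an added example, not part of the original tutorial; the function names, the section names and the sample configuration are constructed, and the input is assumed to use Asterisk's comma-separated "allow=" syntax:

```bash
#!/bin/bash
# Added example: audits codec lists against the recommendation described above
# (g722 first, alaw as fallback; ulaw, gsm, g726, g729 not enabled).

# Constructed sample in Asterisk "allow=" syntax; section names are made up.
SAMPLE_CONF='[trunk-sample]
type=endpoint
disallow=all
allow=g722,alaw

[ext-sample]
type=endpoint
disallow=all
allow=ulaw,alaw,gsm'

# Checks one comma-separated codec list; returns 1 if it violates the rule.
audit_codecs() {
    local list="${1// /}" codec status=0
    local -a codecs
    IFS=',' read -r -a codecs <<< "$list"
    for codec in "${codecs[@]}"; do
        case "$codec" in
            g722|alaw) ;;
            ulaw|gsm|g726|g729)
                echo "  FAIL: $codec should not be enabled"; status=1 ;;
            *)  echo "  WARN: $codec is not covered here, ask the provider" ;;
        esac
    done
    [[ ${codecs[0]} == g722 ]] || { echo "  FAIL: g722 is not first"; status=1; }
    [[ ${codecs[1]} == alaw ]] || { echo "  FAIL: alaw is not the fallback"; status=1; }
    return "$status"
}

# Reads configuration text on stdin and audits every "allow=" line in it.
audit_config() {
    local line rc=0 re='^[[:space:]]*allow[[:space:]]*=[[:space:]]*(.*)$'
    while IFS= read -r line; do
        [[ $line =~ $re ]] || continue
        echo "allow=${BASH_REMATCH[1]}"
        audit_codecs "${BASH_REMATCH[1]}" || rc=1
    done
    return "$rc"
}

printf '%s\n' "$SAMPLE_CONF" | audit_config || echo "=> codec list needs attention"
```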

Settings in “Misc PJSip Settings”

The “Show Advanced Settings” parameter is set to “Yes” to display advanced or hidden configuration options that are hidden in normal mode to keep the user interface clear.

Settings in “TLS/SSL/SRTP Settings”

Here, in the "Certificate Management" section, select "default" and set the "SSL Method" to "tlsv1_3". This is important for Telekom, as they only allow registration using this SSL method.

Settings in “Transports”

Finally, the value for "udp - 0.0.0.0 - All" must be set to "Yes", then saved and reloaded in order to make the final settings. Under "Port to Listen On", you'll find two port specifications, one for UDP and one for TCP. UDP listens on "5060", while TCP listens on port "5061". This is important for Telekom, because when DSL is encrypted, Telekom requires port "5061".

This completes the SIP settings. Continue here to configure the trunks.



© IT-LINUXMAKER 2025