QUESTION Adding IP Ranges to whitelist?

dhoppy

My setup:
Incrediblepbx 11 with Travelin' Man 4 whitelist.

I use Vitelity for inbound and outbound calling. While trying to solve a call quality problem, they suggested I reconfigure my trunks without registration strings (because I have a static IP). What I've noticed is without the registration string, the firewall blocks inbound calls from Vitelity. I added the inboundXX.vitelity.net FQDN, and it started working, for about 5 minutes. I wondered if Vitelity was sending the calls from IPs not in my whitelist, so I asked Vitelity support, and they gave me a huge range of IPs. When I run iptables -nL, most of the IPs are not listed. These are the #s they gave me:

64.2.142.0/24
66.241.96.0/24
66.241.97.0/24
66.241.99.0/24
66.241.111.0/24
207.166.136.0/24
207.166.137.0/24

Should I add them? I can't imagine that Vitelity has that many IP addresses. If the answer is yes, is there an easy way to add those ranges to the whitelist?

Forgive me if this has been covered, I have been searching all day it seems.
 

Jake

I was having a similar issue and this is how I did it:


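Code:
# Allow SIP signaling (ports 5060-5069) from the provider subnet over UDP
iptables -A INPUT -p udp -m udp -s 64.2.142.0/24 --dport 5060:5069 -j ACCEPT
# Same subnet and port range over TCP
iptables -A INPUT -p tcp -m tcp -s 64.2.142.0/24 --dport 5060:5069 -j ACCEPT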

Then repeat above for each subnet.

Code:
service iptables-persistent restart

This commits the changes to your iptables.

(If you are using Incredible PBX 12 Ubuntu then just execute the ./add-ip script found in /root)
 

dhoppy

Thanks.

Is it safe to add that many IPs to the whitelist?


Those IPs are owned by XO, Vitelity, and Websecure.
 

rossiv

Most likely those are the ranges that their carriers use for media, if they aren't proxying it.
You can just do ./add-ip vitelity1 64.2.142.0/24 and it should work fine. I see no issue adding them if that's what Vitelity told you to do.
 
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
You MAY be able to trim this down by watching the logs. The router should be able to negotiate the RTP traffic so the question becomes what IP(s) are the control channel (port 5060) commands coming in on. In many cases it's one or two IP addresses. Depends how much you want to watch this or how often it changes.
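
An added example, not part of any post in this thread: one way to do the log watching suggested above is to count which source IPs actually send SIP signaling (ports 5060-5069) and map them to the ranges the provider listed. It assumes the firewall logs inbound packets with the iptables LOG target; the `SIP-IN: ` prefix and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges quoted in the thread (as given by the provider's support).
PROVIDER_RANGES = [
    "64.2.142.0/24", "66.241.96.0/24", "66.241.97.0/24", "66.241.99.0/24",
    "66.241.111.0/24", "207.166.136.0/24", "207.166.137.0/24",
]
SIP_PORTS = range(5060, 5070)  # same 5060:5069 span as the rules in the thread

# Fields written by the kernel for the iptables LOG target.
LOG_RE = re.compile(r"SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

# Constructed, abbreviated sample lines; "SIP-IN: " is a hypothetical --log-prefix.
SAMPLE_LOG = """\
Mar  9 10:00:01 pbx kernel: SIP-IN: IN=eth0 OUT= SRC=64.2.142.17 DST=192.0.2.10 LEN=560 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=540
Mar  9 10:00:02 pbx kernel: SIP-IN: IN=eth0 OUT= SRC=64.2.142.17 DST=192.0.2.10 LEN=420 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=400
Mar  9 10:00:03 pbx kernel: SIP-IN: IN=eth0 OUT= SRC=207.166.136.80 DST=192.0.2.10 LEN=200 TTL=54 ID=0 DF PROTO=UDP SPT=14002 DPT=10002 LEN=180
Mar  9 10:04:10 pbx kernel: SIP-IN: IN=eth0 OUT= SRC=66.241.99.4 DST=192.0.2.10 LEN=560 TTL=51 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=540
Mar  9 10:07:45 pbx kernel: SIP-IN: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=430 TTL=47 ID=0 DF PROTO=UDP SPT=5071 DPT=5060 LEN=410
""".splitlines()


def signaling_sources(lines, ranges=PROVIDER_RANGES):
    """Count SIP-port source IPs per listed range, plus any outside all ranges."""
    nets = [(r, ipaddress.ip_network(r)) for r in ranges]
    seen = {r: Counter() for r in ranges}
    outside = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m.group(3)) not in SIP_PORTS:
            continue  # not a firewall log line, or not signaling (e.g. RTP)
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field
        match = next((r for r, net in nets if ip in net), None)
        (seen[match] if match else outside)[str(ip)] += 1
    return seen, outside


if __name__ == "__main__":
    seen, outside = signaling_sources(SAMPLE_LOG)
    for r, hosts in seen.items():
        print(f"{r:18} {dict(hosts) or 'no signaling seen'}")
    print("outside ranges:", dict(outside))
```

Ranges that never show signaling over a representative period are candidates for trimming; sources reported outside every range were not covered by the provider's list.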
 
