Hi All, I have a FreeSWITCH cluster behind an OpenSIPS proxy/load balancer, and I'd like to be able to use the auth-calls feature in my sip profile in conjunction with the <param name="auth-acl" value="1.2.3.0/8"/> parameter in the directory.
In addition to running the INVITEs through the load balancer, I also need to run the REGISTERs through the load balancer because some of my endpoints are behind NAT firewalls, and therefore won't accept incoming calls from IPs other than the IP they registered to. INVITEs from the cluster going to registered endpoints are sent back through the proxy, thereby solving the NAT problem. However, having the proxy in the path effectively negates using IP-based ACLs.

The functionality I require is as follows:

1. Only allow registration if the endpoint IP matches its own unique ACL CIDR (specified in the directory).
2. Only accept INVITEs from endpoints that authenticate AND match the ACL CIDR (again, specified in the directory).

Does anyone have any recommendations on the best way to get the auth-calls functionality using an IP other than the IP of the last hop? If not, how hard would it be to add a feature to the auth-calls parameter to accept a channel variable from which to obtain the actual endpoint IP?

Thanks!
Bill
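The two requirements in the post above, written out as an added Python illustration (not part of the original message, and not FreeSWITCH or OpenSIPS code). It assumes the proxy passes the endpoint address along in some field, here the hypothetical `forwarded_ip`; the proxy address, user ids and the second CIDR are constructed sample values. The forwarded address is used only when the last hop is the trusted proxy, otherwise any sender could claim an address inside its ACL.

```python
import ipaddress

# Constructed sample data; none of these names come from FreeSWITCH or OpenSIPS.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # assumed load balancer address
DIRECTORY_ACL = {
    "1001": "1.2.3.0/8",          # CIDR exactly as written in the post
    "1002": "198.51.100.16/28",   # constructed
}

def effective_source(last_hop, forwarded_ip):
    """Pick the address to test against the per-user ACL.

    The proxy-supplied address is used only if the packet really came
    from a trusted proxy; from anyone else it is ignored.
    """
    hop = ipaddress.ip_address(last_hop)
    if hop in TRUSTED_PROXIES and forwarded_ip:
        try:
            return ipaddress.ip_address(forwarded_ip)
        except ValueError:
            return None            # malformed value: fail closed
    return hop

def request_allowed(user, last_hop, forwarded_ip, authenticated):
    """Allow a REGISTER or INVITE only if the user authenticated AND the
    effective source address falls inside that user's own CIDR."""
    cidr = DIRECTORY_ACL.get(user)
    if cidr is None or not authenticated:
        return False
    src = effective_source(last_hop, forwarded_ip)
    if src is None:
        return False
    # strict=False: "1.2.3.0/8" has host bits set and is read as 1.0.0.0/8.
    net = ipaddress.ip_network(cidr, strict=False)
    return src in net

if __name__ == "__main__":
    print(request_allowed("1002", "10.0.0.5", "198.51.100.20", True))     # via proxy
    print(request_allowed("1002", "203.0.113.7", "198.51.100.20", True))  # direct, claimed IP ignored
```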