Extensions - Permit IP

Status
Not open for further replies.

CosteesP

Are there any ways to permit extension registration only from specific IPs (per extension)?
Also, can I set an extension to have only one phone registration simultaneously?
 
No, it is bound by the MAC address of the phone, not the IP - I can only think that the reason for this is because in most scenarios phones use DHCP allocation, so the likelihood of the IP changing is high where the MAC never will change.

I am going to presume that you do not want more than one endpoint connecting to this extension for security reasons (from the outside world) - for this the extension has the setting "Disallow use of extension outside the LAN" which is enabled by default.

Disallow use of extension outside the LAN – Blocks any registrations from outside of the network. This setting applies to IP phones.
 
Does the MAC filter work for phones connected over WAN?
Also, I didn't mention that the PBX is hosted in the cloud, so Disallow use of extension outside the LAN should be disabled.

In the case of LAN PBX/extensions, wouldn't it again allow multiple LAN devices to register as an extension, as it would simply create a new Phone?
 
"Disallow use of extension outside the LAN" should be disabled if you are using phones provisioned using the STUN method - however if security is your concern (which it sounds like it is) you would be much better off using the 3CX SBC as it uses a single port 5090.

If you insist on using STUN then do so but make sure your firewall rules are configured correctly (not allow all to port 5060) and possibly use secure SIP and SRTP (which should be allowed by default at some point in the future): https://www.3cx.com/docs/secure-sip/

Firewall on a hosted platform like Google, AWS etc is normally in the form of ACL type rules (in AWS they are called security groups).

You could use the IP Blacklist to allow/deny connections in (you can enable this for ranges) however it does not cover when IP addresses change.

3CX's in-built security is pretty good for a PBX platform but I would also look at strengthening this by configuring your firewall for only trusted IPs and also on the VoIP Provider level - so outside of normal working hours restrict the amount of calls/call costs allowed via the platform itself.
 
I will continue using the firewall for now until I find a better solution, but I think it is a basic security option to allow registration from only a range or specific IP or at least to disallow phones registering except from those that are already created manually in the provision.
 
I think to achieve exactly what you want the 3CX SBC would be the better option:
https://www.3cx.com/docs/3cx-tunnel-session-border-controller/

You can use the Raspberry Pi option - supported up to 20 extensions.
Or the Windows or Linux versions - which support up to 50 extensions.

Then you can enable "Disallow use of extension outside the LAN" which will bolster up your security.

STUN, I am afraid, does not offer as good security as the SBC (or soft-client with in-built tunnel) so you need to choose between one or the other. That being said, if you use STUN in conjunction with the above guidelines I provided (3CX security, locked down firewall and VoIP Provider) then I cannot see you having too many issues.
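
A check for the "not allow all to port 5060" firewall advice given in this thread, as an added example that is not part of the original posts and is not 3CX tooling: it scans ingress rules in the shape of AWS security-group `IpPermissions` and reports every source outside a trusted list that can reach SIP port 5060. The sample rules and the trusted range 203.0.113.0/24 are constructed values, and the function names are hypothetical.

```python
import ipaddress

SIP_PORT = 5060  # SIP port named in the thread
# Constructed example: the only network allowed to reach SIP directly.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample rules in the shape of AWS security-group "IpPermissions".
SAMPLE_RULES = [
    {"IpProtocol": "udp", "FromPort": 5060, "ToPort": 5060,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # open to everyone
    {"IpProtocol": "tcp", "FromPort": 5060, "ToPort": 5061,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},     # trusted office range
    {"IpProtocol": "udp", "FromPort": 9000, "ToPort": 10999,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},    # does not include 5060
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/25"}]},  # all ports
]

def covers_port(rule, port):
    """True if the rule's protocol and port range include the given port."""
    if rule["IpProtocol"] == "-1":  # "-1" means every protocol and port
        return True
    if rule["IpProtocol"] not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def is_trusted(cidr, trusted):
    """True if the whole source range sits inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def untrusted_sip_sources(rules, trusted=TRUSTED, port=SIP_PORT):
    """Return (protocol, cidr) for each untrusted source that can reach the port."""
    findings = []
    for rule in rules:
        if not covers_port(rule, port):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        findings += [(rule["IpProtocol"], c) for c in cidrs
                     if not is_trusted(c, trusted)]
    return findings

if __name__ == "__main__":
    for proto, cidr in untrusted_sip_sources(SAMPLE_RULES):
        print(f"SIP {SIP_PORT} reachable ({proto}) from untrusted source {cidr}")
```

A source range counts as trusted only when it lies entirely inside a trusted network, so a rule that is wider than the office range is reported as well.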
 