[Freeswitch-users] ACLs through proxy

Bill W freeswitch at aastral.net
Tue Dec 15 20:58:46 PST 2009

Hi All,

I have a FreeSWITCH cluster behind an OpenSIPS proxy/load balancer, and 
I'd like to be able to use the auth-calls feature in my sip profile in 
conjunction with the <param name="auth-acl" value=""/> 
parameter in the directory.

In addition to running the INVITEs through the load balancer, I also 
need to run the REGISTERs through the load balancer because some of my 
endpoints are behind NAT firewalls, and therefore won't accept incoming 
calls from IPs other than the IP they registered to.  INVITEs from the 
cluster going to registered endpoints are sent back through the proxy, 
thereby solving the NAT problem.

However, having the proxy in the path effectively negates using IP based 

The functionality I require is as follows:
1. Only allow registration if the endpoint IP matches it's own unique 
acl CIDR (specified in the directory).

2. Only accept INVITEs from endpoints that authenticate AND match the 
acl CIDR (again, specified in the directory).

Does anyone have any recommendations on the best way to get the 
auth-calls functionality using an IP other than the IP of the last hop?

If not, how hard would it be to add a feature to the auth-calls 
parameter to accept a channel variable from which to obtain the actual 
endpoint IP?


More information about the FreeSWITCH-users mailing list