I can't prevent pjsip extension register from outside

The server on cloud.
Even the “Match (Permit)” is empty (on the specific extension I connected), I can register from my home.
I try also, put there some Address (not my), I still can register.

So how prevent connect from outside?

That’s a FreePBX option. You would be better served on the FreePBX forum at https://community.freepbx.org/ as it is what configures Asterisk. From an Asterisk level there are ACLs to prevent such things, but how that works in FreePBX I don’t know.

I supposed that is Asterisk setting:
The “Match (Permit)” of FreePBX setting write down into:

That include on my machine by pjsip.conf.

That’s for matching incoming traffic based on IP address. It’s not an ACL.

According some posts, by the default asterisk not permit register from outside. unless ‘Match’ field for specific extension contain the permit IP’s string. I’m wrong?
(By the way on my machine I not found any ACL settings in asterisks conf files)

Within Asterisk, that is an incorrect and wrong statement. There is no requirement as such.

“According some posts”

Please give us a pointer to them.


Is it possible that FreePBX overloads that setting and uses it as ACL for what it calls extensions. If it doesn’t, given that it only supports inbound registration for “extensions” I wouldn’t expect the option to be available, at all.

In any case, that is a good reason to ask on the FreePBX forum, not here, as people here don’t know how FreePBX translates those settings into Asterisk .conf files.

“According some posts” like:

I try google: asterisk extension acl
I not found anything.
So what is ACL you talking about?

“as people here don’t know how FreePBX translates those settings into Asterisk .conf files.”
It’s written as:

Asterisk extensions are directory numbers; they don’t have IP address associated with them, so ACL makes no sense. Asterisk does not use “extension” in the way that FreePBX uses it. It is not surprising that your search failed.

“asterisk pjsip acl” led me to:

which should probably have been the first place to look, anyway.

Unless it also sets identify_by, that’s not a sensible thing to do. If you know the /32 address, you should not be using registration at all, but FreePBX assumes that all of what it call extensions register.

Without identify_by being overridden, this represents an alternative way of identifying it. The correct From user name will still always be accepted.

Without its using contact rather than max_contacts, it also means the outbound IP address is learned from the registration, but the inbound address is fixed.

FreePBX should not be allowing you to enter anything for “extensions”, unless it supports static addresses, as well as registration, as any other use case would be weird. I think someone didn’t test this properly.

I wonder if FreePBX sets identify_by when creating outbound, or no registration, in FreePBX terms, trunks.

I not sure what the diff between freePBX and Asterisk. the all field based on asterisk.

I found explain for identity hear:

I think, when have user name, Asterisk ignore IP on Match field. did it correct?

On regular sip, have deny/permit. and it work even we supply user. the pjsip have another approach.

The difference between FreePBX and Asterisk is the difference between a jet
engine you can buy from Pratt & Whitney, and a Boeing 747.

The engine is an essential part of an aeroplane, but you can’t fly it on its

An aeroplane is a lot more complex than just the engine, and just because you
learn to fly one type doesn’t automatically mean another type from a different
manufacturer works the same.

Asterisk is the engine. It does SIP (and other protocols) and has all sorts
of functions which can be used to create a PBX, but until someone puts them
together in a particular way, it doesn’t let you make phone calls.

FreePBX is one way of combining a dialplan, a graphical interface, and a whole
load of other software, together with Asterisk, to make a fully working PBX
which can be managed (to a reasonable extent) by a non-techie.

In the same way as you wouldn’t go to Pratt & Whitney to ask how to put the
flaps down in a Boeing 747, it’s not ideal asking here on the Asterisk list
about how to make things work in FreePBX.

FreePBX has its own forums and support mechanisms. You should start from
https://community.freepbx.org/ and you’ll find people there who know the whole
system, not just one small but vital part of it.


Asterisk is a toolkit for creating telephony applications, which is configured by text files (and, less well supported, and not for all features, by database analogues of those text files).

FreePBX is an application of Asterisk limited to single tenant PABX use, with a web based GUI, and which works by supplying canned configurations and configurations generated from its own database, that control Asterisk.

It does not provide full access to Asterisk and it uses terminology which is not used by Asterisk.

As I understand it, features of the call are tried, in an order that is configurable, against endpoints and type=identify sections. They can only match if they are included in the identify_by section for the endpoint.

I think the default, for chan_pjsip, is to prefer a match by IP, but if the IP doesn’t match, it will still match by name. It’s an OR condition, not an AND one.

So anyway, the pjsip in contrast of sip, work or by ip or by user&pass.
Thanks for all answers.

It’s more complex than that. chan_sip can also match by both, although not the way that FreePBX uses it for “extensions”.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.