Elastix plus sign on caller ID messing things up.

This article will tell you how to remove the leading + sign on caller ID that some carriers insert.

If you look at your CDR report and see all of your incoming calls look like this:


Your SIP provider is passing on incoming calls to your PBX with a + sign in front of the Caller ID. This plus sign is a veritable gremlin inside your PBX and will reek all sorts of havoc. Here is a list of just a few things that having leading plus sign breaks that I have discovered so far:

Inbound routes sorted by CID
On-Demand Call Recording Web Interface
Return Calls to Missed Callers

The good news is that you can fix this relatively easily thanks to a little trunk programming that was originally posted on Spiceworks by ericTR

Step 1

Go to PBX tools Asterisk File Editor and edit extensions_custom.conf or use ssh to edit /etc/asterisk/extensions_custom.conf

Add the following Context and Dialplan to the bottom of the file

exten => _X!,1,GotoIf($["${CALLERID(num):0:2}" != "+1"]?noplusatstart) 
exten => _X!,n,Set(CALLERID(num)=${CALLERID(num):1}) 
exten => _X!,n(noplusatstart),Goto(from-trunk,${EXTEN},1)

Reload Asterisk

Step 2
Go to the settings for each trunk that is adding the + sign and add the line:


Save the settings

Step 3
Click Apply Changes from the FreePBX GUI
After the changes are applied, “+” should no longer show up on incoming CallerIDs.


Snom + Elastix Transfer Button Bug Workaround

It has come to my attention that I am not the only person who has this problem, a weird bug that I seemingly could not believe at first when reported by my users. The reports came in that when they were busy on the phones, and they had multiple people on hold, that sometimes, two holding clients would be connected to each other and disconnected by pressing the hold button. I was baffled, “you must be hitting the conference button I said” but no. There is a definite bug in the behavior of the transfer button on the Snom when using Elastix. It works fine with call waiting disabled, but it’s behavior is terrible with multiple lines ringing.

Here is what the button does.

If there is only one line active it places the current line on hold and lets you dial a number or extension then connects the caller to that extension.

If there are multiple lines active, It connects the current active line with the previously active line if two lines are active.

It is trying to do an attended transfer where you hold a call, call the intended recipient, fill them in and press Transfer again to connect them.


This means if you get a call, put it on hold to answer a second call and then try and transfer the second call by pressing transfer, it thinks you are completing an attended transfer and connects your two held calls together, causing confusion and anger.

The solution to this problem is a combination of training and disabling or moving the transfer behavior on the phone.

If you have multiple lines active and you want to transfer a call you need a transfer button that just transfers and does not try and be smart and connects your callers. The easiest thing to do is to reprogram the transfer button on the phone in the Snom’s user interface from:




Pressing the # key in Elastix activates the PBX’s built in transfer function the voice on the line will say “Transfer” and you key the extension to connect the caller to the intended recipient and disconnect from you.

If you want to you can reprogram the Snom button to be the transfer button’s old behavior as I did and explain the behavior to the user and that they need to place the current call on hold, with the hold button, and then call the intended party and push the snom button for an attended transfer.

Here is the function key screen once reprogrammed.

Asterisk Failover – Switch to Second ISP Script

I wanted to make a script to make my failover to a secondary ISP easy and fast if my dedicated WAN link for VoIP went down and I needed to route traffic through my data WAN link in a hurry.

Lets assume the following:

  1. You have a secondary IP connection that you use exclusively for voip traffic.
  2. You have a NAT Router/Firewall for each WAN link plugged into your main switch, and use one as a gateway for data and the other for VoIP but you have SIP and RTP forwarded to the Asterisk Server from both NAT/Firewalls.
  3. Your SIP Provider supports failover to a Secondary IP and you have configured the failover to your secondary data WAN
  4. Both WAN Connections have a static IP address
  5. You only have one asterisk server

I know this is super specific, but you may get some use out of this script in other similar scenarios. You need to do a bit of setup in order for this to work. The script will switch between configuration files and restart associated services. The files affected are:


Assuming your system is currently set up for your VoIP ISP, lets assume its AT&T, and your data WAN is Time Warner Cable, you want to make a config file for each ISP as follows:

# cp /etc/asterisk/sip_nat.conf /etc/asterisk/sip_nat.att
# cp /etc/asterisk/sip_nat.conf /etc/asterisk/sip_nat.twc
# cp /etc/sysconfig/network /etc/sysconfig/network.att
# cp /etc/sysconfig/network /etc/sysconfig/network.twc
# cp /etc/resolv.conf /etc/resolv.att
# cp /etc/resolv.conf /etc/resolv.twc

now edit all of the .twc files in your text editor of choice and change the settings needed.

in sip_nat you need to change the external ip to the static ip address for your data WAN, in network, you need to change the gateway to the local IP of the NAT router/firewall for the data WAN and in resolv.conf you need to change the DNS servers if you are using the router or your ISP’s DNS servers. If you are using a third party like google or openDNS you don’t need to change the values.

So now you have two alternative versions of the configuration files, one for ISP att and one for ISP twc.

now just make the shell script.

# nano /usr/local/bin ispswitch.sh
#Change Gateway to config based on argument
cp /etc/sysconfig/network.$1 /etc/sysconfig/network
#Change DNS Server to Arg Config
cp /etc/resolv.$1 /etc/resolv.conf
#Restart Networking
/sbin/service network restart
#Change SIP-NAT to arg config
cp /etc/asterisk/sip_nat.$1 /etc/asterisk/sip_nat.conf
#Restart Asterisk
asterisk -rx "restart now"
# sudo chmod +x ispswitch.sh

Now you have a shell script that will switch between the sets of config files when you feed it the three letter file extension as follows:

# ./usr/local/bin/ispswitch.sh att

Will switch to the ATT configuration files. If you feed the argument “twc” it will switch to those files.

Obviously this is not something you want to do or test while people are on the phone, but it will get the job done. The scenario would go that your VoIP data link goes down, your VoIP provider tries to route the calls to the backup IP address and it will start to ring through on the backup IP (but with one way audio due to the gateway and improper sip_nat.conf settings) you then quickly run this script and switch the settings while you fix the primary WAN connection.



VoIP Security: Configuring the Elastix Firewall GUI

So you’ve got your Asterisk based Elastix system up and running and you are able to make and receive calls. Its probably safe to assume you have a static public IP address,  and a NAT router/firewall forwarding SIP traffic on port 5060 to your server and RTP traffic on a range of ports forwarded to your server as well. Your setup may vary, and I’ll assume that you have the knowledge to get the traffic to your server.

The good news is that your setup works, the bad news is that your VoIP server is probably still exposed to hackers who are (NO JOKE) actively trying to access your server. SIP is a very high value target for hackers and people are constantly scanning the internet for open connections on port 5060. When they find one the first thing they usually do is to try and brute force attack common extensions and get access to the server.

You will get notifications in your log like this one that show someone is trying to break in:

Screen shot 2014-01-02 at 10.44.06 AM

I am sure you were smart and set up very strong passwords for your extensions, but to be even safer it is a good idea to block inbound SIP traffic from non-trusted IP ranges.

The Elastix GUI interface allows you to control your server’s firewall settings by taking control of IPTables which is Linux’s software based firewall. If you choose to use the Elastix Firewall GUI, it is best to just use it and not rely on hand-coded IPTables rules.

The first thing to do is go to the Security Tab on the Elastix Admin.

Screen shot 2014-01-02 at 11.37.35 AM

The first thing open should be the Firewall settings and you need to specify to turn the Elastix Firewall on. At this point Elastix Firewall is controlling your IPTables and any hand coded settings you have made are nullified so you need to set up your firewall settings in the Elastix Firewall GUI exclusively.

Note that if you have services that are running on ports not covered by the default rules, like for example Webmin, they will cease to function until you allow them.

The default settings for the Elastix Firewall are pretty much useless for security purposes, just letting any traffic from anywhere into the serve.  You need to know how they work to configure them, they are numbered and are processed in order. You should not modify the First rule or the last three as they are critical to the system. Rule 1 allows local loopback traffic in the last three rules also allow the system to function.

For an in-depth look at how these rules and the Elastix Firewall GUI work check out This Guide that will help with most everything covered here except the final configuration.

If the only thing you are running on your system is Elastix/Asterisk and your VOIP provider has given you the IP addresses of their servers from where you can expect incoming traffic, you need to create a rule for each IP address and move it up anywhere above the last three rules. You should click the new rule button and add the IP address of the first server with the CIDR of /32 (One address allowed)

Screen shot 2014-01-02 at 11.54.07 AM

Then move the rule up using the up and down buttons next to the service number, anywhere above the last three rules will work. Make a new rule for each valid server IP address from your SIP trunk provider. Your SIP provider may give you a range of expected RTP IP addresses as well, and you can set up those addresses for RTP in a similar fashion. My SIP trunk provider only provides them for SIP connections so I have to leave RTP open.

Now go ahead and edit the Firewall rules for the services that you do use to include only the IP ranges you want to allow to access them, For example edit the incoming SIP rule to your local network to allow for LAN devices to connect. Edit the SSH rule to be your personal workstation or your local LAN.

Now use the Lightbulb icon to deactivate any services you do not use.

At the end of the day your firewall should look similar to this:

Screen shot 2014-01-02 at 12.07.20 PM

The rules basically say:

  1. Loopback traffic is OK
  2. Traffic from /16 on any protocol is Blocked (Region was trying to break in often)
  3. Traffic from my LAN is allowed on SSH
  4. Traffic from Provider SIP IP 1 on UDP:5060 is allowed
  5. Traffic from Provider SIP IP 2 on UDP:5060 is allowed
  6. Traffic from Provider SIP IP on UDP:5060 is allowed
  7. Traffic from Provider SIP IP on UDP:5060 is allowed
  8. Traffic from my LAN on UDP:5060 is allowed
  9. Traffic from my LAN on HTTPS is allowed
  10. Traffic from my lan on Dell Openmanage is allowed
  11. Traffic from any address on RTP is allowed

To set up rule 10 or a similar rule for a non-standard service/port you need to go to define ports and add a new port for your service then add a firewall rule to allow the service for the appropriate IP ranges.

All the rules below are disabled with the yellow light bulb except the final three system rules.

Screen shot 2014-01-02 at 10.40.24 AM

Now you have a more-secure Elastix system, using the Elastix Firewall GUI.

A word to the wise, should you break your ability to access the Elastix admin via HTTPS with the Elastix Firewall GUI, you need to SSH or locally access the system and type:

SUDO service iptables stop

Then go ahead and log in via the admin panel, change the offending rule and then go back in via SSH or local access and type:

SUDO service iptables start

Asterisk Adventure – The Prelude

I am going back pretty far into the past, but I want to tell the story here.

Work has been using the same phone system for about a million years. The main part of it is an old Siemens Analog PBX that used to be interfaced with a PRI and has since been converted by the Provider From Hell (PRF – a lot more on that later) to use an Adtran SIP>PRI Gateway to utilize a SIP trunk to varying success over a T1 line to the office.

The problems with this system are myriad.

• Unreliable call quality

• Regular crashes of the PBX requiring a hard reboot

• Intermittent Trunk to PSTN routing problems that result in fast busy when dialing

Trying to diagnose the issues are compounded by the fact that we are using ancient equipment with a million points of failure and the PRF is very hard to deal with in getting a straight answer about anything. I will concede that my users are also incredibly hard to deal with in that they seem to have unlimited free time in their complaining schedule, but there accurate notation of errors schedule is completely booked.

All this is a nightmare, and considering when this all started, I knew basically nothing about telecom and VoIP other than that carried voice over IP, hence the name, I was highly reticent to involve myself at all in the process.

It finally came to pass that the difficult users and the PFH built up enough hatred towards one another that they needed to divorce, and hey, I handle IT right, it should totally be your job to fix all this.

Now it was the time to embark on a project to hopefully achieve all of the stated goals:

• Provide relatively reliable phone service

• Save a bunch of money

• Be able to handle everything but the data link and trunk in house.

If you are still reading this and don’t know what VoIP or a SIP trunk are, VoIP stands for Voice over Internet Protocol, which takes standard phone communication and directs a lot of it over the internet, rather than the PSTN (Public Switched Telephone Network) and in the process saves money in a lot of cases. Also since it works over IP, Techies like myself have an easier time working with it because we are already familiar with IP.

A SIP trunk is a service that takes SIP (Session Initiated Protocol) communications (the most popular way to transmit VoIP) and connects them to the PSTN if necessary so that Internet calls can become “real” calls and go over the phone network and ring your grandma’s old-school phone line.