AllowedAddresses filter on SIP Trunk

Telephony
1

Hello,

I’m trying to increase security for my SIP trunk so I just allow receiving calls coming from a specific IP. My understanding is that I can use the AllowedAddresses field for that.

So I have the following:
$ lk sip inbound list
Using default project [******]
┌─────────────────┬───────┬───────────────────────────────────────────────┬──────────────────┬────────────────┬────────────────┬────────────┬─────────┬──────────┐
│ SipTrunkID │ Name │ Numbers │ AllowedAddresses │ AllowedNumbers │ Authentication │ Encryption │ Headers │ Metadata │
├─────────────────┼───────┼───────────────────────────────────────────────┼──────────────────┼────────────────┼────────────────┼────────────┼─────────┼──────────┤
│ ST_****** │ Tests │ +34*********,*********,+34*********,********* │ 1.2.3.4/32 │ │ │ DISABLE │ │ │
└─────────────────┴───────┴───────────────────────────────────────────────┴──────────────────┴────────────────┴────────────────┴────────────┴─────────┴──────────┘

With this configuration, I would expect a call to be rejected, but I am still receiving it. Am I doing anything wrong?

2

What is the trunk ID (starts with ST_)? Or better a call–id. It can the the SIP call-id or LiveKit call id that starts with “SCL_”

With that I can take a look at the config and ses what might be happening and why we passed the call that is not allowed in the allow list.

3

Hello CWilson,

For the example provided, you can check the calls SCL_w3Frck9y7DnB, SCL_iDCKLsZ5X4db, **SCL_jtb8XvhJfRf2
**
This corresponds to a local deployment in my local machine, for testing. I also did an equivalent test in a diferent Livekit project in some machine on the cloud, just in case it had relation, with equivalent results. For this other experiment, you can check calls SCL_vCeWEpnLW7VM, SCL_5bcSjV64uggA

4

@nestor.morales can you please try now, our eng team report that the issue you were seeing has been resolved.

5

Hello Darryn, I checked and now it works!

Many thanks for your prompt answer!

6

Hello ,
I have today the same issue :

I set allowedAddresses on my inbound trunk to 1.2.3.4/32 just for testing(Same as Nestor), but I can still call the LiveKit SIP URI directly from MizuDroid and the call gets established.

Inbound trunk config


{
  "sipTrunkId": "ST_XXXXXXXXXX",
  "name": "test-trunk",
  "allowedAddresses": [
    "1.2.3.4/32"
  ],
  "authUsername": "************",
  "authPassword": "************",
  "includeHeaders": 3
}

Dispatch rule config

{
  "sipDispatchRuleId": "SDR_XXXXXXXXXX",
  "rule": {
    "dispatchRuleIndividual": {
      "roomPrefix": "call-"
    }
  },
  "trunkIds": [
    "ST_XXXXXXXXXX"
  ],
  "name": "test-dispatch",
  "roomConfig": {
    "agents": [
      {
        "agentName": "xxxxx"
      }
    ]
  }
}

Logs


2026-05-12 13:21:35,438 [INFO] agent joined room=xxxxx storage=xxx
2026-05-12 13:21:36,874 [INFO] SIP audio track unsubscribed room=xxxxxx participant=xxx

I was using:

lk version 2.16.2 when setting up the config.

7

@PC which project is this? I see two projects under your account

8

(post deleted by author)

9

Hello Darryn.
Its the XXXXX project.

10

@PC Please try now, it should work

11

Hello Darryn.

It works now :slight_smile:
Is this an issue that will happen again if i create a new project or ? Since currently this is a test project.

Thank you !

12

@PC if you need it enabled on another project, please DM me in this community and I’ll make sure it gets enabled.

I know this situation isn’t ideal and we will make improvements in the future, but for now I’ll make sure you get unblocked.

13

@darryncampbell We are selfhosting livekit and livekit sip bridge. What have we to do, that the AllowedAdresses filter is working again ?

14

What do you mean you are self hosting. You mean you are self hosting LiveKit server or self hosting LiveKit agents?

If you are using LiveKit cloud what is your project ID? What trunk is it not working on? If you are self hosting LiveKit server I am not sure how to help you.