Configuring AVM FritzBox as a Firewall with 3CX Phone System

Introduction

This guide will show how to configure an AVM Fritzbox router / firewall as a border device with 3CX Phone System in the LAN. The tests were made using a FritzBox 7170 with firmware version 29.04.76

Note: This document will show screenshots in German as we could not upload an English language firmware on the device. However some settings are translated from German to English.

AVM FRITZ Box

Status

Important:  The FritzBox has an integrated SiP Server inside. This makes the usage and natting of ports 5060 TCP and UDP to the 3CX Phone System impossible because the Fritzbox SIP server will not allow you to do this. For that reason we have to configure 3CX to “listen” for SIP traffic on a different port.

The status of this type of firewall is “Not Supported”.
Nat Type: Not tested 

Disclaimer

Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company.  You must understand the risk of opening ports to the World Wide Web. Read http://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance may made in this guide.

FritzBox Setup

Note: Screenshots are for illustration purposes only and settings should not be copied from the screenshots.

For an always up to date list of the ports that need to be open check “Firewall & Router Configuration“, as the ports may depend on the version you are using.

1. Activate Expert Mode on the Router

  1. Press on “Einstellunden” (Settings) in the top bar.
  2. Click “Erweiterte Einstellungen” (Advanced Settings) /  “System” (System) / “Ansicht” (View)
  3. Check the“Expertenansicht aktivieren” (activate expert view) box.

2. Enable NAT for SIP requests through the AVM FritzBox.

This option is only available and needed when you use FritzBox in “LAN Mode” and not intended for usage in DSL Mode.

  1. Open “Erweiterte Einstellungen” (Advanced settings) menu, go to “Telefonie” (Telefony) and then the “Erweiterten Einstellungen” (Advanced settings).
  2. Check the check-box for “Portweiterleitung des Internet-Router für Internettelefonie aktiv halten” (enable port forwarding of the Internet-Router for internet calls).
  3. Set the value to 5 minutes.

3. Set the NAT rules that will be used for the PBX

  1. Open the “Erweiterte Einstellungen” (Advanced settings) menu,select  “Internet” (Internet), then “Freigaben” (Sharing) and click the tab “Portfreigaben” (port sharing).
  2. The following example shows the PBX on IP: 10.172.0.141
  3. The port for SIP CAN NOT BE 5060 as normal and must be changed.  Alternatively you may reconfigure your AVM as documented here.
  4. This example shows it for port 5062

. 4. Add the Ports you Need in the FritzBox Configuration

For an always up to date list of the ports that need to be open check “Firewall & Router Configuration“.

  1. HTTP TCP 5000 IF ABYSS WEBSERVER OR TCP 80 IF IIS WEB SERVER
  2. HTTPs TCP 5001 IF ABYSS WEBSERVER OR TCP 443 IF IIS WEB SERVER
  3. SIP TCP/UDP 5060
  4. SECURE SIP TCP 5061
  5. RTP UDP 9000-9500
  6. TUNNEL TCP/UDP 5090

3CX Phone System Setup

1.  Setting up the 3CX PBX

Due to the FritzBox catching all traffic to port 5060 we have to change the SIP Port in the 3CX Phone System.
In the FritzBox port forwarding configuration the SIP Port has been set to 5062 for TCP and UDP by following the steps described in the “FritzBox Setup” part of this guide.
The 5062 port has to be set in the PBX  as well.

  1. Log in to the 3CX Management Console using your credentials
  2. Click on “Settings” menu and go to “Network”
  3. Change the SIP Port accordingly (5062 was used here as the example)

Important: Global changes that need to be made in this scenario

  1. The provisioning files will be updated but the phones will need to be re-provisioned with the new settings.
  2. All phones in your network have to register to Port 5062 and not more to 5060 as usual.
    • Example: Configuration of a Snom Phone

    • ExampleConfiguration of a 3CXPhone

 

Liked this article?


Get notified of new articles
or share
You might also be interested in: