Guide on How to Configure a Draytek 2820 Router Firewall for Use With the 3CX Phone System

Introduction

This document describes the configuration of a Draytek 2820 for use with 3CX Phone System. We will look at the NAT configuration required by 3CX Phone System and at the QoS configuration needed to prioritize SIP and RTP traffic. The firmware version tested was 3.3.3, dated 23 October 2009.

Status

In general Draytek routers are known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP Providers, direct Remote Extensions (STUN) and 3CX Tunnel connections. Take extra care when following this guide.

The status of this type of firewall is “Supported”.
NAT Type: Not tested

Disclaimer

Configuration of the firewall will never be carried out by 3CX staff at any point and must be done by the company's system administrator. You must understand the risk of opening ports to the World Wide Web. Read http://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated there. This guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance that may be contained in this guide.

NAT Configuration

Disable SIP ALG

You first need to disable SIP ALG on your Draytek Router by following the steps outlined below:

  1. Open a Command Prompt and telnet to the Draytek router by typing the following command: >telnet IP-Vigor_Router
  2. Enter the following commands to disable the SIP ALG Handler on the device:
    >sys sip_alg 0
    >sys commit

If you are using a Vigor2750 or a Vigor2130 use the following steps:

  1. Open a Command Prompt and telnet to the Draytek router by typing the following command: >telnet IP-Vigor_Router
  2. Enter the following commands to disable the SIP ALG Handler on your device:
    >kmodule_ctl nf_nat_sip disable
    >kmodule_ctl nf_conntrack_sip disable
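The telnet steps above are easy to script, which also makes it easy to re-check the setting after a firmware upgrade or a factory reset. The following is an added example, not DrayTek's or 3CX's own code. It drives the documented command sequences with a plain socket (the standard-library telnetlib module was removed in Python 3.13) and makes two assumptions that are not taken from this guide: that the router's password prompt ends in ":" and its command prompt in "> " (edit PROMPTS if your firmware differs), and that "sys sip_alg ?" answers with a line containing "current SIP ALG is disabled" or "... enabled", the wording quoted from the manual in the comments further down. That status query is only sent on the "sys sip_alg" models; the guide documents no equivalent query for the kmodule_ctl models.

```python
"""Disable the SIP ALG on a DrayTek Vigor over telnet and confirm the result.

Added example, not DrayTek or 3CX code. Prompt endings and the wording of the
'sys sip_alg ?' reply are assumptions (see PROMPTS and parse_alg_status).
"""
import re
import socket

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
PROMPTS = {"password": b":", "command": b">"}  # assumed prompt endings

# Command sequence per model family, exactly as listed in the steps above.
ALG_OFF_COMMANDS = {
    "2820": ["sys sip_alg 0", "sys commit"],
    "2750": ["kmodule_ctl nf_nat_sip disable", "kmodule_ctl nf_conntrack_sip disable"],
    "2130": ["kmodule_ctl nf_nat_sip disable", "kmodule_ctl nf_conntrack_sip disable"],
}


def alg_off_commands(model: str) -> list:
    """Return the documented command list for a model; unknown models raise."""
    if model not in ALG_OFF_COMMANDS:
        raise ValueError(f"no documented SIP ALG sequence for Vigor{model}")
    return list(ALG_OFF_COMMANDS[model])


def parse_alg_status(output: str):
    """Read 'sys sip_alg ?' output: True = enabled, False = disabled, None = not found."""
    m = re.search(r"current SIP ALG is (enabled|disabled)", output, re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "enabled"


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC option sequences so only the router's text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            # DO/DONT/WILL/WONT carry one option byte; other commands are two bytes
            i += 3 if data[i + 1] in (DO, DONT, WILL, WONT) else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def _read_until(sock: socket.socket, marker: bytes, timeout: float = 3.0) -> str:
    """Collect output until the stream ends with 'marker' (or goes quiet)."""
    sock.settimeout(timeout)
    buf = b""
    while not buf.rstrip().endswith(marker):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += strip_telnet_negotiation(chunk)
    return buf.decode("ascii", errors="replace")


def disable_sip_alg(host: str, password: str, model: str = "2820", port: int = 23):
    """Log in, send the documented commands, then return the parsed ALG state.

    Returns None for the kmodule_ctl models, whose state query is not documented here.
    """
    commands = alg_off_commands(model)
    with socket.create_connection((host, port), timeout=5.0) as sock:
        _read_until(sock, PROMPTS["password"])
        sock.sendall(password.encode() + b"\r\n")
        _read_until(sock, PROMPTS["command"])
        for cmd in commands:
            sock.sendall(cmd.encode() + b"\r\n")
            _read_until(sock, PROMPTS["command"])
        if commands[0].startswith("sys sip_alg"):
            sock.sendall(b"sys sip_alg ?\r\n")
            return parse_alg_status(_read_until(sock, PROMPTS["command"]))
    return None


if __name__ == "__main__":
    # Usage: disable_sip_alg("192.168.1.1", "router-password") -> False means disabled
    print(disable_sip_alg("192.168.1.1", "router-password"))
```

Treat a return value of None from the 2820 path as a failure to verify, not as success: it means the status line was not found in the reply, so check the prompt assumptions before trusting the change.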

Port Forwarding

For an up-to-date list of the ports that need to be open, check “Firewall & Router Configuration”, as the ports may depend on the version you are using.

  1. Browse to the Router’s Web Interface (the device’s default IP Address is 192.168.1.1).
  2. Go to the “NAT -> Open Ports” menu
  3. In this example, 3CX PhoneSystem is installed on a server with IP Address 192.168.1.200, and the Draytek is connected to the Internet via the WAN1 interface. Go to the first free position in the “Open Port” menu, and configure as follows:
  4. Ensure the “Enable Open Ports” checkbox is enabled
  5. Set the “Comment” field to “3CX”
  6. Set the “WAN Interface” field to “WAN1”
  7. Set the “Local Computer” field to the IP Address of the 3CX PhoneSystem machine (in this example 192.168.1.200)
  8. Set the first line as follows:
    1. Set the “Protocol” field to “TCP”
    2. Set the “Start Port” and “End Port” fields to “5000” if Abyss Webserver or “80” if IIS Web Server
  9. Set the second line as follows:
    1. Set the “Protocol” field to “TCP”
    2. Set the “Start Port” and “End Port” fields to “5001” if Abyss Webserver or “443” if IIS Web Server
  10. Set the third line as follows:
    1. Set the “Protocol” field to “TCP/UDP”
    2. Set the “Start Port” and “End Port” fields to “5060”.
  11. Set the fourth line as follows:
    1. Set the “Protocol” field to “TCP”
    2. Set the “Start Port” and “End Port” fields to “5061”.
  12. Set the fifth line as follows:
    1. Set the “Protocol” field to “UDP”
    2. Set the “Start Port” field to “9000” and the “End Port” field to “9500”
  13. Set the sixth line as follows:
    1. Set the “Protocol” field to “TCP/UDP”
    2. Set the “Start Port” and “End Port” fields to “5090”
  14. Click on the “OK” button at the bottom of the page.


This will send you back to the “Open Ports” summary page.
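Once the entry is saved, it is worth comparing what the “Open Ports” summary page actually shows against the six lines above, since a typo in a start or end port (a range of 5060-5090 instead of two single ports, for example) silently exposes more than intended. The following is an added example, not 3CX's or DrayTek's code. It encodes the six documented lines, with the Abyss/IIS choice selecting the web ports, and diffs them against whatever you copy by hand from the summary page, reporting both missing and surplus forwards. It also includes a plain TCP connect test of the kind the 3CX Firewall Checker (see Validation below) performs; run that from a host outside your network against your own public address (PUBLIC_IP is a constructed placeholder). UDP-only ports such as the RTP range cannot be confirmed with a connect and are only listed.

```python
"""Expected 3CX 'Open Ports' lines for the Vigor 2820, a rule diff, and a TCP reachability check.

Added example, not 3CX or DrayTek code. PUBLIC_IP is a constructed placeholder.
"""
import socket

PUBLIC_IP = "203.0.113.10"  # constructed placeholder, not a real PBX address

# A rule is (protocol, start port, end port), mirroring the three Open Ports fields.


def expected_rules(webserver: str) -> list:
    """The six lines of the '3CX' Open Ports entry for the chosen web server."""
    http, https = {"abyss": (5000, 5001), "iis": (80, 443)}[webserver.lower()]
    return [
        ("TCP", http, http),        # 3CX web interface (HTTP)
        ("TCP", https, https),      # 3CX web interface (HTTPS)
        ("TCP/UDP", 5060, 5060),    # SIP
        ("TCP", 5061, 5061),        # secure SIP
        ("UDP", 9000, 9500),        # RTP media
        ("TCP/UDP", 5090, 5090),    # 3CX Tunnel
    ]


def _expand(rules) -> set:
    """Flatten rules into (protocol, port) pairs; 'TCP/UDP' becomes both."""
    pairs = set()
    for proto, start, end in rules:
        for p in proto.split("/"):
            pairs.update((p, port) for port in range(start, end + 1))
    return pairs


def diff_rules(configured, expected):
    """Return (missing, surplus) as sorted lists of (protocol, port)."""
    have, want = _expand(configured), _expand(expected)
    return sorted(want - have), sorted(have - want)


def tcp_ports(rules) -> list:
    """Ports that a TCP connect test can exercise."""
    return sorted(port for proto, port in _expand(rules) if proto == "TCP")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    rules = expected_rules("abyss")
    # What was actually typed into the router (constructed sample with a range typo).
    typed = [("TCP", 5000, 5000), ("TCP", 5001, 5001), ("TCP", 5060, 5090),
             ("TCP", 5061, 5061), ("UDP", 9000, 9500), ("TCP/UDP", 5090, 5090)]
    missing, surplus = diff_rules(typed, rules)
    print("missing:", missing)
    print("surplus:", surplus)
    for port in tcp_ports(rules):
        state = "open" if tcp_reachable(PUBLIC_IP, port) else "closed"
        print(f"{PUBLIC_IP}:{port}/tcp {state}")
```

A non-empty surplus list is the case to act on first: every extra port is an extra service exposed to the Internet for no benefit to the PBX.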

QoS Configuration

To configure the Quality of Service part of the Draytek 2820, please follow these steps:

1. Bandwidth Management – Quality of Service


  1. Browse to the Router’s Web Interface (the device’s default IP Address is 192.168.1.1).
  2. Go to the “Bandwidth Management -> Quality of Service” menu. First we need to define the ports and services used by 3CX Phone System. Proceed as follows:
  3. Click the “Edit” link under the “Service Type” heading.
  4. Click on “Add”, and insert the following service: Name: “3CX HTTP”, Service Type: “TCP”, Type: “Single”, Port Number: “5000” if Abyss Webserver or “80” if IIS Web Server
  5. Click on “Add”, and insert the following service: Name: “3CX HTTPS”, Service Type: “TCP”, Type: “Single”, Port Number: “5001” if Abyss Webserver or “443” if IIS Web Server
  6. Click on “Add”, and insert the following service: Name: “3CX SIP”, Service Type: “TCP/UDP”, Type: “Single”, Port Number: “5060”
  7. Click on “Add”, and insert the following service: Name: “3CX SECURE SIP”, Service Type: “TCP”, Type: “Single”, Port Number: “5061”
  8. Click on “Add”, and insert the following service: Name: “3CX TUNNEL”, Service Type: “TCP/UDP”, Type: “Single”, Port Number: “5090”
  9. Click on “Add”, and insert the following service: Name: “3CX RTP”, Service Type: “UDP”, Type: “Range”, Port Number: “9000 – 9500”


  10. Click the “Cancel” button to go back to the previous page. After that we need to create a “Class Rule”:

2. Creating a Class Rule


  1. Click on the “Edit” link in the “Class 1” row under the “Rule” header
  2. Set the “Name” field to “3CX VOIP”
  3. Click on the “Add” button
  4. Set the “ACT” field to Enabled
  5. Set the “Local Address” field to the IP Address of the PBX Machine (in this example 192.168.1.200)
  6. Ensure the “Remote Address” field is set to “Any”
  7. Ensure the “DiffServ Codepoint” field is set to “Any”
  8. Set the “Service Type” field to “3CX SIP”
  9. Click the “OK” button
  10. Repeat the last 7 steps for each of the 4 remaining service types, changing the “Service Type” field to “3CX HTTPS”, “3CX HTTP”, “3CX SIP”, “3CX SECURE SIP”, “3CX RTP” and “3CX TUNNEL” respectively.
  11. Click on the “OK” button to save the Class Rule.


This will take you to the QoS Main Page.

3. Assign a Priority Level

Now we need to instruct the router what priority level to assign to traffic of class “3CX VOIP”.

  • Click on the “Setup” link on the “WAN1” row.
  • Set the “Enable the QoS Control” checkbox, and set the traffic direction to “BOTH”
  • Set the “Reserved_bandwidth Ratio” field for traffic of class “3CX VOIP” to 70%
  • Set the “Reserved_bandwidth Ratio” field for traffic of Class 2 and Class 3 to 10%
  • Click on the “OK” button to complete the configuration

Note that the “Reserved_bandwidth Ratio” percentage value does not reserve bandwidth at all times, but only when other traffic types are competing with “3CX VOIP” class traffic for bandwidth.
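The behaviour in that note, a guarantee that only bites under contention, is easier to see in numbers. The following is an added example and not DrayTek's scheduler: a simplified work-conserving share model in which each class is first guaranteed min(its demand, ratio × link) and any capacity left over is handed to classes that are still short, in proportion to their shortfall. The 70/10/10 ratios are the ones set above; “Others” is an assumed fourth class with no reservation, and the 1000 kbps link figure is constructed for the demonstration.

```python
"""A simplified model of the 'Reserved_bandwidth Ratio' behaviour described above.

Added example, not DrayTek's actual scheduler. 'Others' and the link speed are assumptions.
"""

LINK_KBPS = 1000.0  # constructed uplink figure for the demonstration
RESERVED = {"3CX VOIP": 0.70, "Class 2": 0.10, "Class 3": 0.10, "Others": 0.0}


def allocate(link_kbps: float, demand: dict, reserved: dict) -> dict:
    """Return the kbps granted to each class for the offered load in 'demand'."""
    # Pass 1: honour each reservation, but never grant more than a class asks for.
    alloc = {c: min(demand[c], reserved.get(c, 0.0) * link_kbps) for c in demand}
    # Pass 2: the link is work-conserving, so spare capacity goes to whoever is
    # still short, split in proportion to each shortfall. Because 'give' never
    # exceeds the total shortfall, no class ends up above its own demand.
    spare = link_kbps - sum(alloc.values())
    short = {c: demand[c] - alloc[c] for c in demand if demand[c] > alloc[c]}
    if spare > 0 and short:
        total_short = sum(short.values())
        give = min(spare, total_short)
        for c, gap in short.items():
            alloc[c] += give * gap / total_short
    return alloc


def voip_alone() -> dict:
    """Only the PBX is sending: it gets its full 950 kbps, well past the 70% mark."""
    return allocate(LINK_KBPS, {"3CX VOIP": 950, "Class 2": 0, "Class 3": 0, "Others": 0}, RESERVED)


def everyone_busy() -> dict:
    """All classes oversubscribe the link: the PBX still gets at least 70% of it."""
    return allocate(LINK_KBPS, {"3CX VOIP": 950, "Class 2": 600, "Class 3": 600, "Others": 600}, RESERVED)


if __name__ == "__main__":
    for name, result in (("VoIP alone", voip_alone()), ("everyone busy", everyone_busy())):
        print(name, {c: round(v, 1) for c, v in result.items()})
```

The two scenarios show both halves of the note: with no competing traffic the reservation never limits anyone, and under full contention the 70% floor is what keeps the “3CX VOIP” class from being squeezed by bulk data.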

Important Note for users of Draytek VoIP Models

If you have a Draytek VoIP model you also need to perform the following steps in addition to the steps described above to enable it to work with 3CX Phone System:

  1. Log in to your Draytek Router’s Web Interface
  2. Select VoIP and then click on SIP Accounts in the Draytek Management Console
  3. Change the SIP port in VoIP to something other than 5060 (please note that all SIP account ports should be changed).
  4. Press OK to save your changes. After you finish modifying all your accounts, restart your Draytek Router.

Validation

Run the 3CX Firewall Checker (3CX Phone System Management Console > Settings > Firewall Checker) to validate the setup. All tested ports must return green / working.

Comments
  1. Pingback: 3CX VoIP Blog » Configuring a Draytek 2820 Router for 3CX with QoS configuration

  2. Good to see this article, as we have been using Draytek Routers on voice and data networks for many years. The V2820 is a very robust and powerful router that we can thoroughly recommend. It is also notable that this router can give you dual-WAN connection (2 x load-shared ADSL) and alternate connection via GSM USB wireless.

    May 24, 2010 at 2:40 pm
  3. Tonnie

    Normally the Draytek can be a little messy with its sip_alg (most of the time on hosted VoIP systems), so we always turn the setting off.
    How?

    Quote from the manual:
    “> sys sip_alg ?
    usage: sys sip_alg [value]
    0 – disable SIP ALG
    1 – enable SIP ALG
    current SIP ALG is disabled”

    May 24, 2010 at 3:23 pm
    • Kevin

      Hi Tonnie

      The document assumes that you start off from factory defaults. By default the SIP ALG should start disabled.

      It should be left disabled.

      However you can manually disable the SIP ALG by logging onto the Draytek using telnet, and issuing the command:

      sys sip_alg 0

      Regards

      May 27, 2010 at 1:29 am
  4. Pingback: 3CX VoIP TK Anlage Blog » Firewall Konfiguration für das 3CX Phone System

  5. Brian Campbell

    “Set the “Start Port” field to “5060” and the “End Port” field to “5090””

    Why are you opening Ports 5060 to 5090? Should it not just be Ports 5060(Sip) & 5090(3CX Tunnel)?

    May 26, 2010 at 7:56 pm
    • Kevin

      Hi Brian

      Yes, opening only ports 5060 and 5090 would be more accurate – thanks for pointing this out.

      I have updated the blog post accordingly.

      Regards

      May 27, 2010 at 2:03 am
  6. Fred Fremaux

    For many years, Draytek has been our choice for VoIP routers for many of the same reasons. Some may find this helpful, in your last figure, WAN 1 General Setup, bottom right corner is the option Online Statistics – this is an excellent graphic tool to help you test and verify that your QOS settings are working as planned – or not.

    May 27, 2010 at 5:59 pm