Troubleshooting Remote Extensions and VoIP Providers Using the 3CX Firewall Checker

Introduction to the 3CX Firewall Checker

The 3CX Firewall Checker is a tool which can be used to check that your router or firewall allows network traffic with VoIP Providers, Bridges, External Extensions and 3CXTunnel connections. A supported 3CX Phone System configuration requires that all the necessary ports are forwarded one-on-one into the LAN towards the 3CX Phone system machine. Anything less is considered as unsupported. Let us look at a simple example to illustrate this further.

For this example, let’s assume that the PBX machine has IP address “192.168.0.100”, that the test is for port “5060”, and that the public IP address for your WAN port on your WAN-to-LAN device is “11.22.33.44”.

Basically, for a port to be correctly forwarded to the 3CX Phone System machine, any UDP packet that originates from the PBX machine and therefore has, in its Ethernet headers, the “source IP::Port” reading “192.168.0.100::5060”, must reach its final destination (typically a VoIP Provider service, or a remote extension, or a bridged PBX) with the Ethernet “source IP::Port” headers reading “11.22.33.44::5060”. So in essence, even though the IP Address needs to be translated (so that the traffic can be routed across the Internet Cloud), the port must NOT be translated. Furthermore, any UDP packet that originates from the WAN with Ethernet headers “destination IP::Port” reading “11.22.33.44::5060”, must reach the 3CX Phone System machine with the Ethernet “destination IP::Port” headers reading “192.168.0.100::5060”.

The 3CX Firewall Checker can be used to determine whether the port mappings are configured correctly, and will provide additional information which might help you configure your firewall properly. To run the 3CX Firewall Checker, open the 3CX Management Console, select the Settings > Firewall Checker node and click Run Firewall Checker.

Once the test is started, networking tests will be performed and depending on the configuration of your firewall or border device, the results will be provided together with information on what you can do to fix/troubleshoot the problem.

Notes

  • The 3CX Services need to be stopped before performing the tests. The PBX will not be available for the duration of the tests. The tests take 1 second per port checked if they succeed, or anywhere between 5 and 10 seconds for each failed port check. By default, the firewall checker checks 52 ports. These include port 5060, port 5090 and port range 9000 – 9049. Thus if everything is configured correctly, the test should take less than a minute. If there are issues with all the ports, the test can take between 4 minutes and 9 minutes. You are allowed to cancel the test.
  • The Firewall Checker requests the STUN server configured in Settings > Network > STUN server to make connections to it on the ports being checked. Some firewalls might log a port scan since the ports are checked sequentially. When this happens, the 3CX Firewall Checker will start reporting issues after the first few ports have been checked. You might want to disable the port scan check on your firewall while running the 3CX Firewall Checker.

3CX Firewall Checker – Tests Performed

The firewall checker will check for connectivity by making various requests to the STUN servers configured in Settings > Network > STUN server. The firewall checker performs the following 2 tests:

Test 1 – Internet Reachability Test

This test checks that the PBX is able to communicate with the STUN server running on the internet from the port being checked. This test will also perform a DNS resolution check if the STUN server’s hostname is specified. This test checks basic connectivity to the internet and that the STUN server is reachable.

Check the following if you get a failure on test 1:

  • You might have a general problem connecting to the internet. To confirm, open a browser and check that you can connect to the internet.
  • You might need to configure your firewall to allow connections from the machine running 3CX Phone System to the internet on the port being checked. Check this blog post which documents the Ports used by 3CX Phone System.
  • Your firewall might need to be configured to allow connections to the port being checked on both TCP and UDP. Once again, check this blog post which documents the Ports used by 3CX Phone System.
  • This test will fail if the STUN server is not available. Confirm the STUN server in Settings > Network > STUN server, and use a different STUN server to test.
  • Confirm the port being used by the STUN server. The STUN server might be running on a different port.
  • Apart from the WAN to LAN device (router or firewall), you should also check that the Windows Firewall installed on the local machine is allowing connections on the port being checked. Anti-virus and other anti-malware software are also known to interfere. You will need to disable or un-install these to confirm. Note that disabling the feature might not be sufficient.
  • Your ISP might be blocking traffic on the port being checked. Check this blog post which documents the Ports used by 3CX Phone System.

Test 2 – One on One Port Forwarding (a.k.a. inbound connection) test

In this test, the firewall checker tries to determine if a server on the internet is able to connect and communicate with 3CX Phone System on the port being checked. In doing so, it determines if one to one port forwarding is configured on the firewall, as required by the PBX. This type of NAT is also known as Full Cone NAT.

In this test, 3CX sends a request to the STUN server from the port being checked, and asks the STUN server to make a connection to the PBX from a different IP address on the port being checked.
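The port comparison behind both tests can be sketched as follows. This is an added example, not 3CX code: it assumes the checker's requests behave like standard STUN Binding Requests (RFC 3489/5389), with CHANGE-REQUEST producing the "different IP address" reply of Test 2. The function names and the default STUN port 3478 are assumptions of the example, and the sample reply is constructed from the addresses used earlier on this page.

```python
import os, socket, struct
MAGIC = 0x2112A442                                   # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED, CHANGE_REQUEST, XOR_MAPPED = 0x0001, 0x0003, 0x0020

def build_request(change_ip=False, change_port=False):
    """Binding Request; CHANGE-REQUEST asks the server to answer from its other IP/port."""
    flags = (0x04 if change_ip else 0) | (0x02 if change_port else 0)
    attrs = struct.pack("!HHI", CHANGE_REQUEST, 4, flags) if flags else b""
    txid = os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC) + txid + attrs, txid

def parse_mapped(resp, txid):
    """Return the (ip, port) the server saw, or None for a malformed or unrelated reply."""
    mtype, mlen = struct.unpack("!HH", resp[:4]) if len(resp) >= 20 else (0, 0)
    if mtype != BINDING_RESPONSE or resp[8:20] != txid or len(resp) < 20 + mlen:
        return None
    pos = 20
    while pos + 4 <= 20 + mlen:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if atype in (MAPPED, XOR_MAPPED) and len(val) >= 8 and val[1] == 1:  # IPv4 only
            port, addr = struct.unpack("!HI", val[2:8])
            if atype == XOR_MAPPED:                  # undo the XOR with the cookie
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)                # attributes are padded to 4 bytes
    return None

def classify(local_port, mapped):                    # did the NAT keep the source port?
    if mapped is None:
        return "no or malformed response"
    return "port preserved" if mapped[1] == local_port else "port translated"

def probe(server, local_port, stun_port=3478, timeout=3.0, **change):
    """Live check (needs network and a free local_port): what did the server see?"""
    req, txid = build_request(**change)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        s.sendto(req, (server, stun_port))
        try:
            return parse_mapped(s.recvfrom(2048)[0], txid)
        except socket.timeout:
            return None

def sample_response(txid, ip, port):                 # constructed reply, for offline runs
    addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED, 8, 0, 1, port ^ (MAGIC >> 16), addr)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC) + txid + attr
```

Calling probe() against the configured STUN server with no flags corresponds to Test 1, and with change_ip=True, change_port=True it approximates Test 2. A good answer to the first call and None from the second means unsolicited inbound traffic on that port is not reaching the host.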

If Test 1 succeeds, but test 2 fails, you should check the following:

Results / Error messages

This section provides a list of results / errors that can be returned by the firewall checker.

Success – Port forwarding is correctly implemented for this port. VoIP can work. This configuration is supported.

The tests have succeeded. Your WAN to LAN device (firewall / router) allows connections to the internet on the specified port and performs one to one port forwarding correctly. This configuration is supported.

STUN server has no second address.

You can get this error message when you are using an incorrectly configured STUN server. The STUN server must have 2 addresses. You will need to use a different STUN server for these tests. Go to the Settings > Network > STUN Server tab and configure one of the following STUN servers: stun.3cx.com, stun2.3cx.com, stun3.3cx.com, stun4.3cx.com.

Failed – No response received or port mapping is closed. Port forwarding not configured correctly. 

Port forwarding is not configured for the port being checked. In this case VoIP Providers and Remote extensions WILL NOT WORK. Log in to your router / firewall and configure port forwarding by entering the ports required by 3CX and forwarding them to the IP Address of the 3CX Phone System.

Failed – Firewall check failed. Some errors were detected. Please check your firewall configuration and try the test again.

You will get this message if some ports pass the test and others do not. You will need to investigate which ports failed the test and check port forwarding on those ports. Also make sure that the firewall/router is not forwarding connections on the specific port to another IP Address. The ports should be forwarded to the IP Address of 3CX Phone System.

Failed – Malformed response received – (aka Symmetric NAT). Port forwarding not correctly implemented.

The response we got from the STUN server indicates that you do not have a one to one NAT, or Full cone NAT. 3CX Phone system requires a 1 to 1 port forwarding inbound and outbound for VoIP Providers, Bridges and external extensions to work.

STUN server did not answer or port forwarding is not configured on your firewall.

The STUN server used for this test did not answer. Possible reasons are that the STUN server is not reachable, that it is down, or that port forwarding is not configured correctly.

STUN server address cannot be resolved.

The DNS resolution used to resolve the STUN server’s IP address failed. This could be a DNS issue, or the STUN server has ceased operation altogether.

Failed – Malformed or no response received from configured STUN servers. Check your internet connection, DNS settings, or change STUN servers from Settings > Network > STUN Server tab.

Check that port forwarding is correctly implemented. Firewall might be blocking packets. Check this article on how to configure static port forwarding.

Failed – Port is in use by another application on this computer. OR

SIP port is in use by process {0}. The 3CX Firewall checker requires the SIP port to be free.

The port that is needed for this test is currently in use by another application installed on this computer. To determine the process that is listening on the specified port, run the following command in command prompt:

netstat -ano | findstr /I /C:"PID" /C:":5060"

 
Replace 5060 with the port that you need to check. You will find the process id of the process that is listening on the specified port in the PID column. Use this number to identify the process by using Task Manager or by running the following command in command prompt:

tasklist /fi "pid eq 4"

Replace 4 with the PID identified previously.

STUN servers are not reachable. Cannot perform Firewall check. This configuration is not supported

The STUN servers configured in the Network > STUN server tab cannot be reached. The most probable cause is an internet connectivity problem. Try one of the STUN servers hosted by 3CX: go to the Settings > Network > STUN Server tab and change the STUN servers to one of the following:
stun.3cx.com, stun2.3cx.com, stun3.3cx.com, stun4.3cx.com
