Configuring a Zyxel P-662H-D1 Router with 3CX Phone System

Introduction

This document describes how to configure a Zyxel P-662 for use with 3CX Phone System. It covers the NAT configuration that 3CX Phone System needs for VoIP Providers, Remote Extensions and Bridges. The firmware version tested was ZyNOS Firmware Version V3.40(AGZ.9) dated 01/08/2010.

Zyxel P-662H-D1 Router

Status

In general, Zyxel P-662H-D1 routers are known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP Providers, direct Remote Extensions (STUN) and 3CX Tunnel connections.

The status of this type of firewall is “Supported”.
NAT Type: Not tested

Disclaimer

Configuration of the firewall will never be carried out by 3CX staff at any point and must be done by the company's system administrator. You must understand the risk of opening ports to the World Wide Web. Read http://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. This guide is a best-effort description of how to configure the device(s). 3CX is not liable for any misguidance that may be contained in this guide.

Configure the Firewall to Allow VoIP Traffic from the Internet

Note: Screenshots are for illustration purposes only and settings should not be copied from the screenshots.

For an always up-to-date list of the ports that need to be open, check “Firewall & Router Configuration”, as the ports may depend on the version you are using.

  1. Using your browser, browse to the IP address of the Zyxel P-662H-D1 Router.
  2. Log in using the administrator password.
  3. From the menu on the left, change to “Security” > “Firewall”.
  4. If Active Firewall is not enabled, and you do not intend to enable the firewall, you can proceed to the next section (Configure NAT).
  5. If the Default Action for “WAN to LAN” is set to “Permit”, and you do not intend to change this, you can proceed to the next section (Configure NAT).
  6. Click on the “Rules” tab.
  7. From the Packet Direction drop down list, select “WAN to LAN”, and click the “Add” button.
  8. Scroll to the “Services” section, and click on the “Edit Customized Services” link.
  9. Add the following services in the table (click on the number to add an entry). Click “Back” when done:
    1. HTTP TCP 5000 for Abyss Web Server or TCP 80 for IIS
    2. HTTPS TCP 5001 for Abyss Web Server or TCP 443 for IIS
    3. SIP TCP/UDP 5060
    4. SECURE SIP TCP 5061
    5. RTP UDP 9000-9500
    6. TUNNEL TCP/UDP 5090
  10. Scroll back to the top and configure the following settings:
    1. Active: Enabled
    2. Action for Matched Packets: Permit
    3. Source – Address Type: Add IP address if known or leave default “Any Address”.
    4. Destination – Address Type: Add IP address if known or leave default “Any Address”.
    5. Service – Available Services: Add “*SIP (TCP/UDP:5060)”, and remove “Any (UDP)” and “Any (TCP)” from the list.
    6. Day to Apply: “Everyday” (or as needed).
    7. Time of Day to Apply: “All day” (or as needed).
    8. Click “Apply” when done.
  11. Repeat step 10 for each service configured in step 9. The rules should be similar to what is shown in this screenshot:

Configure NAT so that VoIP Traffic from the Internet is Forwarded to the PBX

  1. From the menu on the left, change to “Network” > “NAT”.
  2. Click on “Port Forwarding”.
  3. In the Service Name, select “User define”.
  4. Configure the Rule as follows:
    1. Active: Enabled
    2. Service Name: SIP
    3. Start Port: 5060
    4. End Port: 5060
    5. Server IP Address: Internal IP of PBX (e.g. 192.168.1.109).
    6. Click “Apply” when done.
  5. Repeat steps 3 to 5 for the following ports:
    • HTTP TCP 5000 for Abyss Web Server or TCP 80 for IIS
    • HTTPS TCP 5001 for Abyss Web Server or TCP 443 for IIS
    • SIP TCP/UDP 5060
    • SECURE SIP TCP 5061
    • RTP UDP 9000-9500
    • TUNNEL TCP/UDP 5090

  Click “Apply” to save the configuration.
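Once the firewall rules and port forwards are saved, the exposed TCP surface can be compared with the list above. The script below is an added example, not part of the original 3CX guide: it assumes the Abyss Web Server ports, and the function names and the caller-supplied "must be closed" ports are illustrative. Run it against your own public IP from a host outside the LAN.

```python
import socket
import sys

# TCP services from the port list in this guide (Abyss Web Server variant).
# The UDP entries (SIP 5060/UDP, RTP 9000-9500, tunnel 5090/UDP) are not
# checked: a connect() test cannot confirm that UDP is being forwarded.
EXPECTED_TCP = {5000: "HTTP", 5001: "HTTPS", 5060: "SIP",
                5061: "SECURE SIP", 5090: "TUNNEL"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def audit(host, expected=EXPECTED_TCP, must_be_closed=(), probe=tcp_open):
    """Compare reachable TCP ports with the intended forwarding rules.

    Returns (missing, unexpected): expected ports that did not answer, and
    ports listed in must_be_closed that did answer.
    """
    missing = sorted(p for p in expected if not probe(host, p))
    unexpected = sorted(p for p in must_be_closed
                        if p not in expected and probe(host, p))
    return missing, unexpected


if __name__ == "__main__":
    # Usage: script.py <public-ip> [port-that-must-stay-closed ...]
    host = sys.argv[1]
    closed = [int(p) for p in sys.argv[2:]]
    missing, unexpected = audit(host, must_be_closed=closed)
    for port in missing:
        print(f"NOT REACHABLE: {EXPECTED_TCP[port]} tcp/{port}")
    for port in unexpected:
        print(f"UNEXPECTEDLY OPEN: tcp/{port}")
    sys.exit(1 if missing or unexpected else 0)
```

A port reported as unexpectedly open usually points to a leftover forward or to a “WAN to LAN” default action of “Permit”.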
