3CX Virtual PBX Server Firewall Setup

Introduction

General Considerations

3CX Port Requirement Overview

Shared Ports

Dedicated Ports

pfSense Sample Setup

Grouping Information

Step 1: Group the internal IP Address range

Step 2: Group the Shared and Dedicated Ports

Network Address Translation

Step 3: Add Virtual IPs address

Step 4: Configure NAT Entries

Step 5: Add Rules Policy to Allow Traffic into your PBX

Summary

Introduction

This guide shows a sample firewall setup for hosting multiple instances (customers) of 3CX Phone System as a Virtual PBX Server, so that modern server hardware is used to its fullest and the Windows installation overhead is kept to a minimum.

General Considerations

To provide this service to multiple customers, a reliable WAN link is essential, as it is what lets customers reach the hosted service without issue. The reliability of the internet access itself is out of scope for this document, but the firewall is just as important for ensuring connectivity.

You are not forced to place a NAT device in front of the servers; you can rely purely on the Windows firewall. However, that becomes very hard to manage as your 3CX Virtual PBX server infrastructure grows over time. A more efficient way to manage network connectivity and security is a centralized firewall that carries out the following functions:

  • Handle multiple external IP addresses, as each 3CX Virtual PBX Server requires its own public IP address.
  • Provide full cone NAT functionality (What is full cone NAT).
  • Be able to turn off any SIP ALG operation (What is SIP ALG).
  • Can be set up in failover mode. Be aware, however, that pfSense does NOT support the more common VRRP protocol (it uses CARP instead), which the datacenter may require.
  • Can handle high throughput and high maximum connection counts (for high density system operation).

3CX Port Requirement Overview

The 3CX Virtual PBX server requires a set of dedicated ports for each instance and also some shared port ranges which are required by all instances.

Shared Ports

Common Ports to all Instances:

  • 3CX Management Console (HTTP & HTTPS) & Presence - 80 & 443 TCP
  • Media Server Range - 54000-65000 UDP only

Dedicated Ports

Each instance uses 3 ports dedicated to its deployment slot:

Instance 1 - Will dynamically use ports in the range 5000 to 5999. You need to forward:

  • Phone System SIP Port - 5060 TCP & UDP
  • Phone System Secure SIP Port - 5061 TCP
  • 3CX Tunnel Service - 5090 TCP and UDP

Instance 2 - Will dynamically use ports in the range 6000 to 6999. You need to forward:

  • Phone System SIP Port - 6060 TCP & UDP
  • Phone System Secure SIP Port - 6061 TCP
  • 3CX Tunnel Service - 6090 TCP and UDP

Additional Tenants - Follow exactly the same pattern, with the 1000-port range of each further instance starting at:

  • Instance 3 - 7000
  • Instance 4 - 8000
  • Instance 5 - 9000
  • Instance 6 - 10000
  • Instance n - 1000 more than the previous instance, i.e. 5000 + (n - 1) x 1000

pfSense Sample Setup

The following sample setup is based on a pfSense firewall. The multiple instance setup differs in many ways from a single instance setup, which can be reviewed here.

Why pfSense was chosen for this sample setup:

  • First and foremost, it is free of charge.
  • It can use the failover and redundancy features of a Hyper-V or VMware cluster that may already host the 3CX Virtual PBX installation(s).
  • It can be set up in failover mode. Be aware, however, that pfSense does NOT support the more common VRRP protocol (it uses CARP instead), which the datacenter may require.
  • Simplified installation and maintenance.

Grouping Information

To get the best performance from the resources assigned to your pfSense VM, keep the number of rules and NAT policies to a minimum. Working with aliases, i.e. grouping information in a single place, is therefore beneficial for two reasons:

  • To keep a nice overview of all set policies.
  • To keep the amount of rules and policies to a minimum.

In the setup we need to group two types of information:

  • The ports required
  • The Virtual PBX Server internal IP addresses.

To achieve this you will need to complete the following 5 steps:

  • Step 1: Group the internal IP Address range.
  • Step 2: Group the Shared and dedicated Ports.
  • Step 3: Add Virtual IPs address.
  • Step 4: Configure NAT Entries.
  • Step 5: Add Rules Policy to Allow Traffic into your PBX.

Step 1: Group the internal IP Address range

To group the IP address range:

  1. Log on to the pfSense firewall, click the "Firewall" tab and choose "Aliases" from the drop down menu.
  2. In the "IP" tab click the "Add Aliases" button.
  3. Type a name for the group, for example "cloud_server".
  4. From the drop down set the type to "Network" and enter the range of all your internal IP addresses.
  • If you start with only one server, you can add the internal IPs of additional 3CX Virtual Servers when those servers are created. In this example we use a range of 11 IP addresses.
  5. Click "Save", then click the "Apply Changes" button.

Step 2: Group the Shared and Dedicated Ports

To group the ports listed above:

  1. From the "Firewall" tab choose "Aliases" from the drop down menu.
  2. This time switch to the "Ports" tab and click the "Add Aliases" button.
  3. Type a name for the group, for example "cloud_ports".
  4. Click the "Add another entry" button and add the first port.
  • Then add all the shared and dedicated ports to this group, clicking "Add another entry" each time to add the next entry.
  • The port range for the media server can be written in the format "54000:65000", which defines the entire range.
  5. Click "Save", then click the "Apply Changes" button.
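The port plan behind the "Dedicated Ports" list and the "cloud_ports" alias of Step 2, as an added example (not 3CX or pfSense code): it derives the three forwarded ports of any instance from the page's 5000 + 1000 x (n - 1) pattern, emits the alias entries in the GUI's "low:high" syntax, and checks how many 1000-port slots fit on one server before a slot collides with the shared 54000-65000 media range. The constants are taken from the page; the collision check and the entry format are this example's own additions.

```python
"""Port plan for multi-instance 3CX behind pfSense (added example, not 3CX code).

Taken from the page: instance n owns the 1000-port slot starting at
5000 + 1000*(n-1) and forwards base+60 (SIP, TCP+UDP), base+61 (secure SIP,
TCP) and base+90 (tunnel, TCP+UDP); all instances share 80/443 TCP and the
54000-65000 UDP media range. The collision check and the alias-entry
format are this example's own additions.
"""

BASE_PORT = 5000
SLOT_SIZE = 1000
MEDIA_RANGE = (54000, 65000)          # shared media server range, UDP only
SHARED_TCP_PORTS = (80, 443)          # management console (HTTP/HTTPS) and presence


def instance_base(n):
    """First port of instance n's dedicated slot."""
    if n < 1:
        raise ValueError("instances are numbered from 1")
    return BASE_PORT + SLOT_SIZE * (n - 1)


def instance_ports(n):
    """The three dedicated ports of instance n as (protocol, port) pairs."""
    base = instance_base(n)
    return [
        ("tcp", base + 60), ("udp", base + 60),   # Phone System SIP port
        ("tcp", base + 61),                        # Phone System secure SIP port (TLS)
        ("tcp", base + 90), ("udp", base + 90),    # 3CX Tunnel service
    ]


def slot_overlaps_media(n):
    """True if instance n's 1000-port slot intersects the shared media range."""
    lo = instance_base(n)
    hi = lo + SLOT_SIZE - 1
    return lo <= MEDIA_RANGE[1] and hi >= MEDIA_RANGE[0]


def max_instances_per_server():
    """Highest instance number whose slot still sits below the media range.

    This is purely the port arithmetic; the product's own per-server limit
    may be lower (the page's summary works out to 25 per server).
    """
    n = 1
    while not slot_overlaps_media(n + 1):
        n += 1
    return n


def cloud_ports_alias(instances):
    """Entries for the pfSense 'cloud_ports' port alias, one string each.

    Ranges use the GUI's 'low:high' syntax (the page writes 54000:65000).
    A port alias carries no protocol, so the TCP/UDP split above only
    matters when the firewall rule is written, not here.
    """
    entries = [str(p) for p in SHARED_TCP_PORTS]
    entries.append(f"{MEDIA_RANGE[0]}:{MEDIA_RANGE[1]}")
    for n in range(1, instances + 1):
        if slot_overlaps_media(n):
            raise ValueError(f"instance {n} slot {instance_base(n)}-"
                             f"{instance_base(n) + SLOT_SIZE - 1} collides with the media range")
        entries.extend(str(p) for p in sorted({port for _, port in instance_ports(n)}))
    return entries


if __name__ == "__main__":
    print("max instances per server before a port collision:", max_instances_per_server())
    print("\n".join(cloud_ports_alias(2)))
```

Running it for two instances prints the nine alias entries of the page's example (80, 443, 54000:65000, 5060, 5061, 5090, 6060, 6061, 6090); the collision check reports 49 as the arithmetic ceiling, because the slot of instance 50 would start at 54000.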

Network Address Translation

In a Virtual PBX installation the NAT type is 1:1 NAT. To set this up for 11 3CX Virtual servers, follow the steps below.

Step 3: Add Virtual IPs address

To configure the Virtual IP addresses:

  1. Under the "Firewall" tab, choose "Virtual IPs" from the drop down menu.
  2. In the "Virtual IPs" tab, click the "Add entry" button and add the 11 virtual IP addresses. In this sample the public IP address of the pfSense itself is 1.1.100.1/26.
  • For the 3CX Virtual PBX server IP addresses 1.1.100.10-1.1.100.20 have been chosen.
  • Set the type to "IP Alias" and enter the 11 IP addresses one at a time.
  3. Click "Save", then click the "Apply Changes" button.

Step 4: Configure NAT Entries

To configure NAT settings:

  1. Under the "Firewall" tab, choose "NAT" from the drop down menu and switch to the "1:1" tab.
  2. Click the "Add entry" button and add the translation of the external IPs to the internal IPs.
  • Important: make sure that you enter the external subnet IP and the internal IP with the corresponding subnet mask, in our case /26. Note that pfSense applies this mask to both sides of the entry, so a /26 translates the whole block of 64 addresses with the host bits carried over, including the firewall's own address; use one /32 entry per server if only the individual server addresses should be translated.
  3. Click "Save", then click the "Apply Changes" button.
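What a 1:1 entry actually translates, as an added example (not pfSense code): the model expands one entry into every internal-to-external pair it covers, following pfSense's documented 1:1 NAT behaviour where the mask applies to both addresses and host bits carry over (assumed to be faithful), and flags an entry that would also translate the firewall's WAN address. The public addresses 1.1.100.1 and 1.1.100.10-1.1.100.20 come from the page; the internal range 192.168.100.10-192.168.100.20 is an assumption.

```python
"""Model of pfSense 1:1 NAT entries for the 11 Virtual PBX servers
(added example, not pfSense code).

From the page: pfSense WAN is 1.1.100.1/26, the servers use 1.1.100.10-1.1.100.20.
Assumed: the internal addresses 192.168.100.10-192.168.100.20, and that the
model matches pfSense's documented behaviour, where the mask of a 1:1 entry
applies to both the external and the internal address and host bits carry over.
"""
import ipaddress

FIREWALL_WAN = "1.1.100.1"


def address_range(first, count):
    """count consecutive addresses starting at first, as strings."""
    start = ipaddress.ip_address(first)
    return [str(start + i) for i in range(count)]


def one_to_one_map(external_ip, internal_ip, prefixlen):
    """Expand one 1:1 NAT entry into {internal: external} for every address
    the entry actually translates, not just the two typed into the form."""
    ext_net = ipaddress.ip_network(f"{external_ip}/{prefixlen}", strict=False)
    int_net = ipaddress.ip_network(f"{internal_ip}/{prefixlen}", strict=False)
    return {str(int_net[i]): str(ext_net[i]) for i in range(ext_net.num_addresses)}


def audit(mapping, firewall_wan=FIREWALL_WAN):
    """Checks a practitioner wants before clicking Apply Changes."""
    problems = []
    if firewall_wan in mapping.values():
        problems.append(f"entry translates the firewall's own WAN address {firewall_wan}")
    externals = list(mapping.values())
    if len(set(externals)) != len(externals):
        problems.append("two internal hosts would share one public address")
    return problems


def plan_per_server(external_ips, internal_ips):
    """One /32 entry per server: translates exactly the server addresses."""
    if len(external_ips) != len(internal_ips):
        raise ValueError("need exactly one public address per server")
    mapping = {}
    for ext, inner in zip(external_ips, internal_ips):
        mapping.update(one_to_one_map(ext, inner, 32))
    return mapping


if __name__ == "__main__":
    # The page's entry: 1.1.100.10 -> 192.168.100.10 with the /26 of the WAN.
    whole_block = one_to_one_map("1.1.100.10", "192.168.100.10", 26)
    print(len(whole_block), "addresses translated;", audit(whole_block))
    per_server = plan_per_server(address_range("1.1.100.10", 11),
                                 address_range("192.168.100.10", 11))
    print(len(per_server), "addresses translated;", audit(per_server))
```

The /26 entry from the page expands to 64 pairs and the audit reports that 192.168.100.1 would be translated to 1.1.100.1; eleven /32 entries expand to exactly the eleven server pairs with no findings.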

Step 5: Add Rules Policy to Allow Traffic into your PBX

The last step is to allow traffic from the outside to the internal servers.

  1. Under the "Firewall" tab, choose "Rules" from the drop down menu.
  2. Click the "Add entry" button and change the "Protocol" type from "TCP" to "TCP/UDP".
  3. Specify the destination: in this example we use the "cloud_server" alias as the destination address and the "cloud_ports" alias as the destination port range.
  4. Click "Save", then click the "Apply Changes" button.

Note that this single rule also exposes the management console ports (80 and 443) to any source, and opens the media range for TCP although it is only used over UDP. If only known networks need to administer the instances, add a separate rule for 80 and 443 restricted to those source addresses and place it above this one.
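The effect of the single TCP/UDP rule next to a split ruleset, as an added example (not pfSense code): a small first-match evaluator, mimicking pfSense's ordered "quick" rules with default deny, runs constructed packets through the rule exactly as Step 5 describes it and through a version that keeps the console ports for an assumed administrator network and opens the media range for UDP only. The internal block 192.168.100.0/27, the admin network 198.51.100.0/24, a two-instance port alias and the probe packets are all assumptions.

```python
"""Step 5 rule as written on the page beside a tightened version
(added example, not pfSense code).

The evaluator mimics pfSense's ordered 'quick' rules: the first matching
rule decides, anything unmatched is blocked by the default deny.
Assumed: 192.168.100.0/27 as the cloud_server alias, 198.51.100.0/24 as
the administrators' source network, a two-instance port alias, and the
constructed probe packets in __main__.
"""
import ipaddress
from dataclasses import dataclass

ANY = [ipaddress.ip_network("0.0.0.0/0")]
CLOUD_SERVER = [ipaddress.ip_network("192.168.100.0/27")]   # assumed internal range
ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]      # assumed admin source

# Port specs are (low, high) ranges, mirroring the alias syntax "low:high".
MGMT_PORTS = [(80, 80), (443, 443)]                          # console + presence, TCP
DEDICATED_PORTS = [(5060, 5061), (5090, 5090), (6060, 6061), (6090, 6090)]
MEDIA_PORTS = [(54000, 65000)]                               # UDP only per the page
CLOUD_PORTS = MGMT_PORTS + DEDICATED_PORTS + MEDIA_PORTS     # the page's single alias


@dataclass
class Rule:
    action: str          # "pass" or "block"
    protos: frozenset    # subset of {"tcp", "udp"}
    src: list            # list of ip_network
    dst: list            # list of ip_network
    ports: list          # list of (low, high)


def _in_nets(ip, nets):
    return any(ip in n for n in nets)


def _in_ports(port, spec):
    return any(lo <= port <= hi for lo, hi in spec)


def evaluate(rules, src, dst, proto, dport):
    """Return 'pass' or 'block' for a packet arriving on WAN after 1:1 NAT;
    dst is therefore the internal address the cloud_server alias lists."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (proto in r.protos and _in_nets(s, r.src)
                and _in_nets(d, r.dst) and _in_ports(dport, r.ports)):
            return r.action
    return "block"          # pfSense default deny


# Step 5 exactly as the page describes it: any source, TCP/UDP, all alias ports.
PAGE_RULESET = [
    Rule("pass", frozenset({"tcp", "udp"}), ANY, CLOUD_SERVER, CLOUD_PORTS),
]

# Same reachability for phones, but the console only from admins and the
# media range for UDP only, as the page specifies it.
HARDENED_RULESET = [
    Rule("pass", frozenset({"tcp"}), ADMIN_NETS, CLOUD_SERVER, MGMT_PORTS),
    Rule("pass", frozenset({"tcp", "udp"}), ANY, CLOUD_SERVER, DEDICATED_PORTS),
    Rule("pass", frozenset({"udp"}), ANY, CLOUD_SERVER, MEDIA_PORTS),
]


if __name__ == "__main__":
    pbx = "192.168.100.10"
    probes = [("203.0.113.5", "tcp", 443), ("198.51.100.7", "tcp", 443),
              ("203.0.113.5", "udp", 5060), ("203.0.113.5", "tcp", 60000)]
    for src, proto, port in probes:
        print(f"{src} -> {pbx} {proto}/{port}: page={evaluate(PAGE_RULESET, src, pbx, proto, port)} "
              f"hardened={evaluate(HARDENED_RULESET, src, pbx, proto, port)}")
```

With the page's rule, HTTPS to the console from an arbitrary internet address passes; with the split ruleset it is blocked while the same request from the admin network and SIP from anywhere still pass, and TCP to the media range is no longer accepted.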

Summary

With these steps you have created a setup for a total of 275 instances (clients), i.e. 11 servers with 25 instances each, using as few as 4 rules. When the customer base grows, add the additional Virtual IPs to the gateway, make sure the 1:1 NAT entry covers the new public and internal addresses, include the internal IP of the new 3CX Virtual Server in the "cloud_server" alias, and the server is ready to go.
