This guide is outdated; please refer to the latest guide.

Introduction

This document describes the configuration of a Draytek 2820 for use with 3CX Phone System. We will look at the NAT configuration necessary for 3CX Phone System and the QoS configuration to prioritize SIP and RTP traffic. The firmware version tested was version 3.3.3, dated 23 October 2009.

Status

In general, Draytek routers are known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections. Take extra care when following this guide.

The status of this type of firewall is “Supported”.
NAT Type: Not tested

Disclaimer

Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/voip-howto/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance that may be made in this guide.

NAT Configuration

Disable SIP ALG

You first need to disable SIP ALG on your Draytek Router by following the steps outlined below:

  1. Open a Command Prompt and telnet to the Draytek router by typing the following command: >telnet IP-Vigor_Router
  2. Enter the following commands to disable the SIP ALG Handler on the device:
    >sys sip_alg 0
    >sys commit

If you are using a Vigor2750 or a Vigor2130 use the following steps:

  1. Open a Command Prompt and telnet to the Draytek router by typing the following command: >telnet IP-Vigor_Router
  2. Enter the following commands to disable the SIP ALG Handler on your device:
    > kmodule_ctl nf_nat_sip disable
    > kmodule_ctl nf_conntrack_sip disable
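
One way to confirm the ALG is really off after these commands, as an added example that is not part of the original guide: NAT alone leaves the SIP payload untouched, while an active ALG rewrites address-bearing headers and SDP lines, so comparing the same message captured on both sides of the router shows the difference. The captures, addresses and function names are constructed for illustration, and the check assumes no SIP proxy sits between the two capture points.

```python
COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header names

def address_fields(message):
    """Collect the header and SDP lines that carry addresses or ports."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    fields = {}
    for line in head.split("\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name in ("via", "contact"):
            fields.setdefault(name, []).append(value.strip())
    for line in body.split("\n"):               # SDP connection and media lines
        if line[:2] in ("c=", "m="):
            fields.setdefault(line[:2], []).append(line[2:].strip())
    return fields

def alg_rewrites(sent, received):
    """Map each changed field to (values as sent, values as received)."""
    a, b = address_fields(sent), address_fields(received)
    return {k: (a.get(k, []), b.get(k, []))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Constructed capture of an INVITE as it left the PBX (192.168.1.200).
SENT = (
    "INVITE sip:100@198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.200:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:200@192.168.1.200:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.200\r\n"
    "m=audio 9000 RTP/AVP 0\r\n"
)
# Constructed far-side capture showing what an active ALG would produce;
# 203.0.113.10 is a documentation address standing in for the WAN IP.
RECEIVED = SENT.replace("192.168.1.200", "203.0.113.10")

if __name__ == "__main__":
    for field, (before, after) in alg_rewrites(SENT, RECEIVED).items():
        print(f"{field}: {before} -> {after}")
    print("payload untouched:", alg_rewrites(SENT, SENT) == {})
```

An empty result means the router forwarded the SIP payload unmodified, which is the state this section aims for.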

Port Forwarding

For an up-to-date list of the ports that need to be open, check "Firewall & Router Configuration", as the ports may depend on the version you are using.

  1. Browse to the Router's Web Interface (the device's default IP Address is 192.168.1.1).
  2. Go to the "NAT -> Open Ports" menu
  3. In this example, 3CX PhoneSystem is installed on a server with IP Address 192.168.1.200, and the Draytek is connected to the Internet via the WAN1 interface. Go to the first free position in the "Open Port" menu, and configure as follows:
  4. Ensure the "Enable Open Ports" checkbox is enabled
  5. Set the "Comment" field to "3CX"
  6. Set the "WAN Interface" field to "WAN1"
  7. Set the "Local Computer" field to the IP Address of the 3CX PhoneSystem machine (in this example 192.168.1.200)
  8. Set the first line as follows:
    1. Set the "Protocol" field to "TCP"
    2. Set the "Start Port" and "End Port" fields to "5000" if Abyss Webserver or "80" if IIS Web Server
  9. Set the second line as follows:
    1. Set the "Protocol" field to "TCP"
    2. Set the "Start Port" and "End Port" fields to "5001" if Abyss Webserver or "443" if IIS Web Server
  10. Set the third line as follows:
    1. Set the "Protocol" field to "TCP/UDP"
    2. Set the "Start Port" and "End Port" fields to "5060".
  11. Set the fourth line as follows:
    1. Set the "Protocol" field to "TCP"
    2. Set the "Start Port" and "End Port" fields to "5061".
  12. Set the fifth line as follows:
    1. Set the "Protocol" field to "UDP"
    2. Set the "Start Port" field to "9000" and the "End Port" field to "9500"
  13. Set the sixth line as follows:
    1. Set the "Protocol" field to "TCP/UDP"
    2. Set the "Start Port" and "End Port" fields to "5090"
  14. Click on the "OK" button at the bottom of the page.


This will send you back to the "Open Ports" summary page.
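
The six lines above, encoded as an added example (not part of the original 3CX guide) that audits a rule table for exposures the guide requires but are missing, and for exposures that are open without being called for. The one-rule-per-line text format is a hypothetical hand transcription of the "Open Ports" page, not a Draytek export format, and the Abyss ports 5000/5001 are assumed.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str   # "TCP", "UDP" or "TCP/UDP", as in the "Protocol" field
    start: int   # "Start Port"
    end: int     # "End Port"
    host: str    # "Local Computer"

PBX = "192.168.1.200"  # example PBX address from this guide
# The six lines from the guide, Abyss web server variant (5000/5001).
EXPECTED = [
    Rule("TCP", 5000, 5000, PBX), Rule("TCP", 5001, 5001, PBX),
    Rule("TCP/UDP", 5060, 5060, PBX), Rule("TCP", 5061, 5061, PBX),
    Rule("UDP", 9000, 9500, PBX), Rule("TCP/UDP", 5090, 5090, PBX),
]

def parse(text):
    """Parse transcribed lines 'PROTO START END HOST' (hypothetical format)."""
    rows = (l.split() for l in text.splitlines() if l.strip())
    return [Rule(p.upper(), int(s), int(e), h) for p, s, e, h in rows]

def expand(rule):
    """Every (transport, port, host) exposure one rule creates."""
    return {(t, p, rule.host) for t in rule.proto.split("/")
            for p in range(rule.start, rule.end + 1)}

def audit(configured, expected=EXPECTED):
    """Return (missing, extra) exposures relative to the guide's rule set."""
    want = set().union(*map(expand, expected))
    have = set().union(*map(expand, configured))
    return sorted(want - have), sorted(have - want)

# Constructed sample: RTP range one port too wide, 5061 opened for UDP too,
# 5090 entered as TCP only, and a leftover rule pointing at another host.
SAMPLE = """
TCP     5000 5000 192.168.1.200
TCP     5001 5001 192.168.1.200
TCP/UDP 5060 5060 192.168.1.200
TCP/UDP 5061 5061 192.168.1.200
UDP     9000 9501 192.168.1.200
TCP     5090 5090 192.168.1.200
TCP     3389 3389 192.168.1.50
"""

if __name__ == "__main__":
    missing, extra = audit(parse(SAMPLE))
    for kind, items in (("MISSING", missing), ("EXTRA", extra)):
        for transport, port, host in items:
            print(f"{kind:8}{transport:4}{port:>6} -> {host}")
```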

QoS Configuration

To configure the Quality of Service part of the Draytek 2820, follow these steps:

1. Bandwidth Management - Quality of Service


  1. Browse to the Router's Web Interface (the device's default IP Address is 192.168.1.1).
  2. Go to the "Bandwidth Management -> Quality of Service" menu. The first thing we need to do is define the ports and services used by 3CX Phone System. Proceed as follows:
  3. Click the "Edit" link under the "Service Type" heading.
  4. Click on "Add", and insert the following service: Name: "3CX HTTP", Service Type: "TCP", Type: "Single", Port Number: "5000" if Abyss Webserver or "80" if IIS Web Server
  5. Click on "Add", and insert the following service: Name: "3CX HTTPS", Service Type: "TCP", Type: "Single", Port Number: "5001" if Abyss Webserver or "443" if IIS Web Server
  6. Click on "Add", and insert the following service: Name: "3CX SIP", Service Type: "TCP/UDP", Type: "Single", Port Number: "5060"
  7. Click on "Add", and insert the following service: Name: "3CX SECURE SIP", Service Type: "TCP", Type: "Single", Port Number: "5061"
  8. Click on "Add", and insert the following service: Name: "3CX TUNNEL", Service Type: "TCP/UDP", Type: "Single", Port Number: "5090"
  9. Click on "Add", and insert the following service: Name: "3CX RTP", Service Type: "UDP", Type: "Range", Port Number: "9000 – 9500"


  10. Click the "Cancel" button to go back to the previous page. After that, we need to create a "Class Rule":

2. Creating a Class Rule


  1. Click on the "Edit" link in the "Class 1" row under the "Rule" header
  2. Set the "Name" field to "3CX VOIP"
  3. Click on the "Add" button
  4. Set the "ACT" field to Enabled
  5. Set the "Local Address" field to the IP Address of the PBX Machine (in this example 192.168.1.200)
  6. Ensure the "Remote Address" field is set to "Any"
  7. Ensure the "DiffServ Codepoint" field is set to "Any"
  8. Set the "Service Type" field to "3CX SIP"
  9. Click the "OK" button
  10. Repeat the last 7 steps for each of the 4 remaining service types, changing the "Service Type" field to "3CX HTTPS", "3CX HTTP", "3CX SIP", "3CX SECURE SIP", "3CX RTP" and "3CX TUNNEL" respectively.
  11. Click on the "OK" button to save the Class Rule.


This will take you to the QoS Main Page.

3. Assign a Priority Level

Now we need to instruct the router what priority level to assign to traffic of class "3CX VOIP".

  • Click on the "Setup" link on the "WAN1" row.
  • Set the "Enable the QoS Control" checkbox, and set the traffic direction to "BOTH"
  • Set the "Reserved_bandwidth Ratio" field for traffic of class "3CX VOIP" to 70%
  • Set the "Reserved_bandwidth Ratio" field for traffic of Class 2 and Class 3 to 10%
  • Click on the "OK" button to complete the configuration

Note that the "Reserved_bandwidth Ratio" percentage value does not reserve bandwidth at all times, but only when other traffic types are competing with "3CX VOIP" class traffic for bandwidth.

Important Note for users of Draytek VoIP Models

If you have a Draytek VoIP model you also need to perform the following steps in addition to the steps described above to enable it to work with 3CX Phone System:

  1. Log in to your Draytek Router's Web Interface
  2. Select VoIP and then click on SIP Accounts in the Draytek Management Console
  3. Change the SIP port in VoIP to something other than 5060 (please note that all SIP account ports should be changed).
  4. Press OK to save your changes. After you finish modifying all your accounts, restart your Draytek Router.

Validation

Run the 3CX Firewall Checker from the 3CX Phone System Management Console (Settings > Firewall Checker) to validate the setup. All tested ports must return green / working.