
Solved Whitelisting help

Status
Not open for further replies.

TurabG

Free User
Joined
Jun 12, 2018
Messages
58
Reaction score
1
Hi.

I have seen some advice to use whitelisting over blacklisting, which I agree with. What I wonder is: do we need to allow only VoIP provider IPs for port 5060? It's said that softphones use port 5090 to communicate with 3CX. Then why would strange IPs be trying to register on port 5060?

I mean if I whitelist my VoIP provider's IPs on port 5060 and block everything else, will softphones still work while they are out of the LAN connection?
 
UDP/TCP port 5060 is always being scanned on the big bad internet and you will see connection attempts very frequently. That is why it is good that 3CX creates a cryptic extension Authentication ID and password as a line of defense against this attack on port 5060 if it is left open to the outside world.

3CX softphones should use the tunneling protocol when offsite on 5090 but use this as a guide

https://www.3cx.com/ports-used-3cx-phone-system-v14-v15/
 
So does it mean it is safe if I block all connections to port 5060 that do not match the trunk's IP? If yes, then why would registration requests come to port 5060, and how will they continue to work outside the LAN?
 
So you seem to be confusing the terms somewhat. Whitelisting and blacklisting (at least from a 3CX perspective) are strictly by IP, not port. What you are talking about sounds more like ACLs in your firewall. If you are confused as to what ports do what, you should read the link provided above.
 
@cobaltit, I guess I didn't make it clear; I was talking about whitelisting in the router settings. Because as far as I know, there's no whitelisting option in 3CX anyway? I already went through that guide several times; but my question is about the suggestions in the forum.

I will go through that guide again and check if there's something specific about what I'm asking.
 
Hello @TurabG

Please note that 3CX clients using the tunnel will use port 5090, so port 5060 will be used only by VoIP providers or remote extensions not using the tunnel, so you can limit access to that port only from your VoIP provider.
 
@cobaltit, that is not essentially whitelisting. "Allow"ing an IP address does not necessarily implement blocking every other thing. What I meant was, "allowing only whitelisted IP addresses and blocking all others".

In most of the routers, you can see this option, which usually reads like: "Allow IP addresses that are on the list and block everything else". Or some of them let you enter an external IP when you are opening the port (aka forwarding). This is actually whitelisting, which is not an option in 3CX.

But the thing I was also trying to ask; is it safe to whitelist trunk IPs and block everything else on port 5060? Doesn't the registration process go through port 5060?

I think local phones register on port 5060 and remote phones register on 5090.
 
But the thing I was also trying to ask; is it safe to whitelist trunk IPs and block everything else on port 5060? Doesn't the registration process go through port 5060?
The registration process for what? If you mean the provider then the IP will be included in the whitelist so no issues there.

I think local phones register on port 5060 and remote phones register on 5090.
Local phones do register to 5060, but remote extensions using STUN also use 5060 to register. Clients and SBC use port 5090.
 
The registration process for what?

Registration process of the external extension to PBX. Like a softphone on Android, outside the LAN.

Local phones do register to 5060, but remote extensions using STUN also use 5060 to register. Clients and SBC use port 5090.

How to know which is which? I mean I accomplished what I asked (note below); I am just trying to learn further now. When, why and how should or would a remote extension use STUN, and how do my current settings affect it if something changes later?

I blocked all the traffic now; in and out on ports 5060/5061 allowing only incoming from and outgoing to the SIP trunk provider IP. Checking with port scanners, now my 5060/5061 ports do not respond to anyone (port scanners show them closed) but SIP trunks continue working. External extensions are also working.
 
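The firewall policy described in the post above (5060/5061 reachable only from the SIP trunk provider, 5090 left open for the 3CX tunnel) expressed as an nftables ruleset generator. This is an added example, not something from the thread or from 3CX; the trunk addresses passed in are constructed placeholders and must be replaced with your provider's real ranges.

```shell
#!/bin/sh
# Generate an nftables ruleset for a 3CX host: SIP signalling (5060/5061)
# is accepted only to/from the trunk provider addresses, every other peer
# on those ports is dropped, and the 3CX tunnel port 5090 stays reachable
# for apps and SBCs. Apply with: gen_sip_fw_rules <ips...> | nft -f -

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with /prefix
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the ruleset; each argument is one trunk IP or CIDR (constructed
# example values: 192.0.2.10 198.51.100.0/24)
gen_sip_fw_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_sip_fw_rules <trunk-ip>..." >&2; return 1; }
    set_members=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4: $ip" >&2; return 1; }
        set_members="${set_members:+$set_members, }$ip"
    done
    cat <<EOF
table inet sipfw {
    set trunk_ips {
        type ipv4_addr
        flags interval
        elements = { $set_members }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # SIP signalling: only the provider may reach 5060/5061
        ip saddr @trunk_ips meta l4proto { tcp, udp } th dport { 5060, 5061 } accept
        meta l4proto { tcp, udp } th dport { 5060, 5061 } drop
        # 3CX tunnel for apps and SBC stays reachable
        meta l4proto { tcp, udp } th dport 5090 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Outbound SIP only to the provider; blocks registrations to anyone else
        ip daddr @trunk_ips meta l4proto { tcp, udp } th dport { 5060, 5061 } accept
        meta l4proto { tcp, udp } th dport { 5060, 5061 } drop
    }
}
EOF
}
```

Remote IP phones registering via STUN would need their public IP added to the trunk_ips set, which is exactly the whitelisting burden the SBC avoids.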
@TurabG

I'm not debating what whitelisting and blacklisting mean. I'm simply stating that using the same terms to describe something on your firewall which also has a similar name/functionality in 3CX is confusing. And yes, you are correct, 3CX does not have a setting to only allow whitelisted IPs. You would have to use a combination of both blacklist and whitelist entries to achieve that.

And it's been said several times here in this post and it is listed in the firewall page, which I snipped the specific entry from for you. The 3CX tunnel protocol is 3CX specific, so only 3CX clients or the 3CX SBC will use that. Otherwise standard SIP endpoints not configured to use the SBC will use 5060.
 
Registration process of the external extension to PBX. Like a softphone on Android, outside the LAN.
If the clients are using the 3CX tunnel (they are configured to do so by default) then they will register through port 5090.

How to know which is which? I mean I accomplished what I asked (note below); I am just trying to learn further now. When, why and how should or would a remote extension use STUN, and how do my current settings affect it if something changes later?
If you have remote IP phones then you select the method used when setting up the extension. If the IP phones are set up to use STUN then you need port 5060 for registration. If you have set up an SBC on the remote site (an SBC requires additional equipment) then phones will also use the tunnel to connect. If you need to deploy remote extensions in the future I would recommend using an SBC so you can avoid additional configuration on your firewall. If you need to use STUN then you will need to add the public IP of your remote location to the whitelist.
 
Thank you @cobaltit, I had read and exercised those guides; there were some blurry points which @YiannisH_3CX is now answering, thanks to him.

If you have remote IP phones then you select the method used when setting up the extension. If the IP phones are set up to use STUN then you need port 5060 for registration. If you have set up an SBC on the remote site (an SBC requires additional equipment) then phones will also use the tunnel to connect. If you need to deploy remote extensions in the future I would recommend using an SBC so you can avoid additional configuration on your firewall. If you need to use STUN then you will need to add the public IP of your remote location to the whitelist.

I recently updated my IP settings in 3CX, because we have 2 internet connections for redundancy, which have static IPs of their own. So I had to configure the PBX to dynamic IP. When I enabled that, 3CX automatically set the STUN options (thus I opened port 3478 for that). But remote softphones work with the SBC without any problem while port 5060 is closed to the public. On the other hand, remote IP phones will have to have a local server now?
 
No, remote IP phones (STUN) will need access through the firewall. So you will need to whitelist their IPs if static, or whitelist their provider ranges if dynamic. The only way they would work with the local server address is if you have a site to site VPN, in which case you would provision them as Local LAN, not remote (STUN).
 
If they will be using port 5060 without STUN. But if I wanted to use an SBC so that I wouldn't have to whitelist any dynamic IP, then I will need to set up a server and install the SBC on that.
 
Raspberry Pi 3 works well for less than 20 extensions
 
Thank you both for your answers. This might be marked as solved.
 
Glad to see the issue has been resolved
 