• V20: 3CX Re-engineered. Get V20 for increased security, better call management, a new admin console and Windows softphone. Learn More.

Extension to connect both inside an outside the LAN

Status
Not open for further replies.

Colin911

Customer
Joined
Dec 9, 2018
Messages
64
Reaction score
3
Hello,

How do I get an extension to work inside and outside the LAN?

I have a VM running 3cx inside my LAN (all ports open correctly and firewall test runs fine).

If I install the 3cx client on my cell phone an scan the QR code, the extension works fine inside the LAN. But as soon as I disconnect from the LAN (and use my data connection) and try to connect I cannot. (The "connect using 3g option is on")

If I try to provision the softphone by scanning the QR code while not on the internal lan I get the following Provisioning error: "PBX could not be reached. Connection time out.

Thanks
 
Under the extension options make sure "Disallow use of extension outside the LAN (Remote extensions using Direct SIP or STUN will be blocked)" is unchecked.
 
Thanks. That is unchecked... but still not working.
 
Have you opened up the correct port(s) in your router?

How are you handling DNS once the endpoint is outside of your network?
 
In your initial post you have not actually mentioned what you are using (hard phone) and the method - it has been assumed you are using remote STUN but there are methods for remote extensions also.

Please advise what endpoint you are connecting to the system and the method you are using to connect.

If you are using STUN you need a fully supported phone https://www.3cx.com/sip-phones/, and you can use this guide for this: https://www.electronicfrontier.co.uk/provisioning-remote-phones-using-rps-direct-sipstun/

I agree it is likely to be a networking issue if this guide does not check out.
 
Have you opened up the correct port(s) in your router?

How are you handling DNS once the endpoint is outside of your network?

I'm assuming everything is correctly open if the Firewall Check is all green? see attached

Not sure what you mean about the DNS. Since it is the 3cx client (android app), I figured it would get DNS records just like every other app and connect through the FDQN I set up xxxx.3cx.agency . see attached
 

Attachments

  • Capture.JPG
    Capture.JPG
    64 KB · Views: 18
  • Capture.JPG
    Capture.JPG
    37.5 KB · Views: 18
In your initial post you have not actually mentioned what you are using (hard phone) and the method - it has been assumed you are using remote STUN but there are methods for remote extensions also.

Please advise what endpoint you are connecting to the system and the method you are using to connect.

If you are using STUN you need a fully supported phone https://www.3cx.com/sip-phones/, and you can use this guide for this: https://www.electronicfrontier.co.uk/provisioning-remote-phones-using-rps-direct-sipstun/

I agree it is likely to be a networking issue if this guide does not check out.

I'm using the android app downloaded from google play. I'll admit, I have not one anything specific to STUN, but I figured the auto provision would take care of that since this is all in supported applications.
 
Ok, I turned off the 3CX tunnel in the account settings of the app. It says "requires 3CX phone system for windows". Since I have neither a Windows machine install on the PBX or a windows base app for that extension, not sure why it would even enable that.
 
I'm assuming everything is correctly open if the Firewall Check is all green? see attached

Not sure what you mean about the DNS. Since it is the 3cx client (android app), I figured it would get DNS records just like every other app and connect through the FDQN I set up xxxx.3cx.agency . see attached

DNS needs to point to the correct server. If your server is internal then it will have an internal IP when accessed from inside your LAN and a different, external, IP when accessed from the internet and it will only be able to be accessed from the internet if the port forwarding has been done correctly.

Take a look at that extension - under "phone provisioning / options / Network interface for registration and provisioning" does it show your FQDN or an IP address?

edit: And are you able to access your web front end from outside of your LAN?
 
Last edited:
I'm using the android app downloaded from google play. I'll admit, I have not one anything specific to STUN, but I figured the auto provision would take care of that since this is all in supported applications.

OK so if it is just the Android App you need port 5090 for the tunnel open and 5001 if you want to provision.

This is most likely going to be network related, and I would definitely not un-tick the "use 3CX tunnel setting" as this adds encryption and camouflage via the tunnel.

What version of 3CX are you running on Windows or Linux and what platform if any ?
 
Hello @Colin911

While the mobile device is connected to 3G/4G try to access the management console of the PBX using the FQDN. Are you able to reach the management console and login?
 
whenever i try to access xxxx.3cx.agency I just get the management page of my router. So it is forwarding to the proper external IP, but I think both the management page of the router and 3cx are using the same port. I think 3cx can;t change the management port after setup right?
 
Under the extension options make sure "Disallow use of extension outside the LAN (Remote extensions using Direct SIP or STUN will be blocked)" is unchecked.
Shouldn't this remain checked and use the tunnel instead?

Screen Shot 2018-12-10 at 10.29.43 AM.png
 
whenever i try to access xxxx.3cx.agency I just get the management page of my router. So it is forwarding to the proper external IP, but I think both the management page of the router and 3cx are using the same port. I think 3cx can;t change the management port after setup right?

Only 1 Static IP Available?
Can you change the Management Port of the Router?
 
whenever i try to access xxxx.3cx.agency I just get the management page of my router. So it is forwarding to the proper external IP, but I think both the management page of the router and 3cx are using the same port. I think 3cx can;t change the management port after setup right?

If that's on your LAN then that is expected behaviour and demonstrates that the issue may lay with DNS resolution - you want DNS to resolve xxxx.3cx.agency to your internal IP on your LAN and your internet (preferably fixed) IP outside your LAN.

If that's outside your LAN then you can usually turn off remote management on your router to free up that port. It's probably a sensible move anyway unless you need remote management as it can be a security hole.

This is why I asked the question above about whether the provisioning for that extension has a FQDN or IP address...
 
So i'm assuming that during setup 3cx made my .3cx.agency DNS record point to my external IP. I have opened up ports 443, 5000, 5001, 5060, 5061, 5090 and 9000-10999 are there others I need to open?
 
Mere fact that I was being pointed to the router management page by going to xxxx.3cx.agency means the DNS record is correct and points to my external IP. Just have to figure out how to route it properly I guess... Turned off the management page on the router but not working. What port will it try to connect to?
 
when trying to connect to xxxx.3cx.agency the page just times out. If I put in xxxx.3cx.agency:5000, I get a 403 Forbidden Error, and when I do xxxx.3cx.agency:5001 I get a 400 bad request (plai9n HTTP request was sent to HTTPS port)
 
usually 443 or 80
i don't see you have 80 open - but you do have 443.
Are you for sure using 5000/5001 or 80/443 on 3cx?
 
Status
Not open for further replies.

Getting Started - Admin

Latest Posts

Forum statistics

Threads
141,405
Messages
747,492
Members
144,370
Latest member
Imperial Treasure
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.