
3cx & Mikrotik Routers


neuvo
Hi All,

I am having some problems with accessing my 3cx server from behind a Mikrotik RB750g Router. 3cx is giving errors on no RTP packets received. Does anyone have any experience with these routers? If so, please contact me. Happy to pay $$

for more info:

http://forum.mikrotik.com/viewtopic.php?f=2&t=51918

Cheers, Tom
 
Hi Tom

We can sure look into this for you. We have Pay As You Go Support packages that will enable us to log in remotely and fully setup the router.
 
Can you post more details about your setup? Is the 3CX on your local network, how do you NAT your LAN, etc.? Are you experienced with Mikrotik configuration?

I'm using Mikrotik in several of my implementations and I'm not experiencing any problems, so most probably you have not configured your firewall correctly.

Generally you need to do the following:
1. Accept, in the firewall filter rules, remote requests to the ports used by 3CX, where the 'protected_host' address list contains the address of the 3CX (both public and local).

/ip firewall filter
add action=accept chain=forward disabled=no dst-address-list=protected_host \
dst-port=5060,5090,9000-9049 protocol=udp
add action=accept chain=forward disabled=no dst-address-list=protected_host \
dst-port=5090,5000,3389 protocol=tcp

2. In NAT configuration you need some rules like the following (assuming '192.168.88.88' is the local address of the 3CX and 'ether1' is the internet interface):

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=9000-9049 in-interface=\
ether1 protocol=udp to-addresses=192.168.88.88
add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090 in-interface=\
ether1 protocol=udp to-addresses=192.168.88.88
add action=dst-nat chain=dstnat disabled=no dst-port=5090,5000,3389 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.88
add action=masquerade chain=srcnat disabled=no src-address=192.168.88.0/24

Note that port 5000 is used for configuration of 3CX and 3389 for Windows Remote Desktop -- you may decide not to make them available from outside.


You may also try switching off the SIP ALG in the IP | Firewall | Service Ports | SIP menu of the Mikrotik. This can be useful if STUN is not resolved correctly (and it is also recommended in the 3CX documentation; nevertheless I think 3CX is working fine with SIP ALG active, at least from my experience). STUN may not be compatible with symmetric NAT configurations in some cases.

Have a look also at the related post (Remote attacks) - http://www.3cx.com/forums/remote-attacks-17957.html -- I've posted some comments there on using Mikrotik as a firewall.

Regards,
Orlin.
 
Hi Orlin,

Thank you very much for your response.

I have made the changes from reading your post which I think I have right and am still getting the following error on the 3cx host:

So you understand my setup, I have 3cx hosted offsite in a datacentre. It is also behind a Mikrotik and all of the necessary ports are forwarded in /ip firewall nat.

My home can connect to the 3cx host and make calls without any problems; no port forwarding is set up at home and SIP ALG is turned off - this router is a Netgear DGND3700.

At my office, the Mikrotik does stop the calls from working (so it appears). I have tried your /ip firewall filter options below and had no success.

I am not overly experienced with MT configuration; I am sure there is an error somewhere in the config that is stopping the RTP traffic. Happy to allow access to the router and pay for some of your time if you can get it going.

In summary, the host is fine; it is the offsite locations connecting to the internet out through the MTs that are giving me all of the problems.

Regards,
Tom
 
Hi Tom,

It seems that for some reason the RTP traffic is blocked - it could be the Mikrotik or another device.
I suggest looking at your configuration - please see the private message I sent for details.

Regards,
Orlin.
 
Hi, this is our firewall default configuration (on NAT we only have masquerade):
/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input in-interface=ether2 src-address=192.168.0.0/24 comment="From our LAN" action=accept
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

Do we have to modify it to apply the rules you submitted? What is the exact rule application order?

Tx in advance
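The rule-order question above, and Orlin's filter rules earlier in the thread, come down to two facts about RouterOS: a chain is walked top to bottom and the first accept/drop match decides, and 'input' rules only govern traffic addressed to the router itself, not traffic forwarded on to the PBX. The following is an added example (not code from 3CX, Mikrotik or anyone in the thread): a small Python model of that evaluation, fed with rules constructed from the thread's own syntax; it assumes the 'protected_host' list holds the 3CX address 192.168.88.88 and only implements the matchers those rules use.

```python
# Added example (not 3CX or Mikrotik code): a tiny model of how RouterOS walks
# '/ip firewall filter' rules top to bottom; the first accept/drop match decides.
import re
ADDRESS_LISTS = {"protected_host": {"192.168.88.88"}}  # assumption: the 3CX address

def parse_rules(text):
    """Parse 'add key=value ...' lines (with '\\' continuations) into dicts."""
    rules = []
    for line in text.replace("\\\n", " ").strip().splitlines():
        if line.startswith("add "):
            rule = {"action": "accept"}  # RouterOS default when no action is given
            for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:]):
                rule[key] = val.strip('"')
            rules.append(rule)
    return rules

def port_match(spec, port):
    """dst-port is a comma list of ports or ranges, e.g. 5060,9000-9049."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(rule, pkt):
    """Only the matchers the thread's rules use are modelled."""
    if rule.get("chain") != pkt["chain"] or rule.get("protocol", pkt["proto"]) != pkt["proto"]:
        return False
    if "dst-port" in rule and not port_match(rule["dst-port"], pkt["dport"]):
        return False
    lst = rule.get("dst-address-list")
    return lst is None or pkt["dst"] in ADDRESS_LISTS.get(lst, set())

def verdict(rules, pkt):
    """First matching accept/drop rule wins; no match means accept (RouterOS default)."""
    for rule in rules:
        if matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"]
    return "accept"

# Constructed from the thread: Orlin's forward accepts, a catch-all drop, and an input-chain accept like eagle2's.
ORLIN_FORWARD = """
add action=accept chain=forward dst-address-list=protected_host \\
dst-port=5060,5090,9000-9049 protocol=udp
add action=accept chain=forward dst-address-list=protected_host \\
dst-port=5090,5000,3389 protocol=tcp
"""
DROP_REST = 'add chain=forward action=drop comment="Drop everything else"\n'
INPUT_UDP = 'add chain=input protocol=udp action=accept comment="UDP"\n'
```

Feeding `DROP_REST + ORLIN_FORWARD` to `verdict` drops an RTP packet to port 9010 while `ORLIN_FORWARD + DROP_REST` accepts it, and `INPUT_UDP` alone never matches forwarded RTP at all, which is why a filter made only of input rules neither helps nor hurts the 3CX traffic passing through the router.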
 
There is port 40032 in your error message; do you use the 3cx phone? It uses the port range 40000-40049 UDP by default.
 
need help
 
@eagle2

In this thread, Post 3 says the following:

  • In NAT configuration you need some rules like the following (assuming '192.168.88.88' is the local address of the 3CX and 'ether1' is the internet interface):

Is there any difference if the 3CX Server is in the "cloud" at the SIP provider's data center? Do I just change the address,
so change 192.168.88.88 to the SIP provider IP address, with ether1 being the WAN port?

Or would different rules be required?
 