3cx & Mikrotik Routers

Discussion in '3CX Phone System - General' started by neuvo, May 23, 2011.

Thread Status:
Not open for further replies.
  1. neuvo

    Joined:
    Apr 6, 2009
    Messages:
    3
    Likes Received:
    0
    Hi All,

    I am having some problems with accessing my 3cx server from behind a Mikrotik RB750g Router. 3cx is giving errors on no RTP packets received. Does anyone have any experience with these routers? If so, please contact me. Happy to pay $$

    For more info:

    http://forum.mikrotik.com/viewtopic.php?f=2&t=51918

    Cheers, Tom
     
  2. davidbenwell

    davidbenwell Active Member

    Joined:
    Apr 27, 2010
    Messages:
    704
    Likes Received:
    0
    Hi Tom

    We can sure look into this for you. We have Pay As You Go Support packages that will enable us to log in remotely and fully setup the router.
     
  3. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Can you post more details about your setup? Is the 3CX on your local network, how do you NAT your LAN, etc.? Are you experienced with Mikrotik configuration?

    I'm using Mikrotik in several of my implementations and I'm not experiencing any problems, so most probably you have not configured your firewall correctly.

    Generally you need to do the following:
    1. Accept in firewall filter rules remote requests to ports used by 3CX, where 'protected_host' list contains the address of the 3CX (both public and local).

    /ip firewall filter
    add action=accept chain=forward disabled=no dst-address-list=protected_host \
    dst-port=5060,5090,9000-9049 protocol=udp
    add action=accept chain=forward disabled=no dst-address-list=protected_host \
    dst-port=5090,5000,3389 protocol=tcp

    2. In NAT configuration you need some rules like the following (assuming '192.168.88.88' is the local address of the 3CX and 'ether1' is the internet interface):

    /ip firewall nat
    add action=dst-nat chain=dstnat disabled=no dst-port=9000-9049 in-interface=\
    ether1 protocol=udp to-addresses=192.168.88.88
    add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090 in-interface=\
    ether1 protocol=udp to-addresses=192.168.88.88
    add action=dst-nat chain=dstnat disabled=no dst-port=5090,5000,3389 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.88
    add action=masquerade chain=srcnat disabled=no src-address=192.168.88.0/24

    Note that port 5000 is used for configuration of 3CX and 3389 for Windows Remote Desktop -- you may decide not to make them available from outside.


    You may also try switching off the SIP ALG in the IP | Firewall | Service Ports | SIP menu of the Mikrotik. This can be useful if STUN is not resolved correctly (it is also recommended in the 3CX documentation; nevertheless, I think 3CX works fine with SIP ALG active, at least in my experience). STUN may not be compatible with symmetric NAT configurations in some cases.

    Also have a look at the related post (Remote attacks) - http://www.3cx.com/forums/remote-attacks-17957.html -- I've posted some comments there on using the Mikrotik as a firewall.

    Regards,
    Orlin.
     
    NOUBISSIE YVAN likes this.
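
Added example, not part of the original posts and not 3CX or MikroTik code: a small Python audit of a RouterOS NAT export that reports dst-nat rules forwarding the two ports post 3 suggests keeping private (5000 and 3389) without any source restriction. The sample export is constructed from the rules in post 3; the function names are hypothetical.

```python
import re

# Constructed sample: the NAT rules from post 3, as a RouterOS export.
SAMPLE_EXPORT = r"""/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=9000-9049 in-interface=\
ether1 protocol=udp to-addresses=192.168.88.88
add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090 in-interface=\
ether1 protocol=udp to-addresses=192.168.88.88
add action=dst-nat chain=dstnat disabled=no dst-port=5090,5000,3389 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.88
add action=masquerade chain=srcnat disabled=no src-address=192.168.88.0/24
"""

# Ports the post describes as management access rather than call traffic.
MGMT_PORTS = {5000: "3CX configuration", 3389: "Windows Remote Desktop"}

def parse_rules(export):
    """Join backslash-continued lines and return each 'add' rule as a dict."""
    joined = re.sub(r"\\\s*\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return rules

def expand_ports(spec):
    """Expand a dst-port value such as '5060,9000-9049' into a set of ints."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def exposed_mgmt_ports(export):
    """Return (port, protocol, label) for management ports forwarded from any source."""
    findings = []
    for rule in parse_rules(export):
        if rule.get("action") != "dst-nat" or rule.get("disabled") == "yes":
            continue
        if "src-address" in rule or "src-address-list" in rule:
            continue  # forward is already limited to specific sources
        hits = expand_ports(rule.get("dst-port", "")) & set(MGMT_PORTS)
        for port in sorted(hits):
            findings.append((port, rule.get("protocol"), MGMT_PORTS[port]))
    return findings

if __name__ == "__main__":
    for port, proto, label in exposed_mgmt_ports(SAMPLE_EXPORT):
        print(f"{proto}/{port} ({label}) is forwarded from any source address")
```

Removing those ports from the dst-nat rule, or adding a src-address-list match to it, clears the finding.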
  4. neuvo

    Joined:
    Apr 6, 2009
    Messages:
    3
    Likes Received:
    0
    Hi Orlin,

    Thank you very much for your response.

    I have made the changes from reading your post which I think I have right and am still getting the following error on the 3cx host:

    So you understand my setup, I have 3cx hosted offsite in a datacentre. It is also behind a Mikrotik and all of the necessary ports are forwarded in /ip firewall nat

    My home can connect to the 3cx host and make calls without any problems, no port forwarding is set up at home and SIP ALG is turned off - this router is a Netgear DGND3700

    At my office, the Mikrotik does stop the calls from working (so it appears). I have tried your /ip firewall filter options below and had no success.

    I am not overly experienced with MT configuration, I am sure there is an error somewhere in the config that is stopping the RTP traffic. Happy to allow access to the router and pay for some of your time if you can get it going.

    In summary, the host is fine, it is the offsite locations connecting to the internet out through the MTs that are giving me all of the problems.

    Regards,
    Tom
     
  5. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Hi Tom,

    It seems that for some reason the RTP traffic is blocked - could be the Mikrotik or another device.
    I suggest looking at your configuration - please see the private message I sent for details.

    Regards,
    Orlin.
     
  6. Eurylink

    Eurylink New Member

    Joined:
    May 25, 2008
    Messages:
    174
    Likes Received:
    3
    Hi, this is our firewall default configuration (on NAT we only have masquerade):
    / ip firewall filter
    add chain=input connection-state=established comment="Accept established connections"
    add chain=input connection-state=related comment="Accept related connections"
    add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
    add chain=input protocol=udp action=accept comment="UDP" disabled=no
    add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
    add chain=input protocol=icmp action=drop comment="Drop excess pings"
    add chain=input in-interface=ether2 src-address=192.168.0.0/24 comment="From our LAN" action=accept
    add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
    add chain=input action=drop comment="Drop everything else"

    Do we have to modify it to apply the rules you submitted? What is the exact rule application order?

    Tx in advance
     
  7. mixig

    mixig Active Member

    Joined:
    Dec 13, 2011
    Messages:
    519
    Likes Received:
    11
    There is port 40032 in your error message, do you use 3cx phone? It is using port range 40000-40049 UDP by default
     
  8. NOUBISSIE YVAN

    Joined:
    May 1, 2017
    Messages:
    1
    Likes Received:
    0

    need help
     
  9. GPBackups

    Joined:
    May 29, 2017
    Messages:
    1
    Likes Received:
    0
    @eagle2

    In this thread Post 3 the following

    • In NAT configuration you need some rules like the following (assuming '192.168.88.88' is the local address of the 3CX and 'ether1' is the internet interface):

    Is there any difference if the 3CX Server is in the "cloud" at the SIP provider's data center? Do I just change the address?
    So change 192.168.88.88 to the SIP Provider IP Address, with ether1 being the WAN Port?

    Or would there be different rules required?
     