3CX pfsense

Discussion in '3CX Phone System - General' started by eagle5, May 31, 2016.

Thread Status:
Not open for further replies.
  1. eagle5

    Joined:
    Jul 14, 2015
    Messages:
    3
    Likes Received:
    0
    Hi all,

    We are having some diffuclties getting our virtual multitenant 3CX install working.

    I followed this guide:
    http://www.3cx.com/docs/virtual-pbx-firewall-setup/
    https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to

    Our Setup:
    A Pfsense 2.3-1 that has the PPOE session
    Transit VLAN
    a pfsense connected to the transit vlan

    each pfsense that is connected has a virtual external static ip. With a 1:1 NAT mapping.

    so I'll try to give an example:
    1.1.1.1 --> 192.168.1.1 pfsense 1
    192.168.1.2 --> 192.168.0.1 pfsense 2 (has 2.2.2.2 as Virtual IP - NAT mapping)
    192.168.0.100 --> 3CX

    3CX instance 9 (yeah somehow this is the first? :) )
    Sip port: 13060
    Sip Tunnel: 13090

    Now the problem:
    Every phonecall got disconnected after 32 seconds.

    A second try:
    I moved the 3CX into the transit VLAN.
    1.1.1.1 --> 192.168.1.1 pfsense 1
    192.168.1.100 --> 3CX (has 2.2.2.2 as Virtual IP - NAT mapping)

    The problem with this is:
    The phonecall keeps connected now, but I have no sound.
    Logs keep telling me:

    31-mei-2016 14:03:30.506 NAT/ALG check:L:5.1[Extn] REQUEST 'INVITE' - some of SIP/SDP headers may contain inconsistent information or modified by intermediate hop
    SIP contact header is not equal to the SIP packet source(IP:port):
    Contact address:192.168.1.2:37587
    Received from :192.168.1.2:57977
    'audio' media IP is not equal to the IP specified in contact header:
    'audio' media IP is not equal to the SIP packet source(IP:port):

    So obviously I am doing something wrong.
    I just don't know what. I checked over and over for settings.

    Need more info? Please ask!
     
  2. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    5,436
    Likes Received:
    354
    Hello there,

    Please make sure that you have SIP ALG disabled on your firewall and try again as this looks to be a firewall issue.
    Give it a try and let us know

    And yes multitenant installations start from instance 9 by default :)
     
  3. eagle5

    Joined:
    Jul 14, 2015
    Messages:
    3
    Likes Received:
    0
    pfsense does not have a button for disabling SIP ALG. (not that I know :) )

    I did the outbound static port mapping.
    But that is not a success.

    I asked with pfsense, I will update this soon!
     
  4. eagle5

    Joined:
    Jul 14, 2015
    Messages:
    3
    Likes Received:
    0
    Hi,

    There was nothing wrong with the setup, I tested it with my laptop (on the neighbors wifi). It works perfect!

    So, what are the changes I need to do on our own firewall?
     
  5. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    5,436
    Likes Received:
    354
    Make sure you have all needed ports open and forwarded as the guide suggests:

    Common Ports to all Instances:

    3CX Management Console (HTTP & HTTPS) & Presence - 80 & 443 TCP
    Media Server Range - 54,000 – 65,000 UDP Only
    Dedicated Ports

    Each instance uses 3 ports dedicated to their deployment slot:

    Instance 1 - Will dynamically use ports in the range 5000 to 5999. You need to forward:

    Phone System SIP Port - 5060 TCP & UDP
    Phone System Secure SIP Port - 5061 TCP
    3CX Tunnel Service - 5090 TCP and UDP

    Also make sure that you don't have another device in your network interfering with your configuration like a modem or another router as they could be the reason you are having trouble.
     
  6. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,283
    Likes Received:
    68
    To add onto that, generally when a call drops after 32 seconds, it means that the 3CX Phone System server did not receive the ACK SIP message.
    This could be caused by various things like port forwarding and/or SIP ALG as mentioned above, or even the information in the initial SIP message, e.g. the Contact Field in the SIP message has the wrong IP.

    What I would recommend is getting a packet capture from the 3CX Server of a call that drops after 32 seconds, and if you look at the call flow it should pretty apparent where the issue is.
     
Thread Status:
Not open for further replies.