• V20: 3CX Re-engineered. Get V20 for increased security, better call management, a new admin console and Windows softphone. Learn More.

3CX pfsense

Status
Not open for further replies.

Eagle IT

Bronze Partner
Joined
Jul 14, 2015
Messages
4
Reaction score
0
Hi all,

We are having some diffuclties getting our virtual multitenant 3CX install working.

I followed this guide:
http://www.3cx.com/docs/virtual-pbx-firewall-setup/
https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to

Our Setup:
A Pfsense 2.3-1 that has the PPOE session
Transit VLAN
a pfsense connected to the transit vlan

each pfsense that is connected has a virtual external static ip. With a 1:1 NAT mapping.

so I'll try to give an example:
1.1.1.1 --> 192.168.1.1 pfsense 1
192.168.1.2 --> 192.168.0.1 pfsense 2 (has 2.2.2.2 as Virtual IP - NAT mapping)
192.168.0.100 --> 3CX

3CX instance 9 (yeah somehow this is the first? :) )
Sip port: 13060
Sip Tunnel: 13090

Now the problem:
Every phonecall got disconnected after 32 seconds.

A second try:
I moved the 3CX into the transit VLAN.
1.1.1.1 --> 192.168.1.1 pfsense 1
192.168.1.100 --> 3CX (has 2.2.2.2 as Virtual IP - NAT mapping)

The problem with this is:
The phonecall keeps connected now, but I have no sound.
Logs keep telling me:

31-mei-2016 14:03:30.506 NAT/ALG check:L:5.1[Extn] REQUEST 'INVITE' - some of SIP/SDP headers may contain inconsistent information or modified by intermediate hop
SIP contact header is not equal to the SIP packet source(IP:port):
Contact address:192.168.1.2:37587
Received from :192.168.1.2:57977
'audio' media IP is not equal to the IP specified in contact header:
'audio' media IP is not equal to the SIP packet source(IP:port):

So obviously I am doing something wrong.
I just don't know what. I checked over and over for settings.

Need more info? Please ask!
 
Hello there,

Please make sure that you have SIP ALG disabled on your firewall and try again as this looks to be a firewall issue.
Give it a try and let us know

And yes multitenant installations start from instance 9 by default :)
 
pfsense does not have a button for disabling SIP ALG. (not that I know :) )

I did the outbound static port mapping.
But that is not a success.

I asked with pfsense, I will update this soon!
 
Hi,

There was nothing wrong with the setup, I tested it with my laptop (on the neighbors wifi). It works perfect!

So, what are the changes I need to do on our own firewall?
 
Make sure you have all needed ports open and forwarded as the guide suggests:

Common Ports to all Instances:

3CX Management Console (HTTP & HTTPS) & Presence - 80 & 443 TCP
Media Server Range - 54,000 – 65,000 UDP Only
Dedicated Ports

Each instance uses 3 ports dedicated to their deployment slot:

Instance 1 - Will dynamically use ports in the range 5000 to 5999. You need to forward:

Phone System SIP Port - 5060 TCP & UDP
Phone System Secure SIP Port - 5061 TCP
3CX Tunnel Service - 5090 TCP and UDP

Also make sure that you don't have another device in your network interfering with your configuration like a modem or another router as they could be the reason you are having trouble.
 
To add onto that, generally when a call drops after 32 seconds, it means that the 3CX Phone System server did not receive the ACK SIP message.
This could be caused by various things like port forwarding and/or SIP ALG as mentioned above, or even the information in the initial SIP message, e.g. the Contact Field in the SIP message has the wrong IP.

What I would recommend is getting a packet capture from the 3CX Server of a call that drops after 32 seconds, and if you look at the call flow it should pretty apparent where the issue is.
 
Status
Not open for further replies.
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.