3CX Using Mikrotik Router Issue

Discussion in '3CX Phone System - General' started by buschconsulting, Mar 14, 2013.

Thread Status:
Not open for further replies.
  1. buschconsulting

    Joined: Feb 15, 2012 | Messages: 17 | Likes Received: 0
    Hi All,

    We have a 3CX System currently with SIP trunks and are planning to replace our current Linksys BEFSX41 router with a Mikrotik RB450 Router with RouterOS v6.0rc9.

    I have set up the router using Winbox v6.0rc9 and set the first port as our external connection and the 2nd port as the internal connection.

    Also set the firewall NAT rules, but no filter rules or Mangle rules. The NAT rules are below:

    /ip firewall nat
    add action=masquerade chain=srcnat comment="Allow Outgoing Traffic & NAT" \
    disabled=yes dst-address=0.0.0.0/0 src-address=10.1.1.0/24 !to-addresses \
    !to-ports
    add action=netmap chain=srcnat comment="TCP 5060 SIP Out" protocol=tcp \
    src-address=10.1.1.220 src-port=5060 to-addresses=protected_host \
    to-ports=5060
    add action=netmap chain=srcnat comment="UDP 5060 SIP Out" protocol=udp \
    src-address=10.1.1.220 src-port=5060 to-addresses=protected_host \
    to-ports=5060
    add action=netmap chain=srcnat comment="TCP 5090 Tunnel Out" protocol=tcp \
    src-address=10.1.1.220 src-port=5090 to-addresses=protected_host \
    to-ports=5090
    add action=netmap chain=srcnat comment="UDP 5090 Tunnel Out" protocol=udp \
    src-address=10.1.1.220 src-port=5090 to-addresses=protected_host \
    to-ports=5090
    add action=netmap chain=srcnat comment="UDP 9000-9100 RTP Out" protocol=udp \
    src-address=10.1.1.220 src-port=9000-9100 to-addresses=protected_host \
    to-ports=9000-9100
    add action=netmap chain=srcnat comment="UDP 10000-10009 Fax Out" protocol=udp \
    src-address=10.1.1.220 src-port=10000-10009 to-addresses=protected_host \
    to-ports=10000-10009
    add action=netmap chain=dstnat comment="TCP 5060 SIP In" dst-address=\
    protected_host dst-port=5060 protocol=tcp to-addresses=10.1.1.220 \
    to-ports=5060
    add action=netmap chain=dstnat comment="UDP 5060 SIP In" dst-address=\
    protected_host dst-port=5060 protocol=udp to-addresses=10.1.1.220 \
    to-ports=5060
    add action=netmap chain=dstnat comment="TCP 5090 SIP Tunnel In" dst-address=\
    protected_host dst-port=5090 protocol=tcp to-addresses=10.1.1.220 \
    to-ports=5090
    add action=netmap chain=dstnat comment="UDP 5090 SIP Tunnel In" dst-address=\
    protected_host dst-port=5090 protocol=udp to-addresses=10.1.1.220 \
    to-ports=5090
    add action=netmap chain=dstnat comment="UDP 9000-9100 RTP In" dst-address=\
    protected_host dst-port=9000-9100 protocol=udp to-addresses=10.1.1.220 \
    to-ports=9000-9100
    add action=netmap chain=dstnat comment="UDP 10000-10009 Fax In" dst-address=\
    protected_host dst-port=10000-10009 protocol=udp to-addresses=10.1.1.220 \
    to-ports=10000-10009
    add action=netmap chain=dstnat comment="TCP 3CX Management" disabled=yes \
    dst-address=protected_host dst-port=5000 protocol=tcp to-addresses=\
    10.1.1.220 to-ports=5000
    add action=masquerade chain=srcnat comment="Added by webbox" out-interface=\
    E2_internal to-addresses=0.0.0.0 !to-ports
    add chain=srcnat
    add action=dst-nat chain=dstnat comment="Allow all incoming to 3CX" disabled=\
    yes dst-address=0.0.0.0/0 to-addresses=10.1.1.220 !to-ports

    When I replace the Linksys with the Mikrotik, I can make calls internal/external and connect using our SIP Clients on our Android phones either through the normal connection or through the 3CX tunnel connection and they work fine.

    When I call from an external source to our internal, the call fails immediately upon attempting to connect to the 3CX server. I placed Wireshark on the Linksys router and the Mikrotik router to compare settings. I found that the Mikrotik fails with error "407 Proxy Authentication Required". I am not sure why this is being generated as the Linksys doesn't have this issue. I have attached the screenshots of the Wireshark. Any help is greatly appreciated, thanks in advance.

    Mikrotik Screenshot:


    Linksys Screenshot:


    Thanks,
    Libert
     


  2. eagle2

    eagle2 Well-Known Member

    Joined: Apr 27, 2011 | Messages: 1,085 | Likes Received: 11
    The configuration of the Mikrotik is entirely wrong, so it is no surprise that the 3CX system is not working properly.

    You must have the following simple NAT rules to make it work:
    Code:
    /ip firewall nat
    add action=masquerade chain=srcnat disabled=no src-address=10.1.1.0/24 \
        out-interface=ether1
    add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090 \
        in-interface=ether1 protocol=tcp to-addresses=10.1.1.220
    add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090,9000-9049 \
        in-interface=ether1 protocol=udp to-addresses=10.1.1.220
    
    where 10.1.1.220 is supposed to be the address of your 3CX server and 10.1.1.0/24 is your LAN.
    Delete all other rules.

    It is also recommended to disable the SIP service ports 5060 & 5061 in /ip firewall service-port.
    Also consider upgrading the firmware to the latest RC11 of Mikrotik; still, I would prefer using version 5.

    Regards
     
  3. buschconsulting

    Joined: Feb 15, 2012 | Messages: 17 | Likes Received: 0
    Hi Orlin,

    Thanks a lot! That did the trick. I first tested the SIP ALG, turning it off in the service ports, and it worked; I turned it back on and it failed. Can't believe it was just that simple checkbox I overlooked. I did incorporate your NAT config as well, as it simplified everything; I didn't know the ports can be separated by commas.

    Regards,
    Libert
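
An added example, not part of any post in this thread: a small Python audit of a RouterOS `/ip firewall nat` export that reports every dstnat rule forwarding more than the ports in eagle2's rules. The allowlist, the function names and the excerpted sample input are assumptions made for this illustration.

```python
import re
import shlex

# Assumption: allowlist taken from the ports eagle2's dst-nat rules forward.
ALLOWED = {"tcp": [(5060, 5060), (5090, 5090)],
           "udp": [(5060, 5060), (5090, 5090), (9000, 9049)]}

# Excerpt of the export in the first post (protected_host as shown there).
EXPORT = r'''/ip firewall nat
add action=netmap chain=dstnat comment="UDP 5060 SIP In" dst-address=\
    protected_host dst-port=5060 protocol=udp to-addresses=10.1.1.220 \
    to-ports=5060
add action=netmap chain=dstnat comment="UDP 9000-9100 RTP In" dst-address=\
    protected_host dst-port=9000-9100 protocol=udp to-addresses=10.1.1.220 \
    to-ports=9000-9100
add action=netmap chain=dstnat comment="TCP 3CX Management" disabled=yes \
    dst-address=protected_host dst-port=5000 protocol=tcp to-addresses=\
    10.1.1.220 to-ports=5000
add action=dst-nat chain=dstnat comment="Allow all incoming to 3CX" disabled=\
    yes dst-address=0.0.0.0/0 to-addresses=10.1.1.220 !to-ports
'''

def parse_rules(export):
    """Join backslash continuations, then turn each 'add' line into a dict."""
    lines = re.sub(r"\\\n\s*", "", export).splitlines()
    return [dict(t.split("=", 1) for t in shlex.split(ln)[1:] if "=" in t)
            for ln in lines if ln.startswith("add ")]

def ranges(spec):
    """'5060,9000-9049' -> [(5060, 5060), (9000, 9049)]; '' -> []"""
    parts = (p.partition("-") for p in spec.split(",") if p)
    return [(int(lo), int(hi or lo)) for lo, _, hi in parts]

def audit(export):
    """Return (comment, finding) pairs for dstnat rules wider than ALLOWED."""
    findings = []
    for r in parse_rules(export):
        if r.get("chain") != "dstnat":
            continue
        name, proto = r.get("comment", "(no comment)"), r.get("protocol", "any")
        state = "disabled" if r.get("disabled") == "yes" else "ENABLED"
        if "dst-port" not in r:
            findings.append((name, f"{state}: forwards every port"))
        for lo, hi in ranges(r.get("dst-port", "")):
            if not any(a <= lo and hi <= b for a, b in ALLOWED.get(proto, [])):
                findings.append((name, f"{state}: {proto} {lo}-{hi} not in allowlist"))
    return findings
```

Calling `audit(EXPORT)` reports disabled rules as well, so a forward-everything or management-port rule left in the export is visible before someone re-enables it.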
     
  4. rgrocerytech@gmail.com

    Joined: Jun 30, 2016 | Messages: 1 | Likes Received: 0
    Hello Eagle2, I am in need of someone to help us configure our Mikrotik Router correctly to be used with 3CX. We are currently experiencing dropped audio on both ends, internally and externally. SIP ALG is disabled. Willing to pay $$$
     
  5. datamerge

    datamerge New Member

    Joined: Nov 19, 2014 | Messages: 169 | Likes Received: 19
    Hi rgrocerytech.

    You should have no problems with a Mikrotik and 3CX. Mikrotik are perfect VOIP routers due to their flexibility and features. If you are losing internal calls, that doesn't sound like the Mikrotik, unless you are using it as the network switch and you have some funky settings going on. Internal calls should never touch the router. Is the 3CX in the LAN with the phones on the same subnet?

    When you say you have dropped audio, do you start with audio then it drops, or do you have calls with no audio from the get go?

    What timezone are you in (referenced to UTC)?
     