
3CX Using Mikrotik Router Issue

Status
Not open for further replies.

buschconsulting

Hi All,

We have a 3CX System currently with SIP trunks and are planning to replace our current Linksys BEFSX41 router with a Mikrotik RB450 Router with RouterOS v6.0rc9.

I have set up the router using Winbox v6.0rc9 and set the first port as our external connection and the 2nd port as the internal connection.

Also set the firewall NAT rules, but no filter rules or Mangle rules. The NAT rules are below:

/ip firewall nat
add action=masquerade chain=srcnat comment="Allow Outgoing Traffic & NAT" \
disabled=yes dst-address=0.0.0.0/0 src-address=10.1.1.0/24 !to-addresses \
!to-ports
add action=netmap chain=srcnat comment="TCP 5060 SIP Out" protocol=tcp \
src-address=10.1.1.220 src-port=5060 to-addresses=protected_host \
to-ports=5060
add action=netmap chain=srcnat comment="UDP 5060 SIP Out" protocol=udp \
src-address=10.1.1.220 src-port=5060 to-addresses=protected_host \
to-ports=5060
add action=netmap chain=srcnat comment="TCP 5090 Tunnel Out" protocol=tcp \
src-address=10.1.1.220 src-port=5090 to-addresses=protected_host \
to-ports=5090
add action=netmap chain=srcnat comment="UDP 5090 Tunnel Out" protocol=udp \
src-address=10.1.1.220 src-port=5090 to-addresses=protected_host \
to-ports=5090
add action=netmap chain=srcnat comment="UDP 9000-9100 RTP Out" protocol=udp \
src-address=10.1.1.220 src-port=9000-9100 to-addresses=protected_host \
to-ports=9000-9100
add action=netmap chain=srcnat comment="UDP 10000-10009 Fax Out" protocol=udp \
src-address=10.1.1.220 src-port=10000-10009 to-addresses=protected_host \
to-ports=10000-10009
add action=netmap chain=dstnat comment="TCP 5060 SIP In" dst-address=\
protected_host dst-port=5060 protocol=tcp to-addresses=10.1.1.220 \
to-ports=5060
add action=netmap chain=dstnat comment="UDP 5060 SIP In" dst-address=\
protected_host dst-port=5060 protocol=udp to-addresses=10.1.1.220 \
to-ports=5060
add action=netmap chain=dstnat comment="TCP 5090 SIP Tunnel In" dst-address=\
protected_host dst-port=5090 protocol=tcp to-addresses=10.1.1.220 \
to-ports=5090
add action=netmap chain=dstnat comment="UDP 5090 SIP Tunnel In" dst-address=\
protected_host dst-port=5090 protocol=udp to-addresses=10.1.1.220 \
to-ports=5090
add action=netmap chain=dstnat comment="UDP 9000-9100 RTP In" dst-address=\
protected_host dst-port=9000-9100 protocol=udp to-addresses=10.1.1.220 \
to-ports=9000-9100
add action=netmap chain=dstnat comment="UDP 10000-10009 Fax In" dst-address=\
protected_host dst-port=10000-10009 protocol=udp to-addresses=10.1.1.220 \
to-ports=10000-10009
add action=netmap chain=dstnat comment="TCP 3CX Management" disabled=yes \
dst-address=protected_host dst-port=5000 protocol=tcp to-addresses=\
10.1.1.220 to-ports=5000
add action=masquerade chain=srcnat comment="Added by webbox" out-interface=\
E2_internal to-addresses=0.0.0.0 !to-ports
add chain=srcnat
add action=dst-nat chain=dstnat comment="Allow all incoming to 3CX" disabled=\
yes dst-address=0.0.0.0/0 to-addresses=10.1.1.220 !to-ports

When I replace the Linksys with the Mikrotik, I can make calls internal/external and connect using our SIP clients on our Android phones, either through the normal connection or through the 3CX tunnel connection, and they work fine.

When I call from an external source to our internal, the call fails immediately upon attempting to connect to the 3CX server. I placed Wireshark on the Linksys router and the Mikrotik router to compare settings. I found that the Mikrotik fails with the error "407 Proxy Authentication Required". I am not sure why this is being generated, as the Linksys doesn't have this issue. I have attached the screenshots of the Wireshark captures. Any help is greatly appreciated, thanks in advance.

Mikrotik Screenshot:


Linksys Screenshot:


Thanks,
Libert
 

Attachments

  • mikrotik-protected.jpg
  • linksys-protected.jpg

The configuration of the Mikrotik is entirely wrong, so it is no surprise that the 3CX system is not working properly.

You must have the following simple NAT rules to make it work:
Code:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.1.1.0/24 \
    out-interface=ether1
add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.1.220
add action=dst-nat chain=dstnat disabled=no dst-port=5060,5090,9000-9049 \
    in-interface=ether1 protocol=udp to-addresses=10.1.1.220
where 10.1.1.220 is supposed to be the address of your 3CX server and 10.1.1.0/24 is your LAN.
Delete all other rules.

It is also recommended to disable the SIP service ports 5060 & 5061 in /ip firewall service-port.
Also consider upgrading the firmware to the latest RC11 of Mikrotik; still, I would prefer using version 5.

Regards
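
An added example, not part of the original post and not 3CX or MikroTik code: a Python check over a RouterOS export that reports whether the SIP helper discussed in this thread is still enabled, and flags the broad rules seen in the first post's NAT list. The function names, the `mgmt_ports` default (port 5000, taken from the "TCP 3CX Management" rule) and the sample text are assumptions constructed for illustration.

```python
import shlex

# Constructed sample: three rules from the first post, plus the service-port
# line an export is assumed to show once the SIP helper has been turned off.
SAMPLE = r'''/ip firewall nat
add action=netmap chain=dstnat comment="TCP 3CX Management" disabled=yes \
    dst-address=protected_host dst-port=5000 protocol=tcp to-addresses=\
    10.1.1.220 to-ports=5000
add chain=srcnat
add action=dst-nat chain=dstnat comment="Allow all incoming to 3CX" disabled=\
    yes dst-address=0.0.0.0/0 to-addresses=10.1.1.220 !to-ports
/ip firewall service-port
set sip disabled=yes
'''

def parse_export(text):
    """Yield (menu, verb, tokens, params) per command, joining '\\' continuations."""
    menu, buf = None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]  # drop the backslash; next line is glued on unindented
            continue
        buf = ""
        if line.startswith("/"):
            menu = line
        elif line:
            verb, *tokens = shlex.split(line)
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            yield menu, verb, tokens, params

def audit(text, mgmt_ports=("5000",)):
    """Return (state, rule label, finding); mgmt_ports is an assumed default."""
    findings, sip_helper_off = [], False
    for menu, verb, tokens, p in parse_export(text):
        if menu == "/ip firewall service-port" and verb == "set" and "sip" in tokens:
            sip_helper_off = p.get("disabled") == "yes"
        if menu != "/ip firewall nat" or verb != "add":
            continue
        label = p.get("comment", " ".join(tokens))
        state = "disabled" if p.get("disabled") == "yes" else "active"
        if "action" not in p:
            findings.append((state, label, "no explicit action"))
        if p.get("chain") == "dstnat" and "dst-port" not in p:
            findings.append((state, label, "forwards every port"))
        elif p.get("chain") == "dstnat" and set(p["dst-port"].split(",")) & set(mgmt_ports):
            findings.append((state, label, "management port forwarded"))  # exact ports only
    if not sip_helper_off:
        findings.append(("active", "service-port sip", "SIP helper (ALG) is on"))
    return findings
```

An export with no `set sip disabled=yes` line under `/ip firewall service-port`, such as the rule list in the first post, is reported with the SIP helper finding.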
 
Hi Orlin,

Thanks a lot! That did the trick. I first tested the SIP ALG by turning it off in the service ports, and it worked; I turned it back on and it failed. Can't believe it was just that simple checkbox I overlooked. I did incorporate your NAT config as well, since it simplified everything; I didn't know the ports could be separated by commas.

Regards,
Libert
 
Hello Eagle2, I am in need of someone to help us configure our Mikrotik router correctly to be used with 3CX. We are currently experiencing dropped audio on both ends, internally and externally. SIP ALG is disabled. Willing to pay $$$
 
Hi rgrocerytech.

You should have no problems with a Mikrotik and 3CX. Mikrotik are perfect VOIP routers due to their flexibility and features. If you are losing internal calls, that doesn't sound like the Mikrotik, unless you are using it as the network switch and you have some funky settings going on. Internal calls should never touch the router. Is the 3CX in the LAN with the phones on the same subnet?

When you say you have dropped audio, do you start with audio then it drops, or do you have calls with no audio from the get go?

What timezone are you in (referenced to UTC)?
 