D-Link DFL-300 Firewall

Discussion in '3CX Phone System - General' started by hollyb, Jul 30, 2011.

Thread Status:
Not open for further replies.
  1. hollyb

    Joined:
    Jul 30, 2011
    Messages:
    6
    Likes Received:
    0
    Hi,

    I am wondering if anyone has successfully gotten a D-LINK DFL-300 Firewall to work with 3CX.

    We have 3CX version 10 with a Sangoma A200 gateway.

    Everything internally works fine. We are having trouble with External extensions. There is no sound. These phones are Grandstream GXP1450 phones that we provisioned in the office and then took off site. We changed the private IPs to the Public IPs. This to me is a problem with the ports on our firewall but I have checked and double checked as well as had another engineer look and do not see a problem.

    The external phone dials, rings 2 times and appears to go to voice mail for the extension it called. We also have the same problem with our external Bria softphone users.

    Here is the server log.

    13:05:17.562 Currently active calls - 1: [6]
    13:05:10.359 [CM503007]: Call(6): Device joined: sip:999@127.0.0.1:40600;rinstance=62c55bcabdc42122
    13:05:10.359 [CM503007]: Call(6): Device joined: sip:707@192.168.X.XXX:5060;user=phone
    13:05:10.359 [MS210005] C:6.1:Answer provided. Connection(proxy mode):192.168.XX.XX:7024(7025)
    13:05:10.359 [MS210001] C:6.3:Answer received. RTP connection[unsecure]: 127.0.0.1:40618(40619)
    13:05:10.359 Remote SDP is set for legC:6.3
    13:05:10.343 [CM505001]: Ext.999: Device info: Device Identified: [Man: 3CX Ltd.;Mod: Voice Mail Menu;Rev: General] Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [3CX Voice Mail Menu] PBX contact: [sip:999@127.0.0.1:5060]
    13:05:10.343 [CM503002]: Call(6): Alerting sip:999@127.0.0.1:40600;rinstance=62c55bcabdc42122
    13:05:10.234 [CM503003]: Call(6): Call to sip:408@192.168.XX.XX has failed; Cause: 487 Request Cancelled; from IP:192.168.XX.XXX:5060
    13:05:10.234 [CM503025]: Call(6): Calling Ext:Ext.999@[Dev:sip:999@127.0.0.1:40600;rinstance=62c55bcabdc42122]
    13:05:10.234 [MS210004] C:6.3:Offer provided. Connection(proxy mode): 127.0.0.1:7028(7029)
    13:05:10.171 [CM503005]: Call(6): Forwarding: Ext:Ext.999@[Dev:sip:999@127.0.0.1:40600;rinstance=62c55bcabdc42122]
    13:05:00.265 [CM505001]: Ext.408: Device info: Device Identified: [Man: Polycom;Mod: SoundPoint IP Series;Rev: General] Capabilities:[reinvite, replaces, unable-no-sdp, no-recvonly] UserAgent: [PolycomSoundPointIP-SPIP_331-UA/3.3.1.0933] PBX contact: [sip:408@192.168.XX.XX:5060]
    13:05:00.265 [CM503002]: Call(6): Alerting sip:408@192.168.XX.XXX:5060
    13:05:00.156 [CM503025]: Call(6): Calling Ext:Ext.408@[Dev:sip:408@192.168.XX.XXX:5060]
    13:05:00.156 [MS210006] C:6.2:Offer provided. Connection(by pass mode): 192.168.X.XXX:9004(9005)
    13:05:00.109 [CM503004]: Call(6): Route 1: Ext:Ext.408@[Dev:sip:408@192.168.XX.XXX:5060]
    13:05:00.109 [MS210000] C:6.1:Offer received. RTP connection: 192.168.X.XXX:9004(9005)
    13:05:00.109 [CM503010]: Making route(s) to <sip:408@75.145.XXX.XX;user=phone>
    13:05:00.109 Remote SDP is set for legC:6.1
    13:05:00.109 [CM505001]: Ext.707: Device info: Device Identified: [Man: Grandstream;Mod: GXP Series;Rev: General] Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [Grandstream GXP1450 1.0.1.66] PBX contact: [sip:707@192.168.XX.XX:5060]
    13:05:00.109 [CM503001]: Call(6): Incoming call from Ext.707 to <sip:408@75.145.XXX.XX;user=phone>
    13:05:00.093 [CM500002]: Info on incoming INVITE:
    INVITE sip:408@75.145.XXX.XX;user=phone SIP/2.0
    Via: SIP/2.0/UDP 192.168.X.XXX:5060;branch=z9hG4bK760801006;rport=5060;received=67.186.XXX.XXX
    Max-Forwards: 70
    Contact: "IXXX SXXX"<sip:707@192.168.X.XXX:5060;user=phone>
    To: <sip:408@75.145.XXX.XX;user=phone>
    From: "Imran Siddiqui"<sip:707@75.145.XXX.XX;user=phone>;tag=1011917716
    Call-ID: 1377627333-5060-27@BJC.BGI.B.BBE
    CSeq: 21 INVITE
    Accept: application/sdp, application/dtmf-relay
    Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
    Proxy-Authorization: Digest username="707",realm="3CXPhoneSystem",nonce="414d535c0444d8cb01:f2457f77057aa5a7ed9b08b60e0abde6",uri="sip:408@75.145.XXX.XX;user=phone",response="eae043b96dc410d4cb16adf053edf459",algorithm=MD5
    Supported: replaces, path, timer
    User-Agent: Grandstream GXP1450 1.0.1.66
    Privacy: none
    P-Preferred-Identity: "IXXX SXXX" <sip:707@75.145.XXX.XX;user=phone>
    Content-Length: 0
     
  2. mylove4life

    mylove4life New Member

    Joined:
    Jan 7, 2010
    Messages:
    165
    Likes Received:
    0
    Post the config of your firewall if you can...
     
  3. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Have you run the firewall checker?
    You need to NAT public address of the router to the internal address of 3CX server for ports 5060 (UDP), 5090 (TCP & UDP) and 9000 - 9049 (UDP only).

    Regards
     
  4. hollyb

    Joined:
    Jul 30, 2011
    Messages:
    6
    Likes Received:
    0
    Thanks for your help. Here is my current incoming services settings. These ports are forwarded to my phone system. The firewall checker comes up with no errors and everything passes.
     

    Attached Files:

  5. hollyb

    Joined:
    Jul 30, 2011
    Messages:
    6
    Likes Received:
    0
    Today we were able to get the external extension to work if we use the 3CX SIP Proxy. However, since these people are telecommuters all they have onsite is their notebooks. Therefore, the phone will only work if their notebook is on.
     
  6. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Hi,

    I don't have experience with these routers, but why don't you try forwarding ports in 1:1 mode, i.e.

    internal 5060:5060 <=> public 5060:5060
    internal 5090:5090 <=> public 5090:5090
    internal 9000:9049 <=> public 9000:9049

    UDP or TCP correspondingly.

    Regards
     
  7. hollyb

    Joined:
    Jul 30, 2011
    Messages:
    6
    Likes Received:
    0
    I am not sure what you mean by the 1:1. We don't block any outgoing ports.
     
  8. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
    I think what eagle2 meant is, why is your Client Port not equal to the Server Port? Make your Client and Server ports equal to each other.
    e.g. Row #1 - Protocol UDP - Client Port 5060:5060 - Server Port 5060:5060 and so on.
     
  9. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Exactly what I meant,

    I'm afraid Hollyb is losing packets in NAT the way it is configured. A Wireshark capture could prove it.

    This should be a type of 'destination' NAT public address to private one without port translation.
    'Source' NAT is not defined in that table and should implement also port mapping / translation (it should be OK).

    Regards
     
  10. hollyb

    Joined:
    Jul 30, 2011
    Messages:
    6
    Likes Received:
    0
    The table that I provided is a list of all the ports that we configured for use with 3CX.

    We also have an inbound policy that points the public IP to the private IP of the 3CX server using the ports in that grid.

    I tried changing the client ports to match but that does not help either.
     
  11. hollyb

    Joined:
    Jul 30, 2011
    Messages:
    6
    Likes Received:
    0
    Here is a capture of wireshark during the time a call was made by an external extension to an internal extension.

    I have also included the Server Activity log from that time frame as well.

    19:08:17.671 Currently active calls [none]
    19:07:47.593 Currently active calls [none]
    19:07:40.796 [MS105000] C:5.1: No RTP packets were received:remoteAddr=192.168.1.111:9004,extAddr=0.0.0.0:0,localAddr=192.168.48.70:7022
    19:07:18.562 [CM503008]: Call(5): Call is terminated
    19:07:18.546 [CM503021]: Call(5): ACK is not received
    19:07:17.562 Currently active calls - 1: [5]
    19:06:58.906 [CM506001]: STUN request to resolve SIP external IP:port mapping is sent to STUN server 96.9.132.83:3478 over Transport 192.168.48.70:5060
    19:06:47.546 Currently active calls - 1: [5]
    19:06:46.500 [CM503007]: Call(5): Device joined: sip:999@127.0.0.1:40600;rinstance=aece7bff687e2640
    19:06:46.500 [CM503007]: Call(5): Device joined: sip:703@192.168.1.111:5060;user=phone
    19:06:46.500 [MS210005] C:5.1:Answer provided. Connection(proxy mode):192.168.48.70:7022(7023)
    19:06:46.500 [MS210001] C:5.3:Answer received. RTP connection[unsecure]: 127.0.0.1:40618(40619)
    19:06:46.468 Remote SDP is set for legC:5.3
    19:06:46.468 [CM505001]: Ext.999: Device info: Device Identified: [Man: 3CX Ltd.;Mod: Voice Mail Menu;Rev: General] Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [3CX Voice Mail Menu] PBX contact: [sip:999@127.0.0.1:5060]
    19:06:46.468 [CM503002]: Call(5): Alerting sip:999@127.0.0.1:40600;rinstance=aece7bff687e2640
    19:06:46.375 [CM503003]: Call(5): Call to sip:408@192.168.48.70 has failed; Cause: 487 Request Cancelled; from IP:192.168.48.233:5060
    19:06:46.328 [CM503025]: Call(5): Calling Ext:Ext.999@[Dev:sip:999@127.0.0.1:40600;rinstance=aece7bff687e2640]
    19:06:46.328 [MS210004] C:5.3:Offer provided. Connection(proxy mode): 127.0.0.1:7026(7027)
    19:06:46.281 [CM503005]: Call(5): Forwarding: Ext:Ext.999@[Dev:sip:999@127.0.0.1:40600;rinstance=aece7bff687e2640]
    19:06:36.375 [CM505001]: Ext.408: Device info: Device Identified: [Man: Polycom;Mod: SoundPoint IP Series;Rev: General] Capabilities:[reinvite, replaces, unable-no-sdp, no-recvonly] UserAgent: [PolycomSoundPointIP-SPIP_331-UA/3.3.1.0933] PBX contact: [sip:408@192.168.48.70:5060]
    19:06:36.359 [CM503002]: Call(5): Alerting sip:408@192.168.48.233:5060
    19:06:36.265 [CM503025]: Call(5): Calling Ext:Ext.408@[Dev:sip:408@192.168.48.233:5060]
    19:06:36.265 [MS210006] C:5.2:Offer provided. Connection(by pass mode): 192.168.1.111:9004(9005)
    19:06:36.218 [MS210000] C:5.1:Offer received. RTP connection: 192.168.1.111:9004(9005)
    19:06:36.218 [CM503004]: Call(5): Route 1: Ext:Ext.408@[Dev:sip:408@192.168.48.233:5060]
    19:06:36.218 [CM503010]: Making route(s) to <sip:408@75.145.173.12;user=phone>
    19:06:36.218 Remote SDP is set for legC:5.1
    19:06:36.218 [CM505001]: Ext.703: Device info: Device Identified: [Man: Grandstream;Mod: GXP Series;Rev: General] Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [Grandstream GXP1450 1.0.1.66] PBX contact: [sip:703@192.168.48.70:5060]
    19:06:36.218 [CM503001]: Call(5): Incoming call from Ext.703 to <sip:408@75.145.173.12;user=phone>
    19:06:36.203 [CM500002]: Info on incoming INVITE:
    INVITE sip:408@75.145.173.12;user=phone SIP/2.0
    Via: SIP/2.0/UDP 192.168.1.111:5060;branch=z9hG4bK917037307;rport=5060;received=67.186.100.108
    Max-Forwards: 70
    Contact: "Joe Cernik"<sip:703@192.168.1.111:5060;user=phone>
    To: <sip:408@75.145.173.12;user=phone>
    From: "Joe Cernik"<sip:703@75.145.173.12;user=phone>;tag=1480280065
    Call-ID: 959306411-5060-198@BJC.BGI.B.BBB
    CSeq: 31 INVITE
    Accept: application/sdp, application/dtmf-relay
    Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
    Proxy-Authorization: Digest username="703",realm="3CXPhoneSystem",nonce="414d535c04467f0c04:a83e96bcf99d1facd13ba0b5ea6c7118",uri="sip:408@75.145.173.12;user=phone",response="b9696685179bf471e7685a8db31dd205",algorithm=MD5
    Supported: replaces, path, timer
    User-Agent: Grandstream GXP1450 1.0.1.66
    Privacy: none
    P-Preferred-Identity: "Joe XXXXX" <sip:703@75.145.173.12;user=phone>
    Content-Length: 0

    19:06:15.546 Currently active calls [none]
    19:05:45.531 Currently active calls [none]
    19:05:13.531 Currently active calls [none]
     
  12. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    There is an issue also with external address of extension -- in the last post there is an address 0.0.0.0 which should not appear. This usually means the public address of remote extension is not resolved properly. Check in 'Phones' what is the registered address of remote extension - it should be a public one.

    Also changing NAT configuration (ports, etc.) may require rebooting the router, i.e. killing current connections.
    Try running Wireshark and capturing the traffic. Also if this router supports SIP ALG (or SIP NAT) try disabling it.
    Have you run the firewall checker on the 3CX server?
    Try also forcing 'PBX delivers audio' for remote extensions.

    Regards
     
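The two symptoms discussed in the posts above (a private Contact address on an INVITE that arrived from a public address, and `extAddr=0.0.0.0` on the "No RTP packets were received" line) can be checked mechanically over a server log. This is an added example, not part of the thread and not 3CX tooling; the function names and finding labels are hypothetical, and the sample log is constructed in the format of the logs above, with documentation-range addresses standing in for the public ones.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(host):
    """True for a literal RFC 1918 address; False for public or masked values."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # hostname, or a masked value such as 192.168.X.XXX
        return False
    return any(ip in net for net in RFC1918)

VIA = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+).*?;received=([^;\s]+)")
CONTACT = re.compile(r"^Contact:.*?<sips?:(?:[^@>]+@)?([^:;>]+)")
NO_RTP = re.compile(r"\[MS105000\].*?remoteAddr=([^:,]+):\d+,extAddr=([^:,]+):\d+")

# Constructed sample (newest line first, as in the 3CX activity log).
SAMPLE_LOG = """\
19:07:40.796 [MS105000] C:5.1: No RTP packets were received:remoteAddr=192.168.1.111:9004,extAddr=0.0.0.0:0,localAddr=192.168.48.70:7022
19:06:36.203 [CM500002]: Info on incoming INVITE:
INVITE sip:408@203.0.113.12;user=phone SIP/2.0
Via: SIP/2.0/UDP 192.168.1.111:5060;branch=z9hG4bK1;rport=5060;received=198.51.100.108
Contact: "Remote User"<sip:703@192.168.1.111:5060;user=phone>
"""

def nat_findings(log_text):
    """Return (kind, detail) tuples for NAT symptoms found in a server log."""
    findings, received = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("INVITE "):
            received = None  # new request: forget the previous Via
        elif m := VIA.match(line):
            received = m.group(2)  # source address the PBX actually saw
        elif (m := CONTACT.match(line)) and received:
            host = m.group(1)
            if is_rfc1918(host) and not is_rfc1918(received):
                findings.append(("private-contact", f"{host} seen from {received}"))
        elif m := NO_RTP.search(line):
            remote, ext = m.groups()
            if ext == "0.0.0.0" and is_rfc1918(remote):
                findings.append(("rtp-to-private", f"no RTP, sent to {remote}"))
    return findings

if __name__ == "__main__":
    print(nat_findings(SAMPLE_LOG))
```

Masked addresses such as `192.168.X.XXX` do not parse as IP literals, so the first log in this thread produces no findings; the check needs the unmasked values.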
  13. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Following procedure should fix this issue.
    Management console.
    page: Settings->Advanced
    Tab: Custom Parameters
    search for the parameter named ALLOWSOURCEASOUTBOUND.
    Check point: you should see that this parameter value is 0
    Change value to 1
    Press Apply.
    Ask remote user to reboot phone.

    If the problem still persists, please provide a new log.
     