Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

Firewall checker detects incorrect ext ip

Discussion in '3CX Phone System - General' started by aaronalfa, Sep 30, 2014.

Thread Status:
Not open for further replies.
  1. aaronalfa

    Sep 30, 2014
    Likes Received:
    I have a version 12 sp6.1 system I'm trying to setup and am having the following odd issues with the 3cx firewall checker:

    the firewall checker fails all test because it incorrectly detects my external IP address, and I can't understand why.

    -System has a public IP and hostname (pbx.company.com resolves to x.x.x.164)
    -Watchguard Firebox has appropriate rules for all ports and dynamic masquerading nat from x.x.x.164 to the PBX internal IP. When I go to 'what's my ip etc' it shows the correct ext x.x.x.164 IP address.
    -When I run the Firewall checker, it shows "resolved public IP x.x.x.166" The first part of the range is correct, but it should be 164 not 166.
    -Under settings/network/STUN server I have the pbx.company.com in the "static public IP field"

    I'm really stumped here. Any ideas what might be causing this incorrect resolution?
  2. leejor

    leejor Well-Known Member

    Jan 22, 2008
    Likes Received:
    Did you do a check to see who does have that IP? Could you company be making use of multiple IPs that are managed by the router?

    I would put your domain name in the Domain Name field and your static public IP in the Static Public IP field.
    You should be able to disable the use of STUN when using a static IP (in most cases).

    Do external extensions register correctly?
  3. way


    Feb 21, 2011
    Likes Received:
    I might be wrong when I say this, but I think a STUN server has to be used to check for 1-to-1 port mappings, meaning it will likely use your STUN server specified in the network settings even if a public IP address or domain name is used.

    Do you still get the wrong IP if you bind port 3478 to x.x.x.164?
  4. lneblett

    lneblett Well-Known Member

    Sep 7, 2010
    Likes Received:
    I do not think masquerading is needed. The settings within 3CX are setting up the STUN and SDP descriptors accordingly. As you have a fixed IP, I definitely agree with Leejor that the STUN setting in 3CX should not be needed. Set the firebox for 1 to 1 NAT and see. Also, if the SIP ALG is on, try with it off. Both functions - masquerading and ALG, have the ability to rewrite packets at the router.
Thread Status:
Not open for further replies.