• V20: 3CX Re-engineered. Get V20 for increased security, better call management, a new admin console and Windows softphone. Learn More.

Firewall configuration help

Status
Not open for further replies.

JClark28

Joined
Feb 25, 2008
Messages
10
Reaction score
0
Okay, I have been working on getting 3cx working for the past week and am still having one major issue. I am not able to get remote softphones to connect and I am receiving an error on the firewall test that seems odd. I'll start by giving you the basic configs.

3cx phone system installed on PC behind Belkin router with static ip
Static WAN ip is 76.252.xx.xxx
3cx phone system ip = 192.168.2.2
All ports needed are forwarded to 192.168.2.2 including tunnel 5090
I have also tried the firewall test with the PC set as DMZ on the router

Here is the main error I keep getting on the router test.

Error 13: This Machine is on a public IP - agentAddr = 87.230.29.xxx:4200
This is really throwing me off because I have no clue where this ip is coming from or what it is.
I get this firewall error everytime regardless, yet when first installed I thought I had gotten a "Router Test PASSES" but I may be wrong.

I have been able to get the softphones to connect once or twice, not sure what settings I was using, but the phones would register. Although the phones would register, they could not make or recieve calls from the other extensions, and thier status would never change on the "Line Status" page.

I am completely stuck at this point. I have also tried the tunneling option, and think I had the settings correct but still had no luck. I may be a little confused on what exactly the ip address of the "Proxy Server" is supposed to be. Is this just supposed to the local machine running the PBX System. PLEASE HELP. I'm losin it.

I am more then happy to provide server logs, or even give an address for anyone who wishes to log into the web based admin, or my router, heck, I'll give you a VNC address and let you remote right in if it will help. Anything you need. Thanks alot.
P.S. On a positive note, I am switching from Axon to 3cx because of how much nicer the web admin and setup is, as well as its the first one to work correctly with some dtmf issues we were having. If I can get it working I think Im going to love it.
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

UPDATE,
I dont know if this helps or not, but I just notice something while looking over the log. I have a remote user trying to connect and he is attempting to use the tunnel and the stun option. The tunnel option does nothing for us. On the stun option, I show him as a registered extension, but it says that he is an unknown contact and it reports his ip back as the local ip of the pc he is on at the remote location. If I understand correctly, this would mean the Stun option is not working so he is reporting back his local ip, which mean the phone server doesn't know the correct ip to route his calls back and forth to. Curious why he isn't able to call out to one of the extensions since it shows he is attempting the call on the server log. I am just guessing there may be some type of verification the phone server does when a call is initiated to ensure traffic from both ends. Hope this gives a little insight into the problem. Thanks Again
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Okay, a little more information,
Just to make sure everything is correct here are the exact ip's and settings that I can confirm and maybe someone can tell me exactly what to put in what fields for the tunneling option

Static WAN IP: 76.252.36.155
Phone System Lan IP: 192.168.2.2
(Im not sure if this is relavent or not) But the "localhost" ip of the machine running the phone system is = 127.0.0.1
Local host or Lan ip of machine running 3cx works for accessing services such as web interface for 3cx
Firewall is temporarily turned off on 3cx machine, as well as was DMZ'd at one point
Remote Machine LAN ip = 192.168.0.9
Using a Belkin Router
Internet Service is provided by a DSL PPOE provider

Is there a way to verify the port number the 3cx tunnel is using?

Remote phones will not even show as registered or show any indication of trying as far as the server log shows when trying to use the tunnel option. ?????

Any suggestions??
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

What softphones are you using?

The outbound proxy server address should the the WAN IP of your server
Thanks
Stephen
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Portnumber for tunnel is 5090. Read the manual there you find all about it.
Some questions, do I see 2 different WAN Ip's ? The one you gave where the error came and the one you speak about which starts with 72. That really looks strange.
The 127.0.0.1 is always the local IP number so that's normal.
Put in the softphone (when it is internal) the local IP adress of your 3CX system, and add the extension number and password. It must run then. When the phone is external, put the WAN which your Belkin router gives you, in the softphone with the right extension and password and it will also run when all ports are rightly forwarded and firewall rules are made.
Read the manual about port forwarding or find some postings here on the forum. I just wrote to someone else about it.
The first Error about port 4200......I wouldn't bother. I had the same on a VM Server which I rented. There were no problems with that.

Are you running two subnets? The local IP adresses are different. Maybe you need to change that. You can read about that in the manual to add more subnets to your phonesystem, so it will include that subnet and act like it is internally.
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Thanks Everyone for the help. I think I need to clarify the settings I currently have.

The computer running 3cx phone system is the one behind the router with the WAN IP of 76.252.36.155. All pcs on this net work have the lan ip of 192.168.2.x

Port number 5090 is forwarded to the proper lan ip. The second wan ip that the 3cx firewall check is giving me is the one that driving me up a wall. No clue were its coming from. I have done ipconfig /all, checked all settings, I have no clue whats going on. I am using the 3cx voip softphones and they do work on the local network fine. Its only from outside the network. They still have the issue of partially connecting when I try using the stun option. But no communication actually works, and absolutely nothing happens when trying the tunnel method. Once again, if any one wants to take a crack at this, considering Ive gone through the manual about 10x and can't find what Im missing, Im more then willing to give you full acces to the webadmin, router admin, vnc remote connect, what ever u need. A matter of fact feel free to try and tunnel with your own softphone if you want. Just use extension 250, Pass 250, ID 250, Tunnel Port 5090, 3cx port is 5060, Tunnel pass 111, Local Lan 192.168.2.2. If theres anything else I can provide just let me know!!

UPDATE!!! My service provider just changed to our new Static IP, Here it is: 99.130.219.181
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

P.S... If someone does actually get through......

Make a phone call to extension 110. Im going to set it up so that when a call finally rings on this extension, Every light in my house and outside my house starts flashing on and off, the whole house audio is turned up to MAX and Mission Impossible starts playing at high volumes. I'll even patch the softphone audio through the Whole House Audio and you can have the pleasure of yelling obsenities at me about how ignorant I am for missing the setting that I did.

Although it may be tempting, don't let this super cool perk pursuade you to wait untill 4 in the morning to dial the extension, just so that the house wakes up in terror in the middle of the night. This doesn't mean don't do it at 4 in the mornin, feel free, Im just sayin it will be just as cool at 7 in the afternoon.

What a horrible ploy to pursuade you all to help, about as bad as "I bet you cant do it"
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

One Last Bit of Informatio:
Heres the tunnel ini files for the phonesystem and the softphones, these seem off to me, what should I change??

PhoneSystemServer Tunnel INI:
Code:
[3CXTunnel\Logger\Outputs\LogFile]
Severity=Log Error Critical Trace
File=3CXTunnel.log
MaxFileSizeKB=2048
Format=$FileLine : [$ShortDT]($Severity$Level):
KeepBackup=1
Level=10
[Conn1]
TunnelPort=5090
ID=123456
Password=111
Secure=0
SipInterfaces=Iface1
Name=ClientSide
TunnelAddr=0.0.0.0
DoesConnect=0
[3CXTunnel\logger\outputs\debug]
severity=Debug Dump Critical
file=dbg:
format=$FileLine : ($Subsystem::$Method):
level=20
[Bridge]
Name=ServerSide
Password=incoming_psw
Bridges=Conn1
ListenIP=0.0.0.0
ListenPort=5090
[123456\Iface1]
SipDomain=test.3cx.local
SipProxyIP=0.0.0.0
SipProxyPort=5080
[3CXTunnel\Logger\Outputs\]
debug=1
LogFile=1

VoipSoftPhone Tunnel INI:
Code:
[3CXTunnel\Logger\Outputs\LogFile]
Level=10
File=3CXBridge.log
KeepBackup=1
Severity=Log Error Critical Trace
MaxFileSizeKB=2048
Format=$FileLine : {$ShortDT}($Severity$Level):
[Conn1]
TunnelPort=5090
ID=123456
SipInterfaces=Iface1
Name=ServerSide
TunnelAddr= 
Password=abc
DoesConnect=0
Secure=0
[3CXTunnel\logger\outputs\debug]
severity=Debug Dump Critical
file=dbg:
level=20
format=$FileLine : ($Subsystem::$Method):
[Bridge]
Name=ClientSide
Password=incoming_psw
Bridges=Conn1
ListenPort=5090
JustInstalled=1
ListenIP= 0.0.0.0
[3CXTunnel\Logger\Outputs\]
LogFile=1
debug=1
path=.\
[123456\Iface1]
SipProxyPort=5080
SipDomain=test.3cx.local
SipProxyIP=
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Heres the tunnel ini files for the phonesystem and the softphones, these seem off to me, what should I change??

The immediate difference between your 3cx client .ini file and mine is that my entry for TunnelAddr = xxx.xxx.xxx.xxx actually has an IP address (xxx is my public IP for my 3cx server).
This IP was entered in the softphone client in the 'remote end of tunnel' box. I don't know how or under what circumstances this gets written to the .ini file, but you should be seeing it.

Also check on your 3cx server tunnel log [C:\Program Files\3CX PhoneSystem\Data\Logs\3cxTunnel.log] and see what is reported. This will tell you if the tunnel is trying to connect or reason for connection failure.

Cjay
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

A couple more points that may help:
- You can run the tunnel from the 3cx client to 3cx server even if both devices are on the same LAN subnet (avoids firewall/router/port forwarding related issues)
- Restarting 3cxTunnel.exe after making config changes seems to help (this runs at both ends of the tunnel and seems to pick up its parameters from the .ini file only on startup).

Cjay
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

**HERES AN UPDATE**

I may have made some progress but not all the way there yet. I have changed some settings in the log files, and have been able to get the phones to logon and register. BUT..... now they are operating the same way they were when they would try to log on using the stun option. 3CX shows the phone as registered, the softphone shows LOGGED IN, and AVAILABLE, but any attempt to dial an extension returns the ERROR: Login Failed-Invalid Extension???? Does this give any insight to the problem. I know when I review the server log, it shows the contact as registered but when a call is made it shows
Incoming Call Rejected: Caller Unknown, and it shows the caller as extension:127.0.0.1. Does the fact that this is showing 127.0.0.1 have something to do with the call not going through??. Thanks Again Everyone
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Can you post relevant entries from 3cxTunnel.log?
Do 3cx voipclient and server have a router in between or are they on same subnet as suggested?
If all else fails run Wireshark on the 3cx server and do some packet analysis - this is a great way of getting to grips with a problem!
Note - I would expect to see 127.0.0.1 in the log files.
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

JClark28 said:
**HERES AN UPDATE**

I may have made some progress but not all the way there yet. I have changed some settings in the log files, and have been able to get the phones to logon and register. BUT..... now they are operating the same way they were when they would try to log on using the stun option. 3CX shows the phone as registered, the softphone shows LOGGED IN, and AVAILABLE, but any attempt to dial an extension returns the ERROR: Login Failed-Invalid Extension???? Does this give any insight to the problem. I know when I review the server log, it shows the contact as registered but when a call is made it shows
Incoming Call Rejected: Caller Unknown, and it shows the caller as extension:127.0.0.1. Does the fact that this is showing 127.0.0.1 have something to do with the call not going through??. Thanks Again Everyone

You're going to need to visualise the data paths and ensure the ports are opened correctly at the remote end as well.

Remember, someone with a softphone at a remote extension will need the ports opening INTO it, otherwise their firewall is going to be blocking any request originating from the outside and terminating at them.

One of the most useful ideas i've had is split DNS for my 3CX implementations. Where I have an internet domain purely registered for my 3CX servers' internet addresses, and inside the local 3CX site I create a DNS zone for the local address of the 3CX server, so that everyone can have "server.3cxdomain.com" as their config, and the lookup differs whether you're on the local site or the internet/remote site.
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Hmmmm..... I have ports 5090 open on the remote ends... I thought if I was using the tunneling method that was the only port I needed to have open on the 3cx client side, am I wrong??
As far as the split DNS stuff, that went straight over my head, is there a good link to some resources on learning more about the type of setup you were mentioning?? Thanks
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Well I also cannot get the tunnel working even though we have 10 VOIP clients connected locally and 5 remote not using tunnelling.

The point here is that you SHOULD NOT have to open anything on the clients, its TCP after all.

I have tried all combinations and no connection, logs have no entries, IP traces show connections to the server.

Since the documenetation is so clearly out of sync with the latest releases (I don't have any fields in my Server "other" lines) might I suggest another Beta is in order
and some better documentation.

Locally the client is about as good as they get, not quite a good as a SNOM 360 but close.

Les
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

JClark28 said:
As far as the split DNS stuff, that went straight over my head, is there a good link to some resources on learning more about the type of setup you were mentioning?? Thanks
http://articles.techrepublic.com.com/5100-10879-6097830.html
 
Last edited by a moderator:
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

There is no need to touch any INI files manually

Mmmm..... I have also just had a 'tearing my hair out' moment despite having had the tunnel working fine previously. This came about because I initially set up the 3cx Voip client on my laptop at my office (remote from the 3cx server) - and it worked fine. Then took the laptop home (where my 3cx server runs, so on same subnet ), messed around a bit and it still worked. Then this morning back in my office the tunnel just would not work again despite the visible settings being EXACTLY the same as before.

So here is my tunnel tip of the day: If you get to the point where nothing makes sense any more, delete the phone.ini file located on my machine in: C:\Documents and Settings\user_name\Local Settings\Application Data\3CX VoIP Client
[user_name is your current windows logon user name, don't delete the phone.ini in 'All Users'].
Then terminate the 3cxTunnel.exe process in task manager. When you restart the 3cxVoip client you can start afresh and re-enter all parameters. Worked for me straight away!

Cjay
 
Re: Wacky IPs, Remotes wont Connect, Tunneling Problems. HELP!!

Hi

Better still....create a profile in the client for each location.
 
Status
Not open for further replies.
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.