
Firewall Stumblings [SOLVED]

Discussion in '3CX Phone System - General' started by craigreilly, May 3, 2012.

Thread Status:
Not open for further replies.
  1. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    On incoming VOIP - We have audio
    On outgoing VOIP - We do not have Audio

    Firewall -
    5060 UDP - Outbound
    5060, 5061 TCP/UDP - Inbound
    9000-9049 UDP - Inbound

    Also using a STATIC IP that is not 1-to-1 NAT - but each inbound port is mapped from external traffic pointed to the Static IP to the pbx internal ip of 10.0.0.12

    Run firewall checker:
    3CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.

    <13:53:37>: Phase 1, checking servers connection, please wait...
    <13:53:37>: Stun Checker service is reachable. Phase 1 check passed.
    <13:53:37>: Phase 2a, Check Port Forwarding to UDP SIP port, please wait...
    <13:53:41>: UDP SIP Port is set to 5060. NO RESPONSE received. Phase 2a check FAILED.


    Application exit code is -2


    In my firewall, I see port 3478 is blocked when I try to run firewall checker. I do not see 3478 listed anywhere that I need to open.
     
  2. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Re: Firewall Stumblings

    How about 5060 inbound?
     
  3. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    Re: Firewall Stumblings

    oops - mistype. fixed it.
    I opened 3478 UDP Out and now the firewall checker seems to run A-ok.

    Moving on - outbound calls. I see different UDP Ports listed as BLOCKED on outbound calls in my firewall monitor.

    63766, 62164, 65298, etc.

    I've revised my firewall rules a bit.

    For OUTBOUND I now have
    Any Ports, from Internal.PBX.IP to Any External

    For INBOUND I have
    5060 UDP/TCP, 5061 UDP/TCP, 9000-9049 UDP from Any External to SNAT (External.PBX.IP to Internal.PBX.IP)

    On inbound calls: Audio Both Ways
    On Outbound calls: Inbound Audio only - no outbound audio

    Argh!
     
  4. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Re: Firewall Stumblings

    Brand/model of firewall please
     
  5. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    Re: Firewall Stumblings

    Watchguard 550EX
    I just saw the network setting for STUN and it was disabled. I turned it on - and audio worked both ways.
    Should I need to use STUN?
    I have a PUBLIC IP Available...

    Ah - so much information out there.

    I think the correct solution is near. Turn off STUN and add a 1 to 1 NAT in the Watchguard. ?? I'll wait before I fiddle.
     
  6. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Re: Firewall Stumblings

    You will need STUN to help with the random ports
     
  7. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    Re: Firewall Stumblings

    Ok - I will turn STUN ON.

    Final config:
    OUT - All Ports - from Internal.PBX.IP to Any External
    IN - 5060 tcp/udp, 5061 tcp/udp, 9000-9049 UDP
    STUN ON


    Audio is working both directions.

    Thank you!
     
  8. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Re: Firewall Stumblings

    Why 5061?

    Also:

    5090 UDP/TCP for the Tunnel
    And 10000 UDP if you plan on using FoIP

    Keep in mind that if you use SIP trunks, you will need to adjust the 9000-9049 range to accommodate the call volume. Each call uses up 2 ports. If you end up with a 64SC for example, make sure you use a 9000-9129 range and adjust both the router and the 3CX server settings.
     
  9. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    Re: Firewall Stumblings

    Someone told me at one point during setup to do 5060 and 5061. I can remove it certainly.
    We are not going to be doing FoIP - everything I have read says it cannot take internal faxes from analog fax machines. ??
    We may add tunnel. Not sure about remote users.

    I will be sure to adjust 9000 range as needed.

    Thanks again.
     
  10. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Re: Firewall Stumblings

    Will you use SIP trunks?

    If you use SIP trunks, you could possibly get an HT701 (FXS adapter) and configure it for both G711 or T38 for a traditional FAX machine and 3CX can handle all incoming faxes via T38.

    If you don't use SIP trunks, it's that much easier as most POTS (FXO) and PRI gateways will feed T38 on the SIP side so any FXS adapter with T38 and analog FAX will do.
     
  11. cpontus

    Joined:
    Feb 17, 2012
    Messages:
    42
    Likes Received:
    0
    Re: Firewall Stumblings

    I am using a WatchGuard firewall and have audio both ways.

    On the firewall I have incoming and outgoing traffic denied unless I specifically allow it. I have STUN disabled in 3CX.

    Here is how I set it up:

    1. Create a static NAT entry to point to the 3CX internal IP
    2. Create a rule that allows UDP 5060 and UDP 9000:9049 incoming from my VoIP provider's IP to the static NAT entry
    3. Create a rule that allows UDP 5060 and UDP 9000:9049 outgoing to my VoIP provider's IP

    That's it! If you use other features like the tunnel you will need to forward more ports. The key is to use a SNAT entry and stay away from the SIP proxy in the firewall.
     
  12. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    Re: Firewall Stumblings

    I tried your setup - and ports are getting blocked outbound in the 60000 range.

    I did change the STUN Off and add the 1-to-1 NAT and it seems the same. So I'll stick with my config for now.
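
Added example (not written by any poster, and not 3CX or WatchGuard code): the rule sets from posts 7 and 11 modelled as a default-deny filter, to compare what each lets through for the same four packets. It assumes rules match on destination port and that media and signalling share one provider address; `PROVIDER` and `OTHER` are constructed placeholder addresses, and `strict_any_port` is a hypothetical variant that is not in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROVIDER = "203.0.113.10"   # constructed placeholder for the VoIP provider
OTHER = "198.51.100.7"      # constructed placeholder for an unrelated host
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out", seen from the PBX
    proto: str      # "udp" or "tcp"
    remote: str     # CIDR of the external peer
    lo: int         # lowest destination port matched
    hi: int         # highest destination port matched

def allowed(rules, direction, proto, remote, dport):
    """Default deny: pass only if a rule matches the destination port."""
    return any(
        r.direction == direction and r.proto == proto
        and ip_address(remote) in ip_network(r.remote)
        and r.lo <= dport <= r.hi
        for r in rules
    )

# Post 7: everything out; SIP and RTP in from any external address.
open_policy = (
    [Rule("out", p, ANY, 0, 65535) for p in ("udp", "tcp")]
    + [Rule("in", p, ANY, 5060, 5061) for p in ("udp", "tcp")]
    + [Rule("in", "udp", ANY, 9000, 9049)]
)
# Post 11: UDP 5060 and 9000-9049, both directions, provider only.
strict_policy = [
    Rule(d, "udp", PROVIDER + "/32", lo, hi)
    for d in ("in", "out") for lo, hi in ((5060, 5060), (9000, 9049))
]
# Assumed variant: keep the provider-only scope, allow any remote UDP port out.
strict_any_port = strict_policy + [Rule("out", "udp", PROVIDER + "/32", 0, 65535)]

def audit(rules):
    """Evaluate four constructed packets against a rule set."""
    return {
        "rtp_out_to_63766": allowed(rules, "out", "udp", PROVIDER, 63766),
        "rtp_in_to_9010": allowed(rules, "in", "udp", PROVIDER, 9010),
        "sip_in_provider": allowed(rules, "in", "udp", PROVIDER, 5060),
        "sip_in_other_host": allowed(rules, "in", "udp", OTHER, 5060),
    }
```

Under these assumptions the post 11 rules drop outbound media to a remote port such as 63766, while the post 7 rules pass it but also accept SIP from any external host.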
     