Firewalling issues

Discussion in '3CX Phone System - General' started by robertcroucher, Feb 27, 2008.

  1. robertcroucher

    Joined:
    Feb 27, 2008
    Messages:
    4
    Likes Received:
    0
    I have a fresh installation of 5.1 sitting behind a firewall with a static IP. I have the firewall configured as follows:

    Rule | Type | Source | Destination | Options | QoS Type

    11 | Allow and Forward | WAN (Internet) | This Gateway:9000 - 9015 (UDP) | Forward To : Work-Laptop (Network Object) | QoS Class : VOIP
    12 | Allow and Forward | WAN (Internet) | This Gateway:5060 - 5070 (TCP/UDP) | Forward To : Work-Laptop (Network Object) | QoS Class : VOIP
    13 | Allow and Forward | WAN (Internet) | This Gateway:5090 (TCP) | Forward To : Work-Laptop (Network Object) | QoS Class : VOIP
    14 | Allow and Forward | WAN (Internet) | This Gateway:3478 (TCP/UDP) | Forward To : Work-Laptop (Network Object) | QoS Class : VOIP

    To my mind this seems to follow the guidelines laid out in the manual, statically mapping traffic to the ports above on my public IP through to my work laptop for testing. The laptop is XP sp2 with the integral firewall turned off.

    Whenever I run the firewall checker I get the following error results on all the ports.

    1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.xx.xx.137:10206
    2 9000 Error (6) An incompatible NAT configuration has been detected. Please check FAQ for further information. addrFromAgent = 84.xx.xx.137:10225addrFromSTUN = 84.xx.xx.137:10206
    3 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
    4 9000 Warning (10) Port is open, but port number has been changed. In many cases, this will present a problem and cause one way audio or no inbound calls. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 84.xx.xx.137:10206

    I don't really understand why this is happening and I don't have any real knowledge of how STUN works, so I cannot interpret the data into something useful so that I can modify the firewall or 3CX to make things better. The net result is unreliable audio issues.....

    If anyone can advise on what I need to do here that would be really useful.

    Thanks in advance

    Rob
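The checker lines quoted above carry the whole diagnosis: the local port is 9000, but the STUN server and the checker's own agent saw it from outside on two different ports (10206 and 10225). A small parser that pulls those values out and compares them with the local port makes the "port number has been changed" message concrete. This is an added example written for this thread, not code from 3CX or from anyone in the discussion; the sample output is reconstructed from the post with the address masked as the poster masked it, and the verdict strings are my own wording.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines the 3CX firewall checker printed in the post
# above, with the public address masked exactly as the poster masked it.
CHECKER_OUTPUT = """\
1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.xx.xx.137:10206
2 9000 Error (6) An incompatible NAT configuration has been detected. Please check FAQ for further information. addrFromAgent = 84.xx.xx.137:10225addrFromSTUN = 84.xx.xx.137:10206
3 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
4 9000 Warning (10) Port is open, but port number has been changed. In many cases, this will present a problem and cause one way audio or no inbound calls. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 84.xx.xx.137:10206
"""

# "<seq> <local port> <Error|Warning> (<code>) <message ...>"
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(Error|Warning)\s+\((\d+)\)\s+(.*)$")
# Observer results are appended as "name = host:port"; on line 2 two of them are
# run together, which findall copes with because the port is digits only.
ADDR_RE = re.compile(r"(addrFromSTUN|addrFromAgent|externalAddress)\s*=\s*([0-9A-Za-z.\-]+):(\d+)")


@dataclass
class CheckLine:
    seq: int
    local_port: int
    severity: str
    code: int
    message: str
    observed: dict  # observer name -> (host, external port)


def parse_checker_output(text):
    """Turn the checker's text into CheckLine records; lines that do not match are skipped."""
    lines = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        seq, local_port, severity, code, message = m.groups()
        observed = {name: (host, int(port)) for name, host, port in ADDR_RE.findall(message)}
        lines.append(CheckLine(int(seq), int(local_port), severity, int(code), message, observed))
    return lines


def nat_verdict(lines):
    """Per local port, compare the external ports the observers reported with the local port.

    A working static forward keeps the external port equal to the local one.  One
    different port means the device rewrites ports (PAT); different ports from
    different observers means the mapping is chosen per destination, which is the
    behaviour the checker reports as an incompatible NAT configuration."""
    external = {}
    for line in lines:
        external.setdefault(line.local_port, set()).update(port for _, port in line.observed.values())
    verdict = {}
    for local_port, ports in external.items():
        if not ports:
            verdict[local_port] = "no external mapping reported"
        elif ports == {local_port}:
            verdict[local_port] = "port preserved: static 1:1 forward is in effect"
        elif len(ports) == 1:
            verdict[local_port] = "port changed: NAT rewrites the port (expect one-way audio)"
        else:
            verdict[local_port] = "port changed and differs per observer: per-destination mapping, not a static forward"
    return verdict


if __name__ == "__main__":
    parsed = parse_checker_output(CHECKER_OUTPUT)
    for line in parsed:
        print(line.seq, line.local_port, line.severity, line.code, line.observed)
    print(nat_verdict(parsed))
```

Run against the quoted output it reports port 9000 as "changed and differs per observer", which is the same conclusion as checker messages 6, 8 and 10 read together: the static forward on the firewall is not the mapping that outbound STUN traffic is actually getting.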
     
  2. landfiets

    landfiets New Member

    Joined:
    Jul 17, 2007
    Messages:
    242
    Likes Received:
    0
    Did you only open it in the firewall or also opened it in NAT, did you forward those ports to the 3CX server?
    What modem router do you use? Some Modem/Routers have phone ports of their own and block the 5060 for themselves, and you can only open them by telnet.
     
  3. robertcroucher

    Joined:
    Feb 27, 2008
    Messages:
    4
    Likes Received:
    0
    Hi,

    Currently I have two NAT rules in place. Pretty simple really for testing...

    Original Source | Original Destination | Original Service | Target Source | Target Destination | Target Service | Name

    WAN (Internet) | This Gateway | Any Service | original | Work-Laptop (Network Object) | original | All Inbound
    Work-Laptop (Network Object) | WAN (Internet) | Any Service | This Gateway | original | original | All Outbound

    Strangely enough I used Sipgate to provide a UK number and this seems to work ok, I can leave a VM and other than it being quiet it works. But I use ipkall for a US number and this rings but then seems to go to vm but I never hear it.
     
  4. landfiets

    landfiets New Member

    Joined:
    Jul 17, 2007
    Messages:
    242
    Likes Received:
    0
    That's strange but also normal. Sipgate is an easy provider, who always seems to find its way through. I had the same with the German sipgate. everything wasn't working except for sipgate. *lol*

    But I am interested in your modem/router. Is it a normal modem router or a special one with phone ports?
    Otherwise you have to unbind those ports from the 5060 port. A very common irritating problem with a lot of modern modem/routers with ATA phone ports, and you should have more NAT rules I think
     
  5. robertcroucher

    Joined:
    Feb 27, 2008
    Messages:
    4
    Likes Received:
    0
    ooops I forgot to mention what it was.

    It's a Checkpoint Safe@Office 500 WP ADSL

    It does not have any phone ports for built-in VoIP support like, say, a DrayTek firewall. The Checkpoint does have a specific SIP traffic handler that is supposed to work out all the port issues dynamically so that everything just works.... it doesn't, so I turn that off and have to complete static PAT.

    Thanks

    Rob
     
  6. landfiets

    landfiets New Member

    Joined:
    Jul 17, 2007
    Messages:
    242
    Likes Received:
    0
    Put your 3CX in a DMZ and see what happens. (Put port 80 to nowhereland, otherwise people can see your 3CX system.)

    Or, Use your soft/hardphone directly with the provider without 3CX and see if it works.
    When it doesn't work it is almost sure that your router is giving probs with NAT
    Otherwise we have to search and seek.

    What ports did you forward in NAT?
    5060-5080
    9000-9015
    3487
    5481-5483
    10000-20000 ?
     
  7. robertcroucher

    Joined:
    Feb 27, 2008
    Messages:
    4
    Likes Received:
    0
    I can have a go at putting the node into the DMZ to see what happens. As for ports I have forwarded the following :

    5060-5070
    9000-9015
    3487
    5090

    Are there any others that I should be forwarding as well ?
     
  8. William400

    William400 Well-Known Member

    Joined:
    Aug 21, 2006
    Messages:
    1,005
    Likes Received:
    0
    Hi

    Thanks for your post.

    The ports you list should cover all requirements.

    Ensure that 5060 is both UDP and TCP and 5090 is TCP. All the rest should be UDP.
     
  9. landfiets

    landfiets New Member

    Joined:
    Jul 17, 2007
    Messages:
    242
    Likes Received:
    0
    When you put it into DMZ, just take port 80 out and send it into nowhereland. Otherwise in a lot of cases people can see your 3CX from the outside.
    Sometimes 3CX also uses ports between 10000-20000 so in a case you have the 3CX NOT in a DMZ, and when it's possible and your internet surfing is not slowing down, you might forward those ports too.
     
  10. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    See if mapping each port individually changes things (i.e. not in a port range), as port-ranges are sometimes interpreted by firewall software as a mini cone-NAT as opposed to a 1:1 PAT relationship.
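William400's protocol list (5060 TCP and UDP, 5090 TCP, everything else UDP) and Pentangle's advice to map ports one at a time are both mechanical enough to check with a script. The example below is added for this thread and is not code from 3CX, Checkpoint or any poster. It models the four forwards from the first post, builds the required (port, protocol) set from William400's post, reports what is missing, what is exposed beyond the requirement, and which rules are ranges, and then rewrites the list as one rule per port. It assumes all rules target the same host, and it uses 3478 for STUN as rule 14 of the first post does (3478 is the standard STUN port; later posts write 3487).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    ports: str        # as typed into the router: "5090" or "9000-9015"
    protocols: tuple  # ("tcp",), ("udp",) or ("tcp", "udp")
    target: str       # internal host the traffic is forwarded to


def expand(spec):
    """'9000-9015' -> range(9000, 9016); '5090' -> range(5090, 5091)."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"reversed range {spec!r}")
        return range(lo, hi + 1)
    port = int(spec)
    return range(port, port + 1)


def endpoints(forwards):
    """Every (port, protocol) pair a rule list actually exposes to the WAN."""
    return {(p, proto) for f in forwards for p in expand(f.ports) for proto in f.protocols}


# The four forwards from the first post (assumption: one target host for all of them).
POSTED_RULES = [
    Forward("9000-9015", ("udp",), "Work-Laptop"),
    Forward("5060-5070", ("tcp", "udp"), "Work-Laptop"),
    Forward("5090", ("tcp",), "Work-Laptop"),
    Forward("3478", ("tcp", "udp"), "Work-Laptop"),
]

# What William400 says is needed: 5060 TCP+UDP, 5090 TCP, the rest UDP.
REQUIRED = endpoints([
    Forward("5060", ("tcp", "udp"), "Work-Laptop"),
    Forward("5090", ("tcp",), "Work-Laptop"),
    Forward("9000-9015", ("udp",), "Work-Laptop"),
    Forward("3478", ("udp",), "Work-Laptop"),
])


def audit(forwards, required):
    """Missing pairs, pairs opened beyond the requirement, and rules written as ranges."""
    exposed = endpoints(forwards)
    return {
        "missing": sorted(required - exposed),
        "extra": sorted(exposed - required),
        "range_rules": [f.ports for f in forwards if "-" in f.ports],
    }


def to_individual(forwards):
    """Pentangle's suggestion: one rule per port, so each is an explicit 1:1 mapping."""
    return [Forward(str(p), f.protocols, f.target) for f in forwards for p in expand(f.ports)]


def minimal_rules(required, target):
    """Individual rules that open exactly the required pairs and nothing more."""
    by_port = {}
    for port, proto in sorted(required):
        by_port.setdefault(port, []).append(proto)
    return [Forward(str(port), tuple(protos), target) for port, protos in sorted(by_port.items())]


if __name__ == "__main__":
    report = audit(POSTED_RULES, REQUIRED)
    print("missing:", report["missing"])
    print("extra:", len(report["extra"]), "pairs, e.g.", report["extra"][:3])
    print("range rules:", report["range_rules"])
    print("individual rules needed:", len(to_individual(POSTED_RULES)))
    print("minimal individual rules:", len(minimal_rules(REQUIRED, "Work-Laptop")))
```

On the posted rule set nothing is missing, but 21 (port, protocol) pairs are open that the requirement does not call for (5061-5070 on both protocols and 3478 TCP), and two of the four rules are ranges. Expanding the posted rules as they stand gives 29 individual entries; the minimal set that covers exactly the requirement is 19, which is the number to weigh against the rule-count limit landfiets mentions.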
     
  11. landfiets

    landfiets New Member

    Joined:
    Jul 17, 2007
    Messages:
    242
    Likes Received:
    0
    Pentangle you are right, but it's a lot of work when you have to open those and a lot of times your rules are limited to 10 or 11 rules. Take the most important ones like the 9000 series.
     
  12. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    Well, if you don't do the work, you don't get the results, Edwin.
     