
Firewalling issues

Status
Not open for further replies.

robertcroucher (joined Feb 27, 2008)
I have a fresh installation of 5.1 sitting behind a firewall with a static IP. I have the firewall configured as follows:

Rule | Type | Source | Destination | Options | QoS Type
11 | Allow and Forward | WAN (Internet) | This Gateway:9000 - 9015 (UDP) | Forward To: Work-Laptop (Network Object) | QoS Class: VOIP
12 | Allow and Forward | WAN (Internet) | This Gateway:5060 - 5070 (TCP/UDP) | Forward To: Work-Laptop (Network Object) | QoS Class: VOIP
13 | Allow and Forward | WAN (Internet) | This Gateway:5090 (TCP) | Forward To: Work-Laptop (Network Object) | QoS Class: VOIP
14 | Allow and Forward | WAN (Internet) | This Gateway:3478 (TCP/UDP) | Forward To: Work-Laptop (Network Object) | QoS Class: VOIP

To my mind this seems to follow the guidelines laid out in the manual, statically mapping traffic to the ports above on my public IP through to my work laptop for testing. The laptop is XP sp2 with the integral firewall turned off.

Whenever I run the firewall checker I get the following error results on all the ports.

1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 84.xx.xx.137:10206
2 9000 Error (6) An incompatible NAT configuration has been detected. Please check FAQ for further information. addrFromAgent = 84.xx.xx.137:10225 addrFromSTUN = 84.xx.xx.137:10206
3 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
4 9000 Warning (10) Port is open, but port number has been changed. In many cases, this will present a problem and cause one way audio or no inbound calls. See this FAQ: http://www.3cx.com/support/firewal-checker.html externalAddress = 84.xx.xx.137:10206

I don't really understand why this is happening and I don't have any real knowledge of how STUN works, so I cannot interpret the data into something useful so that I can modify the firewall or 3CX to make things better. The net result is unreliable audio issues...

If anyone can advise on what I need to do here that would be really useful.

Thanks in advance

Rob
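An added example, not from the thread or from 3CX, showing what the firewall checker output above is measuring: it builds and parses a STUN Binding Response (RFC 5389 XOR-MAPPED-ADDRESS, or the classic MAPPED-ADDRESS) and compares the port the STUN server saw with the port the agent bound locally. A mismatch is the "port number has been changed" warning, i.e. the router is not doing a 1:1 PAT. The IP address, ports and transaction id are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # RFC 5389 fixed cookie at header offset 4
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001          # classic (RFC 3489) attribute
XOR_MAPPED_ADDRESS = 0x0020      # RFC 5389 attribute, values XORed with the cookie

def build_binding_response(txid, ip, port, xor=True):
    """Construct a Binding Response carrying one IPv4 mapped-address attribute (txid is 12 bytes)."""
    addr = struct.unpack('!I', socket.inet_aton(ip))[0]
    if xor:
        port ^= MAGIC_COOKIE >> 16   # port is XORed with the top 16 bits of the cookie
        addr ^= MAGIC_COOKIE
    atype = XOR_MAPPED_ADDRESS if xor else MAPPED_ADDRESS
    value = struct.pack('!BBHI', 0, 0x01, port, addr)   # reserved, family 0x01 = IPv4, port, address
    attr = struct.pack('!HH', atype, len(value)) + value
    return struct.pack('!HHI', BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr

def parse_mapped_address(msg):
    """Return (ip, port) as seen by the STUN server, decoding either mapped-address attribute."""
    mtype, mlen, cookie = struct.unpack('!HHI', msg[:8])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or len(msg) != 20 + mlen:
        raise ValueError('not a well-formed Binding Response')
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack('!HH', msg[off:off + 4])
        body = msg[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to a 4-byte boundary
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(body) == 8:
            _, fam, port, addr = struct.unpack('!BBHI', body)
            if fam != 0x01:
                continue
            if atype == XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack('!I', addr)), port
    raise ValueError('no mapped-address attribute present')

def classify_nat(local_port, public_ip, stun_ip, stun_port):
    """Mirror the checker's verdicts: address mismatch, clean 1:1 mapping, or a rewritten port."""
    if stun_ip != public_ip:
        return 'wrong-address'      # the checker's error (4): reflexive address is not the public IP
    if stun_port == local_port:
        return 'ok'                 # 1:1 PAT: inbound RTP/SIP will reach the local port
    return 'port-changed'           # the checker's warning (10): expect one-way audio or no inbound calls
```

Run against a real server by sending a Binding Request over UDP from the 3CX media port and passing the reply to parse_mapped_address; the classification then tells you whether the static PAT is actually in effect.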
 
Did you only open it in the firewall or also opened it in NAT, did you forward those ports to the 3CX server?
What modem router do you use? Some modem/routers have phone ports of their own and block 5060 for themselves, and you can only open them by telnet.
 
Hi,

Currently I have two NAT rules in place. Pretty simple really for testing...

Original Source | Original Destination | Original Service | Target Source | Target Destination | Target Service | Name
WAN (Internet) | This Gateway | Any Service | original | Work-Laptop (Network Object) | original | All Inbound
Work-Laptop (Network Object) | WAN (Internet) | Any Service | This Gateway | original | original | All Outbound

Strangely enough I used Sipgate to provide a UK number and this seems to work ok, I can leave a VM and other than it being quiet it works. But I use ipkall for a US number and this rings but then seems to go to vm but I never hear it.
 
That's strange but also normal. Sipgate is an easy provider, who always seems to find its way through. I had the same with the German Sipgate. Everything wasn't working except for Sipgate. *lol*

But I am interested in your modem/router. Is it a normal modem router or a special one with phoneports.
Otherwise you have to unbind those ports from the 5060 port. A very common irritating problem with a lot of modern modem/routers with ATA phone ports, and you should have more NAT rules I think.
 
ooops I forgot to mention what it was.

It's a Check Point Safe@Office 500 WP ADSL.

It does not have any phone ports for built-in VoIP support like, say, a Draytek firewall. The Check Point does have a specific SIP traffic handler that is supposed to work out all the port issues dynamically so that everything just works... it doesn't, so I turn that off and have to complete static PAT.

Thanks

Rob
 
Put your 3CX in a DMZ and see what happens. ( put port 80 to nowhereland otherwise people can see your 3CX system )

Or, Use your soft/hardphone directly with the provider without 3CX and see if it works.
When it doesn't work it is almost sure that your router is giving probs with NAT.
Otherwise we have to search and seek.

What ports did you forward in NAT?
5060-5080
9000-9015
3487
5481-5483
10000-20000 ?
 
I can have a go at putting the node into the DMZ to see what happens. As for ports I have forwarded the following :

5060-5070
9000-9015
3487
5090

Are there any others that I should be forwarding as well ?
 
Hi

Thanks for your post.

The ports you list should cover all requirements.

Ensure that 5060 is both UDP and TCP and 5090 is TCP. All the rest should be UDP.
 
When you put it into DMZ, just take port 80 out and send it into nowhereland. Otherwise in a lot of cases people can see your 3CX from the outside.
Sometimes 3CX also uses ports between 10000-20000 so in a case you have the 3CX NOT in a DMZ, and when it's possible and your internet surfing is not slowing down, you might forward those ports too.
 
See if mapping each port individually changes things (i.e. not in a port range), as port-ranges are sometimes interpreted by firewall software as a mini cone-NAT as opposed to a 1:1 PAT relationship.
 
Pentangel you are right, but it's a lot of work when you have to open those, and a lot of times your rules are limited to 10 or 11 rules. Take the most important ones like the 9000 series.
 
landfiets said:
Pentangel you are right, but it's a lot of work when you have to open those, and a lot of times your rules are limited to 10 or 11 rules. Take the most important ones like the 9000 series.

Well, if you don't do the work, you don't get the results Edwin.
 