Kerio Winroute Firewall RTP Problem

Discussion in '3CX Phone System - General' started by menace8000, Jan 9, 2011.

Thread Status:
Not open for further replies.
  1. menace8000

    Joined:
    Apr 16, 2009
    Messages:
    3
    Likes Received:
    0
    Hi Guys,

    I have been playing with 3CX for some time now, had some issues with the firewall and getting the correct ports opened, so moved the VOIP server to outside my Kerio Winroute Firewall.

    Subsequently, I got nailed by some hacker who managed to upload 6GB in an afternoon and crash my service for the rest of the month, so I have decided to try to get my port forwarding correct.

    I currently have the following rules in place:

    Source - LAN -> Destination - WAN
    TCP/UDP 5060 - NAT - SIP
    TCP/UDP 5090 - NAT - Tunnel
    TCP 3478 - NAT - STUN
    UDP 9000-9015 - RTP

    The server logs on to all VOIP providers with no problem and all phones are online, but when I make a call I get no audio. In my filter I see the following report:

    DROP "Def rule" packet from LAN, proto:UDP, len:200, ip/port:192.168.8.49:9014 -> 202.85.241.126:17898, udplen:172
    DROP "Def rule" packet from WAN, proto:UDP, len:200, ip/port:202.85.241.126:17898 -> 192.168.123.124:9014, udplen:172

    From what I understand, 9014 is the RTP port, so why is this being translated to 17898 from the LAN and back again? If I open port 17898, audio starts to work, but each time this port is different??

    Can anyone help me here? All phones are down till I can sort this.

    Cheers
    Dennis :oops:
     
  2. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Please update your rules to reflect UDP 9000-9050, or as indicated within your 3CX settings. We will need some logs and/or a Wireshark capture.
     
  3. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    763
    Likes Received:
    39
    I think that you should look in your Kerio Winroute Firewall settings, because some defence rule in the firewall blocks UDP traffic to and from the WAN.
    I don't know if you can disable, e.g., the DoS Defence, because these settings can block a lot of different traffic through your router; start from there and work on until the problem comes back again.
     
  4. menace8000

    Joined:
    Apr 16, 2009
    Messages:
    3
    Likes Received:
    0
    Thanks Guys,

    What I have done to make it work so far is to open RTP ports 16384 - 25000. This seems to work, but in my opinion that is a lot of open ports??

    What I am trying to work out is why, even though in 3CX I have set it up to use RTP on ports 16384 - 16410, in the initial Kerio log the port seems to get changed to another port on the other side??

    DROP "Def rule" packet from LAN, proto:UDP, len:200, ip/port:192.168.8.49:16384 -> 202.85.241.126:17898, udplen:172
    DROP "Def rule" packet from WAN, proto:UDP, len:200, ip/port:202.85.241.126:17898 -> 192.168.123.124:16384, udplen:172

    I am not sure if it is the Kerio firewall that is making this change or 3CX, but if I do not have both ports open in the firewall, I have no RTP audio. I have tracked these ports, and they range from about 16500 to 25000 so far, hence having to open so many ports in the firewall outbound rule.

    I have the 3CX software on a PC in the LAN behind the firewall (a dual-NIC PC), and from there packets go through a modem, so there is NAT in the modem as well. I have put the firewall PC in the DMZ to avoid having to open more ports again??

    Thanks for your help here, it has been driving me crazy!!!! :cry:
     
  5. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    IP1:port1(PBX Host)<->IP2:port2(NAT translation)<->...internet...<->IP3:port3(remote party)

    192.168.8.49:16384 is IP1:port1(PBX Host)

    What is 202.85.241.126:17898? Is it "IP2:port2(NAT translation)"? Is it "IP3:port3(remote party)"?

    Thanks
     
  6. menace8000

    Joined:
    Apr 16, 2009
    Messages:
    3
    Likes Received:
    0
    Hi Sy,

    IP Port 1 - 192.168.8.49 - VOIP Server (PBX Host)
    IP Port 2 - 192.168.8.254 Inside / 192.168.123.124 outside the Firewall (NAT)
    IP Port 3 - 202.85.241.126 - Remote party

    Does this make sense??


    Thanks
    Dennis
     
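    As an added example (not from this thread, and not 3CX or Kerio code), the following Python script parses Kerio DROP lines in the format quoted above and reports which side of each dropped UDP packet falls inside the 3CX RTP range. It assumes the log format is exactly what the quoted lines show and that the RTP range is the one configured in 3CX (16384-16410 here); the third sample line is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample log in the Kerio "DROP" format quoted in the thread.
# The first two lines mirror the thread; the third is a constructed non-RTP drop.
SAMPLE_LOG = """\
DROP "Def rule" packet from LAN, proto:UDP, len:200, ip/port:192.168.8.49:16384 -> 202.85.241.126:17898, udplen:172
DROP "Def rule" packet from WAN, proto:UDP, len:200, ip/port:202.85.241.126:17898 -> 192.168.123.124:16384, udplen:172
DROP "Def rule" packet from WAN, proto:UDP, len:80, ip/port:203.0.113.7:40000 -> 192.168.123.124:5061, udplen:52
"""

# Field layout inferred only from the lines quoted in the thread (assumption).
LINE_RE = re.compile(
    r'DROP "(?P<rule>[^"]*)" packet from (?P<iface>\w+), proto:(?P<proto>\w+), '
    r'len:(?P<len>\d+), ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+)(?:, udplen:(?P<udplen>\d+))?'
)


@dataclass
class Drop:
    rule: str
    iface: str   # interface the packet arrived on: LAN or WAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_drops(text):
    """Parse every DROP line that matches the expected layout; skip the rest."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            drops.append(Drop(m['rule'], m['iface'], m['proto'],
                              m['src'], int(m['sport']),
                              m['dst'], int(m['dport'])))
    return drops


def local_and_remote(drop):
    """Return ((local_ip, local_port), (remote_ip, remote_port)).

    A packet seen on LAN is leaving the PBX, so its source is the local side;
    a packet seen on WAN is arriving from the far end, so its destination is local
    (the firewall's outside address after NAT).
    """
    if drop.iface == 'LAN':
        return (drop.src, drop.sport), (drop.dst, drop.dport)
    return (drop.dst, drop.dport), (drop.src, drop.sport)


def classify(drop, rtp_range):
    """Say whether a dropped UDP packet is RTP for the PBX, and in which direction."""
    low, high = rtp_range
    if drop.proto != 'UDP':
        return 'not-udp'
    (_, local_port), _ = local_and_remote(drop)
    if not (low <= local_port <= high):
        return 'non-rtp-udp'
    return 'rtp-outbound-dropped' if drop.iface == 'LAN' else 'rtp-inbound-dropped'


def summarize(drops, rtp_range):
    """Collect the local RTP ports the rule must cover and the far-end ports seen."""
    local_ports, remote_ports = set(), set()
    for d in drops:
        if classify(d, rtp_range).startswith('rtp-'):
            (_, lp), (_, rp) = local_and_remote(d)
            local_ports.add(lp)
            remote_ports.add(rp)
    return {'local_rtp_ports': sorted(local_ports),
            'remote_rtp_ports': sorted(remote_ports)}


if __name__ == '__main__':
    rtp = (16384, 16410)
    for d in parse_drops(SAMPLE_LOG):
        print(d.iface, d.src, d.sport, '->', d.dst, d.dport, classify(d, rtp))
    print(summarize(parse_drops(SAMPLE_LOG), rtp))
```

    Run against the two lines from the thread, the script shows that 16384 is the PBX's own port in both directions, while 17898 sits on the remote party's side; the remote port is chosen by the far end and changes per call, so the firewall rule only has to cover the local RTP range the PBX is configured for, and the far-end port should not need a rule of its own.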
  7. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    763
    Likes Received:
    39
    Somewhat.

    As I understand it, after searching the internet, the Kerio Winroute Firewall is a software application running on a dedicated computer (this explains IP Port 2).
    If so, is it possible for you to use a router instead of the Kerio? Maybe this may resolve your problem.
     