NAT issues in Version 5

Discussion in '3CX Phone System - General' started by zensoftware, Dec 13, 2007.

  1. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    We have a customer that is having problems with Version 5 and registrations. Version 3 has no problems.

    If they set up the server with no NAT in a DMZ of their firewall, then the registrations fail on all SIP accounts. They also notice that the firewall check fails, I guess because there is no NAT and STUN fails? Is this related? Do SIP registrations fail if the firewall check fails?

    On version 3 the 3CX server would register without issues in the DMZ.

    I also have a separate customer who is seeing problems if their firewall check fails, this time because of the “Allow non sequential RTP ports” setting.
    If they use it, the firewall check fails and so they cannot register; if they don’t use that setting, the firewall check is fine and they can register OK.
    (Confirming this with the customer.)

    Any ideas?


    Cheers

    Neil
     
  2. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    Hi Neil,

    Definitely sounds firewall config related, and possibly a nuance of v5 over v3 that we (the userbase) are yet to understand fully.

    However, the firewall check does provide an output log which could be useful in troubleshooting further. Is there any chance of you posting either log here?

    Cheers,
    Mike.
     
  3. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    Hi Mike,

    Here is an example from my test server. Just one VoIP-Unlimited account set up. The server is behind a Watchguard firewall in transparent mode, so the 3CX server has a public IP of '85.25.654.36', no NAT.

    1 Error (13) The machine is on a public IP. Please check the FAQ for more information. agentAddr = 87.230.29.162:4200

    2 9000 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9000 isNATAddr = 0
    3 9001 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9001 isNATAddr = 0
    4 9002 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9002 isNATAddr = 0
    5 9003 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9003 isNATAddr = 0
    6 9004 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9004 isNATAddr = 0
    7 9005 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9005 isNATAddr = 0
    8 9006 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9006 isNATAddr = 0
    9 9007 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9007 isNATAddr = 0
    10 9008 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9008 isNATAddr = 0
    11 9009 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9009 isNATAddr = 0
    12 9010 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9010 isNATAddr = 0
    13 9011 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9011 isNATAddr = 0
    14 9012 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9012 isNATAddr = 0
    15 9013 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9013 isNATAddr = 0
    16 9014 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9014 isNATAddr = 0
    17 9015 Information (9) Port is open and can be used for calls. externalAddress = 85.25.654.36:9015 isNATAddr = 0

    You can see the first error (in 3CX this is red and the firewall check fails).

    PS, see you next Wednesday in Manchester ;)
     
  4. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    And this is an example of the “Allow non sequential RTP ports” option being used and failing.

    1 9000 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9000 isNATAddr = 1
    2 9001 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 65.57.8.235:9001
    3 9001 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9001 isNATAddr = 1
    4 9002 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9002 isNATAddr = 1
    5 9003 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9003 isNATAddr = 1
    6 9004 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9004 isNATAddr = 1
    7 9005 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9005 isNATAddr = 1
    8 9006 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9006 isNATAddr = 1
    9 9007 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9007 isNATAddr = 1
    10 9008 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9008 isNATAddr = 1
    11 9009 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9009 isNATAddr = 1
    12 9010 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9010 isNATAddr = 1
    13 9011 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9011 isNATAddr = 1
    14 9012 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9012 isNATAddr = 1
    15 9013 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9013 isNATAddr = 1
    16 9014 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9014 isNATAddr = 1
    17 9015 Information (9) Port is open and can be used for calls. externalAddress = 65.57.8.235:9015 isNATAddr = 1
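    As an added example (not code from the thread or from 3CX), a small Python parser for the checker output format quoted in the two posts above, reducing a run to the facts the thread argues about: whether isNATAddr says the server is behind NAT, which ports the checker reports open, which external address it saw, and which lines are errors. The sample lines are constructed in that format with RFC 5737 documentation addresses, and the line grammar is inferred from the visible lines, not from any 3CX specification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples (not from the thread) in the 3CX v5 checker format quoted above; RFC 5737 addresses.
SAMPLE_NO_NAT = """\
1 Error (13) The machine is on a public IP. Please check the FAQ for more information. agentAddr = 198.51.100.7:4200
2 9000 Information (9) Port is open and can be used for calls. externalAddress = 192.0.2.10:9000 isNATAddr = 0
"""
SAMPLE_NAT = """\
1 9001 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 203.0.113.5:9001
2 9001 Information (9) Port is open and can be used for calls. externalAddress = 203.0.113.5:9001 isNATAddr = 1
"""

# Assumed line grammar: "<seq> [<port>] <Error|Information> (<code>) <message> [key = value ...]"
HEAD_RE = re.compile(r"^\s*\d+\s+(?:(\d+)\s+)?(Error|Information)\s+\((\d+)\)\s+(.*)$")
KV_RE = re.compile(r"(\w+) = (\S+)")

@dataclass
class Entry:
    port: Optional[int]  # absent on host-level lines such as the code-13 public-IP error
    level: str           # "Error" or "Information"
    code: int
    message: str
    fields: dict         # trailing key = value pairs: externalAddress, isNATAddr, addrFromSTUN ...

def parse_checker_output(text: str) -> List[Entry]:
    """Turn checker output into Entry records; an unreadable line is an error, not skipped."""
    entries = []
    for raw in filter(str.strip, text.splitlines()):
        m = HEAD_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised checker line: {raw!r}")
        port, level, code, rest = m.groups()
        first_kv = KV_RE.search(rest)  # the message runs up to the first key = value pair
        message = (rest[:first_kv.start()] if first_kv else rest).strip()
        entries.append(Entry(int(port) if port else None, level, int(code), message, dict(KV_RE.findall(rest))))
    return entries

def summarise(entries: List[Entry]) -> dict:
    """Reduce a run to what the thread argues about; behind_nat is None if isNATAddr is absent or inconsistent."""
    nat_flags = {e.fields["isNATAddr"] for e in entries if "isNATAddr" in e.fields}
    ext_addrs = [e.fields["externalAddress"] for e in entries if "externalAddress" in e.fields]
    return {
        "behind_nat": {"0": False, "1": True}[nat_flags.pop()] if len(nat_flags) == 1 else None,
        "external_ips": sorted({a.rsplit(":", 1)[0] for a in ext_addrs}),
        "open_ports": sorted({e.port for e in entries if e.message.startswith("Port is open")}),
        "errors": [(e.port, e.code, e.message) for e in entries if e.level == "Error"],
        "check_passes": not any(e.level == "Error" for e in entries),  # any red line fails the check
    }
```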
     
  5. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    You'll be seeing Azlan only, I'm afraid, as I'm down in Lymington on Wed :( - be nice to him, he's not had a play with 3CX yet!

    Anyway, you say the Watchguard is being used in transparent mode - what are the functions of this mode? I assume it's traditional routing and port monitoring as opposed to port blocking, since it's not NATed?

    Cheers,
    Mike.
     
  6. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    Transparent mode in the Watchguard allows the firewall to act a bit like a Layer 2 switch. All interfaces share the same single IP (for management), but the logical IP gateway is on the upstream router on the WAN port. Packets are allowed to pass between interfaces based on firewall rules. The firewall uses MAC address spoofing to pretend that its interfaces are the MAC addresses that respond for all the IPs in use on the connected networks.

    You effectively are cutting the Ethernet cable between the server and the router and putting a box in-between but without re-configuring any IP settings.

    It's nice as you don’t need separate routed subnets or need to use NAT, but you do need multiple public IP addresses.

    I hope that makes sense :)
     
  7. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    So if your packets are allowed to pass because of firewall rules, what happens when you relax those rules (for the period of time of a test call)?
     
  8. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    I don't think the issue is due to the firewall rules. The rules allow the following ports to flow.

    UDP 5060
    UDP 3478
    UDP 9000-9015

    It does work fine if I switch to 3CX version 3, which uses the same ports.
    I'm sure the issue is that in version 3 3CX does not care whether it is or is not behind NAT, but in version 5 if it gets an error during the firewall test it fails registration.
     
  9. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    Strangely though, I get registration fine on Sipgate without opening any firewall ports and simply using NAT (but on a Netgear DGFV338).
     
  10. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    Ah.. Now I have it working correctly. I can confirm I have one VoIP-Unlimited SIP account working on my test server behind the Watchguard (not in NAT mode).
    So it's not the firewall test issue. Still don't know why the other customers don't work though??
     
  11. Mori

    Mori New Member

    Joined:
    Mar 23, 2007
    Messages:
    223
    Likes Received:
    0
    If it's in a DMZ, ports should not be an issue.
    However, 3CX support tells me that it currently is a problem working in a DMZ for the moment.
    They are working on a fix.
     
  12. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    That depends upon your DMZ's functionality!!
     
  13. Mori

    Mori New Member

    Joined:
    Mar 23, 2007
    Messages:
    223
    Likes Received:
    0
    Probably that's why I wrote "should" instead of "will".. :wink:
     
  14. zensoftware

    zensoftware New Member

    Joined:
    Aug 23, 2007
    Messages:
    225
    Likes Received:
    0
    When you say DMZ, are they specifically referring to a separate routed subnet on a firewall? DMZ is quite a generic term..

    i.e.


    WAN
    1.1.1.1/29
    |
    |
    FIREWALL----DMZ(routed)-- 2.2.2.2/29-------3CX Server
    |
    LAN (NAT)
    192.168.0.1/24
     
