NAT Problems with pf.conf and also phantom calls.

Discussion in '3CX Phone System - General' started by BlueIce, Dec 13, 2009.

Thread Status:
Not open for further replies.
  1. BlueIce

    Joined:
    Dec 13, 2009
    Messages:
    1
    Likes Received:
    0
    I am having problems getting the firewall configured correctly. I use FreeBSD with pf as my router, without any luck so far. I then tried WinRoute Pro (30-day eval) and I still have the same problems. Can someone please enlighten me on what the proper config would be for pf? Also, a second problem: I think I'm experiencing it because of the firewall issues, however I may as well throw it out there. It happens when making an outbound call from an extension on the inside LAN through a VoIP provider on a SIP trunk. When I have been testing, I call my cell phone and then hang up on the extension, and it will call back my cell phone about 2 minutes later without me making a second call.


    Here is my pf.conf file:

    # $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
    #
    # See pf.conf(5) for syntax and examples.
    # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
    # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

    ext_if="xl0"
    int_if="dc0"

    3CX = "192.168.0.100"
    PHONE1 = "192.168.0.101"
    PHONE2 = "192.168.0.102"
    PHONE3 = "192.168.0.103"

    table <spamd-white> persist

    set skip on lo

    scrub in

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr-anchor "relayd/*"
    nat on $ext_if from !($ext_if) -> ($ext_if:0)
    rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
    no rdr on $ext_if proto tcp from <spamd-white> to any port smtp


    #############################################################################
    # 3CX Port Redirect to Phone Switch
    #############################################################################

    rdr on $ext_if proto udp from any to any port 3478 -> $3CX
    rdr on $ext_if proto { tcp udp } from any to any port 5060 -> $3CX
    rdr on $ext_if proto { tcp udp } from any to any port 5090 -> $3CX
    rdr on $ext_if proto tcp from any to any port 5000 -> $3CX
    rdr on $ext_if proto tcp from any to any port 5481 -> $3CX
    rdr on $ext_if proto udp from any to any port 9000:9049 -> $3CX

    ############################################################################

    anchor "ftp-proxy/*"
    anchor "relayd/*"
    block in
    pass out

    pass quick on $int_if no state
    antispoof quick for { lo $int_if }

    pass in on $ext_if proto icmp to ($ext_if)
    pass in on $ext_if proto tcp to ($ext_if) port ssh
    pass in log on $ext_if proto tcp to ($ext_if) port smtp
    pass out log on $ext_if proto tcp from ($ext_if) to port smtp

    pass out log on $ext_if proto tcp all modulate state flags S/SA
    pass out log on $ext_if proto { udp, icmp } all keep state

    #############################################################################
    # 3CX Ports Pass to Phone Switch
    #############################################################################

    pass in quick on $ext_if proto udp from any to $3CX port 3478 keep state
    pass in quick on $ext_if proto udp from any to $3CX port 5060 keep state
    pass in quick on $ext_if proto tcp from any to $3CX port 5060 keep state flags S/SA
    pass in quick on $ext_if proto udp from any to $3CX port 5090 keep state
    pass in quick on $ext_if proto tcp from any to $3CX port 5090 keep state flags S/SA
    pass in quick on $ext_if proto tcp from any to $3CX port 5000 keep state flags S/SA
    pass in quick on $ext_if proto tcp from any to $3CX port 5481 keep state flags S/SA
    pass in quick on $ext_if proto udp from any to $3CX port 9000:9049 keep state
    nat on $ext_if proto udp from $3CX to any -> ($ext_if) static-port
    pass out quick on $ext_if proto udp from any to any port 3478 keep state
    pass out quick on $ext_if proto udp from any to any port 5060 keep state
    pass out quick on $ext_if proto tcp from any to any port 5060 keep state flags S/SA
    pass out quick on $ext_if proto udp from any to any port 5090 keep state
    pass out quick on $ext_if proto udp from any to any port 9000:9049 keep state

    #EOF



    Here is what I get when I conduct a firewall check:


    3CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.

    <02:04:31>: Phase 1, checking servers connection, please wait...
    <02:04:31>: Stun Checker service is reachable. Phase 1 check passed.

    <02:04:31>: Phase 2a, Check Port Forwarding to UDP SIP port, please wait...
    <02:04:32>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 60340::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED.
    <02:04:32>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
    <02:04:32>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 60340::5060. Phase 2b check passed with WARNINGS. Some functionality will be LIMITED.

    <02:04:32>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
    <02:04:32>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 62269::5090. Phase 3 check passed with WARNINGS. Some functionality will be LIMITED.

    <02:04:32>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
    <02:04:37>: UDP RTP Port 9000. Response received WITH TRANSLATION 59035::9000. Phase 4-01 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9001. Response received WITH TRANSLATION 34894::9001. Phase 4-02 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9002. Response received WITH TRANSLATION 42184::9002. Phase 4-03 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9003. Response received WITH TRANSLATION 60109::9003. Phase 4-04 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9004. Response received WITH TRANSLATION 51856::9004. Phase 4-05 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9005. Response received WITH TRANSLATION 45596::9005. Phase 4-06 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9006. Response received WITH TRANSLATION 40527::9006. Phase 4-07 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9007. Response received WITH TRANSLATION 54496::9007. Phase 4-08 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9008. Response received WITH TRANSLATION 40669::9008. Phase 4-09 check passed with WARNINGS. Some functionality may be IMPAIRED.
    <02:04:37>: UDP RTP Port 9009. Response received WITH TRANSLATION 58019::9009. Phase 4-10 check passed with WARNINGS. Some functionality may be IMPAIRED.

    Application exit code is 53
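
Added example, not part of the original post: a small Python check over the two artefacts posted above. It reads `WITH TRANSLATION a::b` as "port seen outside :: local port" (an assumption about the checker's format) and relies on pf applying the first matching `nat` rule in this older `nat on`/`rdr on` syntax. The function names and the catch-all heuristic are illustrative.

```python
import re

# Constructed sample: lines taken from the checker output and pf.conf in the post.
CHECKER_LOG = """\
<02:04:32>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 60340::5060.
<02:04:37>: UDP RTP Port 9000. Response received WITH TRANSLATION 59035::9000.
"""
PF_RULES = """\
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto udp from any to any port 5060 -> $3CX
nat on $ext_if proto udp from $3CX to any -> ($ext_if) static-port
"""

TRANSLATION = re.compile(r"WITH TRANSLATION (\d+)::(\d+)")
NAT_RULE = re.compile(r"^\s*nat\s+on\s+(\S+)\s+(.*?)->")

def translated_ports(log):
    """Return (local_port, port_seen_outside) for each rewritten source port."""
    pairs = []
    for m in TRANSLATION.finditer(log):
        seen, local = int(m.group(1)), int(m.group(2))
        if seen != local:
            pairs.append((local, seen))
    return pairs

def shadowed_static_port(conf):
    """Return (static_port_line, catch_all_line) pairs.

    Heuristic: a nat rule with no 'proto' and a source of 'any' or a negated
    address is treated as a catch-all. A static-port rule listed after it on
    the same interface never matches, since the first matching nat rule wins.
    """
    catch_all = {}  # interface -> line number of its first catch-all nat rule
    hits = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0]          # ignore comments
        m = NAT_RULE.match(line)
        if not m:
            continue                          # rdr, pass, block, etc.
        iface, match_part = m.group(1), m.group(2)
        if "static-port" in line:
            if iface in catch_all:
                hits.append((n, catch_all[iface]))
        elif "proto" not in match_part and re.search(r"from\s+(any|!\S+)", match_part):
            catch_all.setdefault(iface, n)
    return hits

if __name__ == "__main__":
    print("rewritten source ports:", translated_ports(CHECKER_LOG))
    print("shadowed static-port rules:", shadowed_static_port(PF_RULES))
```

On the posted rules it reports the `static-port` rule as shadowed by the general `nat` rule near the top of the file, which is consistent with every port in the checker output coming back translated.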
     