No incoming voice - 3CX PBX behind 2 routers

Status
Not open for further replies.

lextar

Hi to all!
I've been using the 3CX PBX for 2 years behind an ISP router, and it works perfectly.
Now I added a load balance router behind the ISP router in my office network and opened all the ports needed by 3CX on the router.

The problem is now that I can't hear the incoming voice from the phones!!
This is the log of the firewall checker, as you can see there is a warning on the port translation.
How can I disable the port translation? I can't see any option in the routers!!

Code:
3CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.

<20:11:20>: Phase 1, checking servers connection, please wait...
<20:11:20>: Stun Checker service is reachable. Phase 1 check passed.
<20:11:20>: Phase 2a, Check Port Forwarding to UDP SIP port, please wait...
<20:11:20>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 6369::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

<20:11:20>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
<20:11:20>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 6369::5060. Phase 2b check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

<20:11:20>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
<20:11:20>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 6401::5090. Phase 3 check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/

<20:11:20>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
<20:11:39>: UDP RTP Port 9000. Response received WITH TRANSLATION 6433::9000. Phase 4-01 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<20:11:39>: UDP RTP Port 9001. Response received WITH TRANSLATION 6465::9001. Phase 4-02 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<20:11:39>: UDP RTP Port 9002. Response received WITH TRANSLATION 6497::9002. Phase 4-03 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<20:11:39>: UDP RTP Port 9003. Response received WITH TRANSLATION 6529::9003. Phase 4-04 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit

I also found this problem in the 3cx log:
19:42:30.846 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun3.3cx.com:3478'

Actually the routers are set in this way:
DSL router 1 (main DSL line, Static IP)-> all the ports opened to the Load balance router
DSL router 2 (backup DSL line, dynamic IP)-> all the ports opened to the Load balance router

Load balance router -> 3CX server (Win 2K8 enterprise) opened ports: 5060,5061,5090,5000 and the range between 9000 and 9050.
I also set on the load balance router that the whole traffic generated by these ports should pass through DSL router 1, that has a static IP.

How can I resolve this?
 
I forgot to say that the load balance router I'm using is a TP-Link TL-R470T+.
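
A small parser for the Firewall Checker output quoted above, added here as an illustration (it is not from the thread or from 3CX). It assumes each `A::B` pair reads as externally observed port `A` against configured port `B`; the sample lines are constructed in the same format as the posted log.

```python
import re

# Constructed sample in the format of the Firewall Checker output quoted in the post.
SAMPLE_LOG = """\
<20:11:20>: Stun Checker service is reachable. Phase 1 check passed.
<20:11:20>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 6369::5060. Phase 2a check passed with WARNINGS.
<20:11:20>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 6401::5090. Phase 3 check passed with WARNINGS.
<20:11:39>: UDP RTP Port 9000. Response received WITH TRANSLATION 6433::9000. Phase 4-01 check passed with WARNINGS.
<20:11:39>: UDP RTP Port 9001. Response received WITH TRANSLATION 6465::9001. Phase 4-02 check passed with WARNINGS. For more information, please visit
"""

# Assumption: in "A::B", A is the port seen from outside and B is the configured port.
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<kind>SIP|TUNNEL|RTP)\s+Port\b.*?"
    r"WITH TRANSLATION\s+(?P<seen>\d+)::(?P<configured>\d+)"
)


def find_translations(log_text):
    """Return (proto, kind, configured, seen) for every port the NAT rewrote."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # phase banners, clean checks, lines cut off before the pair
        seen, configured = int(m["seen"]), int(m["configured"])
        if seen != configured:  # identical ports mean the mapping was preserved
            findings.append((m["proto"], m["kind"], configured, seen))
    return findings


def summarize(findings):
    """Group rewritten ports by service so signalling (SIP) and media (RTP) are separate."""
    summary = {}
    for proto, kind, configured, seen in findings:
        summary.setdefault(kind, []).append((proto, configured, seen))
    return summary


if __name__ == "__main__":
    for kind, ports in summarize(find_translations(SAMPLE_LOG)).items():
        for proto, configured, seen in ports:
            print(f"{kind}: {proto} {configured} seen externally as {seen}")
```

Any entry under `RTP` means the media ports are being rewritten somewhere in the router chain, which matches the STUN failure for ports 9000 and 9001 in the 3CX log.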
 
Double "NATing" is going to give you a lot of headaches, some, you may not be able to get around. Is there any way to connect the new load balancing router in front of the other router, to allow it to pick up its own public IP? Some providers allow you a couple of dynamic IPs. It requires that you are using a stand-alone modem so that you can insert a switch, then split to both routers.
 
Man! ... Not only double NAT but load balancing ... wow! You are in deep!!

Double-NAT will kill VoIP easily just because there are too many addresses in the chain. To simplify, your device registration packets reference the local network address of the phone, and the Public IP of the system, so that a call coming in from outside knows where the system is, and the system knows what extension / device the call has to be passed to. Normally, if for some reason you have to chain routers, it is best to do it using routed IPs with NAT turned off ... in other words, with a public IP address on either side of the router.

In regard to load-sharing ... I've never got this to work with a 3CX, again because the registration packet sent out by the 3CX will reference only one of the load-balanced DSL connections. At best you'll get traffic down only one path - but it is more usual to experience one-way audio! STUN server connects don't help because they just confuse the 3CX by giving it changing public IP addresses.

About the only thing that I have got working is a load-balancing fail-over, where one DSL is dormant until the other fails. This needs a bit of careful configuration because regular STUN server interrogation and short-timeout SIP Provider re-registration are required to re-align your connection to your provider to get the incoming calls back on target.

Choose your ISP & router wisely is my advice - and go for one good quality DSL feed. Back it up with analogue or ISDN fail-over if you are nervous about losing the DSL.
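
The addresses-in-the-packet problem described in this reply can be checked on a captured SIP message. The following is an added example, not code from the thread or from 3CX: it lists the addresses advertised in the Via, Contact and SDP `c=` lines and flags RFC 1918 ones. The INVITE and every address in it are constructed.

```python
import ipaddress
import re

# Constructed SIP INVITE with SDP; all addresses are made up for illustration.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@203.0.113.10:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed",
    "Contact: <sip:100@203.0.113.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.50",
    "c=IN IP4 192.168.1.50",
    "m=audio 9000 RTP/AVP 0 8",
])

# Explicit RFC 1918 list: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
CHECKED = ("via:", "contact:", "c=")  # fields a remote party uses to reach us


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def advertised_addresses(message):
    """Return (field, address, is_private) for Via, Contact and SDP c= lines."""
    found = []
    for line in message.splitlines():
        low = line.lower()
        field = next((p for p in CHECKED if low.startswith(p)), None)
        if field is None:
            continue
        for addr in IPV4_RE.findall(line):
            try:
                found.append((field.rstrip(":="), addr, is_rfc1918(addr)))
            except ValueError:
                continue  # dotted string that is not a valid IPv4 address
    return found


def unreachable_media(message):
    """Return the SDP c= address if it is private (remote RTP sent there is lost)."""
    for field, addr, private in advertised_addresses(message):
        if field == "c" and private:
            return addr
    return None
```

A private address in `c=` while Contact carries the public IP is the pattern behind calls that connect but carry audio in one direction only.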
 
If you opened the ports and still no voice you may want to remove the additional router and go another route if at all possible. Though I'm sure your business cannot operate without voice so I'd definitely always think twice about using SIP behind two routers.
 