Provisioning causes loss of local network connection

Discussion in '3CX Phone System - General' started by LouSmith, Jan 11, 2018.

Thread Status:
Not open for further replies.
  1. LouSmith

    We set up on an OVH VPS that works fine with Windows softphones as well as both Android and iPhone clients.
    However, the 3 Yealink T42S deskphones (new but have current firmware installed) using STUN are a total bust.
    All are configured according to 3cx training videos but, after the phone is configured in the console and rebooted, the phone loses network connectivity.
    SIP ports are 5065, 5066 and 5057
    RTP port ranges follow the same process: 14000-14009 etc
    IPs are static assignments and work properly until provisioning is attempted.
    Internet is Spectrum cable;
    Router is Netgear R8000P;
    Switch is Netgear M4100-D12G and has been configured using their "Auto-Voice" VLAN as well as a manually configured voice VLAN based on their exact instructions. Neither have any effect on the provisioning problem so I have no idea which approach would be best.
    Defective cables have been ruled out and changing the phones made no difference.
    This is my first pbx even though I've been around technology for over 50 years. I would really appreciate some help. Experience in other areas tells me that I'm missing something very simple.
     
  2. accentlogic

    Hi Lou - on the RTP ports phone 1 should be 14000-14009, phone two 14010-14019, phone three 14020-14029. You may have it that way now, but I wanted to make sure. You are also supposed to forward from your local firewall to each of the phones those RTP ports.

    That said, any time there is more than one phone at a location we do not use STUN. An old Windows PC or Raspberry Pi takes out all the issues of firewall configuration and NAT traversal.

    If you have a spare machine to use as your SBC life will be much easier. Make sure that machine is on your Voice VLAN (use NetGear switch to set that port), Install and configure the SBC, make a note of the extension and mac addresses, factory reset the phones and then watch them show up in the Phones tab. Assign them to an existing extension, set your desired configuration, and they will provision and reboot. Feel free to reach out if you have more questions.
     
  3. LouSmith

    Thanks @accentlogic. Yes, all the settings are in accordance with 3cx recommendations.
    As for switching to SBC, I've been considering exactly that. My concern is that time is short to get this done and apparently SBC has its own limitations and drawbacks.
    Plus, as I understand it, the primary drawback to STUN is the amount of setup required, and configuring 3 phones was nothing. The problem is not about the number of phones because I can't even get one to work. That suggests that something very basic is wrong and, if that is the case, there is no guarantee that SBC is going to solve it.
    Ward Mundy said on another forum that he had had this exact thing happen with a T42G but I've not gotten any details about how he resolved it.
    You could help me with one thing right now. My decades of experience are little help with this, my first software PBX.
    In setting up a phone (or phones) for STUN, are there any ports besides the SIP and RTP ranges that need to be forwarded at the remote location? I'm having difficulty separating all the port information furnished by 3CX as to which end of the system ports should be forwarded.
    Any assistance you could provide about that would be helpful and sincerely appreciated.
    Lou
     
  4. accentlogic

    I would lean to a VLAN issue if the phone loses network when on the VLAN after provisioning. See if you can manually configure the phone for your voice VLAN before provisioning and still ping Google DNS from the phone. (I think Yealink added some tests for that.)

    You can try removing all but one phone, configure it with STUN, no VLAN, no port forwarding. Plain vanilla and simple. It should work. If it does, then you can try your VLAN again, or leave voice on the default LAN and move on to the SBC. (Using the SBC eliminates port forwarding and eliminates that risk. On a small network keeping it simple is sometimes best.)

    If it still does not work on VLAN1, then yes, there is something odd going on. I have several users with single locations using STUN and no port forwarding with zero issues - not supported, but if it can work without firewall changes (and the risks) I am all for it.

    If one phone with STUN still does not work you might try changing firmware.
     
  5. LouSmith

    All good thoughts that are well worth trying @accentlogic
    However, would you mind responding to the question about which ports have to be forwarded?
    Is there anything besides the SIP port and the RTP range that should be forwarded in order to meet 3cx guidelines?
     
  6. accentlogic

    You had it correct, only the SIP port and RTP ports at the remote site for each phone need to be forwarded for STUN.

    SIP ports - TCP and UDP
    RTP ports - UDP

    https://www.3cx.com/docs/provisioning-remote-extension/

    Notes when using Remote Extension with STUN:
    1. Please make sure that your Remote Location has Static NAT implemented as well to the phones and that the SIP port and RTP port range for each phone as specified in Extension Settings >> Provisioning tab is correctly forwarded to the IP address of each phone
    2. If you have multiple IP Phones on the same remote network configured with the same SIP and RTP ports, you might have an audio problem caused by the way certain routers implement NAT. In this scenario, each phone must have a different SIP Port and a range of RTP ports must be configured per phone. To do this, click on the Provisioning tab, change the SIP and RTP ports and perform a re-provision of each phone from the Phones node.
    3. SIP ALG may interfere with the correct handling of audio and signaling. If you have audio issues, try to disable SIP ALG from the firewall. If you encounter such issues, you should check if your router has any known issues with SIP and VoIP. On most firewalls, SIP ALG needs to be turned off.
    4. If you are using 3CX Phone System as a Virtual PBX Server, you would need to allow access to the ports for the specific instance you are configuring. The default port list can be found in the Installing 3CX Phone System as a Virtual PBX Server admin guide.
    5. If you have a Thomson router, you MUST make sure that the SIP Port of the phone is NOT EQUAL to 5060. Read this post for more information https://www.3cx.com/blog/docs/disable-sip-alg-on-thomson/.
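The per-phone port scheme from this reply (a distinct SIP port per phone, a distinct 10-port RTP block per phone, SIP forwarded on TCP and UDP, RTP on UDP), worked through as code. This is an added example, not from the thread, 3CX or Yealink. It builds the plan, checks it for the collisions behind note 2 and the port-5060 case in note 5, and renders the inbound DNAT rules the remote-site router needs. The private phone addresses, the PBX address, nftables as the router's firewall and the WAN interface name are assumptions for illustration; the rules also restrict inbound traffic to the PBX's source address, which is the restriction accentlogic raises later in the thread as the thing consumer routers usually cannot do.

```python
"""Port plan and NAT rules for 3CX remote extensions behind one NAT using STUN.

Added example, not code from the thread, 3CX or Yealink. Phone i gets SIP
port sip_base+i and RTP block i (14000-14009, 14010-14019, ...). The phone
IPs, PBX address, nftables syntax and interface name are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class PhonePlan:
    name: str
    ip: IPv4Address
    sip_port: int
    rtp_first: int
    rtp_last: int

    def ports(self):
        """All inbound ports this phone needs forwarded to it."""
        return [self.sip_port] + list(range(self.rtp_first, self.rtp_last + 1))


def plan_ports(phones, sip_base=5065, rtp_base=14000, rtp_per_phone=10):
    """Assign each (name, ip) pair its own SIP port and RTP block, in order."""
    plans = []
    for i, (name, ip) in enumerate(phones):
        first = rtp_base + i * rtp_per_phone
        plans.append(PhonePlan(name, IPv4Address(ip), sip_base + i,
                               first, first + rtp_per_phone - 1))
    return plans


def check_plan(plans):
    """Return a list of problems; an empty list means the plan is usable.

    Two phones behind the same NAT that forward the same port collide: the
    router can deliver an inbound packet to only one of them, which is the
    audio problem note 2 describes. Note 5 says to avoid SIP port 5060.
    """
    problems = []
    owner = {}
    for p in plans:
        if p.sip_port == 5060:
            problems.append(f"{p.name}: SIP port 5060 (note 5: avoid on Thomson routers)")
        if not (1024 < p.sip_port < 65536) or p.rtp_last > 65535:
            problems.append(f"{p.name}: port out of range")
        for port in p.ports():
            if port in owner:
                problems.append(f"port {port} used by both {owner[port]} and {p.name}")
            else:
                owner[port] = p.name
    return problems


def nft_rules(plans, wan_iface, pbx_ip):
    """Render nftables DNAT rules: SIP on TCP+UDP, RTP on UDP.

    Inbound is limited to the PBX's source address so the forwarded SIP and
    RTP ports are not reachable from the whole Internet. (Assumed syntax for
    a Linux router; a consumer router's port-forward page needs the same
    ports and targets but usually cannot filter on the source address.)
    """
    lines = ["table ip nat {",
             "  chain prerouting {",
             "    type nat hook prerouting priority -100;"]
    for p in plans:
        for proto in ("udp", "tcp"):
            lines.append(f'    iifname "{wan_iface}" ip saddr {pbx_ip} {proto} dport '
                         f"{p.sip_port} dnat to {p.ip}:{p.sip_port}")
        lines.append(f'    iifname "{wan_iface}" ip saddr {pbx_ip} udp dport '
                     f"{p.rtp_first}-{p.rtp_last} dnat to {p.ip}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: three phones on DHCP reservations, as in the thread.
    sample = [("T42S-1", "192.168.10.11"),
              ("T42S-2", "192.168.10.12"),
              ("T42S-3", "192.168.10.13")]
    plans = plan_ports(sample)
    for p in plans:
        print(f"{p.name} {p.ip} SIP {p.sip_port} RTP {p.rtp_first}-{p.rtp_last}")
    print("problems:", check_plan(plans) or "none")
    print(nft_rules(plans, "eth0", "203.0.113.10"))  # PBX address is assumed
```

The values printed by the plan are what go into each extension's Provisioning tab on the PBX; the rendered rules (or their equivalent in the router's port-forward page) go at the remote site. Re-run check_plan after any manual change to a phone's ports, since a single reused port is enough to break audio on two phones at once.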
     
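Note 3 in the list above says SIP ALG interferes with signalling and audio. What an ALG actually does is rewrite the address and port in the Via and Contact headers and in the SDP c= line on the way out; a phone using STUN has already put its public address and forwarded port there, so an ALG that changes the port again leaves the PBX replying to a port nothing is forwarded to. The quickest way to confirm an ALG is in play is to capture the same request on the phone side and at the PBX and diff those fields. The parser below does that diff; it is an added example, not from the thread or 3CX, and the two INVITEs it compares are constructed stand-ins for the two captures.

```python
"""Spot SIP ALG rewrites by diffing a request as sent and as received.

Added example, not code from the thread or 3CX. The messages are constructed:
'sent' stands for a capture on the phone's LAN, 'received' for the same
request captured at the PBX after the router's ALG rewrote it.
"""
import re


def sip_addresses(msg):
    """Return (via_host, contact_host, sdp_c_host) from one SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    via = re.search(r"SIP/2\.0/\w+\s+([^;\s]+)", headers.get("via", ""))
    contact = re.search(r"sip:(?:[^@>]+@)?([^;>]+)", headers.get("contact", ""))
    c_line = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    return (via.group(1) if via else None,
            contact.group(1) if contact else None,
            c_line.group(1) if c_line else None)


def alg_rewrites(sent, received):
    """Fields whose value differs between the phone's copy and the PBX's copy.

    An empty dict means nothing on the path rewrote the message; any entry
    is evidence of an ALG (or other middlebox) editing SIP/SDP.
    """
    labels = ("Via", "Contact", "SDP c=")
    return {label: (a, b)
            for label, a, b in zip(labels, sip_addresses(sent), sip_addresses(received))
            if a != b}


def build_invite(host_port, sdp_host):
    """Constructed INVITE with the given Via/Contact host:port and SDP c= host."""
    body = (f"v=0\r\no=- 1 1 IN IP4 {sdp_host}\r\nc=IN IP4 {sdp_host}\r\n"
            "m=audio 14000 RTP/AVP 0\r\n")
    return ("INVITE sip:200@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host_port};branch=z9hG4bK776\r\n"
            f"Contact: <sip:101@{host_port}>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


if __name__ == "__main__":
    # Phone-side capture: private address and its configured SIP port.
    sent = build_invite("192.168.10.11:5065", "192.168.10.11")
    # PBX-side capture: ALG swapped in the public address and a NAT-picked port.
    received = build_invite("198.51.100.7:1034", "198.51.100.7")
    for field, (before, after) in alg_rewrites(sent, received).items():
        print(f"{field}: {before} -> {after}  (rewritten in transit)")
```

If the diff is empty but audio still fails, the ALG is not the cause and the port-forward or VLAN side deserves the attention instead; if the Contact port differs from the port forwarded to the phone, that mismatch alone explains one-way or no audio.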
  7. LouSmith

    Thanks @accentlogic
    I feel as though I'm close to memorizing that and other 3cx documents. Some of them refer to ports that have to be on the server end so I appreciate your confirmation that I've sorted it out correctly.
     
  8. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    I think that the fact that after the reboot, meaning it pulled the provisioning file, it loses the network connectivity, is related to something you mentioned in your original post:
    "IPs are static assignments and work properly until provisioning is attempted."
    Does this mean you statically assigned an IP on the device itself, or that you have reserved them in the DHCP?

    If it's the first, then provisioning sets the phone to DHCP, which may explain why it's losing the network.
     
  9. LouSmith

    @NickD_3CX - The IPs are reserved in the router for the MAC of each phone.
    I was not aware until recently that the IP could be set in the phone.
    I tried to do that on one of the phones but the static IP did not survive a reboot.
    If you have any suggestions, I would be most happy to try whatever you suggest.

    Edit -
    If provisioning sets the phone to DHCP, why wouldn't it simply get the IP that is reserved for it from the router?
     
    #9 LouSmith, Jan 12, 2018
    Last edited: Jan 12, 2018
  10. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    I am a bit at a loss as well to be honest, but I think I am leaning towards what @accentlogic was as well, something with the VLANs.

    Specifically, I am assuming that this "Auto-Voice" VLAN you were referring to is probably LLDP-MED and the phone auto-joins on first boot. For this most likely the switch port is set to be an Access port.
    Then, though, from what I understand you move this to a custom Voice VLAN you have created. I suspect this might break it, because for this to work I think the port should be changed to a Trunk port. This may also conflict with the LLDP-MED.

    I would suggest either just sticking to the "Auto-Voice" VLAN (LLDP-MED) function to have the phone auto-assigned, or if you don't want that, disable this on that switch port and do traditional VLAN tagging on the port.

    Then again, this is just a suspicion. By the time the IP Phone gets an IP on first boot, I would probably rule out anything being wrong with the phone, and 99.9% suspect something network-related.
     
  11. LouSmith

    I did not mean to suggest that 2 VLANS were being used at the same time.
    To be clear, I tried the "Auto-Voice" VLAN with no joy.
    Then I created a customized voice VLAN in strict accordance with Netgear recommendations and also got no joy.
    I have currently switched back to using the "Auto-Voice" to ensure that I've not injected any human errors into the configuration.
     
  12. lneblett

    get rid of the vlan.
    1. simplify your initial setup
    2. a vlan for 3 phones is unlikely to provide any benefit anyway in this small of a deployment.
     
  13. accentlogic

    accentlogic New Member

    Joined:
    Nov 14, 2013
    Messages:
    174
    Likes Received:
    72
    Agreed, at least to validate that the phones work properly. After that, make sure there is a DHCP server that is actually serving the VLAN. We have also had issues with NetGear LLDP in the past, and had to disable it. To disable DHCP or LLDP you will be forced to use a custom template. Another reason to just use the default LAN and an SBC to prevent inbound firewall rules.
     
  14. LouSmith

    Thanks for all of your suggestions.
    I did isolate the problem by eliminating the vlan so that I could get a basic setup working. No big surprise that it worked.
    I'll begin testing tomorrow to try to find out what specifically about the vlan is causing the problem. I'm not willing to do without a voice vlan. I do not subscribe to the theory that small businesses don't need flawless communications.
     
  15. lneblett

    The choice of a VLAN is yours to make of course.

    A VLAN is typically used to segregate traffic by adding some form of tagging so that others that are not a member of the same VLAN are not able to access the same data. In effect, it is a virtual LAN, yet it shares the same physical medium for transport. It does nothing with regard to ensuring data flow or delivery by itself.

    Manufacturers of some networking equipment have automated VLAN generation for voice. They do this to ease the need for having to manually generate the same, but at the same time, they typically also set up QoS.

    QoS is oftentimes perceived to be in use all the time, but in reality, it's not. Packet acceleration/prioritization (QoS) is usually only employed when the switch or router senses (through its queue algorithms) the need to do so. If the device is not congested, then usually the device is not going to start accelerating packets simply because they may be tagged with QoS. This would unduly penalize normal traffic for no reason. The packets will flow along with the other packets as though all were peers. Only when the device senses a congestion event will QoS come into play, and even then, the device will most likely not dedicate 100% of its capability to the QoS-tagged packets. So a VLAN does nothing with regard to ensuring flow; only when using QoS and there is congestion on the LAN is there any benefit to getting packets to and fro.

    It has nothing to do with a notion that small businesses have a lesser need, but rather that a need to understand the network and how the aspects come together to best meet the need is the issue. If you want a VLAN, I take no issue. If you need a VLAN, that remains to be seen, but perhaps you do and again I have no issue. I only pointed out that given the size of the deployment, saturating a GB LAN, while possible, seems unlikely. If QoS were to be needed, I assume it would be at the router level more so.
     
  16. LouSmith

    Thank you lneblett for helping me to better understand what I know too little about. For me, understanding provides clarity about moving forward, and the time you invested here is greatly appreciated.
    Ensuring voice quality is what I'm really focused on, and I thought that the best way to do it would be with a VLAN that incorporated QoS.
    I could start over from scratch, including my probably unwise choice of equipment. If you were to design a 3cx installation for no more than 10 phones, what router and switch would you choose?
     
  17. accentlogic

    @LouSmith, your NetGear switch should be fine. We are a NetGear partner and typically use the GS728TP or similar units.

    The firewall is a consumer version, and I am not sure it supports DHCP for VLAN scopes - if you have not found a way to configure this that may have been your issue.

    We avoid consumer type firewalls because they do not allow firewall rules to restrict inbound/outbound traffic based on the remote server address - among other things. However, it may work fine for you, but I would only recommend using it if you go with a 3CX SBC on your LAN (or VLAN if you can get networking worked out).

    Consumer units usually do not allow you to restrict incoming SIP and RTP traffic to your 3CX cloud PBX, so your phones would be exposed if you use STUN. They typically will not support a VPN to your cloud 3CX. It may not support "QoS" to the internet, or traffic shaping, since you really can't get QoS over the internet. (On the SonicWalls we use, and many other business-class firewall/routers, there are bandwidth management rules that can reserve some bandwidth for your voice traffic or connections, among other features.)

    3CX does publish a list of recommended firewalls that is geared toward the server location, but it's a good list of units that mostly support these types of features. (Probably not the LinkSys). pfSense is free, and if you are a willing to put in a little time it works great. Many users here are big fans of the MikroTik units, and they are not very expensive.
     
  18. lneblett

    The switch is fine (I am also an authorized Netgear reseller). Certainly no issue there. As far as routers go, 3CX does not recommend routers per se. They will advise on certain models as to whether or not they are known to function correctly and will give advice on how to configure some of the more prevalent models. There are simply too many makes and model and firmware versions and in many cases, a client may be tied to a specific make due to certain security needs or even corporate policy.

    I have not used pfsense, but have heard nothing bad. I also use Mikrotik on occasion, but it can be a steep learning curve for some as it is extremely flexible and low cost (big bang for the buck) and they rely on a Wiki for guidance on how to configure. I try not to use them if I have a sense that the client is not very "techie" and may want or have a need to get into it later.

    I agree with Accentlogic. Most consumer-based routers are geared for gaming and Wi-Fi performance and in so doing sacrifice in certain areas. He has enumerated a number of features/functions that are desired. Nick Galea (head kahuna at 3CX) put out an article of what should be the base features in a router expected to work with 3CX. https://www.3cx.com/blog/voip-howto/router-firewall-features-requirements/

    Certainly other features can be added for various needs. I personally favor Draytek. They are relatively reasonable in cost, no on-going maintenance contracts are required to get firmware updates, they are quite fully featured and have a relatively easy to understand GUI. Like your desire for a VLAN and QoS, Draytek can either be manually set for QoS or, they have an auto VoIP QoS function; it depends on your need, as you may need QoS on more than just VoIP. You simply define the SIP port, and it will then decipher the headers and apply QoS (of course, only when needed) to the associated RTP streams. If you want the same website security level as a SonicWall, you can subscribe to Cyren, which is the same as what SonicWall uses. SonicWall does offer added options for advanced threat detection/prevention and they are quite good at doing so. You might do a search of 3CX for "firewall configurations" and then see how difficult or friendly each is and then check out the pricing.

    The last piece of advice is that if you have a 100Mbs Internet connection, then do not get a 100Mbs router. Most routers that are advertised as being 100Mb are incapable of NAT'ting the full 100Mbs. They will usually achieve between 70 and 85% of the speed. This is because the router will be doing other tasks such as port forwarding, VPN, firewall protection and other functions. The same can be said for many GB routers in that they too will not be able to NAT at full rated speed. Look for the router throughput. As an example, the Draytek 2925 is a GB router; the WAN throughput is 300Mbs. Not many folks are blessed with such speeds, but at least check to see that the router of interest is able to handle your current and future needs. On the LAN side it is not so much of an issue, but in and out of the site is where it counts.
     
    #18 lneblett, Jan 13, 2018
    Last edited: Jan 13, 2018
  19. LouSmith

    Again, kudos for great assistance from both of you.
    Do you use the basic 2925 or one of the other models?
    I've already decided to ditch the existing router and, with only 3 phones, I don't see why I even need a managed switch.
    Am I missing something?
     
  20. lneblett

    While I don't think you really need a managed switch, you already have it and perhaps at some point you will. Also, what a great learning experience it offers. I use a variety of Draytek; it just depends on the needs and features. The 2925 is likely a good choice for you if your Internet connection is over 80Mbs; otherwise, look at the 2912N: lower speed on NAT and LAN, but still a very featured router for the price. The 2926 is brand new and just came out. I have not looked at it yet as I still have 2925s in stock, but it may be worth it as well. They all do VLANs, VPNs, LAN DNS, QoS, etc.
     