Routers and Ports

Discussion in '3CX Phone System - General' started by Mark Pratt, Dec 15, 2016.

Thread Status:
Not open for further replies.
  1. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
1. Just installed new 3CX PBX behind my home router/firewall (Edgemax lite)
    2. I wanted to whitelist the IP address of my VOIP provider
    3. I created a destination NAT like this:
       source: IP address of the VOIP provider, ports 5060 and 9000-9010
       destination: empty
       translation: my internal LAN IP

    I also opened the firewall to accept only packets from that source ip to the destination lan address only

So, my question is, the calls seem to work even without these ports forwarded.
    Is that normal, and if so why? Is it because the SIP connection originates inside the LAN and they are trusted packets?
     
  2. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
OK, an update: with the above firewall/ports the inbound calls do NOT work unless the firewall configuration is run... then inbound calls start working.
    Any ideas?
     
  3. ALuisPV

    Joined:
    Mar 7, 2016
    Messages:
    28
    Likes Received:
    1
Hi Mark,

    you need to open 5060/UDP and 9000-9255/UDP in order to avoid problems with your SIP providers. You need to redirect the traffic arriving at these ports to the internal IP of your 3CX.

    Try to run the Firewall Checker and see if you get errors or everything is ok.

    Best Regards.
     
  4. andreasc

    Joined:
    May 19, 2014
    Messages:
    35
    Likes Received:
    3
You need to open ports from 9000-9250.
    After you run the firewall test the services are restarted and start using the first port for some calls.
    OR
    Some firewalls need the keep-alive option, so navigate to Management Console -> Settings -> Network -> Firewall.
     
  5. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
So I closed down all my ports on my router.
    The firewall checker of course fails.
    However, after running the checker, I no longer get an inbound busy signal and all works.
    So, somehow this is negotiating a route/port.

    So, I would worry that I would have to do this upon each reboot or power outage.

    Any best practices here to lock down the 5060 port to 3CX?

    Or is the built-in security OK if I leave 5060 open?
     
  6. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,357
    Likes Received:
    224
    If you can white list your VoIP provider, and don't use external extensions (or anything else that might be coming from a different IP), then, great, only that IP, in theory, should be able to get to port 5060. You should still have port forwarding enabled. Even if you managed to get a call working without it, there is no guarantee that will continue.
     
  7. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
I am looking at the default iptables that come with 3CX.

    Anyone have correct statements that would allow two IP addresses into the iptables on port 5060?

    Not sure where to put the accept statement, above or below the ones allowing all sources access to 5060, 5061, etc.
     
  8. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,357
    Likes Received:
    224
Normally you would block random attempts first, in your router or firewall, so they never reach 3CX. If they get as far as 3CX, then they have followed the port forwarding (of port 5060), set in your router, to the 3CX server. At that point you have to block public IPs again. You can let 3CX do this (you might want to lower some of the trigger thresholds), then notify you so you can permanently block them. I suppose you could create a "rule" that blocked everything, then you would have to whitelist your provider, along with (I assume) your local network.
     
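One way to express the "block everything, then whitelist the provider and the local network" approach leejor describes, as an added example that is not from the thread or from 3CX's own default iptables: a dedicated chain that accepts SIP (5060/UDP) and the RTP range (9000-9255/UDP, the range given earlier in the thread) only from listed sources and drops the rest, inserted at the top of INPUT so it is evaluated before any generic allow rules for 5060/5061. The provider addresses, the LAN network and the chain name are placeholder values (documentation ranges); set IPT=echo to preview the rules without touching the firewall.

```shell
#!/bin/sh
# Constructed example: whitelist two SIP provider addresses plus the LAN on
# 5060/UDP and 9000-9255/UDP, drop everyone else on those ports.
# Placeholder values; replace with your provider's real addresses.
PROVIDER_A="${PROVIDER_A:-192.0.2.10}"
PROVIDER_B="${PROVIDER_B:-198.51.100.20}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHAIN="SIP-WHITELIST"
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

# Emit the rule bodies, one per line: explicit ACCEPTs first, catch-all
# DROPs last, so ordering inside the chain does the allow-listing.
sip_whitelist_rules() {
  for src in "$PROVIDER_A" "$PROVIDER_B" "$LAN_NET"; do
    echo "-A $CHAIN -s $src -p udp --dport 5060 -j ACCEPT"
    echo "-A $CHAIN -s $src -p udp --dport 9000:9255 -j ACCEPT"
  done
  echo "-A $CHAIN -p udp --dport 5060 -j DROP"
  echo "-A $CHAIN -p udp --dport 9000:9255 -j DROP"
}

# Create (or flush) the chain, load the rules, and jump to it from the
# top of INPUT so it runs before any broader ACCEPT rules for 5060/5061.
apply_sip_whitelist() {
  $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
  sip_whitelist_rules | while read -r rule; do
    # shellcheck disable=SC2086  # word-splitting the rule is intended
    $IPT $rule
  done
  $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT 1 -j "$CHAIN"
}
```

Traffic from addresses outside the list is dropped in the chain and never reaches 3CX's own blacklisting, which matches the "block it in the router/firewall first" advice above.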