SBC Required Ports

Discussion in '3CX Phone System - General' started by knollwood, Jun 8, 2017.

Thread Status:
Not open for further replies.
  1. knollwood

    Just put the SBC on a Windows machine. The installer created Windows firewall rules to open port 5060.

    I can get the SBC to communicate with the cloud server, but only when I turn off Windows Firewall completely. With it on, phones connecting through the SBC won't connect to the cloud server.

    I ran logging on the Windows Firewall. When it's turned on, it's blocking port 5353 that seems to be part of the SBC functionality. The installation docs say only 5060 needs to be opened.

    Am I missing something? What is port 5353 and why is it affecting me?

    Thanks!
     
  2. leejor

    leejor Well-Known Member

  3. OCWI

    OCWI New Member

    I would not recommend using a Windows SBC if these phones are used for a business, they crash - constantly. The Windows service is a joke. We've used it, in quantity, on Windows 7, 8, 10 boxes, server OS 03, 08, 12, and 16. If you have a relationship with your customer it will quickly degrade it when their phones just suddenly stop working several times per month.

    Try it on a Raspberry Pi, we just recently switched to those and are having better luck, but not much data behind it yet. If those don't work reliably we will unfortunately be switching from 3CX. We have exhausted every other solution, including support.

    We do about 1 or 2 systems per day, so we have medium volume.

    To address your question, make sure 5060, 5353, and 5090 are open.

    Ensure your tunnel password is set correctly on the PBX and the SBC also. The SBC does have some logs; look for them in the installation directory. Sometimes they are helpful in pointing to the issue of why it won't hit the PBX.
     
  4. DSXDATA

    DSXDATA New Member

    The PI SBCs can be rock solid, but there are a few things that really matter: Make certain to complete the /etc/3cxsbc.conf file. The LocalSipAddr and LocalSipPort parameters are commented out as if they don't matter. They do. Uncomment the lines and put in the correct values.

    A quick check to see if it's working is to do netstat | grep 5090, which will show you if it's connected. It's tempting to turn on the SBC log, but the disk space will fill up on you and the SBC will mysteriously fail in a week or so.

    No changes in the firewall are necessary so long as you allow all outgoing traffic. I certainly would not allow 5060 inbound, unless you want to be best friends with SIPVicious.
     
    #4 DSXDATA, Jun 13, 2017
    Last edited: Jun 13, 2017
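The two checks described in post #4, as an added example that is not part of the post or of 3CX's tooling: one function reports whether a key such as LocalSipAddr is actually set, the other accepts only an ESTABLISHED row whose remote port is 5090, which a bare `grep 5090` cannot distinguish. Assumptions: the conf file uses Key=Value lines with `#` or `;` comments, the tunnel shows up as a TCP row in `netstat -tn`, and all sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumptions: the conf file holds Key=Value lines and marks
# comments with '#' or ';'; the tunnel is a TCP row in `netstat -tn` output.

# conf_key_state KEY < conf : prints set | unset (commented/empty) | missing
conf_key_state() {
    awk -v key="$1" '
        BEGIN { state = "missing" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = (line ~ /^[#;]/)
            sub(/^[#;]+[ \t]*/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k != key) next
            if (!commented && v != "") state = "set"
            else if (state != "set") state = "unset"
        }
        END { print state }'
}

# tunnel_established PORT < netstat-output : succeeds only if an ESTABLISHED
# row has PORT as its remote port (a bare grep also hits local ports, 45090...)
tunnel_established() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, part, ":")
            if (part[n] == port) found = 1
        }
        END { exit !found }'
}

sample_conf() {  # constructed sample, not a real 3cxsbc.conf
    printf '%s\n' '#LocalSipAddr=192.0.2.10' 'LocalSipPort=5060'
}

sample_netstat() {  # constructed rows; $1 = state of the row to port 5090
    printf 'tcp 0 0 192.0.2.10:45090 198.51.100.7:443 ESTABLISHED\n'
    printf 'tcp 0 0 192.0.2.10:50902 198.51.100.7:5090 %s\n' "$1"
}

for key in LocalSipAddr LocalSipPort; do
    echo "$key: $(sample_conf | conf_key_state "$key")"
done
sample_netstat TIME_WAIT | tunnel_established 5090 || echo "no tunnel (grep 5090 would still match)"
sample_netstat ESTABLISHED | tunnel_established 5090 && echo "tunnel to 5090 established"
```

On a real SBC the inputs would be `conf_key_state LocalSipAddr < /etc/3cxsbc.conf` and `netstat -tn | tunnel_established 5090`.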
  5. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support


    Can you tell me the support ticket IDs you have with us to follow up with them? The Windows SBC service is stable and if this is not the case in your installs we would like to follow up. PIs are the most limited devices and the biggest issue is the LAN interface is connected via USB...
     
  6. OCWI

    OCWI New Member

    Stefan, I can PM those to you. We have just shy of 50 Windows SBCs in the field. Every day we can expect at least 1 of them to be offline due to the service randomly shutting off. Most of these are dedicated computers just for the SBC. Some are shared servers, but only very few.

    What do you mean by PIs are the most limited? Can you elaborate on "the biggest issue is the LAN is connected via USB"? This doesn't make sense; what problems does this cause that you see with the PI?
     
  7. DSXDATA

    DSXDATA New Member

    Stefan might be confused about the PI. I'm talking about the Raspberry PI 3 with the V15 SBC service. The PI used to have a limit because the SBC service was single threaded, but now that it supports multi-threading, the PI can handle upwards of 20 extensions. Note that it is the BLF signalling that puts the load on the SBC. Older models had an internal USB network port but the PI 3 has a standard 1GB NIC. We have more than 80 of them in the field and have not had to reset or otherwise maintain any of them except when the local site has power or severe network issues.

    At some time SIPVicious-like entities can invade the network, resulting in a crash of the tunnel. That's been the main cause of instability and we have been able to mitigate through the use of dedicated VLANs and tight firewalls.
     
    agp and OCWI like this.
  8. OCWI

    OCWI New Member

    That is really, really good to hear, the stability you are seeing with a data set of 80. Thanks for sharing that. May I ask, are the SIP attacks affecting the SBCs that are using encrypted connections? (I think like step 3 or 4 in the SBC installation it asks "encryption" or "no encryption")?
     
  9. DSXDATA

    DSXDATA New Member

    The SIP attacks have been from infected "nodes" inside the network that look for open 5060 (the SBC) and then try 101 ways to connect. So the encryption has no impact. Also, on the PI, I'd suggest you become comfortable with the "nano" editor and directly edit the /etc/3cxsbc.conf file. Over time, you'll want to be able to adjust things and it's easier to spot typos when you're used to the conf file contents.
     
    OCWI likes this.
  10. OCWI

    OCWI New Member

    Excellent advice, I really appreciate the replies, Kirk!

    I will certainly do everything you are mentioning here!
     
    DSXDATA likes this.