Settings rules in WinRoute firewall

Discussion in '3CX Phone System - General' started by rdevrede, Jan 29, 2008.

Thread Status:
Not open for further replies.
  1. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    I can't get the correct settings rules in WinRoute firewall. I tried some different things but I can't get the firewall test working.

    I read the manual correctly:

    · Port 5060 (UDP) for SIP communications (send & receive)
    · Port 3478 (UDP) for communication with the STUN server (send & receive)
    · Port 9000-9003 (or higher) (UDP) (send & receive) for RTP communications, which contain the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data. Therefore, you must open twice as many ports as you wish to support simultaneous calls via the VOIP provider. For example, if you want to allow 4 people to make calls via the VOIP provider simultaneously, you must open port 9000 to 9007.

    I made separate rules for this VOIP and also I entered them in my NAT and Firewall rules. I tried to port map everything to the IP of the local machine. Nothing is working. What am I missing?

    BTW Nick great to see you here. A long time ago, my company sold pop2exchange several times... Great product, nice to see you are in VOIP now.

    Best regards,
    ADINETS
    Ramond de Vrede
     
  2. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    Ramond,

    What I have found on several firewall manufacturers' firewalls is that if you open a range of ports for a firewall rule it sometimes gets treated as a 2-way cone NAT rather than a PAT 1:1 translation for port numbers on the inside:outside.

    To get around this, I've had to include one rule for each port, as this makes sure it's PAT.

    i.e. for 9000-9007 I would have had 8 rules, one for each port, rather than 1 rule covering 8 ports.

    Give it a try?

    Cheers,
    Mike.
     
  3. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,934
    Likes Received:
    250
    Hi Ramond,

    Thanks for your nice comments :)

    I suggest running the firewall checker and then maybe posting the output? That will give us an idea of what is going on
     
  4. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    Hi.... I will try that in a minute.

    Here is the result of the firewall checker:

    The firewall test allows you to check that your firewall is allowing traffic to pass to and from your VOIP provider. If you pass the firewall test, you will be able to use the VOIP provider without problems. If you fail the firewall test, review the errors and warnings and adjust your firewall configuration accordingly. You will not be able to make or receive calls via your VOIP provider until you pass the test.

    Parameters

    Stun Server to test
    Stun Port to test
    Port Range to be tested

    Test is in progress

    Result: Firewall check failed!

    # Port Status Description Parameters
    1 Error (11) The server side of the firewall checker service is unavailable. Please try again later. agentAddr = 87.230.29.162:4200
    2 9000 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49511
    3 9001 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49512
    4 9002 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49514
    5 9003 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49515
    6 9004 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49530
    7 9005 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49531
    8 9006 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49532
    9 9007 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49533
    10 9008 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49534
    11 9009 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49535
    12 9010 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49536
    13 9011 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49537
    14 9012 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49538
    15 9013 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49539
    16 9014 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49494
    17 9015 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:49495

    I will remove the 9000-9015 range and made some individual rules in my firewall.

    At the moment the VOIP Line is GREEN. I can actually call to a PSTN line. They pick it up and we can't speak. So I feel we are close.

    Thanks all for helping me out. When this is working fine I think I can make a lot of customers happy.

    ADINETS
    Ramond.
     
  5. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    Here is an update.

    Like Mike told me, I made LAN -> WAN and Firewall -> WAN rules for 9000, 9001, 9002 and 9003 individually. When I add an extra line for UDP 3478 I get a STUN server not found error. So I removed that one again.

    Here is the result, firewall test still fails, from the firewall checker:

    Firewall Test
    The firewall test allows you to check that your firewall is allowing traffic to pass to and from your VOIP provider. If you pass the firewall test, you will be able to use the VOIP provider without problems. If you fail the firewall test, review the errors and warnings and adjust your firewall configuration accordingly. You will not be able to make or receive calls via your VOIP provider until you pass the test.

    Parameters

    Stun Server to test
    Stun Port to test
    Port Range to be tested

    Test is in progress

    Result: Firewall check failed!

    # Port Status Description Parameters
    1 Error (11) The server side of the firewall checker service is unavailable. Please try again later. agentAddr = 87.230.29.162:4200
    2 9000 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:50194
    3 9001 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:50195
    4 9002 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:50196
    5 9003 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 84.30.153.145:50197


    I tested 9000 - 9003 because I had those ports in my firewall. Thanks in advance for any suggestions. The weird thing is that VOIP Line is GREEN and I can initiate a call.

    ADINETS
    Ramond de Vrede
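Added example, not code from the thread or from 3CX: a small Python parser for the firewall checker rows pasted above. It separates the service-level error row from the per-port rows and flags each port whose externalAddress port differs from the local one, i.e. ports the NAT rewrote instead of mapping statically. The sample rows are constructed (documentation IP addresses, not the ones in the thread), and the `OK (0) Port is open.` row is an assumed format for a port that passed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# A checker row as pasted above: "<n> [<port>] <status> (<code>) <description> <param> = <ip>:<port>"
ROW_RE = re.compile(
    r"^\s*(?P<n>\d+)\s+(?:(?P<port>\d+)\s+)?(?P<status>[A-Za-z]+)\s+\((?P<code>\d+)\)\s+"
    r"(?P<desc>.*?)\s+(?P<param>\w+)\s*=\s*(?P<ip>[\d.]+):(?P<ext>\d+)\s*$"
)
# Constructed sample (documentation IPs, not the thread's); the "OK (0)" row is an assumed passing format.
SAMPLE = """\
1 Error (11) The server side of the firewall checker service is unavailable. Please try again later. agentAddr = 198.51.100.10:4200
2 9000 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 203.0.113.5:49511
3 9001 Warning (10) Port is open, but port number has been changed. In general this should not present any problems. externalAddress = 203.0.113.5:49512
4 9002 OK (0) Port is open. externalAddress = 203.0.113.5:9002
"""

@dataclass
class CheckRow:
    port: Optional[int]           # local port under test; None for service-level rows
    status: str
    code: int
    description: str
    external_port: Optional[int]  # port seen from outside (externalAddress), if reported

def parse_checker_output(text: str) -> List[CheckRow]:
    """Parse the result rows; lines not in the row format (headers, blanks) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port = int(m["port"]) if m["port"] else None
            ext = int(m["ext"]) if m["param"] == "externalAddress" else None
            rows.append(CheckRow(port, m["status"], int(m["code"]), m["desc"], ext))
    return rows

def port_preserved(row: CheckRow) -> bool:
    """True when the NAT kept the port number (static 1:1 mapping), which one rule per port aims for."""
    return row.port is not None and row.external_port == row.port

def summarize(text: str) -> Dict[str, List[int]]:
    """Group tested ports by NAT treatment; service-level errors are listed by code."""
    out: Dict[str, List[int]] = {"service_errors": [], "preserved": [], "translated": []}
    for row in parse_checker_output(text):
        if row.port is None:
            out["service_errors"].append(row.code)
        elif port_preserved(row):
            out["preserved"].append(row.port)
        else:
            out["translated"].append(row.port)
    return out
```

Run `summarize(SAMPLE)` to get the lists; any port under "translated" is one the router rewrote, which is exactly what the Warning (10) rows above are reporting.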
     
  6. landfiets

    landfiets New Member

    Joined:
    Jul 17, 2007
    Messages:
    243
    Likes Received:
    0
    Hi. It is not strange that you can make calls, because the router itself changed the ports and uses them as said in the log.
    The only thing is that it shouldn't be like that. I learned that maybe the coming update from next week will help already a lot and turn the firewall of your router off. Let just NAT do the things and turn the firewall off. Most of the people already have firewalls in their computer so double walling is useless. Did you also forward ports on your computer firewall where the 3CX software is running? Because it is also there. Or did you switch that one off?
     
  7. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    I'm curious for the next release of course.

    I can't turn off the firewall in the router. On the machine I'm running 3CX there is no firewall running (yep, I double checked, it's not running).

    When the new release is available I will portmap via NAT directly to the 3CX machine and will not make a firewall rule. Maybe that's the solution for me. I will keep you guys updated here. Thanks in advance.

    ADINETS
    Ramond de Vrede
     
  8. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    Set this on hold please.

    I installed 3CX on another PC with another router and the firewall settings are tested ok.

    When the new version of 3CX will come out I will test it again and post my results here. At the moment the priority is let it run and see if this is a solution for us and our customers. Cheers.

    ADINETS
    Ramond de Vrede
     
  9. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    Extra information about this issue.

    The newer WinRoute does support Full Cone NAT while the used version doesn't. When the version is upgraded I will post additional information here.
     
  10. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,934
    Likes Received:
    250
    Hi Ramond,

    Do you know if your version of Winroute supports STATIC port mapping? This is important. More info on this issue:

    http://www.3cx.com/support/nat-firewalls.html
     
  11. Pentangle

    Pentangle Member

    Joined:
    Dec 6, 2007
    Messages:
    261
    Likes Received:
    0
    Umm, Nick, calling it "full cone NAT" is not what you want. Cone NAT implies there's a cone of ports being translated through to a single port/address number and then being translated back out again on the other side of the firewall, hence source/destination port numbers may get transposed, which is the problem you're seeing with some firewalls. I know the Wiki is misleading BTW.

    This is why I advocated (in the much earlier post in this thread) that each port is individually mapped.

    I know what you're trying to say, but it needs to be a little clearer IMHO (as the firewall manuf. are terribly shoddy in this area).

    Mike.
     
  12. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    Not yet Nick. The customer asked me to upgrade to the latest version : 6.4.2. (I found in their technical manual stating how to configure port mapping in terms of Full Cone NAT).

    I will check which version they currently use. So you know then that version < 6.4.2 will not work and version >= 6.4.2 will (maybe).

    I keep you updated. Tomorrow I can tell you the version number that doesn't work. Maybe the next day if the upgrade is solving those problems. If so I will post the settings here.
     
  13. rdevrede

    Joined:
    Jan 28, 2008
    Messages:
    13
    Likes Received:
    0
    The current, not working version, is 6.2.1.
     