Sonicwall and Disable Source Port Remapping

Discussion in '3CX Phone System - General' started by Rod P, Jan 27, 2017.

Thread Status:
Not open for further replies.
  1. Rod P

    Joined:
    Jan 27, 2017
    Messages:
    5
    Likes Received:
    1
    Have a quick question.
    In the configuration guide https://www.3cx.com/blog/voip-howto/sonicwall-firewall-configuration/
    it says "Edit the Advanced TAB and make sure that “Disable Source Port Remap” is disabled." but then shows it checked. Should "Disable Source Port Remap" be checked (enabled) or unchecked (disabled)? All of our remote phones seem to be working fine, but the firewall checker is red across the board...
     
  2. dan_tx

    dan_tx New Member

    Joined:
    Nov 3, 2016
    Messages:
    100
    Likes Received:
    27
    We have a SonicWall and a green/pass firewall checker; we have the box unchecked and no apparent phone issues. I think the photo is showing how it should not be, which is unusual and confusing.

    I think the line
    "Edit the Advanced TAB and make sure that “Disable Source Port Remap” is disabled."
    would be translated as
    Edit the Advanced TAB and make sure that “Disable Source Port Remap” is disabled (unchecked).
     
    Rod P likes this.
  3. Rod P

    Joined:
    Jan 27, 2017
    Messages:
    5
    Likes Received:
    1
    Thank you! Just wanted to make sure; that is how ours is set up too. Wish they would change the picture to show it unchecked as well. Well, on to look for other causes...
     
  4. dan_tx

    dan_tx New Member

    Joined:
    Nov 3, 2016
    Messages:
    100
    Likes Received:
    27
    What's failing on the firewall checker?
    You should have 3 NAT rules: inbound, outbound, and loopback. If you have multiple external IPs and/or WAN connections, create a static route to use the correct interface for outbound traffic from the PBX (not mentioned in the guide) and then an inbound access rule for the PBX and 3CX ports (and an outbound access rule if you limit outbound). If you do any geo-IP blocking on the SonicWall, you'll need to allow 3CX sites and services, since they are probably outside your country. Same thing with phones you buy.

    One difference we have from the guide is that the guide says at the bottom to disable Consistent NAT under VoIP settings. We have it enabled due to having another PBX behind the SonicWall that needs this. We haven't had issues with it being turned on.
     
  5. Rod P

    Joined:
    Jan 27, 2017
    Messages:
    5
    Likes Received:
    1
    Pretty much everything failed except STUN server resolution. Now I don't think I created a loopback... Now outbound gets weird, in my opinion. If we are calling a standard phone number, that is going over SIP, which is provided on the local LAN via Comcast to an ESG, so that never touches any router or NAT device. Outbound calls to remote extensions go through the premade 3CX tunnels that the phones make ahead of time. All of these things seem to test out OK; it's just that the firewall checker throws up "unmatched mapping" on everything. How everything can work and be failing at the same time leaves me grasping at straws. I will probably have to run Wireshark during the firewall check to see what is happening. Just hoping for something simple. Is there a list of 3CX sites and services, since we are using geo-IP? I haven't seen anything in the log that shows we are blocking.
     
  6. dan_tx

    dan_tx New Member

    Joined:
    Nov 3, 2016
    Messages:
    100
    Likes Received:
    27
    Some IPs that geo-IP will block that you might need. I know there are probably ranges; I just didn't look for them, only allowed as needed.

    3cx.com 151.80.125.71 UK
    download.3cx.com 151.80.125.73 UK
    3cx.us 158.69.11.3 Canada

    fanvil.com 103.243.182.36 HK
    fanvil.com 98.126.147.236
    fanvil.hk 103.11.103.102
    xsrv.fanvil.com 119.28.67.228
    xsrv.fanvil.com 223.26.68.205

    support.yealink.com 121.12.89.16 China
    yealink.com download 121.12.89.165
    yealink.com download2 39.130.133.36
    yealink.com download3 39.130.133.34
    yealink.com support1 39.130.133.38
    yealink.com support2 121.12.89.163

    snom.com 188.40.66.22 Germany
    snom.com 52.29.20.105
     
  7. pcepbx

    Joined:
    Apr 7, 2016
    Messages:
    19
    Likes Received:
    2
    Rod, are you using firewall rules to limit WAN->LAN access to only your SIP provider's IP addresses to the 3CX server's private IP? If so, this will explain why the firewall checker is showing mostly red. When the firewall checker communicates with 3CX's STUN servers, those STUN servers attempt to open connections to your server (WAN->LAN), which, unless you explicitly allow traffic from any WAN source, will fail. As part of the STUN process, those STUN servers will attempt to initiate WAN->LAN connections from a different IP than the original request (by design), which is why the normal NAT process doesn't allow that traffic back in.

    If you're curious, temporarily add a WAN->LAN rule as highlighted below, then run your firewall checker again. Be sure to turn this OFF when done testing!

    [attachment: upload_2017-1-27_14-53-42.png]
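The behaviour pcepbx describes (the checker's second STUN server probing from a different IP, and the NAT refusing it) and the thread's question about source port remapping can be made concrete with a small model of NAT behaviour. The block below is an added example written for this thread, not code from 3CX, SonicWall or any poster; all addresses are constructed, and `preserve_source_port` / `address_dependent_filtering` are the two knobs (mapping and filtering behaviour in RFC 4787 terms) the example assumes a firewall exposes. It shows why a trunk call can succeed while the checker still reports an unmatched mapping.

```python
"""
Constructed NAT model: why the 3CX firewall checker can report "unmatched
mapping" while calls keep working.  Added example, not from the thread.
"""
from dataclasses import dataclass, field
import itertools

# Constructed addresses (RFC 5737 documentation ranges)
PBX_LAN = ("192.168.1.10", 5060)   # PBX private socket behind the firewall
WAN_IP = "203.0.113.5"             # firewall's public address
STUN_A = ("198.51.100.1", 3478)    # first STUN server the checker talks to
STUN_B = ("198.51.100.2", 3478)    # second STUN server, a different IP
TRUNK = ("192.0.2.10", 5060)       # SIP trunk provider the PBX registers with


@dataclass
class Nat:
    # True: the public port equals the PBX's private port (no remapping).
    preserve_source_port: bool
    # True: inbound packets to a mapping are accepted only from peers the
    # PBX already sent to (address-dependent filtering); False: any peer.
    address_dependent_filtering: bool
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    mappings: dict = field(default_factory=dict)  # (lan_ip, lan_port) -> public port
    peers: dict = field(default_factory=dict)     # public port -> {(remote_ip, port)}

    def outbound(self, src, dst):
        """PBX sends a packet from src to dst; returns the public (ip, port) dst sees."""
        if src not in self.mappings:
            port = src[1] if self.preserve_source_port else next(self._ports)
            self.mappings[src] = port
            self.peers[port] = set()
        port = self.mappings[src]
        self.peers[port].add(dst)
        return (WAN_IP, port)

    def inbound(self, remote, public):
        """A remote host sends to the public socket; True if it reaches the PBX."""
        port = public[1]
        if port not in self.peers:
            return False  # no mapping exists for this port
        if self.address_dependent_filtering and remote not in self.peers[port]:
            return False  # mapping exists, but this peer was never contacted by the PBX
        return True


def firewall_check(nat):
    """Model of the checker: talk to STUN A, then let STUN B probe the mapping."""
    public = nat.outbound(PBX_LAN, STUN_A)
    return {
        "port_matches": public[1] == PBX_LAN[1],            # mapping looks "matched"
        "reachable_from_other_ip": nat.inbound(STUN_B, public),
    }


def trunk_call_works(nat):
    """Register with the trunk, then the trunk sends an INVITE back to the mapping."""
    public = nat.outbound(PBX_LAN, TRUNK)
    return nat.inbound(TRUNK, public)


if __name__ == "__main__":
    for preserve in (True, False):
        for filtering in (False, True):
            nat = Nat(preserve, filtering)
            print(f"preserve_port={preserve!s:5} addr_filtering={filtering!s:5}",
                  firewall_check(nat), "trunk call ok:", trunk_call_works(nat))
```

With address-dependent filtering (the "only allow my SIP provider" rule pcepbx mentions), `trunk_call_works` stays True for every combination because the provider is a peer the PBX already sent to, while the checker's probe from STUN B is dropped. Turning off source port preservation additionally makes the reported public port differ from the PBX's own port, which is the other way the checker ends up showing a mismatch.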
     
  8. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    447
    Likes Received:
    20
    Or the opposite?
    https://www.3cx.com/community/threads/dell-sonicwall-woes-unmatched-mapping.45853/
    STUN 1 and 3:*.125.93 and *.125.97
    STUN 2: *.11.6
     
    #8 Sopock, Jan 28, 2017
    Last edited: Jan 28, 2017
  9. DavidWebb

    Joined:
    Jul 22, 2016
    Messages:
    18
    Likes Received:
    1
    *Edit* Never mind, found the other thread where they talk about 5.9.1.7-2o. Have it running now.

    May I ask a related question? I'm still on an older 5.8 firmware, but there is the "general release" version at 5.9.1.7-2o. I haven't upgraded because the 5.9 versions I have tried used to not have the option for "Disable Source Port Remap". So, is anyone using the 5.9.1.7-2o firmware?
     
    #9 DavidWebb, Feb 3, 2017
    Last edited: Feb 8, 2017
  10. hogan71088

    Joined:
    Nov 30, 2015
    Messages:
    61
    Likes Received:
    3
    Hi,

    How did you resolve this in the end?
     
  11. Rod P

    Joined:
    Jan 27, 2017
    Messages:
    5
    Likes Received:
    1
    Never really did, because it is working; it's just the firewall checker saying it isn't. I just upgraded the firmware last week due to another issue with content filtering, so I can maybe run the check again to see. Are you running into the same thing, with the firewall checker showing red but it working?
     