v15 Firewall Checker failing - 1 potential solution

Discussion in '3CX Phone System - General' started by Ian Carson, Mar 24, 2017.

Thread Status:
Not open for further replies.
  1. Ian Carson

    Hi Guys

    I know this is a common discussion on the boards at the moment but I thought I would add in my experiences and the eventual solution which may prove useful to someone.

    Our setup is CableModem -> SonicWall -> ||(External subnet) W2k8r2 RRAS/NAT (Internal subnet) || -> Internal network

    The SonicWall runs a DHCP Server for the External subnet side and there is a Domain Controller managing the internal side.

    My initial (unsuccessful) setup was to have the 3CX PBX machine set up on the internal subnet. It was possible to do this setup but the firewall checker simply would not pass no matter what steps I took. NAT appeared to be working properly across the RRAS. Packet inspection (Wireshark) showed that the outbound and inbound packets across the two interfaces of the RRAS machine were being correctly ported but a deeper inspection showed that the MAPPED_ADDRESS field of the returning packet was given as the public external IP on the ISP side of the Cable Modem and was ported with the same number that was showing as the failed mapping in the firewall checker. I did try manually port forwarding via the Properties of the External subnet interface on the RRAS but that had no material effect on the problem. I suspect that this older version of Windows Server did not envisage this particular use case. :)

    After sleeping on it I tested the PBX machine directly to the internet (checker passed no problem); however, there was no protection for the PBX at all under this arrangement. I needed to bring the SonicWall back into the arrangement so I connected the PBX machine to the External subnet side via the X2 PortShield interface on the SonicWall and tested again. The access rule and NAT Policies I set up from the previous day now worked perfectly and the firewall checker passed. (N.B. ensure you have "disable port remap" checked on the Advanced tab of the outbound policy - Firmware SonicOS Enhanced 5.9.1.7-2o).

    I then set up the SonicWall to manage DHCP Option 66 for provisioning and moved all the phones onto a dedicated switch for the External subnet and configured Bandwidth Management.

    This solution is neat and tidy for our needs but does preclude the use of AD for contact information (at least until I can think of a solution for that problem). BTW if anyone has a solution to the Port remapping problem across RRAS/NAT in W2k8R2 please let me know.

    I hope this is of help to someone

    Regards
    Ian Carson
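
Added example, not part of the original post and not 3CX code: a Python sketch that pulls the MAPPED_ADDRESS (or XOR-MAPPED-ADDRESS) attribute out of a STUN Binding response, as seen in a packet capture, and reports whether NAT preserved the source port. It assumes the firewall checker's test amounts to comparing the mapped port with the port the request left from; the IP, ports and sample packet are constructed.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 magic cookie
BINDING_SUCCESS = 0x0101           # Binding success response
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def parse_mapped_address(packet: bytes):
    """Return (ip, port) from a STUN Binding success response (IPv4 only)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    msg_type, msg_len = struct.unpack_from("!HH", packet, 0)
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding success response")
    if 20 + msg_len > len(packet):
        raise ValueError("attributes truncated")
    offset, end = 20, 20 + msg_len
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack_from("!HH", packet, offset)
        value = packet[offset + 4:offset + 4 + attr_len]
        offset += 4 + attr_len + (-attr_len % 4)   # values are padded to 4 bytes
        if attr_type not in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS):
            continue
        if len(value) < 8 or value[1] != 0x01:     # malformed or not IPv4
            continue
        port, addr = struct.unpack_from("!HI", value, 2)
        if attr_type == XOR_MAPPED_ADDRESS:        # undo the RFC 5389 XOR
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
        return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address attribute found")

def port_preserved(packet: bytes, local_port: int) -> bool:
    """True when the NAT chain kept the source port the request was sent from."""
    return parse_mapped_address(packet)[1] == local_port

def build_sample_response(ip: str, port: int) -> bytes:
    """Constructed sample: a Binding response carrying one MAPPED_ADDRESS."""
    attr = struct.pack("!HHBBH4s", MAPPED_ADDRESS, 8, 0, 0x01, port,
                       socket.inet_aton(ip))
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE,
                       b"\x00" * 12) + attr

if __name__ == "__main__":
    # Constructed values: request sent from local port 5060, two NAT outcomes.
    for mapped in (5060, 1024):
        pkt = build_sample_response("203.0.113.10", mapped)
        state = "preserved" if port_preserved(pkt, 5060) else "remapped"
        print(parse_mapped_address(pkt), state)
```
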
     