
v15 Firewall Checker failing - 1 potential solution

Status
Not open for further replies.

Ian Carson (Customer; joined Mar 23, 2017; messages: 18; reaction score: 2)

Hi Guys

I know this is a common discussion on the boards at the moment but I thought I would add in my experiences and the eventual solution which may prove useful to someone.

Our setup is CableModem -> SonicWall -> ||(External subnet) W2k8r2 RRAS/NAT (Internal subnet) || -> Internal network

The SonicWall runs a DHCP Server for the External subnet side and there is a Domain Controller managing the internal side.

My initial (unsuccessful) setup was to have the 3CX PBX machine set up on the internal subnet. It was possible to do this setup, but the firewall checker simply would not pass no matter what steps I took. NAT appeared to be working properly across the RRAS. Packet inspection (Wireshark) showed that the outbound and inbound packets across the two interfaces of the RRAS machine were being correctly ported, but a deeper inspection showed that the MAPPED_ADDRESS field of the returning packet was given as the public external IP on the ISP side of the Cable Modem and was ported with the same number that was showing as the failed mapping in the firewall checker. I did try manually port forwarding via the Properties of the External subnet interface on the RRAS, but that had no material effect on the problem. I suspect that this older version of Windows Server did not envisage this particular use case. :)

After sleeping on it, I tested the PBX machine directly to the internet (checker passed no problem); however, there was no protection for the PBX at all under this arrangement. I needed to bring the SonicWall back into the arrangement, so I connected the PBX machine to the External subnet side via the X2 PortShield interface on the SonicWall and tested again. The access rule and NAT Policies I set up from the previous day now worked perfectly and the firewall checker passed. (N.B. ensure you have "disable port remap" checked on the Advanced tab of the outbound policy - Firmware SonicOS Enhanced 5.9.1.7-2o).

I then set up the SonicWall to manage DHCP Option 66 for provisioning and moved all the phones onto a dedicated switch for the External subnet and configured Bandwidth Management.

This solution is neat and tidy for our needs but does preclude the use of AD for contact information (at least until I can think of a solution for that problem). BTW if anyone has a solution to the Port remapping problem across RRAS/NAT in W2k8R2 please let me know.

I hope this is of help to someone

Regards
Ian Carson
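
The check described in the post (reading the mapped address out of the returning packet and comparing its port with the port the PBX sent from) can be scripted against a capture. This is an added example, not part of the original post or 3CX code; it assumes the returning packet is a STUN Binding Success Response, and the function names, addresses and ports are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # RFC 5389 magic cookie
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS, BINDING_SUCCESS = 0x0001, 0x0020, 0x0101


def mapped_address(packet: bytes):
    """Return (ip, port) reported by a STUN Binding Success Response (IPv4)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", packet[:8])
    if msg_type != BINDING_SUCCESS or 20 + msg_len > len(packet):
        raise ValueError("not a complete Binding Success Response")
    found, pos, end = None, 20, 20 + msg_len
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", packet[pos:pos + 4])
        if pos + 4 + attr_len > end:
            raise ValueError("attribute runs past the message body")
        value = packet[pos + 4:pos + 4 + attr_len]
        is_xor = attr_type == XOR_MAPPED_ADDRESS and cookie == MAGIC_COOKIE
        # IPv4 value layout: reserved byte, family 0x01, port, 4-byte address.
        if (attr_type == MAPPED_ADDRESS or is_xor) and attr_len == 8 and value[1] == 1:
            port, addr = struct.unpack("!HI", value[2:8])
            if is_xor:  # the XOR form hides the values from rewriting middleboxes
                port, addr = port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
            found = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are 32-bit aligned
    if found is None:
        raise ValueError("no IPv4 mapped-address attribute present")
    return found


def port_remapped(local_port: int, packet: bytes) -> bool:
    """True when the NAT path changed the source port the server saw."""
    return mapped_address(packet)[1] != local_port


def sample_response(ip: str, port: int) -> bytes:
    """Constructed Binding Success Response carrying one MAPPED-ADDRESS."""
    attr = struct.pack("!HHBBH4s", MAPPED_ADDRESS, 8, 0, 1, port, socket.inet_aton(ip))
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, bytes(12)) + attr


if __name__ == "__main__":
    pkt = sample_response("203.0.113.10", 1027)  # constructed address and port
    print(mapped_address(pkt), "remapped:", port_remapped(5060, pkt))
```

A `True` result from `port_remapped` corresponds to the failed mapping the checker reports; `False` means the port survived every NAT hop unchanged.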
 