V15 - Full Cone Failed

Discussion in '3CX Phone System - General' started by AHAutomation, Oct 25, 2016.

Thread Status:
Not open for further replies.
  1. AHAutomation

    I have been searching for a week now for what the problem could be, why my firewall test failed. 8|

    Example:
    testing port 5060... full cone test failed

    I found out that, because we use a whitelist (for remote locations connecting to our VPS with 3CX), the Full Cone test failed. When I open port 5060 to the whole world, the firewall test runs OK.

    testing port 5060... done

    The result of the Firewall Checker is FALSE!
    It should have stated "cannot verify ports with 3CX test server" or something???
    Please 3CX, look into it!
     
  2. leejor

    What firewall hardware are you using?
     
  3. ian.watts

    I'm going to trace the host(s) it tests that against when the checker runs.
    I found the only option I could use was to simply turn off Windows Firewall before I run the test, then enable it again.
    You know darn well it's just asking somebody to send a SIP message and listen for a response.. then report that.

    Indeed, shoring up inbound SIP connectivity to.. I don't know.. LIMIT YOUR ATTACK SURFACE.. isn't a bad thing.
    Some would argue that such a test should "pass" with flying colors!... but I digress. Stay tuned.. news at 11.
     
  4. ian.watts

    Looking at this: http://www.3cx.com/blog/docs/firewall-voip-rules-check/

    Indeed a tcpdump showed me where the first STUN host configured (vanilla stun.3cx.com) had passed the flags on Test 2.. and with the port forward unrestricted (iptables was open..) I saw the inbound increment both address and port.. so the CHANGE-REQUEST is tested on the primary STUN host you have configured.

    It also checked the other two (stun2 and stun3).. and legit STUN servers should honor the CHANGE-REQUEST to test that.

    So.. you can/should allow inbound SIP from your STUN hosts.. and at minimum from your primary STUN's IP address +1.
    The latter can get messy.. given you "want" to use host names but IP+1 kinda breaks that..

    Put another way.. you "may" want to leave it open for the test "then" close it off.. but I am also aware that for some this simply would not be an option to do.
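To make the mechanism described above concrete, here is an added example (not 3CX's checker code, and not from the linked blog) that encodes the classic RFC 3489 Binding Request with a CHANGE-REQUEST attribute, parses the MAPPED-ADDRESS out of a Binding Response, and interprets the Test II ("full cone") outcome, including the case this thread is about, where an inbound whitelist that only lists the primary STUN host swallows the reply from the alternate address. The server addresses and the response bytes are constructed sample data, not a capture.

```python
import os
import struct
import ipaddress

# RFC 3489 (classic STUN) constants; the NAT-type tests use this message shape
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_CHANGE_REQUEST = 0x0001, 0x0003
CHANGE_IP, CHANGE_PORT = 0x04, 0x02

def build_binding_request(change_ip=False, change_port=False, txid=None):
    """Encode a Binding Request. The CHANGE-REQUEST flags ask the server to answer from
    its alternate IP and/or port, which is what RFC 3489 Test II (the full-cone probe) relies on."""
    txid = txid or os.urandom(16)
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HH", BINDING_REQUEST, len(attrs)) + txid + attrs

def parse_mapped_address(msg, txid):
    """Return (ip, port) from the MAPPED-ADDRESS of a Binding Response for txid, else None."""
    if len(msg) < 20:
        return None
    mtype, length = struct.unpack("!HH", msg[:4])
    if mtype != BINDING_RESPONSE or msg[4:20] != txid or len(msg) != 20 + length:
        return None
    body = msg[20:]
    while len(body) >= 4:
        atype, alen = struct.unpack("!HH", body[:4])
        value, body = body[4:4 + alen], body[4 + alen:]
        if atype == ATTR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:  # IPv4 family
            return str(ipaddress.IPv4Address(value[4:8])), struct.unpack("!H", value[2:4])[0]
    return None

def interpret_test2(primary, response_src, response, txid):
    """Explain a Test II outcome. primary and response_src are (ip, port); response is bytes or None.
    No reply means the server's alternate address never got through: either the NAT is not full
    cone, or inbound is filtered to the primary STUN host only (the whitelist symptom in this thread)."""
    if response is None:
        return "failed: no reply from alternate address; NAT is not full cone OR inbound is filtered"
    if parse_mapped_address(response, txid) is None:
        return "failed: reply did not parse as a Binding Response for our transaction"
    if response_src == primary:
        return "inconclusive: server ignored CHANGE-REQUEST and answered from the primary address"
    return "passed: full cone (reply from %s:%d accepted inbound)" % response_src

def sample_response(txid, ip, port):
    """Constructed Binding Response carrying MAPPED-ADDRESS ip:port (sample data, not a capture)."""
    value = struct.pack("!xBH", 0x01, port) + ipaddress.IPv4Address(ip).packed
    attrs = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attrs)) + txid + attrs
```

A firewall rule set that permits inbound UDP only from the primary STUN host therefore produces the first "failed" string even on a NAT that is genuinely full cone, which is why the thread's checker result cannot distinguish "blocked by policy" from "not full cone".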
     
  5. AHAutomation

    We use pfSense 2.3.2 (no Windows Firewall).
    We have configured all inbound rules, and configured "Hybrid Outbound NAT" with the 3CX server as source with static port.
     
  6. leejor