What is magic about Firewall checker?

Discussion in '3CX Phone System - General' started by Mark Pratt, Dec 20, 2016.

Thread Status:
Not open for further replies.
  1. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
    1. I am very perplexed. I have closed all ports on my router (Ubiquiti EdgeMAX)
    2. SIP registers fine with 3CX to VoIP provider
    3. First call on either of my SIP trunks goes to busy signal
    4. As soon as I run the port checker, and services are restarted, all calls start to succeed.

    Is it OK to leave the ports closed?
    What is magic about the port checker?
    Is this success related to the STUN server pinging 3CX behind the NAT (and it succeeds because the 3CX originates the request)?

    Just trying to learn...
     
  2. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    5,501
    Likes Received:
    359
    Hello there,

    Please note that the PBX requires certain ports to be open for it to work correctly with external entities like providers or remote extensions.
    A list of ports can be found here http://www.3cx.com/docs/3cx-phone-system-v14-ports/
    Do you pass the firewall checker when you run it?

    Also if you want to know how the firewall checker works these articles contain all the info you need.
    http://www.3cx.com/blog/docs/firewall-checker/
    http://www.3cx.com/blog/docs/firewall-voip-rules-check/
     
  3. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
    Only part of the firewall checker that passes is the STUN resolution.
    And yes, I understand about the ports, I am just wondering how it's working without the ports open
    and why just RUNNING the port checker causes the incoming calls to start working.
     
  4. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,210
    Likes Received:
    85
    Simple: you make an outbound connection, causing your firewall to open a dynamic NAT port (first issue: port preservation is gone). Now the NAT implementation of your firewall vendor seems to be only port restricted but not IP, so once the outbound call has been made, everyone knowing your dyn. port can talk to you (can't say if this is good or bad, up to the vendor).

    Issue: as the port is dyn., it will be closed at some point and then all goes dead again. Same for RTP (audio): if we send the first audio stream to the provider it will work, but if the provider sends the first, commonly firewalls set this port to reject and you will have one-way audio.
     
  5. Mark Pratt

    Joined:
    Dec 15, 2016
    Messages:
    11
    Likes Received:
    1
    But how does the STUN server play into this? I thought that was the purpose of the STUN server, to find the external facing IP.
     
  6. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,210
    Likes Received:
    85
    It does, but also the port mapping your firewall creates, and this (given your PBX runs in STUN mode) will be used with the IP in the "contact" which is sent in Registrations and Calls to your provider...


    Check this here: http://www.3cx.com/3cxacademy/videos/basic/nat-port-forwarding/
    Slide 7 is dynamic nat

    In short, the setup you are running the PBX on should not be used, as it is based on good will when and when not it will work.
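
The dynamic NAT behaviour discussed in this thread, as an added example that is not part of the original posts and is not 3CX or router vendor code: a toy mapping table showing why an inbound call is dropped before any outbound packet, reaches the PBX once an outbound STUN request has created a mapping on a NAT that filters by port only, and dies again when the mapping times out. The addresses, the 30-second timeout, the 40000 port base and the rule that only outbound packets refresh the mapping are assumptions.

```python
# Toy NAT mapping table. Added illustration; not 3CX or router vendor code.
# Addresses, the 30 s timeout and the 40000 port base are constructed values.
from dataclasses import dataclass

@dataclass
class Mapping:
    internal: tuple    # (ip, port) of the PBX on the LAN
    remotes: set       # (ip, port) pairs the PBX has sent to
    last_out: float    # time of the last outbound packet

class Nat:
    def __init__(self, filtering, timeout=30.0):
        self.filtering = filtering  # "endpoint-independent" or "address+port"
        self.timeout = timeout
        self.table = {}             # external port -> Mapping
        self.next_port = 40000      # no port preservation: 5060 is not kept

    def outbound(self, internal, remote, now):
        """PBX sends a packet; reuse a live mapping or create a new one."""
        for ext, m in self.table.items():
            if m.internal == internal and now - m.last_out <= self.timeout:
                m.remotes.add(remote)
                m.last_out = now
                return ext
        ext, self.next_port = self.next_port, self.next_port + 1
        self.table[ext] = Mapping(internal, {remote}, now)
        return ext

    def inbound(self, ext_port, remote, now):
        """Return the internal endpoint the packet reaches, or None if dropped."""
        m = self.table.get(ext_port)
        if m is None or now - m.last_out > self.timeout:
            self.table.pop(ext_port, None)   # expired mappings are removed
            return None
        if self.filtering == "address+port" and remote not in m.remotes:
            return None                      # sender was never contacted first
        return m.internal

def scenario(filtering):
    nat = Nat(filtering)
    pbx, stun = ("192.168.1.10", 5060), ("198.51.100.7", 3478)
    provider = ("203.0.113.20", 5060)
    before = nat.inbound(5060, provider, now=0)    # no forward, no mapping
    ext = nat.outbound(pbx, stun, now=1)           # checker's STUN request
    after = nat.inbound(ext, provider, now=5)      # call to the mapped port
    expired = nat.inbound(ext, provider, now=120)  # mapping has timed out
    return ext, before, after, expired
```

`scenario("endpoint-independent")` models the port-only filtering described above; `scenario("address+port")` models a NAT that also checks the sender, where the same inbound call never gets through.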
     