Configuring a Draytek 2820 Firewall with 3CX
This document describes the configuration of a Draytek 2820 for use with 3CX Phone System. We will look into the NAT configuration necessary for 3CX Phone System and the QoS configuration to prioritize SIP and RTP traffic. This guide is based on firmware version 3.3.3, dated 23 October 2009.
Note: We cannot assist you in the configuration of your firewall.
Step 1: Disable SIP ALG
You first need to disable SIP ALG on your Draytek Router by following the steps outlined below:
- Open a Command Prompt and telnet to the Draytek router by typing the following command:
- Enter the following two commands to disable the SIP ALG Handler on the device:
- If you are using model Vigor2750 or Vigor2130, instead use the following commands:
Step 2: Configure Port Forwarding (NAT)
- Browse to the Router’s Web Interface (default IP address is 192.168.1.1).
- Go to the “NAT” > “Open Ports” menu item.
- Go to the first free position in the “Open Port” menu, and configure as follows:
- Ensure the “Enable Open Ports” checkbox is enabled
- Set the “Comment” field value to “3CX”
- Set the “WAN Interface” field to “WAN1”
- Set the “Local Computer” field to the assigned IP address of the 3CX machine (in this example 192.168.1.200)
- Each line is used to open a single port or port range and set the protocol. Open all ports required by 3CX. For an up to date list of the ports required to be open check here.
- Click on the “OK” button at the bottom of the page. This will send you back to the “Open Ports” summary page.
Step 3: QOS Configuration - Bandwidth Management
- Browse to the Router’s Web Interface (the device’s default IP address is 192.168.1.1).
- Go to the “Bandwidth Management” > “Quality of Service” menu item.
- Click the “Edit” link in the “Service Type” column.
- For each port and port range your 3CX installation uses, fill in the following fields. Add:
- “Service Name”: use a suitable name to denote what this port is used for.
- “Service Type”: TCP and/or UDP depending on the port you are opening.
- “Type”: Single or Range
- “Port Number”: the service port number or range to add
- Repeat step 4 for all ports used by your 3CX installation.
Note: An updated list of the default ports used by 3CX can be found here:
Step 4: Creating a Class Rule
- Click on the “Edit” link in the “Class 1” row in the “Rule” column
- Set the “Name” field to “3CX VoIP”
- Click on the “Add” button
- Set the:
- “ACT” field to enabled
- “Local Address” field to the IP address of the PBX machine (in this example 192.168.1.200)
- Ensure the “Remote Address” field is set to “Any”
- Ensure the “DiffServ CodePoint” field is set to “Any”
- In “Service Type” add one of the service types you created in Step 3.
- Click the “OK” button
- Repeat steps 1-5 for all services created in Step 3.
- When finished click on the “OK” button to save the Class Rule.
Step 5: Assign a Priority Level
Now we need to instruct the router to assign a priority level to traffic of class “3CX VOIP”.
- In “Bandwidth Management” → “Quality of Service” click on the “Setup” link on the “WAN1” row.
- Check the “Enable the QoS Control” checkbox, and set the traffic direction to “BOTH”
- Set the “Reserved_bandwidth Ratio” field for traffic of class “3CX VOIP” to 70%
- Set the “Reserved_bandwidth Ratio” field for traffic of Class 2 and Class 3 to 10%
- Click on the “OK” button to complete the configuration
Note: The “Reserved_bandwidth Ratio” percentage does not reserve bandwidth at all times, but only when other traffic types are competing with the “3CX VOIP” class traffic for bandwidth.
Step 6:Validating Your Setup
Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX.
More information about the Firewall Checker can be found here.
Users of Draytek VoIP Models
If you have a Draytek VoIP model you also need to perform the following steps in addition to the steps described above to enable it to work with 3CX Phone System:
- Log in to your Draytek Router’s Web Interface
- Select “VoIP” and then click on “SIP Accounts” in the Draytek Management Console
- Select “Change the SIP port in VoIP” to something else other than 5060
Note: All SIP account ports should be changed.
- Press “OK” to save your changes.
When you finish modifying all your accounts, restart your Draytek Router.