Firewall & Router Configuration
On this topic
If you plan to use remote extensions or a VoIP Provider, you need to make changes to your firewall configuration, in order for the 3CX Phone System to communicate successfully with your SIP trunks and remote IP Phones. This guide gives you a generic overview of the ports that need to be opened/statically forwarded on your firewall. We also have detailed guides for popular firewalls that take you step by step to the correct configuration of your firewall. You can learn more in Routers, NAT, VoIP and Firewalls.
Step 1: Configure the Ports for your SIP Trunk / VoIP Provider
Open the following ports to allow 3CX Phone System to communicate with the VoIP Provider/SIP Trunk and WebRTC:
- Port 5060 (inbound, UDP) for SIP communications.
- Port 9000-10999 (inbound, UDP) for RTP (Audio) communications, which contain the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data. Therefore, you must open twice as many ports if you wish to support simultaneous calls.
Note that the above port ranges are the default ports in the 3CX Phone System. You can adjust these ports from the 3CX Management Console, in the “Settings” > “Network” > “Ports” function.
Step 2: Configure the Ports for Remote 3CX Apps
To allow users to use their 3CX apps remotely, on Android, iOS, Mac or Windows, you must open the following ports:
- Port 5090 (inbound, UDP and TCP) for the 3CX tunnel
- Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning (Unless you have chosen custom ports).
- Port 443 (outbound, TCP) for Google Android Push.
- Port 2195, 2196 (outbound, TCP) for Apple iOS Push.
PUSH messages are sent by the 3CX Phone System to Extensions using smartphones in order to wake up the devices to take calls. This greatly enhances the usability of the smartphone apps.
Step 3: Port Configuration for Remote IP Phones / Bridges via Direct SIP
For remote IP Phones and bridges you have the choice of using the 3CX SBC (Tunnel) or Direct SIP. The 3CX SBC service bundles all VoIP traffic over a single port and vastly simplify firewall configuration and improve reliability. No additional configuration is required because the 3CX SBC uses the same ports as the 3CX apps use. More information on SBC can be found here.
If you wish to connect remote extensions via direct SIP, you must open the following ports (most of them are already opened if you use a SIP trunk):
- Port 5060 (inbound, UDP and TCP), Port 5061 (inbound, TCP) (if using secure SIP) - already open if using SIP Trunks.
- Port 9000-10999 (inbound, UDP) for RTP - already open if using SIP Trunks.
- Port 443 or 5001 (inbound, TCP) HTTPs for provisioning. (Unless you have chosen custom ports).
Step 4: Port Configuration for 3CX WebMeeting, SMTP & Activation
In order to be able to create and participate in web based meetings the 3CX hosted cloud service must be able to communicate with the 3CX PBX and vice versa. In order to do so the following ports need to be forwarded and outbound traffic needs to be allowed to:
- Port 443 (outbound, TCP) to webmeeting.3cx.net (the ip may changes and it is recommended to allow traffic to the fqdn rather than to the ip address when possible).
- Port 443 or 5001 (inbound, TCP unless you have chosen custom ports) to notify users of incoming web meetings.
- Open the port you selected for HTTPS inbound TCP on your firewall inbound TCP. The default is 443 but if you changed it to 5001 or another custom port, open that port.
- To be able to send emails using 3CX SMTP the machine needs to allow outbound TCP:2528
Step 5: Disable SIP ALG
To maximize your chances of success, make sure you choose a device that does not implement a SIP Helper or SIP ALG (Application Layer Gateway), or choose a device on which SIP ALG can be disabled. The following links are examples of how to switch off ALG on popular routers:
- How to Disable SIP ALG on Fortinet / FortiGate
- How to Disable SIP ALG on Netgear Routers
- How to Disable SIP ALG on Thomson Routers
Step 6: Run the Firewall Checker
After configuring your firewall, run the 3CX Firewall Checker to ensure that configuration is correct!
Step by Step Instructions for Popular Firewalls
Example configurations for popular firewalls:
- Configuring a Lancom Firewall for 3CX
- Configuring a Sonicwall Firewall for 3CX
- Configuring a Draytek 2820 Router for 3CX with QoS configuration
- Configuring a Zyxel P-662H-D1 Router with 3CX
- Configuring AVM FritzBox as a Firewall with 3CX
- Configuring a CISCO router to allow connection to a VOIP provider
- Configuring FortiGate 80C for 3CX
- Configuring a WatchGuard XTM Firewall for 3CX
- Configuring a pfSense Firewall for 3CX
- Configuring a pfSense Firewall for 3CX as a Virtual PBX Server
- Configuring a Kerio Control Appliance for 3CX
- Configuring MikroTik Firewall