Configuring MikroTik with 3CX

Introduction

This document describes the configuration of MikroTik RB951 devices for use with 3CX and should be compatible with any device of this series. Although the settings can be applied via SSH or the web interface, it is recommended to follow the guide in the GUI and paste certain commands into the device. The commands below need to be pasted into the router/firewall console (SSH).

Disclaimer

Configuration of the firewall will never be carried out by 3CX at any point and must be done by the system administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information. This guide is based on the best-known way to configure MikroTik devices. 3CX is not liable for any misguidance that may occur when going through this guide. This guide must be used as an example and not as a guideline for step-by-step configuration, since the UI may vary (based on the model and firmware version) and/or the described steps might need to be adjusted to fit the existing MikroTik configuration.

Step 1: Disable SIP ALG

Within the MikroTik GUI, navigate to IP → Firewall → Service Ports and disable the SIP rule.

(Or from the console: ip firewall service-port disable sip)

Step 2: Port Forwarding (NAT)

The following commands enable port forwarding from your WAN interface to 3CX. We assume that there is a static IP on the WAN interface. However, if the router has a dynamic public IP, you must omit the dst-address=1.2.3.4 part from each of the following commands. In these commands, 1.2.3.4 stands for the public IP of the WAN interface and 10.7.7.2 for the 3CX server.

Presence and Webaccess

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5001 protocol=tcp dst-address=1.2.3.4 dst-port=5001 comment="3CX Presence and Provisioning HTTPS"

SIP and RTP Ports

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=udp dst-address=1.2.3.4 dst-port=5060 comment="3CX SIP UDP"

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=tcp dst-address=1.2.3.4 dst-port=5060 comment="3CX SIP TCP"

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5061 protocol=tcp dst-address=1.2.3.4 dst-port=5061 comment="3CX SIP TLS"

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=9000-9500 protocol=udp dst-address=1.2.3.4 dst-port=9000-9500 comment="3CX Media UDP"

Tunnel ports

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5090 protocol=tcp dst-address=1.2.3.4 dst-port=5090 comment="3CX Tunnel TCP"

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5090 protocol=udp dst-address=1.2.3.4 dst-port=5090 comment="3CX Tunnel UDP"

Step 3: Inbound Access List

When you create port forwarding rules, the router adds the corresponding filter rule behind the scenes, so these rules do not have to be created as ACL entries. However, you might need to validate the general firewall filters. The following commands will DROP all the traffic arriving at the Internet interface of the router (ether1 in these commands). Keep in mind that the additional rules allow traffic from connections that are already established, such as return traffic for a connection initiated by a local computer. Filter rules are processed in order, so the accept rules must sit above the final drop rule, as in the sequence shown.

ip firewall filter add chain=input action=accept connection-state=established

ip firewall filter add chain=input action=accept connection-state=related

ip firewall filter add chain=forward action=accept connection-state=established

ip firewall filter add chain=forward action=accept connection-state=related

ip firewall filter add chain=forward action=drop connection-state=invalid

ip firewall filter add chain=input action=drop in-interface=ether1

TIPS

If you want to check your rules you can use these commands:

ip firewall nat print

ip firewall filter print

If you want to check the IP addresses you can use this command:

ip address print
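
A pre-paste check for the Step 2 commands, added here as an example and not part of the 3CX guide: it flags non-ASCII characters picked up when copying commands from a web page, forwards that do not point at the PBX, dst-port/to-ports mismatches, and ports outside the set this guide opens. The function name and the sample rules are constructed for illustration; 10.7.7.2 and 1.2.3.4 are the addresses used in the guide.

```python
import re
import shlex

# (protocol, port) pairs this guide forwards to the PBX in Step 2.
EXPECTED = {("tcp", "5001"), ("udp", "5060"), ("tcp", "5060"), ("tcp", "5061"),
            ("udp", "9000-9500"), ("tcp", "5090"), ("udp", "5090")}

def lint_nat_rules(text, pbx_ip):
    """Return a list of findings for 'ip firewall nat add' commands in text."""
    findings, seen = [], set()
    for n, line in enumerate(text.strip().splitlines(), 1):
        # Typographic quotes and similar characters come along with web copy/paste.
        if re.search(r"[^\x00-\x7f]", line):
            findings.append(f"line {n}: non-ASCII character in command")
            line = re.sub(r"[^\x00-\x7f]", "", line)
        # shlex keeps a quoted comment="..." value together as one token.
        rule = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        if rule.get("action") != "dst-nat":
            continue
        proto, dport = rule.get("protocol"), rule.get("dst-port")
        target, tport = rule.get("to-addresses"), rule.get("to-ports")
        seen.add((proto, dport))
        if target != pbx_ip:
            findings.append(f"line {n}: forwards to {target}, not the PBX")
        if dport != tport:
            findings.append(f"line {n}: dst-port {dport} maps to to-ports {tport}")
        if (proto, dport) not in EXPECTED:
            findings.append(f"line {n}: {proto}/{dport} is not a port this guide opens")
    for proto, port in sorted(EXPECTED - seen):
        findings.append(f"missing forward for {proto}/{port}")
    return findings

# Constructed sample: a stray typographic quote (line 1), a correct rule (line 2),
# a port mismatch (line 3) and a forward the guide does not call for (line 4).
SAMPLE = """
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5001 protocol=tcp dst-address=1.2.3.4\u201d dst-port=5001 comment="3CX Presence and Provisioning HTTPS"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=udp dst-address=1.2.3.4 dst-port=5060 comment="3CX SIP UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=tcp dst-address=1.2.3.4 dst-port=5061 comment="3CX SIP TLS"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=8080 protocol=tcp dst-address=1.2.3.4 dst-port=8080 comment="extra"
"""

if __name__ == "__main__":
    for finding in lint_nat_rules(SAMPLE, "10.7.7.2"):
        print(finding)
```

An empty result means the pasted set matches the seven forwards in this guide and nothing else; it does not inspect rules already present on the router.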
