3CX PBX in the Cloud
1 year FREE - no ties!
google cloud platform
3CX
Zero Admin
With the new Dashboard
3CX
Bulletproof Security
With SSL certs and NGINX
3CX
Install on $200 Appliance
Intel MiniPC architecture
3CX
New, Intuitive Windows Client
More themes, more UC
3CX
More CRM Integrations
Scripting Interface to add your own
3CX
Improved Integrated Web Conferencing
iOS and Android apps included
3CX
Run On-Premise or in the Cloud
Google, OVH, Windows & Linux
Fast & easy call management
With the 3CX Web Client

Configuring MikroTik with 3CX

Configuring MikroTik with 3CX

Configuring MikroTik with 3CX

Step 1: Disable SIP ALG

Step 2: Configure Port Forwarding (NAT)

Step 3: Inbound Access List (PAT configuration only)

Step 4:Validating Your Setup

Introduction

This document describes the configuration of MikroTik RB951 devices for use with 3CX and should be compatible with other devices in this series. Although settings can be configured via the GUI (winbox.exe) or web interface, this guide provides configuration through SSH. Please note that we cannot assist you in the configuration of your firewall.

Step 1: Disable SIP ALG

  1. Log into the firewall. In the command line enter:
    ip firewall service-port disable sip

Step 2: Configure Port Forwarding (NAT)

You now need to port forward the following ports in order to support configuration of SBCs, Remote Extensions and VoIP Providers. The full list of default ports required can be found here.

While still logged into the firewall, enter the following commands:

  1. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[HTTPS Port] protocol=tcp dst-port=[HTTPS Port] comment="3CX Presence and Provisioning HTTPS"
  2. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port] protocol=udp dst-port=[SIP Port] comment="3CX SIP UDP"
  3. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port] protocol=tcp dst-port=[SIP Port] comment="3CX SIP TCP"
  4. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port + 1] protocol=tcp dst-port=[SIP Port + 1] comment="3CX SIP TLS"
  5. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
  6. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[Tunnel Port] protocol=tcp dst-port=[Tunnel Port] comment="3CX Tunnel TCP"
  7. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[Tunnel Port] protocol=udp dst-port=[Tunnel Port] comment="3CX Tunnel UDP"

Note that in the above commands you must replace the underlined sections with the correct port for your setup.

Step 3: Inbound Access List (PAT configuration only)

If you have a 1 to 1 NAT, you can skip this step. If you have a PAT configuration you must create the following access rules using these commands:

  1. ip firewall filter add chain=input action=accept connection-state=established
  2. ip firewall filter add chain=input action=accept connection-state=related
  3. ip firewall filter add chain=forward action=accept connection-state=established
  4. ip firewall filter add chain=forward action=accept connection-state=related
  5. ip firewall filter add chain=forward action=drop connection-state=invalid
  6. ip firewall filter add chain=input action=drop in-interface=[Interface Name]

Note that in step 6, you are required to enter the “in-interface” name you are using for 3CX. All interface names can be listed using the following command:

/interface print

Step 4:Validating Your Setup

  1. Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX.
    More information about the Firewall Checker can be found
    here.
  2. Check the Firewall configuration using the following commands:


  1. > ip address print


  2. > ip firewall nat print


  3. > ip firewall filter print

You might also be interested in:

Get 3CX Free for 1 Year Today
Download On-Premise Try in the Cloud