Configuring a MikroTik with 3CX


Introduction

This document describes the configuration of MikroTik RB951 devices for use with 3CX and should be compatible with other devices in this series. Although settings can be configured via the GUI (winbox.exe) or web interface, this guide provides configuration through SSH. Please note that we cannot assist you in the configuration of your firewall.

Step 1: Disable SIP ALG

  1. Log into the firewall. In the command line enter:
    ip firewall service-port disable sip

Step 2: Configure Port Forwarding (NAT)

You now need to port forward the following ports in order to support configuration of SBCs, Remote Extensions and VoIP Providers. The full list of default ports required can be found here.

While still logged into the firewall, enter the following commands:

  1. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[HTTPS Port] protocol=tcp dst-port=[HTTPS Port] comment="3CX Presence and Provisioning HTTPS"
  2. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port] protocol=udp dst-port=[SIP Port] comment="3CX SIP UDP"
  3. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port] protocol=tcp dst-port=[SIP Port] comment="3CX SIP TCP"
  4. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port + 1] protocol=tcp dst-port=[SIP Port + 1] comment="3CX SIP TLS"
  5. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
  6. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[Tunnel Port] protocol=tcp dst-port=[Tunnel Port] comment="3CX Tunnel TCP"
  7. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[Tunnel Port] protocol=udp dst-port=[Tunnel Port] comment="3CX Tunnel UDP"

Note that in the above commands you must replace each placeholder in brackets with the correct value (server LAN IP or port) for your setup.

Step 3: Inbound Access List (PAT configuration only)

If you have a 1 to 1 NAT, you can skip this step. If you have a PAT configuration you must create the following access rules using these commands:

  1. ip firewall filter add chain=input action=accept connection-state=established
  2. ip firewall filter add chain=input action=accept connection-state=related
  3. ip firewall filter add chain=forward action=accept connection-state=established
  4. ip firewall filter add chain=forward action=accept connection-state=related
  5. ip firewall filter add chain=forward action=drop connection-state=invalid
  6. ip firewall filter add chain=input action=drop in-interface=[Interface Name]
  7. ip firewall nat add chain=srcnat action=masquerade out-interface=[Interface Name]

Note that in steps 6 and 7 you must replace [Interface Name] with the name of the interface you are using for 3CX (the one with the public IP address). All interface names can be listed using the following command:

/interface print

Step 4: Validating Your Setup

  1. Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX. More information about the Firewall Checker can be found here.
  2. Check the Firewall configuration using the following commands:
    ip address print
    ip firewall nat print
    ip firewall filter print
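As an added check (example code written for this page, not part of the 3CX guide), the script below audits NAT rules written in the key=value form used in Step 2: it reports forwards from the seven-rule list that are missing or point at the wrong host or port, and flags dst-nat rules with no in-interface or dst-address matcher, since such a rule also rewrites LAN-originated traffic to the same port. The server IP, the port numbers, the interface name ether1 and the sample rules are constructed values.

```python
import shlex

# Constructed sample values (assumptions, not from the page).
SERVER, HTTPS, SIP, TUNNEL = "192.168.88.10", 5001, 5060, 5090

def expected_forwards(https, sip, tunnel):
    """(protocol, dst-port) pairs that the seven Step 2 rules must cover."""
    return {("tcp", str(https)), ("udp", str(sip)), ("tcp", str(sip)),
            ("tcp", str(sip + 1)), ("udp", "9000-10999"),
            ("tcp", str(tunnel)), ("udp", str(tunnel))}

def parse_rule(line):
    """Turn one 'ip firewall nat add key=value ...' line into a dict."""
    return dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)

def audit(lines, server=SERVER, https=HTTPS, sip=SIP, tunnel=TUNNEL):
    """Return (missing, wrong_target, unscoped) lists of (protocol, dst-port)."""
    seen = {(r.get("protocol", ""), r.get("dst-port", "")): r
            for r in map(parse_rule, lines) if r.get("action") == "dst-nat"}
    want = expected_forwards(https, sip, tunnel)
    missing = sorted(want - set(seen))
    wrong_target = sorted(k for k in want & set(seen)
                          if seen[k].get("to-addresses") != server
                          or seen[k].get("to-ports") != k[1])
    # With no in-interface*/dst-address* matcher, a dst-nat rule also matches
    # LAN-originated traffic to that port, not only inbound WAN traffic.
    unscoped = sorted(k for k, r in seen.items() if not any(
        p.startswith(("in-interface", "dst-address")) for p in r))
    return missing, wrong_target, unscoped

_P = "ip firewall nat add chain=dstnat action=dst-nat "
SAMPLE = [  # constructed rules in the page's command form
    _P + 'to-addresses=192.168.88.10 to-ports=5001 protocol=tcp dst-port=5001 in-interface=ether1 comment="3CX Presence and Provisioning HTTPS"',
    _P + 'to-addresses=192.168.88.10 to-ports=5060 protocol=udp dst-port=5060 comment="3CX SIP UDP"',
    _P + 'to-addresses=192.168.88.11 to-ports=5060 protocol=tcp dst-port=5060 comment="3CX SIP TCP"',  # wrong host
    # "3CX SIP TLS" (tcp/5061) deliberately left out
    _P + 'to-addresses=192.168.88.10 to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"',
    _P + 'to-addresses=192.168.88.10 to-ports=5090 protocol=tcp dst-port=5090 comment="3CX Tunnel TCP"',
    _P + 'to-addresses=192.168.88.10 to-ports=5090 protocol=udp dst-port=5090 comment="3CX Tunnel UDP"',
    "ip firewall nat add chain=srcnat action=masquerade out-interface=ether1",
]

if __name__ == "__main__":
    for name, found in zip(("missing", "wrong target", "unscoped"), audit(SAMPLE)):
        print(f"{name}: {found}")
```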
