Configuring MikroTik with 3CX
This document describes the configuration of MikroTik RB951 devices for use with 3CX and should apply to any device of this series. Although the settings can be made via SSH or the web interface, it is recommended to follow the guide via the GUI and paste the given commands into the device. The commands below need to be pasted into the router/firewall console (SSH).
Configuration of the firewall is never carried out by 3CX at any point and must be done by the company's system administrator. You must understand the risk of opening ports to the Internet. Read https://www.3cx.com/blog/docs/securing-hints/ for more information. The provided guide is based on the best known way to configure MikroTik devices. 3CX is not liable for any misconfiguration that may result from following this guide. This guide must be used as an example and not as a step-by-step guideline, since the UI may vary (based on the model and firmware version) and/or the described steps might need to be adjusted to fit the existing MikroTik configuration.
Step 1: Disable SIP ALG
Within the GUI of MikroTik navigate to IP → Firewall → Service Ports → disable SIP rule.
(Equivalent console command: ip firewall service-port disable sip)
Step 2: Port Forwarding (NAT)
The following commands enable port forwarding from your WAN interface to 3CX (10.7.7.2 in the examples below; use the LAN address of your 3CX host). We assume that there is a static public IP on the WAN interface. The address in the commands (for example dst-address=220.127.116.11) is only an example and must be replaced with your own public IP. However, if the router has a dynamic public IP, you must omit the part dst-address=... from each of the following commands.
Presence and Webaccess
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5001 protocol=tcp dst-address=18.104.22.168 dst-port=5001 comment="3CX Presence and Provisioning HTTPS"
SIP and RTP Ports
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=udp dst-address=22.214.171.124 dst-port=5060 comment="3CX SIP UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=tcp dst-address=126.96.36.199 dst-port=5060 comment="3CX SIP TCP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5061 protocol=tcp dst-address=188.8.131.52 dst-port=5061 comment="3CX SIP TLS"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=9000-9500 protocol=udp dst-address=184.108.40.206 dst-port=9000-9500 comment="3CX Media UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5090 protocol=tcp dst-address=220.127.116.11 dst-port=5090 comment="3CX Tunnel TCP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5090 protocol=udp dst-address=18.104.22.168 dst-port=5090 comment="3CX Tunnel UDP"
Step 3: Inbound Access List
When you create port forwarding rules, the router takes care of the matching filter behind the scenes, so these do not have to be created as ACL entries. However, you might need to validate the general firewall filters. The following commands accept traffic that belongs to connections which are already established or related (for example replies to a connection initiated by a local computer), drop invalid forwarded traffic, and finally DROP all other traffic arriving at the router itself on the Internet interface (ether1 in this example; adjust it to your WAN interface). Rules are matched in order, so the accept rules must come before the drop.
ip firewall filter add chain=input action=accept connection-state=established
ip firewall filter add chain=input action=accept connection-state=related
ip firewall filter add chain=forward action=accept connection-state=established
ip firewall filter add chain=forward action=accept connection-state=related
ip firewall filter add chain=forward action=drop connection-state=invalid
ip firewall filter add chain=input action=drop in-interface=ether1
If you want to check your rules you can use these commands:
ip firewall nat print
ip firewall filter print
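The output of those two print commands can be checked offline against the rule set of this guide. The following Python script is an added example (not code from 3CX or MikroTik): it parses the terse form of the NAT and filter tables, checks that every 3CX port is forwarded to the PBX address, that dst-address is present when the WAN IP is static and absent when it is dynamic, and that the input chain's established/related accepts sit in front of the drop on the WAN interface. The sample dumps, the public address 203.0.113.10 and the `print terse` line layout are constructed approximations of RouterOS output; paste the output of `ip firewall nat print terse` and `ip firewall filter print terse` from your own device in their place.

```python
"""Offline audit of a MikroTik firewall against the 3CX forwarding rules.
Added example, not code from 3CX or MikroTik. Input is the text of
`ip firewall nat print terse` / `ip firewall filter print terse`; the sample
dumps below are constructed and only approximate real RouterOS output."""
import shlex

PBX_IP = "10.7.7.2"   # 3CX host on the LAN, as used throughout the guide
WAN_IF = "ether1"     # Internet-facing interface, as in the guide's drop rule

# (protocol, dst-port) pairs the guide forwards to 3CX
REQUIRED_FORWARDS = {
    ("tcp", "5001"), ("udp", "5060"), ("tcp", "5060"), ("tcp", "5061"),
    ("udp", "9000-9500"), ("tcp", "5090"), ("udp", "5090"),
}

# Constructed sample: the Tunnel UDP forward is missing on purpose; the public
# address comes from the documentation range 203.0.113.0/24.
NAT_DUMP = """\
 0    chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5001 protocol=tcp dst-address=203.0.113.10 dst-port=5001 comment="3CX Presence and Provisioning HTTPS"
 1    chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=udp dst-address=203.0.113.10 dst-port=5060 comment="3CX SIP UDP"
 2    chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5060 protocol=tcp dst-address=203.0.113.10 dst-port=5060 comment="3CX SIP TCP"
 3    chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5061 protocol=tcp dst-address=203.0.113.10 dst-port=5061 comment="3CX SIP TLS"
 4    chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=9000-9500 protocol=udp dst-address=203.0.113.10 dst-port=9000-9500 comment="3CX Media UDP"
 5    chain=dstnat action=dst-nat to-addresses=10.7.7.2 to-ports=5090 protocol=tcp dst-address=203.0.113.10 dst-port=5090 comment="3CX Tunnel TCP"
"""

# Constructed sample: the accept for related input traffic was added after the
# drop, so it never matches (rules are evaluated top to bottom).
FILTER_DUMP = """\
 0    chain=input action=accept connection-state=established
 1    chain=forward action=accept connection-state=established
 2    chain=forward action=accept connection-state=related
 3    chain=forward action=drop connection-state=invalid
 4    chain=input action=drop in-interface=ether1
 5    chain=input action=accept connection-state=related
"""


def parse_terse(dump):
    """Turn each `print terse` line into a dict of its key=value fields.
    The leading number becomes "_index"; bare letters before the first
    key=value pair are treated as flags ("X" marks a disabled rule)."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)          # keeps comment="with spaces" whole
        if not tokens:
            continue
        fields, flags = {"_index": int(tokens[0])}, ""
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key] = value
            else:
                flags += tok
        fields["_disabled"] = "X" in flags
        rules.append(fields)
    return rules


def audit_nat(rules, pbx_ip=PBX_IP, wan_ip=None):
    """Report 3CX forwards that are missing or point at the wrong place.
    wan_ip=None models a dynamic public address, where the guide says to omit
    dst-address; with a static address every rule must carry exactly that IP."""
    problems, found = [], set()
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat" or r["_disabled"]:
            continue
        key = (r.get("protocol"), r.get("dst-port"))
        if key not in REQUIRED_FORWARDS:
            continue
        if r.get("to-addresses") != pbx_ip or r.get("to-ports") != r.get("dst-port"):
            problems.append(f"rule {r['_index']}: {key[0]}/{key[1]} forwarded to the wrong target")
            continue
        if wan_ip is None and "dst-address" in r:
            problems.append(f"rule {r['_index']}: dst-address set although the WAN IP is dynamic")
        elif wan_ip is not None and r.get("dst-address") != wan_ip:
            problems.append(f"rule {r['_index']}: dst-address is not the WAN IP {wan_ip}")
        found.add(key)
    for proto, port in sorted(REQUIRED_FORWARDS - found):
        problems.append(f"missing forward for {proto}/{port}")
    return problems


def audit_filter(rules, wan_if=WAN_IF):
    """Check the input chain: the drop on the WAN interface must exist and the
    established/related accepts must be placed in front of it."""
    inp = [r for r in rules if r.get("chain") == "input" and not r["_disabled"]]
    drop_pos = next((i for i, r in enumerate(inp)
                     if r.get("action") == "drop" and r.get("in-interface") == wan_if), None)
    if drop_pos is None:
        return [f"no input drop on {wan_if}: the router itself is reachable from the Internet"]
    accepted = set()
    for r in inp[:drop_pos]:
        if r.get("action") == "accept":        # RouterOS allows "established,related"
            accepted.update(r.get("connection-state", "").split(","))
    return [f"input chain: accept for connection-state={s} is missing or placed after the drop"
            for s in ("established", "related") if s not in accepted]


if __name__ == "__main__":
    for problem in audit_nat(parse_terse(NAT_DUMP), wan_ip="203.0.113.10"):
        print("NAT:", problem)
    for problem in audit_filter(parse_terse(FILTER_DUMP)):
        print("FILTER:", problem)
```

Run against the constructed dumps, the script reports the missing udp/5090 forward and the misplaced related accept. Passing wan_ip=None instead makes every rule that still carries dst-address a finding, which is the check you want after switching a site to a dynamic public IP.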
If you want to check the IP addresses you can use this command:
ip address print