Configuring a pfSense Firewall with 3CX
This document describes how to configure pfSense for use with 3CX Phone System. This manual is based on version 2.0.
Step 1: Configure Port Forwarding (NAT)
Open the web management console of the pfSense machine.
- Navigate to “Firewall → NAT”.
- Use the “+” symbol on the right to add a new rule.
- Create NAT rules for all required ports. The list of ports that need forwarding can be found here:
- Protocol: Set the protocol type depending on the port(s) you are forwarding
- Destination port range: Select the port or port range for the NAT. If the port is not predefined (as it is for SIP), enter the ports manually.
- Redirect target IP: Enter the internal IP address of the 3CX Phone System
- Redirect target port: Enter the internal port (which commonly is the same as the external port)
- Description: Label the rule for easier identification at a later stage
- NAT reflection: Add associated filter rule
- Save/Apply the config and repeat these steps for each NAT required.
- Repeat #3 for every port that needs forwarding.
- After adding all rules, they should look similar to the following:
Step 2: Port Preservation
- Navigate to “Firewall → NAT → Outbound”
- Set the type from automatic to manual and press “Save”
- A list of pre-set outbound rules will be created. Find the rule “Auto created rule for XXX to WAN”, where XXX is the name of your LAN interface.
- Press the “+” to create a copy of it.
- In the rule define the:
- LAN IP of 3CX (e.g. 192.168.3.155)
- Translation to “Static port: ON”
- Move the rule to the first position inside your “outbound nat table” to ensure operation (shown in the first screenshot of this section).
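The reason the copied rule has to sit in the first position can be shown with a small first-match simulation. This is an added example, not part of the original guide or of pfSense or 3CX; the rule dictionaries are a constructed, simplified form (not pfSense's configuration format), and it assumes outbound NAT rules are evaluated top-down with the first match winning.

```python
import ipaddress

# Constructed sample rules in a simplified form (not pfSense's config format).
LAN_RULE = {"source": "192.168.3.0/24", "static_port": False,
            "descr": "Auto created rule for LAN to WAN"}
PBX_RULE = {"source": "192.168.3.155/32", "static_port": True,
            "descr": "3CX static port"}


def first_match(rules, host):
    """Return (index, rule) of the first rule whose source contains host."""
    addr = ipaddress.ip_address(host)
    for index, rule in enumerate(rules):
        if addr in ipaddress.ip_network(rule["source"]):
            return index, rule
    return None, None


def audit(rules, pbx_ip):
    """Return a list of findings for an ordered outbound NAT table."""
    findings = []
    index, rule = first_match(rules, pbx_ip)
    if rule is None:
        findings.append("no outbound rule matches the 3CX host")
    elif not rule["static_port"]:
        findings.append(
            f"3CX host hits rule {index} ({rule['descr']}) without static port")
    # Step 2 sets the rule's source to the single 3CX LAN IP, so flag any
    # static-port rule whose source covers more than one address.
    for i, r in enumerate(rules):
        if r["static_port"] and ipaddress.ip_network(r["source"]).num_addresses > 1:
            findings.append(
                f"rule {i} ({r['descr']}) applies static port to {r['source']}")
    return findings


if __name__ == "__main__":
    tables = {
        "3CX rule first": [PBX_RULE, LAN_RULE],
        "3CX rule below the LAN rule": [LAN_RULE, PBX_RULE],
    }
    for name, table in tables.items():
        print(name, "->", audit(table, "192.168.3.155") or "OK")
```

With the 3CX rule below the general LAN rule, the host matches the LAN rule first and its source ports are still rewritten, which is the condition the reordering step prevents.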
Step 3: Optional Settings
This option should not be set by default. Change it only if your remote phones or VoIP provider mostly work but randomly disconnect; in that case, set the following option.
- Go to “System → Advanced”
- Set “Firewall Optimization Options” as “Conservative”.
Step 4: Validating Your Setup
Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX.
More information about the Firewall Checker can be found here.