Configuring a pfSense Firewall with 3CX

Introduction

This document describes the configuration of pfSense v2.5.2+ for use with 3CX. This guide is written for PBX administrators on networks with a single WAN IP, or who are using their primary WAN IP for 3CX. We assume the 3CX Server in our example has an internal IP address of 192.168.3.155 and pfSense is listening on 192.168.3.1. We also use a public IP address of 1.2.3.4 and an FQDN of “service.tigunia.com” in the screenshots of the Split Brain DNS example.

Step 1: Configure Port Forwarding (NAT)

Edit NAT entry in pfSense firewall

Login to the pfSense web management console and:

  1. Navigate to “Firewall” > “NAT”.
  2. Use the “Add” button on the right to add a new rule.
  3. Create NAT rules for all required ports that need to be forwarded, based on the list of ports 3CX requires:
     1. “Protocol”: Set the protocol type depending on the port(s) you are forwarding.
     2. “Destination port range”: Select the port / port range for the NAT entry. If the port is not predefined as shown for SIP, enter the custom port number(s).
     3. “Redirect target IP”: Enter the internal IP address of the 3CX Phone System.
     4. “Redirect target port”: Enter the internal port, commonly the same as the external port.
     5. “Description”: Label the rule for easier identification.
     6. “NAT reflection”: Use system default.
     7. “Filter rule association”: Add associated filter rule.
     8. Click on “Save” and then “Apply” to activate the configuration and repeat these steps for each required NAT entry.
  4. Repeat step #3 for every forwarded port.
  5. After adding all port forward rules, they should look similar to the example below.

Forwarded ports in pfSense firewall

Step 2: Port Preservation (Full Cone NAT)

Full Cone NAT in pfSense firewall

  1. Navigate to “Firewall” > “NAT” > “Outbound”.
  2. Set the type from automatic to “Hybrid” and press “Save”.

Edit Advanced Outbound NAT Entry in pfSense firewall

  3. Now create a new “Mapping Rule” as in the example above to set:
     1. “Source” for the 3CX host LAN IP, e.g. 192.168.3.155.
     2. “Port or Range” - enable “Static Port”.
  4. Move the rule to the first position in your “Mappings NAT table” to ensure operation, as shown in the first screenshot in this section.
  5. Make sure you have now applied settings on both the “Port Forward” and “Outbound” pages.

Step 3: FQDN Management

In the next step of this guide, you need to choose how you want to handle 3CX FQDN management inside your network. There are 2 options - Split Brain DNS or Hairpin NAT. Split Brain DNS has the advantage of keeping your 3CX network traffic internal to your network and not sending it out the WAN interface, but has a more complicated setup. Hairpin NAT is easier to configure but will consume more WAN traffic and may result in poor call quality in some situations. We recommend using Split Brain DNS whenever possible.

Option 1: Configuring Split Brain DNS

  1. Navigate to “Services” > “DNS Resolver”.
    “Services” > “DNS Resolver”
  2. Under the “General Settings” tab, ensure that DNS Resolver is enabled.
    DNS Resolver enabled
  3. Ensure that “All” is selected under “Network Interfaces” (or any specific interfaces you want DNS Resolver to listen on - typically LAN).
    “All” selected under “Network Interfaces”
  4. Ensure that “DNS Query Forwarding” is enabled.
  5. At the bottom of the page, under the “Host Overrides” section, click “Add”.
    Host Overrides section > “Add”
  6. Add the host, domain and IP address as required, then click “Save”. The host will be the first part of your 3CX FQDN and the domain will be the last part of your 3CX FQDN. The IP address will be the internal IP address of the 3CX Phone System.
    Host Override Options
  7. Ensure your devices are using pfSense for DNS resolution (or a device that forwards unknown queries to pfSense). This configuration is usually handled by your DHCP server and the DNS servers it hands out.

Option 2: Configuring Hairpin NAT

  1. Navigate to “System” > “Advanced”.
  2. Change “NAT Reflection mode for port forwards” to “Pure NAT”, activate the “Enable NAT Reflection for 1:1 NAT” checkbox and activate the “Enable automatic outbound NAT for Reflection” checkbox.
    Network Address Translation

Step 4: Validating Your Setup

To validate your NAT / Port Forwarding setup, go to “Dashboard” > “Firewall” in the 3CX Management Console and run the 3CX Firewall Checker to confirm that your firewall is correctly configured for use with 3CX. See the Firewall Checker documentation for more information.

To validate your Split Brain DNS setup, you can use the nslookup tool (inside the network / behind your pfSense firewall) to validate how DNS is resolved. Simply type “nslookup <fqdn> <dns-server>” where <fqdn> is your 3CX FQDN and <dns-server> is the IP of the DNS server you wish to query. When querying an external DNS server you should see your WAN IP returned and when querying your internal pfSense DNS Resolver you should see the internal IP address of the 3CX Phone System returned.

  1. The example below shows checking the external IP resolution of the FQDN “service.tigunia.com” against Google’s public DNS server (8.8.8.8):
    Checking the external IP resolution of the FQDN
  2. The example below shows checking the internal IP resolution of the FQDN “service.tigunia.com” against your internal pfSense DNS Resolver (192.168.3.1):
    Checking the internal IP resolution of the FQDN
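The nslookup check above can be scripted so it is repeatable after firewall or DNS changes. The following is an added example, not part of the 3CX guide: it parses the Unix-style nslookup output, compares the answers from an external resolver and from the pfSense DNS Resolver with the expected WAN and LAN addresses, and names the most common failure (the host override missing, so internal clients get the WAN IP and traffic hairpins out the WAN). The FQDN and addresses are the page’s example values; the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example for validating Split Brain DNS (not from the 3CX guide).
# Assumes the Unix/BSD nslookup output format: server "Address:" line first,
# then "Name:" followed by the answer "Address:" line.

# Extract the answer address from nslookup output on stdin: skip everything
# up to the "Name:" line, then take the first "Address:" after it (strip "#port").
parse_nslookup_answer() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address:/ { sub(/^Address:[ \t]*/, ""); sub(/#.*/, ""); print; exit }'
}

# classify_split_brain EXTERNAL_ANSWER INTERNAL_ANSWER LAN_IP WAN_IP
# Prints "ok" and returns 0 when external clients get the WAN IP and internal
# clients get the 3CX LAN IP; otherwise prints the failure and returns 1.
classify_split_brain() {
    ext="$1"; int="$2"; lan_ip="$3"; wan_ip="$4"
    if [ "$ext" != "$wan_ip" ]; then
        echo "external-mismatch"     # public DNS does not point at the WAN IP
        return 1
    fi
    if [ "$int" = "$wan_ip" ]; then
        echo "no-host-override"      # pfSense forwards the query instead of overriding it
        return 1
    fi
    if [ "$int" != "$lan_ip" ]; then
        echo "internal-mismatch"     # override exists but points somewhere else
        return 1
    fi
    echo "ok"
}

# check_split_brain FQDN LAN_IP WAN_IP [EXTERNAL_DNS] [INTERNAL_DNS]
# Live check: queries both resolvers and classifies the result.
check_split_brain() {
    fqdn="$1"; lan_ip="$2"; wan_ip="$3"; ext_dns="${4:-8.8.8.8}"; int_dns="${5:-192.168.3.1}"
    ext=$(nslookup "$fqdn" "$ext_dns" 2>/dev/null | parse_nslookup_answer)
    int=$(nslookup "$fqdn" "$int_dns" 2>/dev/null | parse_nslookup_answer)
    classify_split_brain "$ext" "$int" "$lan_ip" "$wan_ip"
}

# Constructed sample outputs matching the page's example (1.2.3.4 / 192.168.3.155).
SAMPLE_EXTERNAL='Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	service.tigunia.com
Address: 1.2.3.4'
SAMPLE_INTERNAL='Server:		192.168.3.1
Address:	192.168.3.1#53

Name:	service.tigunia.com
Address: 192.168.3.155'
```

Run it live with `check_split_brain service.tigunia.com 192.168.3.155 1.2.3.4` from a host behind pfSense; a result of `no-host-override` means step 6 of Option 1 was not applied or the client is not using pfSense for DNS.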

To validate your Hairpin NAT setup, try accessing your 3CX FQDN from a computer inside the network by FQDN. If you are able to load the webclient, NAT Hairpinning should be working.

In some cases you might have to reboot the firewall for the changes to take effect.

If your remote phones or VoIP provider mostly work but randomly disconnect, consider changing the firewall optimization option as follows:

  1. Go to “System” > “Advanced”.
  2. Set “Firewall Optimization Options” to “Conservative”.
  3. Click on “Save”.

Special thanks to 3CX Titanium Partner, Managed IT & Document Technologies of Arizona and Brentt Graeb for the NAT/Port Forwarding and Port Preservation sections of this guide. Special thanks to 3CX Gold Partner, Tigunia, and Martin Twerski for the Split Brain DNS and Hairpin NAT sections of this guide.

Last Updated

This document was last updated on 20 June 2023

https://www.3cx.com/docs/pfsense-firewall/ 