Guide on How to Configure pfSense Firewall for Use With the 3CX Phone System
This document describes the configuration of pfSense for use with 3CX Phone System. This manual is based on version 2.0.
In general, pfSense is known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections.
The status of this type of firewall is “Supported”.
NAT Type: IP and Port Restricted
Configuration of the firewall will never be carried out by 3CX staff at any point and must be made by the system administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance that may be made in this guide.
Start a web browser and open the web management console of the pfSense machine.
- Navigate to “Firewall > NAT”.
- Use the “+” symbol to add a new rule.
- To determine the ports needed for the setup, follow this link https://www.3cx.com/docs/firewall-router-configuration-voip/, as the ports may depend on the version you are using.
- This example shows how to create the NAT for the SIP port, default port 5060.
- Set the protocol type to TCP/UDP
- Select the port or port range for the NAT. If the port is not predefined, as it is for SIP, enter the ports manually.
- Enter the internal IP address of the 3CX Phone System
- Enter the internal port (which commonly is the same as the external port)
- Label the rule for easier identification at a later stage
- Important: set this to “Add associated filter rule”
- Save/Apply the config and repeat these steps for each NAT required.
In case a port range for RTP must be entered use the following writing style:
A basic setup will look like this
Many pfSense guides describe how to preserve the port in outbound connections while a backward NAT is created. This is a key MUST in VoIP: it ensures that when data is sent from port 5060 or 9000-9500 to a destination, the NATed source port is not altered by the firewall. Normally the “NAT reflection” option within the NAT rule and the setting “Pure NAT” should solve this. However, after trying every single combination we failed to do so and needed to create the mapping manually.
Navigate to “Firewall → NAT → Outbound”, set the type from automatic to manual and press “Save”. A list of pre-set outbound rules will be created. Find the rule “Auto created rule for XXX to WAN”, where XXX is the name of your LAN interface, and press the “+” to create a copy of it.
In the rule, define the IP of the 3CX Phone System (e.g. 192.168.3.155) and set the Translation to “Static port: ON”.
Move the rule to the first position inside your “outbound NAT table” to ensure operation (shown in the first screenshot of this section).
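One way to check the two requirements above (static port for the PBX, and that rule sitting first), as an added example that is not part of the 3CX guide: pf applies the first matching translation rule, so the sketch reads outbound NAT lines written in the style of `pfctl -sn` output and reports whether the first rule covering the PBX keeps the source port. The rule lines, the interface name `em0`, the LAN subnet and the WAN address 203.0.113.10 are constructed assumptions; 192.168.3.155 is the guide's example address.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^nat on \S+ (?:inet6? )?(?:proto \S+ )?from (\S+) to .* -> (.+)$")
PBX_IP = "192.168.3.155"  # the guide's example PBX address

# Constructed rule lines (assumed interface em0, LAN 192.168.3.0/24, WAN 203.0.113.10).
STATIC = "nat on em0 inet from 192.168.3.155 to any -> 203.0.113.10 static-port"
AUTO = "nat on em0 inet from 192.168.3.0/24 to any -> 203.0.113.10 port 1024:65535"
GOOD_ORDER = STATIC + "\n" + AUTO   # PBX rule moved to the first position
BAD_ORDER = AUTO + "\n" + STATIC    # PBX rule left below the LAN rule

def nat_rules(text):
    """Return [(line_number, source, translation)] for outbound nat lines, in order."""
    found = []
    for number, line in enumerate(text.splitlines(), 1):
        match = NAT_RE.match(line.strip())
        if match:
            found.append((number, match.group(1), match.group(2).split()))
    return found

def covers(source, ip):
    """True if a rule's source field includes ip; aliases and tables are not resolved."""
    if source == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False

def check_static_port(text, ip=PBX_IP):
    """Return (ok, reason); only the first nat rule matching ip decides translation."""
    matching = [r for r in nat_rules(text) if covers(r[1], ip)]
    if not matching:
        return False, f"no outbound nat rule matches {ip}"
    number, _, translation = matching[0]
    if "static-port" in translation:
        return True, f"line {number} preserves the source port for {ip}"
    later = [n for n, _, t in matching[1:] if "static-port" in t]
    if later:
        return False, f"line {number} matches first; static-port rule on line {later[0]} is never reached"
    return False, f"line {number} rewrites the source port for {ip}"

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER), ("auto only", AUTO)):
        print(name, check_static_port(rules))
```

Rules whose source is an alias or table are treated as not matching, so resolve those by hand before trusting a negative result.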
If your remote phones or VoIP provider mostly work but randomly disconnect, set “Firewall Optimization Options” to Conservative under System → Advanced to allow a bigger grace period on high-latency connections. This option should not be set by default and should only be changed if the issue can be seen. Some more options and information regarding VoIP and pfSense can be found here: https://doc.pfsense.org/index.php/VoIP_Configuration.
Run the 3CX Firewall Checker to validate the setup from the “3CX Management Console Dashboard → Firewall Checker”. All tested ports must return a green “done” result.
If you use this firewall in a remote location in front of a STUNed IP phone, the appropriate NAT to the internal IP phone MUST be made. Due to the NAT type, the audio port opened in the dynamic NAT will change and won’t match the port resolved via ippbx:5060 that is sent in the INVITE to the 3CX Phone System.