Guide on How to Configure pfSense Firewall for Use With the 3CX Phone System

Introduction

This document describes the configuration of pfSense for use with the 3CX Phone System. This manual is based on version 2.0.

Status

In general, pfSense is known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections.

The status of this type of firewall is “Supported”.

NAT Type: IP and Port Restricted

Disclaimer

Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance that may be made in this guide.

Configure NAT

Start a web browser and open the web management console of the pfSense machine.

  1. Navigate to “Firewall > NAT”.
  2. Use the “+” symbol to add a new rule.
  3. To determine the ports needed for the setup, follow this link https://www.3cx.com/docs/manual/firewall-router-configuration/, as the ports may depend on the version you are using.
  4. This example shows how to create the NAT for the SIP port, default port 5060.
     1. Set the protocol type to TCP/UDP.
     2. Select the Port/Port-Range for the NAT. If the port is not predefined as shown for SIP, enter the ports manually.
     3. Enter the internal IP address of the 3CX Phone System.
     4. Enter the internal port (which commonly is the same as the external port).
     5. Label the rule for easier identification at a later stage.
     6. Important: set this to “Add associated filter rule”.
  5. Save/Apply the config and repeat these steps for each NAT required.

In case a port range for RTP must be entered use the following writing style:

A basic setup will look like this

Port Preservation

Many pfSense guides describe how to preserve the port in outbound connections while a backward NAT is created. This is a key MUST in VoIP, which ensures that when data is sent from port 5060 or 9000-9500 to a destination, the NATed source port is not altered by the firewall. Normally the option within the NAT rule for “NAT reflection” and the setting to “Pure NAT” should solve this. However, after trying every single combination we failed to do so and needed to create the mapping manually.

Navigate to “Firewall → NAT → Outbound”, set the type from automatic to manual and press “Save”. A list of pre-set outbound rules will be created. Find the rule “Auto created rule for XXX to WAN”, where XXX is the name of your LAN interface, and press the “+” to create a copy of it.

In the rule, define the IP of the 3CX Phone System (e.g. 192.168.3.155) and set the Translation to “Static port: ON”.

Move the rule to the first position inside your “outbound NAT table” to ensure operation (shown in the first screenshot of this section).
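
An added example, not part of the original guide: a Python check over the output of `pfctl -s nat` that confirms the static-port rule for the PBX is the first outbound NAT rule matching its address, which is why the rule has to sit at the top. The rule lines, the interface name `em0` and the WAN address 203.0.113.10 are constructed samples in simplified pf syntax; only 192.168.3.155 comes from the guide.

```python
import ipaddress
import re

# Constructed sample in simplified pf "nat" rule syntax (as printed by
# `pfctl -s nat`); interface name and WAN address are placeholders.
GOOD = """\
rdr on em0 inet proto udp from any to 203.0.113.10 port = 5060 -> 192.168.3.155
nat on em0 inet from 192.168.3.155 to any -> 203.0.113.10 static-port
nat on em0 inet from 192.168.3.0/24 to any -> 203.0.113.10 port 1024:65535
"""
# Same rules, but the LAN-wide rule comes first and shadows the PBX rule.
BAD = """\
nat on em0 inet from 192.168.3.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.3.155 to any -> 203.0.113.10 static-port
"""

NAT_RE = re.compile(r"^nat on (\S+) .*?\bfrom (\S+) to \S+.*?->\s*(.+)$")


def first_matching_nat(rules_text, host_ip):
    """Return (line_no, rule, preserves_port) for the first outbound NAT rule
    whose source covers host_ip, or None. pf translation rules are
    first-match-wins, so only this rule decides the source port."""
    host = ipaddress.ip_address(host_ip)
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # rdr/binat lines are not outbound NAT
        src = m.group(2)
        try:
            covers = src == "any" or host in ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # table or alias source: cannot be evaluated offline
        if covers:
            return line_no, line.strip(), "static-port" in m.group(3).split()
    return None


def port_preserved(rules_text, host_ip):
    """True only if the deciding rule for host_ip carries static-port."""
    hit = first_matching_nat(rules_text, host_ip)
    return bool(hit and hit[2])


if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("bad", BAD)):
        print(name, first_matching_nat(rules, "192.168.3.155"))
```
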

Optional Settings

If your remote phones or VoIP provider mostly work, but randomly disconnect, set “Firewall Optimization Options” to Conservative under System → Advanced to allow a bigger grace period on high-latency connections. This option should not be set by default and should only be changed if the issue can be seen. Some more options and information regarding VoIP and pfSense can be found here: https://doc.pfsense.org/index.php/VoIP_Configuration.

Validation

Run the 3CX Firewall Checker to validate the setup from the “3CX Management Console Dashboard → Firewall Checker”. All tested ports must return a green done result.

Note

If you use this firewall in a remote location in front of a STUNed IP phone, the appropriate NAT to the internal IP phone MUST be made. Due to the NAT type, the audio port opened in the dynamic NAT will change, and won’t match the port resolved via ippbx:5060 that is sent in the INVITE to the 3CX Phone System.
