Hi guys,

Firstly, apologies for the long post. I wanted to be as detailed as possible in the hope that someone may be able to help with my issue. We appear to be having issues with ports being re-mapped during forwarding, and for the last three days this has brought our phone system down. The current configuration has been working for a couple of years without issue, but our VoIP provider has done a software update and now strictly only provides services on port 5060. I have forwarding rules which I think should work, but for some reason they aren't.

Firstly, a bit about my network setup. We have a WAN link that connects via PPPoE to our ISP on a static IP of 10.100.X.X, but our public IP is 45.124.X.X. The XG105 appliance sits behind a D-Link router that is in bridge mode, with the XG making the PPPoE connection. The D-Link is connected to Port 3 on our XG; Ports 4 and 2 are a Bridge and LAN zone.

The internal IP address of our phone system is 172.16.16.138, and it requires port 5060 TCP/UDP to be forwarded to it, along with some other ports such as 5090 etc. What appears to be happening, though, is that traffic from the PBX to the VoIP provider is continually changing ports and not entering/exiting via port 5060. I have spent a considerable amount of time on the phone to the VoIP provider and they have confirmed from their logs that the connection keeps being made via different ports but not 5060, which is what it needs to be.

Also, just for the record, I have disabled SIP ALG from the console with: system system_modules sip unload

Below is the screenshot of my Business Application Rules. I have the same rule for TCP also. Overwrite source address and MASQ on. Same for port 5090.

Next is a snapshot of the log of some of the traffic. 172.16.16.138 is the IP address of the 3CX system.

Next is the result of the 3CX firewall checker; each time the test is run it comes back with different port mappings. This was confirmed by the VoIP provider, who saw the same issues in their logs. Their guess is that it's a NAT issue or incorrect port forwarding.

I have very limited knowledge of NAT and what could be causing this issue, so I'd be super appreciative if anyone has any ideas as to what's going on. I've tried changing the "use outbound address" to my WAN IP of 45.124.X.X and even the IP the ISP gives of 10.100.X.X, but no luck. So what's happening is the PBX is not receiving an ACK from the VoIP provider and the calls are just dropped after 30 seconds.

The provider told me that essentially it has worked previously because they used to just match whatever port the traffic was sent out from, but now they insist on 5060. They said they could make an exception, but because the port changes every call there's nothing they can do to assist.
You do not seem to have an outgoing rule for the SIP traffic?
In reply to rfcat_vk:
I have reflexive rule enabled?
I wonder if it has something to do with this:
As I also have MASQ and Reflexive enabled
I can't see a way to make a "normal" rule because the protected server to destination would be WAN.
Perhaps there is an issue with DNAT and Reflexive rules?
I also note the guide says to leave MASQ unchecked, however if I do that, I can't even get the phone system to register with the voip provider, let alone on the correct port.
In reply to Shane Cook:
There is another thread on the same PABX covering the same subject.
I have searched through the community for other threads relating to 3CX and DNAT issues. I can find two other threads:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/112096/connect-3cx-over-wan

which links to this article: https://community.sophos.com/kb/en-us/122976

I have followed said article and it is still not working.

There is another thread from another user who faces a very similar issue:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/110450/sip-pbx-3cx-ack

(I note you provided some answers here too, rfcat_vk.)

This user seems to have fixed their issue by adding their WAN IP address to the 3CX trunk config page. I have tried this and it still doesn't work. I just can't seem to see why ports are being remapped and what is causing the issue.

I just created another DNAT business application rule where:
Source: LAN
Allowed Networks: Any
Destination: WAN port
Services: TCP/UDP, TCP Source Port 1:65535 Destination 5060, UDP Source Port 1:65535 Destination 5060
Protected Server: 3CX (172.16.16.138)
Protected Zone: LAN
IPS: None
Heartbeat: No Restriction
Rewrite Source Address: MASQ
Reflexive: Checked

Still the same behaviour occurs.
As a test try unticking the reflexive and add a firewall where you can see what is happening with it.
Source LAN, 3CX, destination WAN, ISP PABX, SIP, Log, MASQ.
Alrighty,

Unticked reflexive on the above pictured rules.

Created a new rule based on your advice (I have rules for TCP and UDP separately, but both rules created the same): Source 1:65535, Dest 5060.

Still not matching 5060 with 5060. Port 4512 now.

I'm seriously banging my head against the wall. The port changes every time.
What did you see as the outgoing port? The returned external port will always be different, and I suspect your SIP definition is back to front for your incoming rule?
OK, to simplify things I deleted the rules and started fresh. I now have the following two rules (placed at the top of the rules tree):

Rule 1
Name: 3CX LAN to WAN
Source: LAN
Allowed Networks: IP Host - 3CX 172.16.16.138
Destination: Port 3 (WAN)
Services: TCP/UDP 1:65535 -> 5060
Protected Server: 3CX 172.16.16.138
Protected Zone: LAN
MASQ: ON
LOG: ON

Rule 2
Name: WAN to 3CX
Source: WAN
Allowed Networks: ANY
Destination: Port 3 (WAN)
Services: TCP/UDP 1:65535 -> 5060
Protected Server: 3CX 172.16.16.138
Protected Zone: LAN
MASQ: ON
LOG: ON

Ran the firewall checker again on 3CX. Results as follows from 3CX and the firewall log:

*Just for the record, the IPs are a 3CX STUN server and a Microsoft server; neither is mine.*
What I was asking you to try is a network firewall rule: source LAN, 3CX; destination WAN, FQDN destination or Any; SIP; log; MASQ.
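The symptom in this thread is a source-port question, not a destination-port one: the DNAT rules deliver inbound 5060 to the PBX, but MASQ is port address translation and is free to rewrite the PBX's outbound source port (the 4512 seen above) before the provider sees it. The quickest way to confirm that is to compare the original and translated source ports of outbound 5060 traffic in the firewall log, per rule. The script below is an added example, not code from the original post or from Sophos; it parses constructed key=value log lines whose field names (src_ip, src_port, tran_src_ip, tran_src_port, fw_rule_id) are assumptions chosen to resemble NAT logs, with 172.16.16.138 taken from the post and documentation-range addresses standing in for the masked public and provider IPs.

```python
"""
Check whether outbound SIP from the PBX leaves the firewall with its
source port preserved (5060) or rewritten by PAT/MASQ.

Log lines are constructed for this example in a generic key=value style;
the field names are assumptions, not a verified Sophos XG export format.
"""
import re
from collections import defaultdict

SIP_PORT = 5060
PBX_IP = "172.16.16.138"        # PBX address from the post
PROVIDER_IP = "198.51.100.20"   # assumed VoIP provider (documentation range)
PUBLIC_IP = "203.0.113.5"       # assumed public WAN address (documentation range)

# Constructed sample: rule 1 masquerades and picks a new source port per flow,
# rule 2 is the inbound DNAT, rule 4 is an outbound rule that keeps port 5060,
# and the last line is unrelated HTTPS traffic that must be ignored.
SAMPLE_LOGS = f"""\
status="Allow" fw_rule_id=1 in_interface="Port4" out_interface="Port3" protocol="UDP" src_ip={PBX_IP} src_port=5060 dst_ip={PROVIDER_IP} dst_port=5060 tran_src_ip={PUBLIC_IP} tran_src_port=4512
status="Allow" fw_rule_id=1 in_interface="Port4" out_interface="Port3" protocol="UDP" src_ip={PBX_IP} src_port=5060 dst_ip={PROVIDER_IP} dst_port=5060 tran_src_ip={PUBLIC_IP} tran_src_port=31877
status="Allow" fw_rule_id=2 in_interface="Port3" out_interface="Port4" protocol="UDP" src_ip={PROVIDER_IP} src_port=5060 dst_ip={PUBLIC_IP} dst_port=5060 tran_dst_ip={PBX_IP} tran_dst_port=5060
status="Allow" fw_rule_id=4 in_interface="Port4" out_interface="Port3" protocol="UDP" src_ip={PBX_IP} src_port=5060 dst_ip={PROVIDER_IP} dst_port=5060 tran_src_ip={PUBLIC_IP} tran_src_port=5060
status="Allow" fw_rule_id=1 in_interface="Port4" out_interface="Port3" protocol="TCP" src_ip={PBX_IP} src_port=52113 dst_ip=198.51.100.40 dst_port=443 tran_src_ip={PUBLIC_IP} tran_src_port=52113
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_outbound_sip(rec, pbx_ip=PBX_IP, sip_port=SIP_PORT):
    """Packet originated by the PBX on 5060 towards a remote 5060."""
    return (rec.get("src_ip") == pbx_ip
            and rec.get("src_port") == str(sip_port)
            and rec.get("dst_port") == str(sip_port))


def port_rewrites(records, pbx_ip=PBX_IP, sip_port=SIP_PORT):
    """Outbound SIP packets whose public source port is not 5060.

    Returns (rule_id, provider_ip, translated_source_port) per offending packet.
    """
    hits = []
    for r in records:
        if not is_outbound_sip(r, pbx_ip, sip_port):
            continue
        tport = r.get("tran_src_port")
        if tport and tport != str(sip_port):
            hits.append((r.get("fw_rule_id"), r.get("dst_ip"), int(tport)))
    return hits


def ports_per_rule(records, pbx_ip=PBX_IP, sip_port=SIP_PORT):
    """Map firewall rule id -> set of public source ports used for outbound SIP."""
    seen = defaultdict(set)
    for r in records:
        if is_outbound_sip(r, pbx_ip, sip_port) and r.get("tran_src_port"):
            seen[r.get("fw_rule_id")].add(int(r["tran_src_port"]))
    return dict(seen)


def diagnose(records):
    """One-line verdict: which rule(s) are rewriting the SIP source port."""
    hits = port_rewrites(records)
    if not hits:
        return "ok: outbound SIP leaves with source port %d preserved" % SIP_PORT
    rules = sorted({str(rid) for rid, _, _ in hits})
    ports = sorted({p for _, _, p in hits})
    return "PAT rewrites outbound SIP source port in rule(s) %s: public ports %s" % (
        ", ".join(rules), ports)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(diagnose(recs))
    for rule, ports in sorted(ports_per_rule(recs).items()):
        print("rule %s -> source ports %s" % (rule, sorted(ports)))
```

Run against a real export, a rule whose port set contains anything other than 5060 is the one the provider is complaining about; the fix belongs on that outbound rule's source translation, not on the inbound DNAT, because the DNAT only governs traffic the provider initiates. Registration working only with MASQ on (as noted earlier in the thread) is consistent with this: without any source NAT the packets leave with the private 172.16.16.138 address, so the provider never answers at all.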