Ports being re-mapped - NAT Issues

Hi guys,

Firstly, apologies for the long post. I wanted to be as detailed as possible in hopes that someone may be able to help with my issue. 

We appear to be having issues with ports being re-mapped during forwarding and for the last three days this has brought our phone system down.

Current configuration has been working for a couple of years without issue but our VOIP provider has done a software update and now strictly only provides services on port 5060.

I have forwarding rules which I think should work but for some reason they aren't. 

Firstly a bit about my network setup. 

We have the WAN link that connects via PPPoE to our ISP on a static IP of 10.100.X.X but our public IP is 45.124.X.X. The XG105 Appliance sits behind a D-Link router that is in bridge mode with the XG making the PPPoE connection. The Dlink is connected to Port 3 on our XG, Ports 4 and 2 are a Bridge and LAN zone.

The internal IP address of our phone system is and requires ports 5060 TCP/UDP to be forwarded to it along with some other ports such as 5090 etc. What appears to be happening though is that traffic from the PBX to the VOIP provider is continually changing ports and not entering/exiting via port 5060. 

I have spent a considerable amount of time on the phone to the Voip provider and they have confirmed with their logs that the connection keeps being made via different ports but not 5060, which is what it needs to be.

Also just for the record, i have disabled SIP ALG by the Console with system system_modules sip unload

Firstly below is the screenshot of my Business Application Rules. I have the same rule for TCP also. Overwrite source address and MASQ on. Same for port 5090.


Next is a snapshot of the Log of some of the traffic is the IP address of the 3CX system

Next is the result of the 3CX firewall checker, each time the test is run it comes back with different port mappings. This was confirmed by the voip provider who saw in their logs the same issues. Their guess is that its a NAT issue or incorrect port forwarding.

I have very limited knowledge of NAT and what could be causing this issue, so i'd be super appreciative if anyone has any ideas as to what's going on. I've tried changing the use outbound address to my WAN IP of 45.124.X.X and even the IP the ISP Gives of 10.100.X.X but no luck. So what's happening is the PBX is not receiving an ACK from the Voip provider and the calls are just dropped after 30 seconds.

The provider told me the essentially it has worked previously because they used to just match whatever port the traffic was sent out from back to but now they insist on 5060, they said they could make an exception but because the port changes every call there's nothing they can do to assist. 

  • Hi,

    you do not seem to have an outgoing rule for the SIP traffic?


  • In reply to rfcat_vk:

    I have reflexive rule enabled?

  • I wonder if it has something to do with this:

    As I also have MASQ and Reflexive enabled

    I can't see a way to make a "normal" rule because the protected server to destination would be WAN.

    Perhaps there is an issue with DNAT and Reflexive rules?

  • I also note the guide says to leave MASQ unchecked, however if I do that, I can't even get the phone system to register with the voip provider, let alone on the correct port.


  • In reply to Shane Cook:

    There is another thread on the same PABX covering the same subject.


  • In reply to rfcat_vk:

    I have searched through the community for other threads relating to 3CX and DNAT issues.

    I can find two other threads,


    Which links to this article https://community.sophos.com/kb/en-us/122976

    I have followed said article and still not working.

    There is another thread from another user who faces a very similar issue


    (I note you provided some answers here too rfcat_vk)

    This user seems to have fixed their issue by adding their WAN IP address to the 3CX trunk config page, I have tried this and it still doesn't work.

    I just cant seem to see why ports are being remapped and what is causing the issue.

    I just created another DNAT business application rule where 

    Source: LAN
    Allowed Networks: Any

    Destination: WAN port
    Services: TCP/UDP  TCP Source Port 1:65535 Destination 5060   UDP Source Port 1:65535  Destination 5060

    Protected Server: 3CX (
    Protected Zone: LAN

    IPS: None
    Heartbeat: No Restriction
    Rewrite Source Address: MASQ
    Reflexive: Checked

    Still the same behaviour occurs

  • In reply to Shane Cook:

    As a test try unticking the reflexive and add a firewall where you can see what is happening with it.

    Source LAN, 3CX, destination WAN, ISP PABX, SIP, Log, MASQ.


  • In reply to rfcat_vk:


    Unticked reflexive on the above pictured rules,

    Created a new rule based on your advice, (I have rule for TCP and UDP separately, but both rules created the same) Source 1:65535 Dest 5060

    Still not matching 5060 with 5060

    Port 4512 now.

    Im seriously banging my head against the wall. The port changes every time.

  • In reply to Shane Cook:

    What did you see as the outgoing port? The returned external port will always be different and I suspect your SIP definition is back to front for your incoming rule?


  • In reply to rfcat_vk:

    Ok, to simplify things i deleted the rules, started fresh. I now have the following two rules (Placed at the top of the rules tree)

    Rule 1

    Name: 3CX LAN to WAN

    Source: LAN
    Allowed Networks: IP Host - 3CX
    Destination: Port 3 (WAN)
    Services: TCP/UDP 1:65535 -> 5060

    Protected Server: 3CX
    Protected Zone: LAN
    MASQ:  ON
    LOG: ON

    Rule 2

    Name: WAN to 3CX

    Source: WAN
    Allowed Networks: ANY
    Destination: Port 3 (WAN)
    Services: TCP/UDP 1:65535 -> 5060

    Protected Server: 3CX
    Protected Zone: LAN
    MASQ:  ON
    LOG: ON



    Ran the firewall checker again on 3CX - Results as follows from 3CX and Firewall Log

    *Just for the record the IPs are a 3CX STUN Server and a Microsoft server neither are mine*

  • In reply to Shane Cook:

    Hi Shane,

    what i was asking to try is a network firewall rule - source LAN, 3CX, destination WAN, FQDN destination or any, SIP, log, MASQ