
3CX on premise behind XG 125

Hi all,

I am new to the XG. I used to have a LANCOM router in front of a pfSense.

My issue is that I am trying to set up my 3CX PBX so that soft clients can connect from the WAN side.

I did not change anything on the LANCOM side, where it used to work before I exchanged the pfSense for the XG. I just changed the port forwarding IP to the private IP on one WAN port of the XG. Other rules like SMTP, SQL etc. do work fine.

I did turn off SIP ALG on the XG.

I have made a business rule from any, over the WAN port, using a service group with all the services needed, and forwarded it to the internal IP of the PBX in the LAN zone. As mentioned, this procedure works fine with other services, such as SMTP, HTTP, SQL...

However, the 3CX firewall checker keeps telling me that the ports are remapped.

The output looks like this:

  • testing 3CX SIP Server... failed (How to resolve?)
    • stopping service... done
    • detecting SIP ALG... not detected
    • testing port 5060... Mapping does not match 5060. Mapping is 53650. (How to resolve?)
    • starting service... done
  • testing 3CX Tunneling Proxy... failed (How to resolve?)
    • stopping service... done
    • testing port 5090... Mapping does not match 5090. Mapping is 53684. (How to resolve?)
    • starting service... done
  • testing 3CX Media Server... failed (How to resolve?)
    • stopping service... done
    • testing ports [9000..9398]... failed (How to resolve?)
      • testing port 9000... Mapping does not match 9000. Mapping is 57726. (How to resolve?)

 

Does anyone have hints on how to solve this issue?

Regards,

Marcus



  • Hi,

    I suspect you will need an outgoing firewall rule: source LAN network, PABX; destination WAN network, phone provider FQDN, port 5060; allow, log, MASQ. I believe this can also be achieved in a business rule set up as SNAT, but I am not sure about that setup.

    The incoming business rule (DNAT) will depend on how your external customers connect to your XG.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Thanks for your reply. I added an outgoing rule, but it didn't have any effect.

    I have a little update. As I have two WAN lines, I forced all outgoing traffic of the PBX through the same WAN port on which I expect traffic to come in. Stupid me.

    The firewall checker now detects port 5060 as good, but all other ports are worse now (e.g. no more remapping as in my initial post).

    • resolving 'stun-eu.3cx.com'... done
    • resolving 'stun2.3cx.com'... done
    • resolving 'stun3.3cx.com'... done
    • resolving 'sip-alg-detector.3cx.com'... done
    • testing 3CX SIP Server... done
      • stopping service... done
      • detecting SIP ALG... not detected
      • testing port 5060... done
      • starting service... done
    • testing 3CX Tunneling Proxy... failed (How to resolve?)
      • stopping service... done
      • testing port 5090... full cone test failed (How to resolve?)
      • starting service... done
    • testing 3CX Media Server... canceled
      • stopping service... done
      • testing ports [9000..9398]... canceled

     

    Best

    Marcus

  • Assuming the tunnelling proxy is used for outgoing, you could add port 5090 to the outgoing rule.

    The media server is for incoming traffic?

    Also do a search of the knowledge base; from memory there is an article on the subject.

    Ian


  • So... It seems I have solved the rest.

    In the services configuration I had to change the source ports.

    For example, for 5060 it has to be 1:65535 -> 5060, which is the default anyhow.

    This might have to do with the firewall in the LANCOM modem, as you can't configure it as an exposed host but need NAT there as well. I forwarded the ports to the internal IP of the XG on that WAN port.

    So basically I have an incoming rule from ANY, ANY using one of my WAN ports and all the services, such as SIP, SIPS, Tunnel, RDP... (all are explained in the 3CX firewall configuration; make sure to allow 1:65535 as source ports, I grouped them in a service group) and the target LAN, with the IP of your PBX. I did not check MASQ, nor reflexive rule.

    In addition I have an outgoing rule to force the traffic of my PBX over one specific WAN port, the same one I use for the incoming rule. This might not be necessary if you only have one WAN line. I checked MASQ and chose the proper gateway.

    It works like a charm.
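
Added example, not from this thread and not 3CX's or Sophos' own code: a minimal STUN Binding client and parser (RFC 5389) in Python that does what the 3CX firewall checker does when it reports "Mapping does not match 5060. Mapping is 53650" in the first post, and which can be re-run after the service definition fix (source ports 1:65535) described above. It sends a Binding Request from the local port, parses the XOR-MAPPED-ADDRESS attribute in the reply and compares the public port the STUN server saw with the local port. Assumptions: the server name is the stun-eu.3cx.com host that appears in the checker output in this thread, on the default STUN port 3478; the replies built by binding_response() are constructed sample data using a documentation IP (203.0.113.10), not captures; all function names are mine.

```python
"""Minimal STUN Binding client/parser (RFC 5389) to check a NAT port mapping."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
# Assumption: server name taken from the checker output in the thread; 3478 is the STUN default.
DEFAULT_STUN_SERVER = ("stun-eu.3cx.com", 3478)


def binding_request(txid: bytes = b"") -> tuple:
    """Build a Binding Request with no attributes; returns (message, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one TLV attribute, value padded to a 4-byte boundary."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad


def binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Construct a Binding Response carrying an IPv4 XOR-MAPPED-ADDRESS.

    Used here only to fabricate sample replies offline; a real server builds this.
    """
    xport = port ^ (MAGIC_COOKIE >> 16)                       # port XOR top 16 bits of cookie
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    body = _attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 0x01, xport, xaddr))
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(body), MAGIC_COOKIE, txid) + body


def mapped_endpoint(resp: bytes, txid: bytes) -> tuple:
    """Return the (ip, port) the STUN server saw, i.e. the NAT's public mapping."""
    if len(resp) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", resp[:20])
    if cookie != MAGIC_COOKIE or rtxid != txid or mtype != BINDING_RESPONSE:
        raise ValueError("not a Binding Response for our transaction")
    body = resp[20:20 + mlen]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + alen + (4 - alen % 4) % 4
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(value) == 8:
            _, family, port, addr = struct.unpack("!BBHI", value)
            if family != 0x01:                                # IPv4 only in this example
                continue
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no IPv4 mapped address in response")


def check_mapping(resp: bytes, txid: bytes, local_port: int) -> str:
    """Report, in the checker's own wording, whether the public port equals the local one."""
    ip, port = mapped_endpoint(resp, txid)
    if port == local_port:
        return f"port {local_port} ok (seen as {ip}:{port})"
    return f"Mapping does not match {local_port}. Mapping is {port}."


def probe(local_port: int, server=DEFAULT_STUN_SERVER, timeout: float = 3.0) -> str:
    """Send one Binding Request from local_port and report the mapping (needs network)."""
    req, txid = binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))    # the PBX service must not be holding this port
        s.settimeout(timeout)
        s.sendto(req, server)
        resp, _ = s.recvfrom(2048)
    return check_mapping(resp, txid, local_port)


if __name__ == "__main__":
    # Offline demonstration with constructed replies; no network needed.
    req, txid = binding_request(b"\x01" * 12)
    ok = binding_response(txid, "203.0.113.10", 5060)
    bad = binding_response(txid, "203.0.113.10", 53650)
    print(check_mapping(ok, txid, 5060))
    print(check_mapping(bad, txid, 5060))
```

To use it against the real firewall, stop the 3CX SIP service (the checker does the same before testing) and call probe(5060) from the PBX host; a firewall that preserves the source port returns the "ok" line, one that rewrites it returns the checker's "Mapping does not match" message with the translated port. The XOR encoding of the mapped address exists so that an ALG inspecting payloads cannot recognise and rewrite the embedded address, which is why the checker can detect SIP ALG separately from port remapping.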

  • Hi, a nice day to all,

    I have the same issues. Can you make a screenshot of the rule you have created?

    Thanks

  • Hi Daniele,

    What is your exact issue? It isn't just one simple rule.

    It is a mixture of 3CX, XG and your router(s).

    Can you provide some more details?

    Best

    Marcus

  • Dear Daniele,

    I am attaching the 3CX firewall and sample NAT rule that are working on my device.

  • I have issues where the 3CX firewall test sometimes passes random ports and sometimes does not.

  • I had a persistent error: the first two ports (9000-9002) would never pass the test.

    I changed to 8000 onwards, then 8000-8002 would never pass the test. Whatever port I set in 3CX, the first two ports would fail.

    For an unrelated issue, I changed the admin port of my XG from 4444 to 4446.

    Magically, all ports pass.

    So, you may try this.
