3CX Debian PBX behind pfSense Firewall

By Matthieu, 2017-10-21 22:18

Quick notes on some tweaks I had to do to get 3CX’s Firewall Check to pass behind my home pfSense firewall:

Allow PBX to access Google DNS (8.8.8.8): It seems like 3CX is hardcoded to use 8.8.8.8 at the license validation stage. I had blocked 8.8.8.8 on my end to prevent Android and Chromecast devices from preferring external DNS over my local DNS server and this caused the error License_Error httpsError in 3CX.
Create DHCP-Static mapping for 3CX server.

Configure NAT Port-forwarding rules: I used the list at https://www.3cx.com/ports-used-3cx-phone-system-v14-v15/ for reference. Table reproduced below.

Protocol	Port (Default)	Description	Port Forwarding Required
TCP	5001 or 443	v15: HTTPs port of Web Server. This port can be configured.	Yes – if you intend on using a 3CX client, Bridge Presence, Remote IP Phones from outside your LAN and 3CX WebMeeting functionality.
TCP	5015	V15: This port is used for the online Web-Based installer wizard (NOT 3CX config command line tool) only during the installation process.	Optional – During the installation process when the Web-Based installer is used from external source
UDP & TCP	5060	3CX Phone System (SIP)	Yes – if you intend on using VoIP Providers, WebRTC and Remote Extensions that are NOT using the 3CX Tunnel Protocol
TCP	5061	3CX Phone System (SecureSIP) TLS	Yes – if you intend on using Secure SIP remote extensions
UDP & TCP	5090	3CX Tunnel Protocol Service Listener	Yes -if you intend on using remote extensions using the 3CX Tunnel Protocol (within the 3CX clients for Windows / Android / iOS) or when using the 3CX Session Border Controller
UDP	9000-9500 (default)	3CX Media Server (RTP) – WAN audio/video/t38 streams	Yes – if you intend on using remote extensions or a VoIP Provider

Configure Outbound NAT Static rule for 3CX server: Automatic Outbound NAT (Default pfSense config) causes a random source port to be used for requests outbound to the Internet. 3CX doesn’t like this behaviour, so we need to add an Advanced Outbound NAT rule to force traffic coming from the 3CX server to use “Static Port” translation, as seen in the following screenshot. For Source, select “Network” and use the 3CX server IP with a mask of /32 (single host).

After completing these steps, the 3CX Firewall Check passes all green.

Software, Work

Archives
Archives
Other sites
- matthieu.pictures
Opt-out complete; your visits to this website will not be recorded by the Web Analytics tool. Note that if you clear your cookies, delete the opt-out cookie, or if you change computers or Web browsers, you will need to perform the opt-out procedure again.
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
You are not opted out. Uncheck this box to opt-out.
The tracking opt-out feature requires cookies to be enabled.

3CX Debian PBX behind pfSense Firewall

Leave a Reply

Archives

Other sites