Guys, I'm going crazy.....
What am I doing wrong?
DNAT Rule done
SIP ALG deactivated
SNAT connected to the DNAT with MASQ
Any ideas?
Hi Stefano. I also run a VOIP PBX behind my Sophos XG.
One incoming NAT rule, one outgoing rule.
Hi Peter, thank you. Are you using a 3CX PBX? If yes, is your firewall check on the 3CX interface all green?
No, I do not use 3CX.
Solved....
I only have a problem with port 5060, but I think the FritzBox modem is responsible... I have already opened a support ticket.
Anyway, to solve the problem, I had to delete and rebuild the DNAT rule.
Hi Stefano,
I think I might be able to help you out with this one, since I was having similar as well as other issues with 3CX and FritzBox.
You first need to forward all the ports needed for the 3CX (or just the ports your environment needs) to the Sophos IP address of your WAN port (also port 5060, which is not on the screenshot from the 3CX website).
Please note that you should not activate "Independent Port Sharing" or "Exposed Host" (I tried everything in my lab environment and they just don't do what is expected and most of the time don't work well with VOIP).
Is your FritzBox registering the SIP-Trunks? If that's the case, you will also have to create the "phone devices" or whatever they are called on the English UI of the FritzBox and some other stuff on the 3CX side, but this is out of the scope of what you are dealing with. You can skip this if your 3CX is registering the SIP-Trunks.
If your 3CX is registering the SIP-trunks, you have to remove anything phone related from the FritzBox, so that you can forward port 5060 to your firewall and then 3CX.
Your last step would be to create a static IPv4 route in the FritzBox:
IPv4-network: Sophos LAN Subnet (ex. 172.16.16.0)
Subnet mask: 255.255.255.0
Gateway: Sophos WAN IP address (ex. 192.168.178.100)
I also like to create a 3CX Services group that includes the needed ports, which I can put in the Firewall and NAT Rules.
It keeps everything clean, and when I need to make changes, I add or remove services from the Services Group without having to touch any of the rules.
I hope the instructions I provided are clear enough and hopefully assist you in resolving the issue.
In any case, I am happy to assist you further if needed.
Sorry for the delay, guys.
On the FritzBox I already have the exposed host option activated, and 5060 was locked by a SIP service directly on the Fritz.
So I had to delete all the phones and numbers registered on the FritzBox, then go to Telephony -> Telephone Numbers -> Line Settings -> scroll down and click on "Changing the Settings" -> Enable the option "Keep port sharing of the internet router enabled for telephony".
All is working now, but I still have the same error on the 3CX test.....
Turn exposed host off on the FritzBox. It never does what the name implies, or does not do it correctly. Just create the port sharings like I wrote in my post above. It is a real headache, but after 2 days I got everything working in my lab environment, which I then did for a customer case. The exposed host on the FritzBox seems to alter the ports when forwarding them to your Sophos; that's why your full cone test fails.