Guys, I'm going crazy.....
What am I doing wrong?
DNAT Rule done
SIP ALG deactivated
SNAT connected to the DNAT with MASQ
Any ideas?
No, I do not use 3CX.
Solved....
I only have a problem with port 5060, but I think the FritzBox modem is responsible... I have already opened a support ticket.
Anyway, to solve the problem, I had to delete and rebuild the DNAT rule.
Hi Stefano,
I think I might be able to help you out with this one, since I was having similar as well as other issues with 3CX and FritzBox.
You first need to forward all the ports needed for the 3CX (or just the ports your environment needs) to the Sophos IP address of your WAN port (also port 5060, which is not on the screenshot from the 3CX website).
Please note that you should not activate "Independent Port Sharing" or "Exposed Host" (I tried everything in my lab environment and they just don't do what is expected and most of the time don't work well with VoIP).
Is your FritzBox registering the SIP trunks? If that's the case, you will also have to create the "phone devices" or whatever they are called in the English UI of the FritzBox, and some other stuff on the 3CX side, but this is out of the scope of what you are dealing with. You can skip this if your 3CX is registering the SIP trunks.
If your 3CX is registering the SIP trunks, you have to remove anything phone related from the FritzBox, so that you can forward port 5060 to your firewall and then to 3CX.
Your last step would be to create a static IPv4 route in the FritzBox:
IPv4 network: Sophos LAN subnet (ex. 172.16.16.0)
Subnet mask: 255.255.255.0
Gateway: Sophos WAN IP address (ex. 192.168.178.100)
I also like to create a 3CX Services group that includes the needed ports, which I can then use in the firewall and NAT rules.
This keeps everything clean, and when I need to make changes I add or remove services from the services group without having to touch any of the rules.
I hope the instructions I provided are clear enough and help you resolve the issue.
In any case, I am happy to assist you further if needed.
Sorry for the delay guys.
On the FritzBox I already had the exposed host option activated, and port 5060 was locked by a SIP service directly on the FritzBox.
So I had to delete all the phones and numbers registered on the FritzBox, then go to Telephony -> Telephone Numbers -> Line Settings -> scroll down and click on "Changing the Settings" -> enable the option "Keep port sharing of the internet router enabled for telephony".
All is working now, but I still have the same error in the 3CX test.....
Turn exposed host off on the FritzBox. It never does what the name implies, or does not do it correctly; just create the port sharings like I wrote in my post above. It is a real headache, but after 2 days I got everything working in my lab environment, which I then did for a customer case. The exposed host on the FritzBox seems to alter the ports when forwarding them to your Sophos; that's why your full cone test fails.
Hello Community,
I'm right now also configuring a 3CX behind a Sophos XG 18 SFVH (SFOS 18.5.2 MR-2-Build380) and I get a SIP port error during the firewall check from 3CX.
Configuration
- Sophos XG is directly attached to a modem and has the public IP on #Port1
- 3CX passes the test except the test of port 5060 (shown below in my graphic).
- IN/OUT bound rule for port 5060/UDP is configured
- IN/OUT for media and STUN is working well.
- INBOUND calls are working.
Here is my output with the one and only issue, port 5060. All other results are green and "done":
All SNAT/DNAT is based on the XG v18. No double NAT in place.
Any idea what's wrong with port 5060?
Regards
Chris
Hi David,
thanks for your quick response. I was on the verge of despair, because I could not resolve the error.
But after the twanzist Wireshark recording I saw it (ok, sometimes you can't see the forest for the trees) and fixed the port 5060 error as shown above.
The issue was in the INBOUND rule #115 in my screenshot.
I forgot the last entry to allow the reverse route from STUN 3478-3479/udp to port 5060/udp at 3CX behind the XG.
After I updated the entry, the 3CX is now free of errors in the firewall check.
Thanks again
Regards
Chris
Good to see you got it working!
Sometimes going through everything we set up results in locating errors.
Something that caught my eye: in your S_SIP_IN you only have UDP, and 5060, according to the 3CX ports list, also requires TCP. I did some more reading on the 3CX STUN server and it only uses UDP, just like you have it set up... Am I going crazy, or is something not right in the documentation scattered around the 3CX articles? Go figure..
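The services-group approach from the earlier post and the UDP-only S_SIP_IN gap noted above, as an added example that is not part of this thread or of Sophos/3CX tooling: a small coverage check that compares a service group's protocol/port entries against the minimum inbound services named in the thread (5060/udp, 5060/tcp, 3478-3479/udp; a constructed list, confirm it against the 3CX ports list for your version).

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Service:
    """One protocol/port-range entry of a firewall service group."""
    proto: str   # "udp" or "tcp"
    first: int   # first destination port of the range
    last: int    # last destination port (== first for a single port)

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto.lower() and self.first <= port <= self.last


def parse_service(spec: str) -> Service:
    """Parse '5060/udp' or '3478-3479/udp' into a Service."""
    ports, proto = spec.split("/")
    first, _, last = ports.partition("-")
    return Service(proto.lower(), int(first), int(last or first))


# Minimum inbound services mentioned in the thread (constructed list).
REQUIRED_INBOUND = ["5060/udp", "5060/tcp", "3478-3479/udp"]


def missing_services(group: List[str], required: List[str] = REQUIRED_INBOUND) -> List[str]:
    """Return the required specs that the service group does not fully allow."""
    entries = [parse_service(s) for s in group]
    missing = []
    for spec in required:
        need = parse_service(spec)
        # every port of the required range must be covered by some group entry
        if not all(any(e.covers(need.proto, p) for e in entries)
                   for p in range(need.first, need.last + 1)):
            missing.append(spec)
    return missing


# Constructed S_SIP_IN as described in the thread: UDP only, TCP 5060 absent.
S_SIP_IN_UDP_ONLY = ["5060/udp", "3478-3479/udp"]
# Corrected group with the TCP entry added.
S_SIP_IN_FIXED = S_SIP_IN_UDP_ONLY + ["5060/tcp"]

if __name__ == "__main__":
    for name, group in [("S_SIP_IN (udp only)", S_SIP_IN_UDP_ONLY),
                        ("S_SIP_IN (fixed)", S_SIP_IN_FIXED)]:
        gap = missing_services(group)
        print(f"{name}: {'OK' if not gap else 'missing ' + ', '.join(gap)}")
```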
I will create an internal configuration document so I don't get confused about the minimum requirements for IN/OUT services (protocol/ports), to save time in the future.
TCP is for TLS communication, but for the first step the 3CX is running, and in step two I have to check the certificate update process without port 80/tcp in the inbound rule.
Regards
Chris