Author Topic: 3CX behind OPNsense registering on Fritzbox (Read 1580 times)

sipdude · « **on:** October 21, 2023, 05:38:46 pm »

Hi all.

I have the following setup:
Fritzbox with registered SIP-lines > OPNsense > 3CX PBX
The VoIP-Provider needs this setup with the Fritzbox.
I've set the OPNsense WAN on Fritzbox as exposed host.
I've opened the relevant ports to 3CX as usual in NAT.
For the outgoing NAT, I've configured Hybrid outbound NAT and set a manual rule for static ports.
the 3CX firewall checker goes through with only a problem on port 5060. This port has been configured as well on the firewall/NAT.
The SIP-trunk on the 3CX registered successfully. I can place calls, but can't hear anything (both ways). Incoming calls are not ringing.
The SIP-line works fine, if I configure the 3CX directly on the Fritzbox with no firewall in between.
Does anyone has an Idea how to fix this?
Thank you.

Monviech (Cedrik) · « **Reply #1 on:** October 21, 2023, 06:10:25 pm »

What is the goal of this setup with the OPNsense at this spot?
Also a small network diagram would help (with IP addresses). And the technology of your ISP (for example if you have DS-Lite or CGNAT, or a proper Dual-Stack connection)

It's probably a NAT problem.

sipdude · « **Reply #2 on:** October 21, 2023, 08:33:01 pm »

Thank you for your answer.
The problem is, I need internam DNS and vLANs, which works fine with the OPNsense.
On the other side, I need ot connect to this weird setup to get onto the SIP line, which is autoprovisioned from the provider to the Fritzbox. They don't want to direct connect to their environment.
Please find attached some overviews..

Monviech (Cedrik) · « **Reply #3 on:** October 21, 2023, 08:52:39 pm »

Why are you NATing on the OPNsense?

You can probably solve your woes with SIP by turning the Outbound NAT on manual, deactivate all Port Forward and Outbound NAT rules.

Then you create static routes on the fritzbox. All your internal networks behind the OPNsense get a static route like this:

IP Network 192.168.1.0 Subnetmask 255.255.255.0 Gateway 192.168.178.2

https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-7170/581_Statische-IP-Route-in-FRITZ-Box-einrichten/
With that setup, your OPNsense is a firewall router, and all the NAT is handled by the Fritzbox.

Edit: Also on the WAN interface of the opnsense "block private" and "block bogon" has to be unchecked. And you need rules on the WAN and LAN ports allowing the traffic you want.

Heres a guide how to get the IPv6 Network routed to your OPNsense: https://docs.opnsense.org/manual/how-tos/ipv6_fb.html

---------------------------------------------------------------
If that doesn't help, and you only plan on having one internal Network, you can also put the OPNsense in transparent filtering Bridge mode:
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

sipdude · « **Reply #4 on:** October 22, 2023, 09:43:17 am »

Thanks again for your reply.
As I'm a beginner with OPNsense (coming from Sonicwall), I haven't realized a "transparent mode" with OPNsense yet.
However, this would still be possible. I could change the IP range on the Fritzbox to the internal LAN.
But, as there is a 2nd vLAN on the firewall, I'm not sure how to set this up correctly.
Is this the right way to go?
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Monviech (Cedrik) · « **Reply #5 on:** October 22, 2023, 10:13:15 am »

I would only use the transparent filtering mode if you have two networks, WAN and LAN. If you have another VLAN (that is connected on the same OPNsense), I wouldn't use it anymore.

I would rather use the routed approach without NAT on the OPNsense, as explained above.
For each LAN and VLAN you set a static route on the Fritzbox.

If you're german, here's another user I helped with that a while ago: https://forum.opnsense.org/index.php?topic=36141.0

You might have to enable "Allow registration from the Internet" for the SIP Telefonie on the Fritzbox, cause your SIP Registration now comes from 192.168.1.0/24 and not from 192.168.178.0/24.

sipdude · « **Reply #6 on:** October 22, 2023, 01:46:12 pm »

Thanks again for your help.
When removing the NAT outgoing rules, this should not affect the Wireguard VPN, right?
As I'm connected remotely at the moment..

Monviech (Cedrik) · « **Reply #7 on:** October 22, 2023, 03:00:22 pm »

It depends on how you have configured the wireguard tunnel.

Such a big change might be better to do on site and not remotely.

sipdude · « **Reply #8 on:** October 23, 2023, 09:11:23 pm »

Thank you for your reply.
I've now reconfured the whole story..
Now the PBX and the phones are on the Network of the Fritzbox. This network is shared over vLAN ober all Switches. DNS queries are going through the firewall to unboundDNS. This way I have all I need.
I think over the firewall it would make problems in this constellation.
However, many thanks for your efforts in this, learned some new things again

Author Topic: 3CX behind OPNsense registering on Fritzbox (Read 1580 times)

sipdude

3CX behind OPNsense registering on Fritzbox

Monviech (Cedrik)

Re: 3CX behind OPNsense registering on Fritzbox

sipdude

Re: 3CX behind OPNsense registering on Fritzbox

Monviech (Cedrik)

Re: 3CX behind OPNsense registering on Fritzbox

sipdude

Re: 3CX behind OPNsense registering on Fritzbox

Monviech (Cedrik)

Re: 3CX behind OPNsense registering on Fritzbox

sipdude

Re: 3CX behind OPNsense registering on Fritzbox

Monviech (Cedrik)

Re: 3CX behind OPNsense registering on Fritzbox

sipdude

Re: 3CX behind OPNsense registering on Fritzbox