3CX Phone System and OPNSense

Started by laflamme79, February 14, 2018, 02:19:03 AM

Good day,
Just wondering if anyone has set up OPNsense and 3CX before?
I've tried doing NAT | Port Forwarding, similar to the pfSense walkthrough https://www.3cx.com/docs/pfsense-firewall/, with no success.

Anyone set it up before? I switched over to a Watchguard to get the system operational.

Any assistance would be appreciated.

Thanks.

Hi,
I don't have 3CX but Elastix (old version) that runs Asterisk, and in essence it is the same.
I didn't find major problems with the configuration provided on the pfSense site.
https://doc.pfsense.org/index.php/VoIP_Configuration
Check that the ports in the "how to" on the 3CX site are the ones configured on your PBX.
The more important ports are SIP (TCP/UDP 5060), SIPS (TCP 5061) and RTP (UDP 9000-9500) in the example.
Check the port reservation part of the how-to. It's important for the SIP protocol.

Cheers..

Have you tried to enable the sip proxy plugin yet?

I had a similar situation and the answer is most likely this:

In Firewall: NAT: Outbound set the mode to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)"

Then add a rule:

Disabled: (unchecked)
Do not NAT: (unchecked)
Interface: WAN
TCP/IP Version: IPv4 (unless you are using IPv6 on your LAN)
Protocol: Any
Source invert: (unchecked)
Source address: The local LAN address of your 3CX server
Source port: Any
Destination invert: (unchecked)
Destination address: Any
Destination port: Any
Translation / target: interface address
Log: (unchecked unless you prefer logging)
Translation / port: (leave blank)
Static-port: (CHECKED - THIS IS THE MOST IMPORTANT SETTING!!!!!)
Pool Options: Default
Set local tag: (leave blank)
Match local tag: (leave blank)
No XMLRPC Sync: (unchecked)
Description: 3CX (or whatever you like)

Enabling the static-port option is the key to getting it to work.  Strangely, that is the only setting on the page for which no help is available.

There is one other thing: if you have a dynamic DNS host name for your server (or a host name other than that used with OPNsense), go to System: Settings: Administration and put it in the Alternate Hostnames field.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Thanks a lot everyone for the assistance. I'll have to review the configuration tips given.
The static NAT should be the key that I'm missing. The ports went out fine, but the coming back in was always different.

I can confirm that the solution described by comet does indeed fix this problem.

Posting to add that you should flush your state table after adding the custom outbound NAT rule - just in case some other host is using any of the required ports.

Firewall > Diagnostics > States > "Actions" tab > "Reset state table" button.
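A way to check, after the state reset, that the static-port rule is taking effect (an added example, not part of the original posts). It assumes `pfctl -ss` prints outbound NAT states as `iface proto translated (internal) -> remote`; the addresses and state lines are constructed samples, and `rewritten_ports` is a hypothetical helper name.

```python
import re

# Assumed `pfctl -ss` layout for an outbound NAT state (adjust if yours differs):
#   <iface> <proto> <translated ip:port> (<internal ip:port>) -> <remote ip:port> <state>
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+"
    r"(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\s+"
    r"\((?P<lan_ip>[\d.]+):(?P<lan_port>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+:\d+)"
)


def rewritten_ports(states_text, pbx_ip):
    """Return the PBX's NAT states whose source port was changed on the WAN side.

    An empty list means every outbound state from pbx_ip kept its source
    port, which is what the static-port option is meant to achieve.
    """
    findings = []
    for line in states_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["lan_ip"] != pbx_ip:
            continue  # not a NAT state, or it belongs to another host
        if m["nat_port"] != m["lan_port"]:
            findings.append(
                (m["proto"], int(m["lan_port"]), int(m["nat_port"]), m["dst"])
            )
    return findings


# Constructed sample: 192.168.1.10 stands in for the 3CX server.
# Line 1 keeps SIP port 5060; line 2 shows an RTP port that was rewritten;
# line 3 is another LAN host; line 4 is a non-NAT state and is ignored.
SAMPLE = """\
all udp 203.0.113.5:5060 (192.168.1.10:5060) -> 198.51.100.7:5060       MULTIPLE:MULTIPLE
all udp 203.0.113.5:41873 (192.168.1.10:9004) -> 198.51.100.7:16402       MULTIPLE:MULTIPLE
all udp 203.0.113.5:52011 (192.168.1.20:5060) -> 198.51.100.9:5060       SINGLE:NO_TRAFFIC
all tcp 192.168.1.1:443 <- 192.168.1.50:50122       ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    for proto, lan_port, nat_port, dst in rewritten_ports(SAMPLE, "192.168.1.10"):
        print(f"{proto}: PBX port {lan_port} left the WAN as {nat_port} towards {dst}")
```

Any entry it reports for the PBX address after the reset means a state is still being created with a rewritten source port, so the manual rule is not matching that traffic.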

This NAT outbound VOIP configuration doesn't require port forwarding?

Quote from: comet on February 14, 2018, 09:44:04 PM
I had a similar situation and the answer is most likely this:

In Firewall: NAT: Outbound set the mode to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)"

Then add a rule:

Disabled: (unchecked)
Do not NAT: (unchecked)
Interface: WAN
TCP/IP Version: IPv4 (unless you are using IPv6 on your LAN)
Protocol: Any
Source invert: (unchecked)
Source address: The local LAN address of your 3CX server
Source port: Any
Destination invert: (unchecked)
Destination address: Any
Destination port: Any
Translation / target: interface address
Log: (unchecked unless you prefer logging)
Translation / port: (leave blank)
Static-port: (CHECKED - THIS IS THE MOST IMPORTANT SETTING!!!!!)
Pool Options: Default
Set local tag: (leave blank)
Match local tag: (leave blank)
No XMLRPC Sync: (unchecked)
Description: 3CX (or whatever you like)

Enabling the static-port option is the key to getting it to work.  Strangely, that is the only setting on the page for which no help is available.

There is one other thing: if you have a dynamic DNS host name for your server (or a host name other than that used with OPNsense), go to System: Settings: Administration and put it in the Alternate Hostnames field.

Quote from: pes on March 11, 2024, 09:10:47 PM
This NAT outbound VOIP configuration doesn't require port forwarding?

Outbound NAT practically never involves any port forwarding. Port forwarding is to get from your WAN public IP address port X to some internal system with a private address and same or different port.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)