{"id":19756,"date":"2020-03-30T16:01:10","date_gmt":"2020-03-30T16:01:10","guid":{"rendered":"http:\/\/www.firewallhardware.it\/3cx-configurazione-pfsense-con-il-port-forwarding\/"},"modified":"2020-04-01T19:22:37","modified_gmt":"2020-04-01T19:22:37","slug":"3cx-pfsense-configuration-with-port-forwarding","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/pfsense\/3cx-pfsense-configuration-with-port-forwarding\/","title":{"rendered":"3CX: pfSense\u00ae configuration with Port Forwarding"},"content":{"rendered":"

[vc_row css=”.vc_custom_1567441651052{margin-top: 30px !important;}”]<\/p>\n

Objective of the guide:<\/h3>\n

[vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]To use the remote extensions of the VoIP provider, allow WebMeeting<\/strong>, use the smartphone APP, it is necessary to make changes to the firewall configuration, so that 3CX<\/strong> communicates correctly with the SIP trunks and remote IP phones. This guide provides the necessary information on how the ports to be opened \/ forwarded on the firewall as well as the necessary configurations on pfSense\u00ae<\/strong> for correct operation of the 3CX PBX.JTVCYWRyb3RhdGUlMjBiYW5uZXIlM0QlMjIzJTIyJTVE<\/p>\n

Used Hardware:<\/h3>\n

[vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]This guide can be applied to all hardware certified by us of the 3CX line that you can find here: https:\/\/www.miniserver.it\/appliance\/3cx-appliance<\/a><\/p>\n

Software environment:<\/h3>\n

[vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]3cx<\/strong> Standard ed. free version that allows 8 simultaneous calls to be made both in and out and allows access to the WebMeeting <\/strong>of n. 25 concurrent users.<\/p>\n

    \n
  • 3cx Standard ver.16.0.XXX<\/li>\n
  • pfSense\u00ae 2.4.x<\/li>\n<\/ul>\n

    Step 1: Configure Port Forwarding (NAT):<\/h3>\n

    [vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]Log in to the pfSense web management console and:<\/p>\n

      \n
    1. Pass to\u00a0“Firewall”<\/strong>\u00a0>\u00a0“NAT”<\/strong>.<\/li>\n
    2. Press\u00a0“Add”<\/strong>\u00a0right to add a new rule.<\/li>\n<\/ol>\n

      [vc_single_image image=”19720″ img_size=”full” onclick=”link_image”]3. Create NAT rules for all necessary ports. The list of ports that needs forwarding is available below::<\/p>\n

        \n
      • Protocol: Set the protocol type based on the ports being forwarded<\/li>\n
      • Destination port range: select the port \/ port range for NAT. If the port is not predefined as shown for SIP, enter the ports manually.<\/li>\n
      • Destination IP address redirection: enter the internal IP address of the 3CX telephone system in our case \u201c192.168.2.50\u201d<\/li>\n
      • Redirect destination port: enter the internal port (which is generally the same as the external port)<\/li>\n
      • Description Label the rule to facilitate identification at a later stage<\/li>\n
      • NAT reflection: add associated filter rule<\/li>\n
      • Save \/ apply the configuration and repeat this procedure for each NAT required.<\/li>\n<\/ul>\n

        4. Repeat step # 3 for each port that needs to be forwarded.:[vc_single_image image=”19722″ img_size=”full” onclick=”link_image”]<\/p>\n

        Ports used:<\/h3>\n

        [vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]ports for SIP trunk \/ VoIP provider:<\/strong><\/p>\n

          \n
        • Port 5060 (incoming, UDP) for SIP communications.<\/li>\n
        • Port 9000-10999 (incoming, UDP) for RTP (Audio) communications, ie actual call. Each call requires 2 RTP ports, one to control the call and one for the call data, so the number of ports that need to be opened is double the number of simultaneous calls.<\/li>\n<\/ul>\n

          Configure ports for remote 3CX apps:<\/strong><\/p>\n

            \n
          • Port 5090 (incoming, UDP and TCP) for the 3CX tunnel.<\/li>\n
          • Port 443 or 5001 (incoming, TCP) HTTPS for presence and provisioning of the specified custom HTTPS port.<\/li>\n
          • Port 443 (outgoing, TCP) for Google Android Push.<\/li>\n
          • Port 2195, 2196 (outgoing, TCP) for Apple iOS Push.<\/li>\n<\/ul>\n

            Port configuration for remote IP phones \/ bridges via direct SIP:<\/strong><\/p>\n

              \n
            • Port 5060 (incoming, UDP and TCP), Port 5061 (incoming, TCP if using secure SIP) – already open if using SIP trunks.<\/li>\n
            • Port 9000-10999 (incoming, UDP) for RTP – already open if SIP trunks are used.<\/li>\n
            • HTTPS port 443 or 5001 (incoming, TCP) for provisioning, unless custom PBX ports have been specified.<\/li>\n<\/ul>\n

              Port configuration for 3CX WebMeeting, SMTP and activation:<\/strong><\/p>\n

                \n
              • Port 443 (outgoing, TCP) to webmeeting.3cx.net – allows traffic to the fully qualified domain name instead of to the IP address whenever possible, as the IP can change.<\/li>\n
              • Forward port 443 or 5001 (inbound, TCP) or the specified custom HTTPS port, to notify users of incoming web meetings.<\/li>\n
              • To send e-mail messages using 3CX SMTP, the network must allow outgoing TCP: 2528 for the 3CX host computer.<\/li>\n<\/ul>\n

                Step 2: Port Preservation<\/h3>\n

                [vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”][vc_single_image image=”19724″ img_size=”full” onclick=”link_image”]1. Go to\u00a0“Firewall”<\/strong>\u00a0>\u00a0“NAT”<\/strong>\u00a0>\u00a0“Outbound”<\/strong>.
                \n2. Set the type from “Automatic” to “Hybrid” and press “Save”<\/strong>.
                \n3. Press the “Add”<\/strong> button to create a new mapping rule.[vc_single_image image=”19726″ img_size=”full” onclick=”link_image”]5. Modify the rule to define:<\/p>\n

                  \n
                • LAN IP of the 3CX host, for example 192.168.2.50.<\/li>\n
                • In the “Translation” section under “Port of Range”<\/strong> select “Static Port”<\/strong>.<\/li>\n<\/ul>\n

                  6. Move the rule to the first position in the “Mapping”<\/strong> to ensure the operation, as illustrated in the first screen of this section.<\/p>\n

                  Step 3: Optional settings<\/h3>\n

                  [vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]If the remote phones or VoIP provider work primarily but log off randomly, the following change may be appropriate.
                  \n1. Under “System”\u00a0>\u00a0“Advanced” >\u00a0“Firewall & NAT”<\/strong>
                  \n2. Set\u00a0“Firewall Optimization Options”\u00a0<\/strong>on\u00a0“Conservative”<\/strong>.[vc_single_image image=”19728″ img_size=”full” onclick=”link_image”]<\/p>\n

                  Step 4: Validate the configuration<\/h3>\n

                  [vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]Log in to the 3CX management console and go to “Dashboard”<\/strong> > “Firewall”<\/strong> to run 3CX Firewall Checker to check if the firewall is properly configured for use with 3CX.<\/p>\n

                  At this point the test should test all the ports one by one and return the relative feedback.<\/p>\n","protected":false},"excerpt":{"rendered":"

                  To use the remote extensions of the VoIP provider, allow webmeeting, use the smartphone APP it is necessary to make changes to the firewall configuration<\/p>\n","protected":false},"author":11,"featured_media":25073,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[154,124],"tags":[158,138],"class_list":["post-19756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-3cx","category-pfsense","tag-3cx-en","tag-pfsense-en"],"_links":{"self":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/19756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/comments?post=19756"}],"version-history":[{"count":3,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/19756\/revisions"}],"predecessor-version":[{"id":19759,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/19756\/revisions\/19759"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media\/25073"}],"wp:attachment":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media?parent=19756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/categories?post=19756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/tags?post=19756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}