Netgate Discussion Forum

    3CX & NAT (Again)

    25 Posts 5 Posters 2.1k Views
      Alek @Patch

      @patch Yes it's checked

        Unoptanio @Alek

        @Alek

        Hello

        I have the same problem with pfsense 2.7.2 CE on baremetal (no provider router)

        3CX ver20 on premise
        IP Server 3CX in the LAN 192.168.1.137

        Have you resolved it?

        I also followed this guide

        ENG:
        https://www.3cx.com/docs/pfsense-firewall/

        ITA:
        https://www.3cx.it/doc/configurazione-firewall-pfsense/

        [image]

        [image]

        System > Advanced > Firewall & NAT:
        [image]

        [image]

        [image]

        pfSensePlus24.03 2U BareMetal Asrock Industrial IMB-X1314MicroATX
        CPU: i7-13700@5.2GHz, RAM:32GB ECC, n°2 Samsung 870EVO SATA 2.5” SSD 1TB (ZFS) Raid1
        n°3 Intel i225-LM 2500/1000/100Mbps, n°1 NIC Intel i350-T4V2 10/100/1000 Mbps 4*GLAN, n°1 Intel X520-DA2

          Alek @Unoptanio

          @Unoptanio
          Hi o/

          Yes resolved. Started everything from scratch and it worked.

          My outbound rule is:

          [image]

          My inbound rules:

          [image]

          PBX_Ports_WAN contains:

          [image]

          NAT is in Pure Nat too.

          Verify that your 3CX server is using the correct WAN if you have multiple WAN/VIP.

            Unoptanio @Alek

            @Alek

            I have one WAN only.

            The doors seem the same to me.
            I'm testing with 3cx version 20 on premise

              SteveITS Galactic Empire @Unoptanio

              @Unoptanio I don't think pfSense even has SIP ALG, check your ISP router for SIP ALG and disable it there.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                albgen @SteveITS

                The problem in your case is for sure that you have to change some parameters on 3cx.
                From the web UI of 3cx go to Advanced->Parameters. Search with the local ip address value. It will find many entries. Change them to the public ip address. There should be only one left with the local ip.
                Once you do this it will work and the firewall test will pass, but there is still another problem with the port forwarding, I think. For example, I can't chat. Can't change the status on the 3cx client.

                  Unoptanio @albgen

                  @albgen

                  In the meantime I solved it and now everything works correctly.
                  I disabled pfsense's pfBlockerNG module and now the firewall test has improved significantly:

                  I discovered that by disabling the Top Spammers GEOIP category the 3CX test of full cone nat ports passes

                  Digging deeper and leaving the GeoIP Top Spammers category enabled, the entry causing the problem was "France" which I deselected from the list. (I connect from Italy)

                  more information here:

                  https://www.3cx.it/community/threads/configurazione-del-firewall-pfsense-con-3cx.116324/#post-429317

                  Another issue causing the firewall test to fail within 3cx:
                  Having a pool of static public addresses, I had reserved a specific one for the 3cx server. This caused the problem because it must be identical to the public address you use to go out on the internet. After setting it equal the test passed.

                    SteveITS Galactic Empire @Unoptanio

                    @Unoptanio said in 3CX & NAT (Again):

                    GeoIP Top Spammers

                    FWIW, as I recall "top spammers" is simply a horribly named list of entire-country IPs.

                    It is however valid to run the 3CX firewall test and then block IPs/countries to limit access. We do so on the 3CX servers we host.

                      Unoptanio @SteveITS

                      @SteveITS

                      This is my setup that works perfectly:
                      [image]

                      [image]

                      [image]

                        Patch @Unoptanio

                        @Unoptanio I whitelist the IP addresses 3CX needs to work. Whitelisting is done by adding an allow rule high up.
                        Required IP addresses include some 3CX company addresses as well as those used by your VoIP service providers.

                          albgen @Unoptanio

                          @Unoptanio my firewall test is okay and all green. I can call and also receive calls. Strangely, it is not working perfectly on the Android app. I see the following: Screenshot_20240704_074048_3CX.jpg

                          The only difference from the standard install is that I changed the https port to 5001 and of course added a NAT entry for that.

                          No idea why it is not working.

                            SteveITS Galactic Empire @albgen

                            @albgen is your app using wireless or cell data/out of the office?

                              albgen @SteveITS

                              @SteveITS whatever network connection I was using, it was not working, and I found the culprit.
                              The reason is that you cannot just change the port of the https where the nginx web server of 3cx is listening. That will change the Web UI interface.
                              You also need to go to the parameters of the 3cx (from the Web UI, Advanced->Parameters) and change a bunch of parameters. What I did was to find all the parameters containing the url https://.... and add the new port at the end.

                              Now it seems everything works perfectly.

                                SteveITS Galactic Empire @albgen

                                @albgen Ah. To change ports the supported method is to reinstall 3CX.

                                  albgen @SteveITS

                                  @SteveITS yes, that is correct and it is written everywhere.
                                  The problem is that, in 99% of the cases, you cannot reinstall and that was my case :)

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.