3CX & NAT (Again)

SteveITS · Jul 3, 2024, 3:43 PM

@Unoptanio I don't think pfSense even has SIP ALG, check your ISP router for SIP ALG and disable it there.

albgen · Jul 3, 2024, 3:43 PM

The problem in your case is for sure that you have to change some parameters on 3cx.
From the web UI of 3cx go to Advanced->Parameters. Search with the local ip address value. It will find many entries. Change them to the public ip address. There should be only one left with the local ip.
Once you do this it will work and the firewall test will pass but there is still another problem with the port forwarding i think. Forx example i cant chat. Can't change the status on yhr 3cx client..

Unoptanio · Jul 3, 2024, 4:51 PM

@albgen

In the meantime I solved it and now everything works correctly.
I disabled pfsense's pfBlockerNG module and now the firewall test has improved significantly:

I discovered that by disabling the Top Spammers GEOIP category the 3CX test of full cone nat ports passes

Digging deeper and leaving the GeoIP Top Spammers category enabled, the entry causing the problem was "France" which I deselected from the list. (I connect from Italy)

more information here:

https://www.3cx.it/community/threads/configurazione-del-firewall-pfsense-con-3cx.116324/#post-429317

Another issue causing the firewall test to fail within 3cx:
having a pool of static public addresses I had reserved a specific one for the 3cx server. This caused the problem because it must be identical to the public address you use to go out on the internet. After setting it equal the test passed.

SteveITS · Jul 3, 2024, 4:52 PM

@Unoptanio said in 3CX & NAT (Again):

GeoIP Top Spammers

FWIW, as I recall "top spammers" is simply a horribly named list of entire-country IPs.

It is however valid to run the 3CX firewall test and then block IPs/countries to limit access. We do so on the 3CX servers we host.

Unoptanio · Jul 3, 2024, 4:57 PM

@SteveITS

This is my setup that works perfectly:
🔒 Log in to view

🔒 Log in to view

Patch · Jul 3, 2024, 11:59 PM

@Unoptanio I white list the IP address 3CX needs to work. White listing is done by adding an allow rule high up.
Required IP address include some 3CX company address as well as those used by your voip service providers.

albgen · Jul 4, 2024, 5:52 AM

@Unoptanio my firewall test is okay and all green. I can call and recieve also calls. Strangly, it is not working perfectly on the android app. I see the following 🔒 Log in to view

The only difference from the standard install is that i changed the https port to 5001 and of course added a NAT entry for that.

No idea why it is not working.

SteveITS · Jul 4, 2024, 1:17 PM

@albgen is your app using wireless or cell data/out of the office?

albgen · Jul 4, 2024, 1:39 PM

@SteveITS whatever network connection i was using, it was not working and i found he culprit.
The reason is that you cannot just change the port of the https where the nginx web server of 3cx is listening. That will hange the Web UI interface.
You need also to go to the parameters of the 3cx(from the Web UI, Advanced->Parameters) and change a bunch of parameters. What i did was to find all the parameters containing the url https://.... and add the new port at the end.

Now seems everything works perfectly.

SteveITS · Jul 4, 2024, 1:42 PM

@albgen Ah. To change ports the supported method is to reinstall 3CX.

albgen · Jul 4, 2024, 1:46 PM

@SteveITS yes, that is correct and it is written everywhere.
The problem is that, 99% of the cases, you cannot reinstall and that was my case :)