Netgate Discussion Forum
    nat problem between pfsense and 3cx

    NAT
    10 Posts 2 Posters 1.8k Views
      vettalex

      Hi everyone, I have a local 3CX PBX, and a pfSense as a firewall.
      Through this official procedure: https://www.3cx.com/docs/pfsense-firewall/, I was able to solve the NAT problem of the ports of the 5090 and 5061.
      Despite this, I still have the problem of the NAT of the ports 9000 to 10999 of the Media Server.
      I'll post the rules made on pfSense and the error that 3CX gives me with the firewall checker.

      Also I wanted to know, to make the 3CX app work outdoors, do I have to open any particular door?
      thanks everyone for the support
      edc83b9e-d1f2-4ee9-a400-461fec3506d5-image.png
      ea4ea954-54ca-4248-8a62-51df0c6d1727-image.png
      a944fe39-8eea-4efd-b376-6c8fcfba85ec-image.png

        SteveITS Galactic Empire @vettalex

        @vettalex Did you set up the outbound NAT? (Step 2: Port Preservation (Full Cone NAT))

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          vettalex @SteveITS

          @steveits Hi, I think I have done everything correctly, I post you the photo of the conf:
          51e79025-b7c7-466c-baf9-8151ef4593a7-image.png

            vettalex @vettalex

            @vettalex
            ptm0.2-ppp0 PROXY 9000 192.168.100.9 9000 udp 1000
            ptm0.2-ppp0 PROXY 1194 192.168.100.9 1194 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 80 192.168.100.9 80 tcp
            add napt ptm0.2-ppp0 PROXY 443 192.168.100.9 443 tcp
            ptm0.2-ppp0 PROXY 1194 192.168.100.9 1194 udp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5090 192.168.100.9 5090 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5090 192.168.100.9 5090 udp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5060 192.168.100.9 5060 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5060 192.168.100.9 5060 udp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5061 192.168.100.9 5061 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5061 192.168.100.9 5061 udp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5000 192.168.100.9 5000 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 5001 192.168.100.9 5001 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 500 192.168.100.9 500 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 500 192.168.100.9 500 udp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 4500 192.168.100.9 4500 tcp 83.2xx.xx.xx
            add napt ptm0.2-ppp0 PROXY 4500 192.168.100.9 4500 udp 83.2xx.xx.xx

            These are the ports opened by my provider.
            Important thing!: if I bypass pfSense, everything works regularly (i.e. I set the IP of the pfSense WAN on the 3CX switchboard and connect it directly to the router)

              SteveITS Galactic Empire @vettalex

              @vettalex said in nat problem between pfsense and 3cx:

              These are the ports opened by my provider

              So there is an ISP router outside of the pfSense, and 192.168.100.9 is your pfSense WAN IP? Then because of the double NATing the ISP router will also need SIP-ALG off, static mapping, etc. Can it be set as a bridge?

              What 3CX license do you have? Pro and higher have free hosting...there are caveats but it's available. (we're 3CX Partners but our clients host in our data center, where there is no NAT)

                vettalex @SteveITS

                @steveits Hi Steve, thanks for the reply and sorry for my late reply (I have a 3 month old baby who does not let us sleep as much 😥).
                So, the 3CX license is free, and the possibility to host it for free expired in November 2020, now I need to set the ports correctly between 3CX, pfSense and the router.
                I made a scheme (very simple) to make you understand my network.
                I want to clarify that if I set the 3CX IP, with the pfSense WAN IP (192.168.100.9), the 3CX checker gives me everything correctly green. Surely the setting problem is on pfSense, at 100%.
                pfsense_3cx.png

                  vettalex @vettalex

                  @vettalex I add updated screenshots on the rules set:
                  192.168.8.1_firewall_nat_out_edit.php_id=0.png 192.168.8.1_firewall_nat_out.php.png 192.168.8.1_firewall_nat.php.png

                    SteveITS Galactic Empire @vettalex

                    Thread https://www.3cx.com/community/threads/pfsense-2-4-x-full-cone-test-failed.72102/post-321768 links to a Google doc which may be slightly different. I might try creating one rule per port (range) rather than one rule for all the ports. There are some that need UDP or TCP only, as well, see https://www.3cx.com/docs/manual/firewall-router-configuration/ and/or https://www.3cx.com/docs/ports/.

                    I would also suspect the double NAT from the ISP router is getting in the way. Is it possible to bridge or passthrough that so the pfSense gets the public IP on its WAN?

                    You might post in the 3CX forum linked above as well.

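The rule-per-port advice in the reply above, as an added example that is not part of the original thread: a small auditor that compares the forwards configured at one NAT hop against a required-port list and reports both gaps and forwards that expose more than is needed. The required list uses ports named in this thread; the protocol split, the sample forward rules and all function names are assumptions for illustration, so check them against the 3CX port pages linked above.

```python
def parse_rules(lines):
    """Parse 'udp 9000-10999' or 'tcp/udp 5090' into (proto, first, last) tuples."""
    rules = []
    for line in lines:
        protos, ports = line.split()
        first, _, last = ports.partition("-")
        first, last = int(first), int(last or first)
        if not 0 < first <= last <= 65535:
            raise ValueError(f"bad port range: {line!r}")
        for proto in protos.lower().split("/"):
            if proto not in ("tcp", "udp"):
                raise ValueError(f"bad protocol: {line!r}")
            rules.append((proto, first, last))
    return rules

def subtract(span, cuts):
    """Return what is left of the (first, last) span after removing each cut."""
    remaining = [span]
    for c_first, c_last in cuts:
        kept = []
        for first, last in remaining:
            if c_last < first or c_first > last:   # no overlap with this cut
                kept.append((first, last))
                continue
            if first < c_first:                     # part below the cut survives
                kept.append((first, c_first - 1))
            if c_last < last:                       # part above the cut survives
                kept.append((c_last + 1, last))
        remaining = kept
    return remaining

def difference(a, b):
    """Port spans, per protocol, present in rule set a but absent from b."""
    out = []
    for proto, first, last in a:
        cuts = [(lo, hi) for p, lo, hi in b if p == proto]
        out += [(proto, lo, hi) for lo, hi in subtract((first, last), cuts)]
    return sorted(out)

def audit(required, forwards):
    """missing = needed but not forwarded; excess = forwarded but not needed."""
    return {"missing": difference(required, forwards),
            "excess": difference(forwards, required)}

# Ports named in this thread; the tcp/udp split is an assumption.
REQUIRED = parse_rules(["tcp/udp 5060", "tcp 5061", "tcp/udp 5090", "udp 9000-10999"])
# Constructed sample: two catch-all rules at one hop, not the poster's real config.
BROAD = parse_rules(["tcp/udp 5060-5090", "tcp/udp 9000-9999"])
print(audit(REQUIRED, BROAD))
```

With double NAT the same audit applies to each hop separately: a port must appear in neither hop's `missing` list to reach the PBX, and anything in `excess` is exposure that a per-port, per-protocol rule would remove.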
                      vettalex @SteveITS

                      @steveits Hi Steve, unfortunately it is not possible to configure in bridge, nor to configure the WAN directly on pfSense (maybe). However I will divide the ports for each service with its protocol (TCP or UDP) and see how it goes. I will also read the link above, I have already opened a post on the 3CX community.

                        vettalex @vettalex

                        @SteveITS Hi Steve, I followed your advice, reset all the rules and, following the link below, redid the rules. All working! Thanks for the availability!

                        https://www.3cx.com/docs/pfsense-firewall/

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.