3CX & NAT (Again)
-
@alek AFAIK pfSense doesn't have a SIP ALG "feature." Is there an ISP router upstream that could be doing that? Is the pfSense WAN IP a public IP or NATted from the ISP router? If the latter then the ports need to be forwarded on the ISP router also, or pfSense made its DMZ.
-
@steveits said in 3CX & NAT (Again):
@alek AFAIK pfSense doesn't have a SIP ALG "feature." Is there an ISP router upstream that could be doing that? Is the pfSense WAN IP a public IP or NATted from the ISP router? If the latter then the ports need to be forwarded on the ISP router also, or pfSense made its DMZ.
I don't think so but will ask our ISP if it's the case.
In the past, they told us that everything is open and unrestricted since it's a business connection.
Yes, the pfSense WAN IP is a public IP.
-
@alek do you have some sort of firewall on the VM?
SIP ALG actively modifies the packets in transit.
-
@steveits
No firewall, it's the 3CX appliance.
-
@patch
Thanks for the screenshots, what's PBX_IP_in_SIP in your rules? I edited my rules to make them look like yours except for the PBX IP alias:
Dest. Address is our VIP
NAT Address is our VIP
There is some progress on the 3CX firewall checker. Now the SIP ALG passes:
But still the same problem with the ports.
-
@alek said in 3CX & NAT (Again):
what's PBX_IP_in_SIP in your rules ?
The SIP addresses of the VoIP suppliers I use. Mostly defined by FQDN, but some as small ranges of IP addresses (stored in a separate alias). Using it means I whitelist the IP addresses which can access my 3CX, decreasing its attack surface.
Note this must also include the 3CX SIP server IP addresses to enable passing the firewall testing.
3CX console -> Settings -> Network -> External IP Configuration
plus
sip-alg-detector.3cx.com
@alek said in 3CX & NAT (Again):
But still the same problem with the ports.
I suspect double NAT / CGNAT
-
@patch
If I put our VIP in source Address for Port Forward and Destination in Outbound I pass the SIP ALG test but I still have a problem with the ports match.
I'm waiting for an answer from our ISP about double NAT / CGNAT...
-
@alek Have you enabled static port mapping?
pfsense -> Firewall -> Nat -> Outbound -> Mapping -> Edit
-
@patch Yes it's checked
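To put the two tests this thread revolves around (the SIP ALG check against sip-alg-detector.3cx.com, and the "ports match" check that outbound static port mapping is meant to satisfy) into concrete terms, here is an added Python model of what such a tester does. It is example code, not 3CX, pfSense or any poster's code; the addresses, the far-end behaviour and the ALG stand-in are all constructed, and the real tester's wire format is not reproduced. The idea it demonstrates is general: the PBX sends a SIP OPTIONS request carrying its private address and source port in Via/Contact, the far end reports what it actually received (plus `received=`/`rport=` on the top Via as in RFC 3581), and the two defects fall out of the comparison.

```python
"""Offline model of two checks a SIP NAT tester performs (constructed
example, not 3CX or pfSense code).

* SIP ALG: the echoed Via/Contact no longer carry the private address,
  so a middlebox rewrote the SIP payload in transit.
* port mismatch: rport differs from the port the PBX sent from, so the
  NAT is not preserving source ports (pfSense: static port mapping off).
"""
import re

PRIVATE_IP = "192.0.2.10"    # hypothetical PBX LAN address (RFC 5737 range)
PUBLIC_IP = "198.51.100.20"  # hypothetical pfSense WAN VIP (RFC 5737 range)
SIP_PORT = 5060


def build_options(private_ip, port, branch="z9hG4bK-natcheck"):
    """Build the OPTIONS request the PBX sends to the tester."""
    return (
        "OPTIONS sip:tester.example.invalid SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {private_ip}:{port};branch={branch};rport\r\n"
        f"From: <sip:pbx@{private_ip}>;tag=1\r\n"
        "To: <sip:tester.example.invalid>\r\n"
        "Call-ID: natcheck-1\r\n"
        "CSeq: 1 OPTIONS\r\n"
        f"Contact: <sip:pbx@{private_ip}:{port}>\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def header(msg, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*?)\r?$", msg, re.I | re.M)
    return m.group(1) if m else None


def parse_via(via):
    """Split 'SIP/2.0/UDP host:port;k=v;flag' into (host, port, params)."""
    sent_by, *raw = via.split(";")
    host, _, port = sent_by.split()[-1].partition(":")
    params = {}
    for p in raw:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip()
    return host, int(port) if port else SIP_PORT, params


def contact_host(contact):
    """Host part of a Contact URI such as <sip:user@host:port>."""
    m = re.search(r"sip:(?:[^@>]*@)?([^:;>]+)", contact)
    return m.group(1) if m else None


def check_nat(sent, echoed):
    """Compare what the PBX sent with the far end's echoed copy."""
    s_host, s_port, _ = parse_via(header(sent, "Via"))
    e_host, e_port, params = parse_via(header(echoed, "Via"))
    payload_rewritten = (e_host, e_port) != (s_host, s_port) or (
        contact_host(header(echoed, "Contact"))
        != contact_host(header(sent, "Contact"))
    )
    seen_port = int(params["rport"]) if params.get("rport") else None
    return {
        "sip_alg": payload_rewritten,
        "port_preserved": seen_port == s_port,
        "seen_from": (params.get("received"), seen_port),
    }


def simulate_far_end(wire_request, src_ip, src_port):
    """Constructed stand-in for the detector's server side: echo the request
    as received, filling in the UDP source address and port it saw."""
    via = header(wire_request, "Via")
    new_via = via.replace(";rport", "") + f";received={src_ip};rport={src_port}"
    return wire_request.replace("Via: " + via, "Via: " + new_via, 1)


def simulate_sip_alg(wire_request, private_ip, public_ip):
    """Constructed stand-in for a SIP ALG: rewrite the private address
    inside the SIP payload, which is exactly what breaks 3CX."""
    return wire_request.replace(private_ip, public_ip)


def run_scenarios():
    sent = build_options(PRIVATE_IP, SIP_PORT)
    return {
        # plain NAT with static port mapping: payload untouched, port kept
        "clean": check_nat(sent, simulate_far_end(sent, PUBLIC_IP, SIP_PORT)),
        # an upstream SIP ALG rewrote the headers before they left the site
        "alg": check_nat(sent, simulate_far_end(
            simulate_sip_alg(sent, PRIVATE_IP, PUBLIC_IP), PUBLIC_IP, SIP_PORT)),
        # payload untouched, but the NAT chose a random source port
        "random_port": check_nat(sent, simulate_far_end(sent, PUBLIC_IP, 41872)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12s} {result}")
```

The "random_port" scenario is the one that matches a failing ports check with a clean ALG result: the SIP headers arrive untouched, but the port the far end sees is not the one the PBX sent from, which is what happens when outbound NAT rewrites source ports (or when a second NAT upstream does so even though pfSense keeps them static).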