3CX technical support answers: configuring the router for a VoIP PBX server

If you plan to connect SIP trunks from telecom operators or remote users to a 3CX system, and your PBX is located in a private network, you need to configure static port publishing (“forwarding”) on the firewall.

VoIP applications use the RTP protocol to carry media streams (audio and video). Problems can arise when this traffic passes through edge network devices (firewalls and routers), because RTP uses random port numbers to send and receive media traffic. An incorrectly configured firewall shows up as one-way audio, or no audio at all, with the VoIP provider and remote users.

The problem of VoIP with symmetric NAT


With symmetric NAT, the edge network device dynamically changes the port number on which the audio stream is received. For example, when making an outgoing call through the operator's SIP trunk, 3CX first makes a STUN request to determine its external IP address and current port number. This address and port are then passed to the operator's SIP server so that the two sides can communicate. But in the meantime your firewall dynamically closes this port, which has already been given to the operator (it is indicated in the INVITE header), and audio transmission fails. Because of this behaviour, reliable VoIP operation cannot be ensured. Firewall configuration guides call this technology Symmetric NAT.

Solving the one-way audio problem in VoIP: Full Cone NAT


To solve the problem of one-way audio (or complete “silence”), configure so-called Full Cone NAT, also known as one-to-one NAT. In this mode the required ports on the router's external address are mapped (“forwarded”) to a specific internal address, and the port number is preserved. An external host exchanges RTP packets with the internal host by sending them to the router's external address and the external (mapped) port.

In fact, the vast majority of network devices support this mode. It is usually called "Static port mapping". Static publishing ensures that a particular port always remains open and is never changed by the firewall. Some very cheap routers implement this function incorrectly, but most, as already said, let you configure port “forwarding” properly. At the end of the article are examples of the appropriate configuration of various network devices.

Checking the firewall with the 3CX Firewall Checker service


A good way to check the configuration of a network device (to find out whether you are behind Symmetric NAT and to detect other configuration problems) is to use the 3CX Firewall Checker service.

3CX Firewall Checker lets you verify in advance that your edge network device correctly handles VoIP traffic from SIP operators, 3CX bridges, external SIP clients and connections that use 3CX Tunnel technology. Consider a simple example of how to use this service. Assume that the 3CX server has the address 192.168.0.100, testing is performed on port 9500, and the external address of your network is 11.22.33.44.

As already mentioned, correct port publishing means that any outgoing UDP packet sent by the PBX server with source IP::Port 192.168.0.100::9500 must reach the recipient (usually the operator's SIP server, a remote IP phone or another 3CX PBX) with the “rewritten” source IP::Port 11.22.33.44::9500. Although address translation takes place (it is needed to route the packet over the public WAN), the packet's port does not change. In addition, any UDP packet arriving from the WAN with destination IP::Port 11.22.33.44::9500 must reach the 3CX server with destination IP::Port 192.168.0.100::9500. 3CX Firewall Checker is used precisely to check that this address translation is correct, and also finds out another important one.
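An added example (not from the original article and not 3CX's code): a minimal RFC 5389 STUN response parser that extracts the mapped address and checks whether the NAT preserved port 9500 as described above. The function names and the sample replies are constructed for illustration, and the check covers only the outbound half of the translation, not inbound reachability.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442            # fixed value in every RFC 5389 STUN header
BINDING_SUCCESS = 0x0101             # Binding Success Response message type
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def parse_mapped_address(msg: bytes):
    """Return the (ip, port) the STUN server saw as our source, or None."""
    if len(msg) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or len(msg) < 20 + length:
        return None
    pos, end = 20, 20 + length       # attributes follow the 20-byte header
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(value) == alen == 8 and value[1] == 0x01:
            port, addr = struct.unpack("!HI", value[2:8])
            if atype == XOR_MAPPED_ADDRESS:          # undo the XOR with the cookie
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
        pos += 4 + alen + (-alen % 4)                # values are padded to 4 bytes
    return None

def classify(local_port: int, responses: list) -> str:
    """Judge replies received on one local port from different STUN servers."""
    mapped = [parse_mapped_address(r) for r in responses]
    if not mapped or None in mapped:
        return "no valid response"
    if all(port == local_port for _, port in mapped):
        return "port preserved"                      # what static publishing gives
    if len(set(mapped)) > 1:
        return "symmetric NAT suspected"             # mapping changes per destination
    return "port rewritten"

def build_response(ip: str, port: int) -> bytes:
    """Constructed sample reply with one XOR-MAPPED-ADDRESS attribute."""
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC_COOKIE >> 16), xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + bytes(12) + attr

if __name__ == "__main__":
    good = [build_response("11.22.33.44", 9500)] * 2
    bad = [build_response("11.22.33.44", 40001), build_response("11.22.33.44", 40002)]
    print(classify(9500, good), "/", classify(9500, bad))
```

A real client must also match the 12-byte transaction ID of each reply against its request; the sample replies here use an all-zero ID.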

To launch 3CX Firewall Checker, go to the 3CX management interface > Home section > PBX Status section > click Firewall > Start.



Once started, the network tests begin. Depending on the type of edge device and its actual configuration, you will see the result along with troubleshooting tips.

Attention: Starting 3CX Firewall Checker stops some 3CX services, so the PBX will be unavailable during the tests. A successful port test takes 1 second; an unsuccessful one takes 5-10 seconds. By default, ports in the range 9000 - 10999 are tested. If everything is configured correctly from the start, testing takes less than a minute. If problems arise, testing takes 4-9 minutes. However, you can stop the test at any time.

The service uses the 3CX STUN server, which should be set in the Settings > Network > Public IP section. Some firewalls may mistake this test for a port scan. If this happens, 3CX Firewall Checker reports a problem at the very beginning of the test. Therefore, disable port scan detection in the firewall before testing.

3CX Firewall Checker tests


The utility checks that the hardware is configured correctly by making various requests to the STUN servers. Two tests are performed.

Internet accessibility


This test checks that the STUN servers are reachable from the 3CX server ports being tested. DNS operation is also checked (STUN servers in 3CX are specified by FQDN).

If this test fails, the following problems are possible:

  • A general problem with Internet access. If a browser is installed on the server, simply try to open a website. You may need to open access from the PBX server to the Internet on the ports specified in this manual.
  • The test may fail if the STUN server is unavailable. Check the settings in Settings > Network > Public IP or use a backup server.
  • Check which port is specified for STUN (default 3478).
  • Ensure that the firewall on the 3CX server itself, such as Windows Firewall, allows connections to the ports under test. Antivirus or other security programs can also block ports. Disable or even completely remove them from the server for the duration of the test (simply disabling them does not always help).
  • Ports can also be blocked on your Internet operator's side; you should rule out this possibility.

Correct port publishing (Full Cone NAT)


This test checks whether a server on the Internet can communicate with the 3CX server on the internal network. It verifies the configuration of one-to-one port translation (Full Cone NAT).

3CX Firewall Checker sends a request to the STUN server from the port (number) being checked, and asks the STUN server to open a connection to the PBX server on this port from the external IP address. If the second test fails, check the following settings:

  • Your firewall should have a one-to-one static port publishing rule. Inexpensive devices, as a rule, offer only this type of rule.
  • Some ports require a rule for both TCP and UDP traffic. See the list of ports required for 3CX operation.

Test results / error messages


Below are the test results and errors returned by the Firewall Checker.

This is a port for forwarding. VoIP can work. This configuration is supported (Success - the port is published correctly. VoIP communications will work. This configuration is supported by 3CX).

All tests passed successfully. Your edge device allows traffic to the Internet from the tested port and correctly translates ports one to one. The configuration is supported.

STUN server has no second address (STUN server does not have a second address).

This message appears if the STUN server is configured incorrectly in the 3CX interface. The STUN server must have two addresses. In the Settings > Network > Public IP section, specify the following STUN servers: stun-eu.3cx.com, stun2.3cx.com, stun3.3cx.com.

Failed - No response received or port mapping is closed. Port forwarding is not configured correctly (No response was received or the port is closed. Port publishing is configured incorrectly).

Publishing of the checked port is configured incorrectly. In this case, VoIP operators and remote IP phones will not work. Set up port publishing according to these guides.

Failed - Firewall check failed. Some errors were detected. Please check your firewall configuration and try the test again (Failed - the firewall check failed. Errors were detected. Check the firewall configuration and try again).

This message appears if some ports passed the test and some did not. Note which specific ports failed the test and publish them. Also make sure that these ports are not published on the router to a different internal IP address.

Failed - Malformed response received - (aka Symmetric NAT). Port forwarding not correctly implemented (An incorrect response was received (possibly symmetric NAT). The publication of ports was incorrectly configured).

This response indicates that Full Cone NAT is not working correctly in your setup.

The STUN server did not answer or port forwarding (the STUN server did not respond or the ports were not configured on the firewall).

Your STUN server is not responding. Possible reasons:

  • The STUN server is unavailable from the 3CX server.
  • The STUN server is currently disabled.
  • Port publishing is not configured.

STUN server address cannot be resolved (the server’s IP address is not resolved by DNS).

The IP address of the STUN server could not be determined from its name. This may indicate problems with your DNS server, or that the STUN server has been permanently shut down.

Failed - Malformed or stun servers. STUN servers from Settings → Network → External IP Configuration section Check for an Internet connection, DNS settings, or use another STUN in the Settings → Network → section. External IP).

The answer says that the publication of ports is correct or your firewall blocks packets.

Failed - Port {0} or SIP port. The 3CX Firewall checker requires the SIP port to be free (The port is being used by another application on this server OR the SIP port is being used by the process {0}. The 3CX Firewall checker service needs a free SIP port).

The port being tested is used by another application installed on this server. To determine the specific process, run the command

netstat -ano | findstr /I /C:"PID" /C:":9500"

where 9500 is the port number. In the PID column you will see the process ID. Use Task Manager to identify the process. Alternatively, you can execute the command

tasklist /fi "pid eq 4"

where 4 is the process ID.

STUN servers are not reachable. Cannot perform Firewall check. This configuration is not supported (STUN servers are unavailable. Cannot perform firewall check. Configuration is not supported).

The STUN servers configured in the 3CX interface are not available. As a rule, this is due to problems with Internet access. In the Settings > Network > Public IP section, specify the following STUN servers: stun-eu.3cx.com, stun2.3cx.com, stun3.3cx.com.
