In VoIP, one-way audio is a common problem, and the cause most often lies in the firewall settings. 3CX offers several tools for analyzing such problems.
What is 3CX Firewall Checker?
3CX Firewall Checker is a utility that checks whether a router or firewall has the ports open that are needed for normal traffic from VoIP operators, trunks between PBXs, external subscribers and 3CX Tunnel connections. 3CX Phone System requires a one-to-one port forwarding configuration.
Below we look at how 3CX Firewall Checker works, using a specific example.
For clarity, we take the following parameters:
1. The 3CX Phone System server has an IP address of 192.168.0.100 and a test port of 9500.
2. The real IP address for this server is 11.22.33.44.
Port Forwarding Information
In principle, if port forwarding is configured correctly, any UDP packet that leaves the PBX with the header “outgoing IP::Port”, that is “192.168.0.100::5060”, should arrive at its final destination (operator or remote subscriber) with a header like 11.22.33.44::5060. Only the IP address changes; the port must NOT be touched. In the reverse direction, a UDP packet with the header “destination IP::Port”, that is “11.22.33.44::5060”, should reach 3CX Phone System on the local network with the header 192.168.0.100::5060.
3CX Firewall Checker verifies that the ports are mapped correctly and also provides additional information that can help in configuring the firewall.
Run 3CX Firewall Checker
To run 3CX Firewall Checker:
1. Go to the 3CX management console.
2. Open the "Settings" section and select "Firewall Checker".
3. Click the Start Firewall Checker button.
Once started, Firewall Checker tests the configuration of the firewall or router and gives recommendations when errors occur.
ATTENTION:
- IMPORTANT: Starting the Firewall Checker stops ALL 3CX services. During the test, the PBX will not work. The test takes about 1 second for each successful port and about 5-10 seconds for error handling. By default, 256 ports are checked: the pool from 9000 to 9255. If WebRTC is used, you also need to open ports 9255-9500. If everything is set up correctly, the test takes about 1 minute; if there is a problem, from 4 to 9 minutes. The test can be stopped at any time.
- Firewall Checker sends requests to the STUN server that is configured in Settings > Network > STUN server. Some systems may respond to this activity by blocking ports, because it can be recognized as port scanning; in that case 3CX Firewall Checker will show errors during the scan. If this happens, disable scan protection for the duration of the scan.
3CX Firewall Checker Checks
Firewall Checker checks the availability of ports based on requests to the STUN server that is configured in the Settings > Network > STUN server section. There are two types of checks:
Test 1 - Internet access
This test checks the availability of the STUN server and name resolution through DNS (if a server name is specified for STUN).
If the test fails, check the following:
- Perhaps there is a problem with the connection to the Internet. Check the availability of the site through a browser.
- Perhaps you need to configure permissions for 3CX Phone System on the router. The ports used are listed here.
- Traffic must be allowed in both directions on the router over TCP and UDP. Read more here.
- Perhaps the STUN server is not available or configured incorrectly.
- Invalid STUN server port.
- Verify that Windows Firewall on the server passes traffic through the correct ports and that antivirus and other anti-malware software does not block traffic. It is best to disable or remove it during the scan. Warning: disabling an anti-malware application does not guarantee that the tests will pass.
- Your operator may be blocking traffic. Check the ports used.
Test 2 - One-to-one port forwarding (for inbound connection)
This test checks for one-to-one port forwarding (also known as Full Cone NAT, also known as symmetric NAT).
During the verification process, 3CX Firewall Checker sends requests to the STUN server from the port being checked, and asks the STUN server to establish a connection from another IP address to this port.
If Test 1 is successful and Test 2 fails, check the following:
- Your WAN to LAN device (firewall or router) supports one-to-one static port forwarding.
- Some ports require TCP and UDP forwarding settings. Check the ports again.
3CX Firewall Checker Client Application for remote subscribers
The application can check the availability of the required ports from the remote subscriber.
The 3CX Firewall Checker Client Application does the following:
- Resolves the FQDN.
- Sends a STUN request to the 3CX server.
- Attempts to register on the PBX.
- Makes a one-minute call to the PBX echo service (*777) and analyzes the receipt of RTP packets.
- Makes a call-back test with the PBX (*888) and analyzes incoming traffic from the PBX.
Download the application here
http://downloads.3cx.com/downloads/3CXFirewallCheckerClientApplication.zip
That's all, thank you for your attention.