TP-Link wireless routers have received deserved recognition, especially from home users and small companies. However, TP-Link also produces a line of powerful and fairly functional routers and enterprise-level access points. In particular, the business class router TL-ER6020 at a very affordable price has a number of interesting features:
- 2 Gigabit WAN ports with backup switching capability, 2 Gigabit LAN ports, 1 Gigabit LAN / DMZ port and 1 console port
- Support for multiple VPN protocols, including IPsec / PPTP / L2TP servers
- Supports up to 50 IPsec VPN tunnels using a hardware VPN handler
- Advanced security features including ARP inspection, protection against DoS attacks, filtering by URL and domain name keyword, and access control

A detailed description of the features and settings of the TL-ER6020 is available here. In this article, we limit ourselves to setting up the TP-Link TL-ER6020 router to work with 3CX Phone System.
In this network layout, the 3CX server sits behind the router's NAT in the 192.168.0.0/24 network. The IP address of the router is 192.168.0.1, and the IP address of the 3CX server is 192.168.0.2.
Router preparation
First of all, you need to update the TL-ER6020 firmware because, as it turned out, even the latest firmware from the official TP-Link site has an error that does not allow disabling SIP ALG.
Disabling SIP ALG is critical for the correct operation of various SIP operators with 3CX.
- Log in to the router interface at 192.168.0.1 (default address) with username and password admin / admin
- Download firmware and upgrade router

- After updating, it is recommended to reset the device to default settings.
Router Setup
Configuring a router consists of three steps:
- Connect at least one WAN port to the Internet
- Disable SIP ALG service
- Publication of services (port forwarding) through NAT, necessary for the full operation of 3CX Phone System
- Additional firewall settings for increased security
- Testing the TL-ER6020 configuration with inbound and outbound SIP calls
Connecting the router to the Internet
Connecting one (or both) WAN ports to the Internet is done in the Network - WAN section. At the bottom of the interface, you can check the status of the connection. This example uses a PPPoE connection.

Disable SIP ALG service
Disable SIP ALG in the Advanced - NAT - ALG section.
Publication of services (port forwarding) through NAT
For the correct operation of external SIP trunks, you must publish a number of ports of the 3CX Phone System server:
- 5060 TCP / UDP - SIP
- 5090 TCP / UDP - 3CX Tunnel
- 5000, 5001 (for Abyss web server) or 80 and 443 (for IIS server) TCP — 3CXPhone advanced management and auto configuration of IP phones
- 9000-9500 UDP - RTP and WebRTC media stream
Publication of services is done in the Advanced - NAT - Virtual Server section. Let's start with the SIP server.

After publishing all the services, the interface should look something like this.

Configure a firewall for increased security
Publishing services the way it is implemented in the TL-ER6020 raises justified concerns: we are, in effect, opening SIP port 5060, which hackers love so much, to the whole world. The publishing interface offers no way to specify the IP addresses for which the 3CX server's SIP port should be opened.
Our strong recommendation: open port 5060 only for the SIP addresses of the telecom operators / SIP providers your system works with. In our example, the system works with the Russian operator Megafon (Multifon service) and the Ukrainian operator Kyivstar; Megafon uses different IP addresses for the SIP server and SIP proxy, while Kyivstar has only a SIP server.
First, we define the services / port ranges to which access should be restricted in the Firewall - Access Control - Service section.

Here we defined only SIP port 5060 and RTP ports 9000-9255. The remaining 3CX services must be accessible to any IP address on the Internet, so there is no need to restrict access to them.
In the Firewall - Access Control - Access Rules section, we add firewall rules that allow access to certain 3CX services only from certain SIP addresses.

You also need to add one general prohibition rule that blocks access to these ports for all Internet addresses. Please note: this rule should be the last in the list. The final list of rules should look like this.

The second part of the list with the general prohibiting rule.
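The rule ordering described above can be checked offline before it is entered into the router. This is an added example, not part of the original article or of TP-Link's software: it assumes the Access Rules list is evaluated top-down with the first match winning, and the provider addresses are placeholders from documentation ranges rather than the operators' real IPs.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Services as defined in Firewall - Access Control - Service (port ranges from the article).
SERVICES = {"SIP": (5060, 5060), "RTP": (9000, 9255)}

# Constructed rule list: (policy, services, source). Placeholder addresses only.
RULES = [
    ("allow", {"SIP"}, "192.0.2.10/32"),         # provider A, SIP server
    ("allow", {"SIP"}, "192.0.2.20/32"),         # provider A, SIP proxy
    ("allow", {"RTP"}, "192.0.2.0/24"),          # provider A, media
    ("allow", {"SIP", "RTP"}, "198.51.100.5/32"),  # provider B, single SIP server
    ("block", {"SIP", "RTP"}, ANY),              # general prohibition rule, must be last
]

def decide(rules, src_ip, port, default="allow"):
    """Assumed first-match evaluation; ports outside SERVICES are untouched by the rules."""
    ip = ipaddress.ip_address(src_ip)
    for policy, services, source in rules:
        in_service = any(SERVICES[s][0] <= port <= SERVICES[s][1] for s in services)
        if in_service and ip in ipaddress.ip_network(source):
            return policy
    return default

def lint(rules):
    """Report services left open to everyone or allow rules shadowed by the block-all rule."""
    problems = []
    for svc in SERVICES:
        scoped = [(p, src) for p, svcs, src in rules if svc in svcs]
        blocks = [i for i, (p, src) in enumerate(scoped) if p == "block" and src == ANY]
        if not blocks:
            problems.append(f"{svc}: no block-all rule, port stays open to any address")
        elif any(p == "allow" for p, _ in scoped[blocks[0] + 1:]):
            problems.append(f"{svc}: allow rule after block-all never matches")
    return problems

if __name__ == "__main__":
    print(lint(RULES) or "rule order OK")
    for src, port in [("192.0.2.10", 5060), ("203.0.113.77", 5060), ("203.0.113.77", 5001)]:
        print(src, port, decide(RULES, src, port))
```

Moving the block-all rule to the top of the list makes `decide` return `block` even for the provider addresses, which is the failure the "last in the list" note guards against.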

Setup Testing
To verify that the firewall is working correctly, make outgoing and incoming calls. The calls should connect, audio should be audible in both directions, and the connection should not drop after 32 seconds.
Conclusion
Setting up the TP-Link TL-ER6020 VPN router to work with the 3CX Phone System is a fairly simple process, but it requires attention to some of the quirks that we ran into. It is also desirable to understand the basic principles of VoIP technology.
In this guide, we did not consider such an interesting feature of the TL-ER6020 as WAN link backup. This feature allows you to keep VoIP connectivity uninterrupted even if the main Internet connection goes down.

However, keep in mind that such WAN backup imposes certain requirements on the SIP connections used:
- It is recommended to use SIP connections with authorization by username and password. In this case, when the main Internet channel is disconnected, the SIP connection is automatically re-registered through the second operator.
- If you are using a SIP line with authorization by IP address (SIP trunk), ask the operator to authorize the IP address of the backup Internet connection. After that, the operator will be able to receive and route calls through this connection.