Scribd
Upload
112 views3 pages

Mikrotik With 3cx Pabx

This document provides instructions for configuring a MikroTik router to work with a 3CX phone system. It involves 4 steps: 1) disabling SIP ALG, 2) configuring port forwarding to the 3CX server LAN IP, 3) adding inbound access rules for PAT configurations, and 4) validating the setup by running the 3CX firewall checker tool and checking the firewall configuration through router commands.

Uploaded by

MarcusTotti
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
112 views3 pages

Mikrotik With 3cx Pabx

This document provides instructions for configuring a MikroTik router to work with a 3CX phone system. It involves 4 steps: 1) disabling SIP ALG, 2) configuring port forwarding to the 3CX server LAN IP, 3) adding inbound access rules for PAT configurations, and 4) validating the setup by running the 3CX firewall checker tool and checking the firewall configuration through router commands.

Uploaded by

MarcusTotti
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

Configuring a MikroTik with 3CX

On this topic
 Introduction
 Step 1: Disable SIP ALG
 Step 2: Configure Port Forwarding (NAT)
 Step 3: Inbound Access List (PAT configuration only)
 Step 4:Validating Your Setup

Introduction
This document describes the configuration of MikroTik RB951 devices for use with 3CX and should
be compatible with other devices in this series. Although settings can be configured via the GUI
(winbox.exe) or web interface, this guide provides configuration through SSH. Please note that we
cannot assist you in the configuration of your firewall.

Step 1: Disable SIP ALG


1. Log into the firewall. In the command line enter:
ip firewall service-port disable sip

Step 2: Configure Port Forwarding (NAT)


You now need to port forward the following ports in order to support configuration of SBCs, Remote
Extensions and VoIP Providers. The full list of default ports required can be found here.
While still logged into the firewall, enter the following commands:
1. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=[HTTPS Port] protocol=tcp dst-port=[HTTPS Port] comment="3CX Presence
and Provisioning HTTPS"
2. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=[SIP Port] protocol=udp dst-port=[SIP Port] comment="3CX SIP UDP"
3. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=[SIP Port] protocol=tcp dst-port=[SIP Port] comment="3CX SIP TCP"
4. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=[SIP Port + 1] protocol=tcp dst-port=[SIP Port + 1] comment="3CX SIP
TLS"
5. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
6. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=[Tunnel Port] protocol=tcp dst-port=[Tunnel Port] comment="3CX Tunnel
TCP"
7. ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP]
to-ports=[Tunnel Port] protocol=udp dst-port=[Tunnel Port] comment="3CX Tunnel
UDP"
Note that in the above commands you must replace the section in the brackets with the correct port
for your setup.
Step 3: Inbound Access List (PAT configuration
only)
If you have a 1 to 1 NAT, you can skip this step. If you have a PAT configuration you must create the
following access rules using these commands:
1. ip firewall filter add chain=input action=accept connection-state=established
2. ip firewall filter add chain=input action=accept connection-state=related
3. ip firewall filter add chain=forward action=accept connection-state=established
4. ip firewall filter add chain=forward action=accept connection-state=related
5. ip firewall filter add chain=forward action=drop connection-state=invalid
6. ip firewall filter add chain=input action=drop in-interface=[Interface Name]
7. ip firewall nat add chain=srcnat action=masquerade out-interface=[Interface Name]
Note that in steps 6 and 7, you are required to enter the “in-interface” name you are using for 3CX
(the one with the public ip address). All interface names can be listed using the following command:
/interface print

Step 4:Validating Your Setup


1. Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall
Checker. This will validate if your firewall is correctly configured for use with 3CX.
More information about the Firewall Checker can be found here.
2. Check the Firewall configuration using the following commands:

1. > ip address print


2. > ip firewall nat print

3. > ip firewall filter print

You might also like