3CX port forwarding in Fortigate (with Static NAT 1:1)

Captions
Hello again, this is Thomas from HOTKEY404 and today we start another mini series on 3CX. In a previous one I showed you how to install the software on various operating systems and today we will do a firewall configuration. Maybe you're thinking that this is a bit strange that 3CX requires a proper firewall configuration to work. However, if you have ever used some Asterisk-based software like FreePBX and after installation you face some issues with one-way audio, media update control or some disconnects after 32 seconds after an unsuccessful re-INVITE, then the idea of having the proper configuration at the very beginning is not so stupid. So today I will show you how to do a port forwarding, how to disable SIP ALG and how to enable static one-to-one NAT in a Fortigate device. Then we will do the same in some other routers. So let's get started.

At the very beginning I just want to say that although we are talking about 3CX here, you can easily apply the same rules to some VoIP devices or, for example, some Asterisk-based servers. But going back to our 3CX, you'll notice that without the proper port forwarding you won't be able to even access the link from your congratulations screen, so instead of using that I will just switch to the local IP address and access it internally. So after we log into our 3CX, you'll notice that there is an exclamation mark and this red dot and the warning next to your firewall, because 3CX requires a proper firewall to work. So as you can see, if we run the test we can see that some of those ports are not forwarded, so I will just stop here and we will jump to our Fortigate device to set up those port forwardings.

Now after logging into our Fortigate device we will do exactly the same things that are described on our hotkey404.com website, where in addition to Fortigate settings you will find all those ports that need to be forwarded. As you see, the configuration is pretty empty: we have just one IPv4 policy to enable outgoing traffic. So let's jump to Policy and Objects, Objects, Virtual IPs and set the first one. As a name let's say 3CX HTTP, external IP address your public IP address, mapped IP your local address, and we will start with TCP 5001 because this is the port for our web server. And we'll do exactly the same thing for all of the services, remembering that, for example, for SIP transport and for the 3CX tunnel protocol we need to add both UDP and TCP, and for media transport we'll add not one port but a range of ports. So let's quickly add all of those required port forwardings.

Having all of those, we can go to Policy, IPv4 and create a new incoming policy. But I just want to highlight that since we are opening the ports to the world, in addition to using this WAN incoming interface I strongly suggest restricting incoming traffic, for example use geolocalization to restrict to just a specific country or use FQDN to allow just 3CX, just to make your services a bit more secure. But for now we will just stick to all. Set outgoing interface to LAN and add all of those virtual IPs that we have created, then schedule always, service all, and we can disable NAT services because we have that set up inside our virtual IPs. So now when we jump to our 3CX and we go to Firewall and run it once again, you'll notice that some of the services are okay, for example tunneling, proxy, media server, but still we have some issues with our firewall, and like we said, 3CX requires the firewall to pass all the tests.

So we see that the next step is disabling SIP ALG. Honestly, in my lifetime I've seen just one scenario during which I had my SIP ALG turned on; in most cases you turn it off. So going back to our Fortigate device, we will use the CLI console to disable SIP ALG. Here we'll execute config system session-helper and with show we'll find entry number 13, which points to SIP traffic, and we'll delete it with delete 13, and then end to leave session helper settings. Next we will execute config system settings and here set default-voip-alg-mode, and from proxy-based we will switch to kernel-helper-based. Then, although it is not necessary at this point, just to be certain we will set sip-helper disable, set sip-nat-trace disable and end these settings. And the last one, if you want to use VoIP profiles, we will go to config voip profile, edit the default one, config sip and set status to disable, and then end and end. And to apply all those changes we could clear the sessions, but I would just reboot my Fortigate device. After the reboot, if we go back to our 3CX and once again run the firewall check, you will see that all of the tests are passed. So at this point you can easily use all the features of your 3CX server.

And one last thing. Unfortunately, setting the incoming traffic redirection does not guarantee that our server will answer queries with the same port, especially if you have more than one public IP address; this firewall checker can show some port mismatch. So to solve this I will quickly show you how to add one-to-one static NAT in Fortigate. To set this up we'll go once again to Policy and Objects, Objects, Addresses and we'll create a new address. We can name it 3CX and add the local IP address, then as an interface we will use LAN, show in address list, and submit. As a second step we will go to IP Pools, create new, add a name which will be recognizable, so I will use WAN and my IP address, and as a type we will set one-to-one, and as an IP we'll set our public IP address and disable ARP reply. So there's just one last step for today: we'll go to Policy, IPv4, set an incoming interface as LAN, our source address will be this newly created 3CX, as an outgoing interface we'll use WAN, destination all, schedule always, service all, and inside firewall settings we will use dynamic IP pool and select the one that we have just created. And the last thing here is to adjust the correct order of our policies. To make sure that we haven't messed things up, we once again run a firewall check. As you see, everything is still nicely working and we can finally use the link from the very beginning of this video, and from the local IP address we can finally use this fully qualified domain name from our 3CX domain. Great.

So as you can see, adjusting Fortigate to fit 3CX needs is not so difficult, but if you're thinking that you have a different version of the software, something older, something newer, then Google is your friend. Today I showed you just the general idea on how to configure all those settings and of course, like we said at the beginning, in the next videos I will show you how to do the same on different devices. So for now thank you for watching, have an amazing day and see you in the next one.
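The GUI steps above, written out as FortiOS CLI so the result can be reviewed or scripted. This is an added example, not configuration from the video or from HOTKEY404; it assumes placeholder addresses (public 203.0.113.10, 3CX host 192.168.1.10), interface names wan1 and lan, and shows only the TCP 5001 web VIP from the video (the SIP, tunnel and RTP-range VIPs follow the same pattern and join the inbound policy's dstaddr list). The SIP ALG commands are the ones the video reads out and are not repeated here.

```fortios
config firewall vip
    edit "3CX-HTTPS"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set protocol tcp
        set extport 5001
        set mappedport 5001
    next
end
config firewall address
    edit "3CX"
        set subnet 192.168.1.10 255.255.255.255
        set associated-interface "lan"
    next
end
config firewall ippool
    edit "3cx-1to1"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
        # the VIP already answers ARP for this public IP; a second responder would conflict
        set arp-reply disable
    next
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "3CX-HTTPS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "3CX"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "3cx-1to1"
    next
end
```

The second policy must be ordered above the general LAN-to-WAN policy, otherwise the 3CX host keeps leaving through the interface address and the firewall checker reports the port mismatch the video describes; replacing `set srcaddr "all"` on the inbound policy with a geography or FQDN address object is the restriction the video recommends.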
Info
Channel: HOTKEY404
Views: 6,592
Keywords: 3cx, tutorial, fortigate, firewall, sipalg
Id: me8u0tk_YWA
Length: 8min 52sec (532 seconds)
Published: Sun Jun 13 2021