3CX firewall checker failing with Mikrotik

I’m in the process of switching from a PfSense router to an RB5009. I have a single fiber WAN with a single dynamic IP. 3CX works and Firewall Checker passes with the pFsense router.

Ether5 is in a bridge called bridge-dmz at 10.1.1.0/24. The 3CX server’s IP is 10.1.1.20.

I followed the guide on the 3CX website with the following commands. I also disabled the SIP ALG service port.

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5001 protocol=tcp dst-port=5001 comment="3CX Presence and Provisioning HTTPS"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5060 protocol=udp dst-port=5060 comment="3CX SIP UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5060 protocol=tcp dst-port=5060 comment="3CX SIP TCP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5061 protocol=tcp dst-port=5061 comment="3CX SIP TLS"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5090 protocol=tcp dst-port=5090 comment="3CX Tunnel TCP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5090 protocol=udp dst-port=5090 comment="3CX Tunnel UDP"

ip firewall filter add chain=input action=accept connection-state=established
ip firewall filter add chain=input action=accept connection-state=related
ip firewall filter add chain=forward action=accept connection-state=established
ip firewall filter add chain=forward action=accept connection-state=related
ip firewall filter add chain=forward action=drop connection-state=invalid
ip firewall filter add chain=input action=drop in-interface=ether1
ip firewall nat add chain=srcnat action=masquerade out-interface=ether1


The only other rules I have added are NAT rules for my web server.

Has anybody ever configured an MT router for 3CX before?
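An added sanity check, not part of the original post and not 3CX or MikroTik code, that can be run over the commands pasted above or over a RouterOS /export to confirm that every forward the 3CX guide calls for exists and points at the PBX, and that the SIP service port is disabled. The port list and the PBX address 10.1.1.20 are taken from the post; the sample input is constructed.

```python
import re

# Forwards the 3CX guide (and the rules posted above) expect to reach the PBX.
REQUIRED_FORWARDS = {
    ("tcp", "5001"), ("udp", "5060"), ("tcp", "5060"), ("tcp", "5061"),
    ("udp", "9000-10999"), ("tcp", "5090"), ("udp", "5090"),
}
KV_RE = re.compile(r'([a-z][\w-]*)=("[^"]*"|\S+)')
SECTION_RE = re.compile(r'^/?(ip firewall (?:nat|service-port))\b(.*)$')

def parse_rule(line):
    """Split one RouterOS 'add ...' line into a {key: value} dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def check_3cx_nat(config_text, pbx_ip):
    """Audit pasted RouterOS commands or an /export for the 3CX dst-nat rules.
    Returns the required (proto, dst-port) forwards that are missing, the rule lines
    carrying non-ASCII quotes (paste artefacts), and whether the SIP ALG is disabled."""
    section, forwarded, problems, sip_off = None, set(), [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)          # header line or inline 'ip firewall nat add ...'
        if m:
            section, line = m.group(1), m.group(2).strip()
        if section == "ip firewall nat" and line.startswith("add "):
            rule = parse_rule(line)
            if rule.get("chain") != "dstnat" or rule.get("to-addresses") != pbx_ip:
                continue                    # srcnat, or a forward for some other host
            if "\u201c" in line or "\u201d" in line:
                problems.append(line)       # curly quotes: the CLI will not parse these
            forwarded.add((rule.get("protocol"), rule.get("dst-port")))
        elif section == "ip firewall service-port" and line.startswith("set sip"):
            sip_off = "disabled=yes" in line
    return {"missing": sorted(REQUIRED_FORWARDS - forwarded),
            "problems": problems, "sip_alg_disabled": sip_off}

# Constructed sample: the rules as posted, but with the UDP 5090 tunnel rule left out
# and one comment still carrying the curly quotes from the forum paste.
SAMPLE = """\
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5001 protocol=tcp dst-port=5001 comment=\u201c3CX Presence and Provisioning HTTPS\u201d
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5060 protocol=udp dst-port=5060 comment="3CX SIP UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5060 protocol=tcp dst-port=5060 comment="3CX SIP TCP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5061 protocol=tcp dst-port=5061 comment="3CX SIP TLS"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=5090 protocol=tcp dst-port=5090 comment="3CX Tunnel TCP"
ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
/ip firewall service-port
set sip disabled=yes
"""
```

Running `check_3cx_nat(SAMPLE, "10.1.1.20")` reports the missing UDP 5090 forward and the rule with curly quotes; feed it the text of a real /export to check a live router.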

Don't know about 3CX, but your rules shown are on the crappy side.
In any case, without the full config as evidence, any comment is not all that useful.
/export file=anynameyouwish (minus router serial number, public WAN IP information, long list of DHCP leases)

Yes, I’ve used MikroTik routers with 3CX and they work very well together (once you’ve got all the rules configured correctly). I have several questions about your setup:


  1. Have you assigned an IP to the ether5 interface (e.g.: 10.1.1.1)?
  2. Do you have DHCP running for your DMZ bridge?
  3. Does the 3CX server have a static IP and, if so, have you configured the gateway correctly?
  4. Can you ping an outside address from your 3CX server?


Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:
/export hide-sensitive file=MyConfig
/export file=MyConfig

  1. Yes, ether5 is 10.1.1.1/24
  2. Yes, the bridge is serving DHCP
  3. Yes, the 3CX box has a static private IP of 10.1.1.20.
    -What do you mean by gateway? If you mean a PSTN gateway, I’m not using one.
  4. Yes, I can ping by both IP address and domain name out to the internet (8.8.8.8 and google.com, for example).

In this case, gateway means Internet gateway and refers to the IP address of your router. To see the setting use the following command:

On Windows: PowerShell or Command prompt

ipconfig

On Linux: command prompt (bash shell or terminal)

more /etc/network/interfaces

You will see something similar to one of these screenshots.
Does your MikroTik connect directly to the Internet (i.e.: the IP on ether1 is Internet addressable)? Please attach your MikroTik config (see below for details on how to get that if you don't already know) so that we can give you more detailed help.


Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:
/export hide-sensitive file=MyConfig
/export file=MyConfig