Hi,
I am new to working with MikroTik and I have a special question for the real pros.
I have installed 2 3CX servers in the same network.
3CX 1: 192.168.2.183
3CX 2: 192.168.2.182
Everything works well except the firewall checker! It depends on which rule regarding Media UDP is in front of the other. The first matching rule makes the configured server work. The other server gets error messages like “Full cone test failed” or “Mapping does not match [Port]. Mapping is [DifferentPort]”.
Wow, that's a wide range you are opening the network up to, 9000-10999.
Also, if your to-port is the same as the destination port, it is not required (really only needed if doing port translation before hitting the firewall).
As for firewall rules, they are not complete, but I don't see one allowing port forwarding and I see a non-standard one that could be stated better.
Standard Input Chain Rules blah blah blah…
Last rule: action=drop, covering all directions, not just in-interface WAN
(if you haven't stated traffic as allowed, it should not occur - best practice)
Forward Chain rules…
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
+++ whatever subnets (VLANs etc.) need access to WAN
/ip firewall filter add chain=forward action=accept in-interface=WAN connection-state=new connection-nat-state=dstnat
and of course don't forget the last rule, also valid in the forward chain:
Last rule action=drop
I have 2 3CX servers with the firewall test failing in the WUI, but everything has worked just fine for 3 years now.
If you don’t have any problems with RTP and calls, just ignore it.
Methinks 3CX is a bit dumb in that regard.
Hi, I did! One server is working really well. But the other one has troubles with the RTP ports. When I asked 3CX they told me it must be something with the MikroTik router, because the firewall checker is using the new, changed ports. But it doesn't work without full cone errors…
No. Using 9000-10999 UDP
One server per public IP.
All ports are UDP except http and https
I recall the range has been increased in some update. Make sure you are using the new range.
OK, but how can you make sure both servers are using (sharing) the same port range for RTP ports? As far as I know, on a MikroTik router you are only able to forward to one specific server?
The only way is if one uses port translation.
Two servers behind the same NAT cannot use the same ports in general.
But if the destination ports (what outside users are coming in on) are different, then the router will keep track of back-and-forth traffic (I think).
So, destination port=50 for 192.168.0.10 to-ports=50 should be fine.
So, destination port=100 for 192.168.20.10 to-ports=50 should be fine.
@stoneage
What I want to suggest is to simplify the NAT rules as @anav proposed, for Server 1 and 2.
Use the default filter rules. You don’t need to add or change them.
Do not use the default values during installation of 3CX Server 2, but use the ports you want to use. After installation you cannot change them anymore.
After installing Server 2 log into 3CX, go to Settings > Parameters and check or change FIRSTEXTPORT: 11000 and LASTEXTPORT: 12499.
Also check or change WEBRTC_WRTC_FIRST_PORT: 12500 and WEBRTC_WRTC_LAST_PORT: 12999.
Let's hope this will not conflict with the IVR_RTP range, which is running in 12000-13999.
I've tried to reduce the port range for both servers. My actual configuration now is:
3CX 1
FIRSTEXTPORT on port 9000
LASTEXTPORT on port 9499
WEBRTC_WRTC_FIRST_PORT on port 9500
WEBRTC_WRTC_LAST_PORT on port 9999
3CX 2
FIRSTEXTPORT on port 10000
LASTEXTPORT on port 10499
WEBRTC_WRTC_FIRST_PORT on port 10500
WEBRTC_WRTC_LAST_PORT on port 10999
Now nearly everything works, BUT now I get the problem with SIP ALG… and the first port has the full cone problem. Any idea?
The other thing is that SIP ALG is already disabled on the MikroTik (!)
RouterBOARD firmware and software version is 6.46.4 (latest stable version).
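As an added illustration (not posted by anyone in this thread), here is how the NAT simplification suggested above combines with the reduced, non-overlapping port ranges from this post. It assumes the Internet-facing interface is named WAN and that the servers keep the addresses from the start of the thread, 192.168.2.183 (3CX 1) and 192.168.2.182 (3CX 2).

```routeros
# Added example, not from the thread: one UDP range per 3CX server, no overlap.
# Assumption: the Internet-facing interface is called "WAN"; adjust to your setup.
/ip firewall nat
# 3CX 1 (192.168.2.183): FIRSTEXTPORT/LASTEXTPORT 9000-9499, WebRTC 9500-9999
add chain=dstnat in-interface=WAN protocol=udp dst-port=9000-9999 \
    action=dst-nat to-addresses=192.168.2.183 comment="3CX 1 RTP + WebRTC"
# 3CX 2 (192.168.2.182): FIRSTEXTPORT/LASTEXTPORT 10000-10499, WebRTC 10500-10999
add chain=dstnat in-interface=WAN protocol=udp dst-port=10000-10999 \
    action=dst-nat to-addresses=192.168.2.182 comment="3CX 2 RTP + WebRTC"
# No to-ports on either rule: external and internal port are identical, so there is
# no port translation and the 3CX firewall checker sees the mapping it expects.

/ip firewall filter
# Allow only connections that were actually dst-natted; everything else arriving on
# WAN still falls through to the final action=drop rule of the forward chain.
# Insert this above that final drop (e.g. with place-before=<drop rule number>).
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=WAN comment="allow port-forwarded traffic"

/ip firewall service-port
# Keep the SIP helper (ALG) off so RouterOS does not rewrite SIP/SDP payloads.
disable sip
```

Because the two ranges do not overlap, the first matching rule problem from the opening post disappears: each server's UDP range is claimed by exactly one dst-nat rule.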
Please show the (new) NAT rules of 3CX 1 and 3CX 2
Why did you decide to reduce the port range?
I am missing the results of the firewall checker of 3CX 1.
Are the PBXs running on Debian or Windows?
If Debian, please check iptables.
If Windows, please check the firewall rules or disable the firewall completely
It's the same output, just different ports.
I am using Linux, I think it's Debian? But it's the image built by 3CX, and I have no idea what credentials to use to log in via PuTTY (SSH)?
3CX has a packet capture facility. Do a packet capture on the 3CX server and view it in Wireshark to make sure the correct port numbers are received by the 3CX server from the MikroTik. If yes, then log a call with 3CX; if no, come back here with the packet capture details.
Hi!
It took me some time, but now I know it was something caused by my TP-Link router.
I am now using the MikroTik LHG LTE6 Kit (RBLHGR&R11e-LTE6). Now the public IP is directly on the WAN interface of the MikroTik router… everything is passed through, so everything works now.