Problemas con firewall despues de cambiar de v15 a v16

[giovare]

Hola a todos, el test de firewall me da error en la nueva version. Tengo un router asus rt ac88u con los puertos abiertos desde la version anterior, sin embargo, esto es lo que me muestra ahora el sistema.

• resolving 'stun-us.3cx.com'... done
• resolving 'stun2.3cx.com'... done
• resolving 'stun3.3cx.com'... done
• resolving 'sip-alg-detector.3cx.com'... done
• testing 3CX SIP Server... done
  • stopping service... done
  • detecting SIP ALG... not detected
  • testing port 5060... done
  • starting service... done
• testing 3CX Tunneling Proxy... done
  • stopping service... done
  • testing port 5090... done
  • starting service... done
• testing 3CX Media Server... failed (How to resolve?)
  • stopping service... done
  • testing ports [9000..9398]... failed (How to resolve?)
    • testing port 9000... done
    • testing port 9002... Mapping does not match 9002. Mapping is 9000. (How to resolve?)
    • testing port 9004... Mapping does not match 9004. Mapping is 9000. (How to resolve?)
    • testing port 9006... Mapping does not match 9006. Mapping is 9000. (How to resolve?)
    • testing port 9008... Mapping does not match 9008. Mapping is 9000. (How to resolve?)
    • testing port 9010... Mapping does not match 9010. Mapping is 9000. (How to resolve?) Agradezco su pronta ayuda.

 

[Alejandro_3CX]

Hola @giovare el error que muestra no tiene nada que ver con que la central esté en la v16 o v15.5

Ese error simplemente indica que no hay una preservación de puertos, quiere decir que los puertos están siendo cambiados externamente por otro puerto, a esto se le conoce como remapeo.

Asegúrate de no estar usando Source Port Remap, igualmente puede que tu configuración esté bien pero el remapeo lo esté ejecutando tu proveedor de internet al no usar internet corporativo.

La preservación de puertos indica que si la central envía una solicitud interna con puerto 5060 por ejemplo, entonces en la solicitud externa ese puerto debe prevalecer y no ser alterado por otro puerto.

Esto garantizará la conectividad con la central.

Te dejo la siguiente documentación referente a la Verificación del Firewall:

https://www.3cx.com/docs/troubleshooting-firewall-checker/

https://www.3cx.com/docs/firewall-checker/

Ahí se encuentra el siguiente texto:

Port Preservation

Port preservation is another key factor which is checked by the firewall checker. It detects if the firewall alters the port during the LAN IP to WAN IP translation. Technically speaking this should not matter, however it depends on the provider’s implementation whether they reply to the transport source port of 3CX Phone System seen in the UDP header rather than what is defined by the RFC. The RFC defines that a SIP server MUST reply to the defined “contact” IP and Port which is in the content of the SIP message. In order to eliminate any “maybies” the firewall checker also validates this mapping. It is required that if a SIP message is generated locally by 3CX Phone System from the source port 5060 (default SIP Port) then translated to the public IP Address (WAN IP) the port, in this case 5060, remains unchanged.

To do this the firewall checker will run two independent tests with the first configured STUN Server in your system. By default this is set to stun.3cx.com. It is highly recommended that this is not altered. Overall, the firewall checker is a programmatic way to detect your public IP address, similar to using a website like “what is my IP”, but is extended to also check the port.

Un saludo!

 

[giovare]

Gracias por tu respuesta Alejandro, pero no entiendo que pasa, pq en el router no hubo modificaciones, y en v15 no me daba error el firewall checker de 3cx. Sigo sin poder resolver.

 

[Sisteltec]

Hola, a mi también me pasa con la versión 16 pero solo en un puerto:

• testing port 10690... done
• testing port 10692... done
• testing port 10694... done
• testing port 10696... done
• testing port 10698... Mapping does not match 10698. Mapping is 10696.

 

[giovare]

Pues a pesar del problema y de que a mi me pasa en casi todos los puertos la central esta funcionando normal, me preocupa que efectos puede traer esta situacion que aun no haya detectado. Ya borre la configuracion del servidor virtual y los puertos udp de 3cx en el router y la reescribi, reinicie el router y volvi a verificar y sigue dando error el firewall checker.

 

[Alejandro_3CX]

El error de remapeo como les indiqué, se debe a que el puerto en la solicitud externa está siendo alterado por otro puerto. Ese remapeo te permitirá usar la central pero simplemente no garantiza una conexión externa al 100%.

Esto puede deberse también a tu proveedor que esté cambiando estos puertos.

Por otro lado si no vas a usar telefónos IP remotos por STUN ni troncales VoIP con algún proveedor entonces esos puertos no tienen porque importante, más bien deberías dejar abiertos solamente aquellos puertos en uso. El puerto del túnel lo puedes dejar abierto públicamente sin problema.

Tengo una central en la versión 16 con todo configurado e internet corporativo y la prueba es validada al 100%.

Con esto quiero demostrarle que no existe ningún tema/problema asociado a la versión 16

• resolving 'stun-sa.3cx.com'... done
• resolving 'stun2.3cx.com'... done
• resolving 'stun3.3cx.com'... done
• resolving 'sip-alg-detector.3cx.com'... done
• testing 3CX SIP Server... done
  • stopping service... done
  • detecting SIP ALG... not detected
  • testing port 5060... done
  • starting service... done
• testing 3CX Tunneling Proxy... done
  • stopping service... done
  • testing port 5090... done
  • starting service... done
• testing 3CX Media Server... done
  • stopping service... done
  • testing ports [9000..9398]... done
    • testing port 9000... done
    • testing port 9002... done
    • testing port 9004... done
    • testing port 9006... done
    • testing port 9008... done
    • testing port 9010... done
    • testing port 9012... done
    • testing port 9014... done
    • testing port 9016... done
    • testing port 9018... done
    • testing port 9020... done
    • testing port 9022... done
    • testing port 9024... done
    • testing port 9026... done
    • testing port 9028... done
    • testing port 9030... done
    • testing port 9032... done
    • testing port 9034... done
    • testing port 9036... done
    • testing port 9038... done
    • testing port 9040... done
    • testing port 9042... done
    • testing port 9044... done
    • testing port 9046... done
    • testing port 9048... done
    • testing port 9050... done
    • testing port 9052... done
    • testing port 9054... done
    • testing port 9056... done
    • testing port 9058... done
    • testing port 9060... done
    • testing port 9062... done
    • testing port 9064... done
    • testing port 9066... done
    • testing port 9068... done
    • testing port 9070... done
    • testing port 9072... done
    • testing port 9074... done
    • testing port 9076... done
    • testing port 9078... done
    • testing port 9080... done
    • testing port 9082... done
    • testing port 9084... done
    • testing port 9086... done
    • testing port 9088... done
    • testing port 9090... done
    • testing port 9092... done
    • testing port 9094... done
    • testing port 9096... done
    • testing port 9098... done
    • testing port 9100... done
    • testing port 9102... done
    • testing port 9104... done
    • testing port 9106... done
    • testing port 9108... done
    • testing port 9110... done
    • testing port 9112... done
    • testing port 9114... done
    • testing port 9116... done
    • testing port 9118... done
    • testing port 9120... done
    • testing port 9122... done
    • testing port 9124... done
    • testing port 9126... done
    • testing port 9128... done
    • testing port 9130... done
    • testing port 9132... done
    • testing port 9134... done
    • testing port 9136... done
    • testing port 9138... done
    • testing port 9140... done
    • testing port 9142... done
    • testing port 9144... done
    • testing port 9146... done
    • testing port 9148... done
    • testing port 9150... done
    • testing port 9152... done
    • testing port 9154... done
    • testing port 9156... done
    • testing port 9158... done
    • testing port 9160... done
    • testing port 9162... done
    • testing port 9164... done
    • testing port 9166... done
    • testing port 9168... done
    • testing port 9170... done
    • testing port 9172... done
    • testing port 9174... done
    • testing port 9176... done
    • testing port 9178... done
    • testing port 9180... done
    • testing port 9182... done
    • testing port 9184... done
    • testing port 9186... done
    • testing port 9188... done
    • testing port 9190... done
    • testing port 9192... done
    • testing port 9194... done
    • testing port 9196... done
    • testing port 9198... done
    • testing port 9200... done
    • testing port 9202... done
    • testing port 9204... done
    • testing port 9206... done
    • testing port 9208... done
    • testing port 9210... done
    • testing port 9212... done
    • testing port 9214... done
    • testing port 9216... done
    • testing port 9218... done
    • testing port 9220... done
    • testing port 9222... done
    • testing port 9224... done
    • testing port 9226... done
    • testing port 9228... done
    • testing port 9230... done
    • testing port 9232... done
    • testing port 9234... done
    • testing port 9236... done
    • testing port 9238... done
    • testing port 9240... done
    • testing port 9242... done
    • testing port 9244... done
    • testing port 9246... done
    • testing port 9248... done
    • testing port 9250... done
    • testing port 9252... done
    • testing port 9254... done
    • testing port 9256... done
    • testing port 9258... done
    • testing port 9260... done
    • testing port 9262... done
    • testing port 9264... done
    • testing port 9266... done
    • testing port 9268... done
    • testing port 9270... done
    • testing port 9272... done
    • testing port 9274... done
    • testing port 9276... done
    • testing port 9278... done
    • testing port 9280... done
    • testing port 9282... done
    • testing port 9284... done
    • testing port 9286... done
    • testing port 9288... done
    • testing port 9290... done
    • testing port 9292... done
    • testing port 9294... done
    • testing port 9296... done
    • testing port 9298... done
    • testing port 9300... done
    • testing port 9302... done
    • testing port 9304... done
    • testing port 9306... done
    • testing port 9308... done
    • testing port 9310... done
    • testing port 9312... done
    • testing port 9314... done
    • testing port 9316... done
    • testing port 9318... done
    • testing port 9320... done
    • testing port 9322... done
    • testing port 9324... done
    • testing port 9326... done
    • testing port 9328... done
    • testing port 9330... done
    • testing port 9332... done
    • testing port 9334... done
    • testing port 9336... done
    • testing port 9338... done
    • testing port 9340... done
    • testing port 9342... done
    • testing port 9344... done
    • testing port 9346... done
    • testing port 9348... done
    • testing port 9350... done
    • testing port 9352... done
    • testing port 9354... done
    • testing port 9356... done
    • testing port 9358... done
    • testing port 9360... done
    • testing port 9362... done
    • testing port 9364... done
    • testing port 9366... done
    • testing port 9368... done
    • testing port 9370... done
    • testing port 9372... done
    • testing port 9374... done
    • testing port 9376... done
    • testing port 9378... done
    • testing port 9380... done
    • testing port 9382... done
    • testing port 9384... done
    • testing port 9386... done
    • testing port 9388... done
    • testing port 9390... done
    • testing port 9392... done
    • testing port 9394... done
    • testing port 9396... done
    • testing port 9398... done
  • testing ports [10600..10998]... done
    • testing port 10600... done
    • testing port 10602... done
    • testing port 10604... done
    • testing port 10606... done
    • testing port 10608... done
    • testing port 10610... done
    • testing port 10612... done
    • testing port 10614... done
    • testing port 10616... done
    • testing port 10618... done
    • testing port 10620... done
    • testing port 10622... done
    • testing port 10624... done
    • testing port 10626... done
    • testing port 10628... done
    • testing port 10630... done
    • testing port 10632... done
    • testing port 10634... done
    • testing port 10636... done
    • testing port 10638... done
    • testing port 10640... done
    • testing port 10642... done
    • testing port 10644... done
    • testing port 10646... done
    • testing port 10648... done
    • testing port 10650... done
    • testing port 10652... done
    • testing port 10654... done
    • testing port 10656... done
    • testing port 10658... done
    • testing port 10660... done
    • testing port 10662... done
    • testing port 10664... done
    • testing port 10666... done
    • testing port 10668... done
    • testing port 10670... done
    • testing port 10672... done
    • testing port 10674... done
    • testing port 10676... done
    • testing port 10678... done
    • testing port 10680... done
    • testing port 10682... done
    • testing port 10684... done
    • testing port 10686... done
    • testing port 10688... done
    • testing port 10690... done
    • testing port 10692... done
    • testing port 10694... done
    • testing port 10696... done
    • testing port 10698... done
    • testing port 10700... done
    • testing port 10702... done
    • testing port 10704... done
    • testing port 10706... done
    • testing port 10708... done
    • testing port 10710... done
    • testing port 10712... done
    • testing port 10714... done
    • testing port 10716... done
    • testing port 10718... done
    • testing port 10720... done
    • testing port 10722... done
    • testing port 10724... done
    • testing port 10726... done
    • testing port 10728... done
    • testing port 10730... done
    • testing port 10732... done
    • testing port 10734... done
    • testing port 10736... done
    • testing port 10738... done
    • testing port 10740... done
    • testing port 10742... done
    • testing port 10744... done
    • testing port 10746... done
    • testing port 10748... done
    • testing port 10750... done
    • testing port 10752... done
    • testing port 10754... done
    • testing port 10756... done
    • testing port 10758... done
    • testing port 10760... done
    • testing port 10762... done
    • testing port 10764... done
    • testing port 10766... done
    • testing port 10768... done
    • testing port 10770... done
    • testing port 10772... done
    • testing port 10774... done
    • testing port 10776... done
    • testing port 10778... done
    • testing port 10780... done
    • testing port 10782... done
    • testing port 10784... done
    • testing port 10786... done
    • testing port 10788... done
    • testing port 10790... done
    • testing port 10792... done
    • testing port 10794... done
    • testing port 10796... done
    • testing port 10798... done
    • testing port 10800... done
    • testing port 10802... done
    • testing port 10804... done
    • testing port 10806... done
    • testing port 10808... done
    • testing port 10810... done
    • testing port 10812... done
    • testing port 10814... done
    • testing port 10816... done
    • testing port 10818... done
    • testing port 10820... done
    • testing port 10822... done
    • testing port 10824... done
    • testing port 10826... done
    • testing port 10828... done
    • testing port 10830... done
    • testing port 10832... done
    • testing port 10834... done
    • testing port 10836... done
    • testing port 10838... done
    • testing port 10840... done
    • testing port 10842... done
    • testing port 10844... done
    • testing port 10846... done
    • testing port 10848... done
    • testing port 10850... done
    • testing port 10852... done
    • testing port 10854... done
    • testing port 10856... done
    • testing port 10858... done
    • testing port 10860... done
    • testing port 10862... done
    • testing port 10864... done
    • testing port 10866... done
    • testing port 10868... done
    • testing port 10870... done
    • testing port 10872... done
    • testing port 10874... done
    • testing port 10876... done
    • testing port 10878... done
    • testing port 10880... done
    • testing port 10882... done
    • testing port 10884... done
    • testing port 10886... done
    • testing port 10888... done
    • testing port 10890... done
    • testing port 10892... done
    • testing port 10894... done
    • testing port 10896... done
    • testing port 10898... done
    • testing port 10900... done
    • testing port 10902... done
    • testing port 10904... done
    • testing port 10906... done
    • testing port 10908... done
    • testing port 10910... done
    • testing port 10912... done
    • testing port 10914... done
    • testing port 10916... done
    • testing port 10918... done
    • testing port 10920... done
    • testing port 10922... done
    • testing port 10924... done
    • testing port 10926... done
    • testing port 10928... done
    • testing port 10930... done
    • testing port 10932... done
    • testing port 10934... done
    • testing port 10936... done
    • testing port 10938... done
    • testing port 10940... done
    • testing port 10942... done
    • testing port 10944... done
    • testing port 10946... done
    • testing port 10948... done
    • testing port 10950... done
    • testing port 10952... done
    • testing port 10954... done
    • testing port 10956... done
    • testing port 10958... done
    • testing port 10960... done
    • testing port 10962... done
    • testing port 10964... done
    • testing port 10966... done
    • testing port 10968... done
    • testing port 10970... done
    • testing port 10972... done
    • testing port 10974... done
    • testing port 10976... done
    • testing port 10978... done
    • testing port 10980... done
    • testing port 10982... done
    • testing port 10984... done
    • testing port 10986... done
    • testing port 10988... done
    • testing port 10990... done
    • testing port 10992... done
    • testing port 10994... done
    • testing port 10996... done
    • testing port 10998... done
  • starting service... done

 

[giovare]

Gracias Alejandro, mi cuenta con mi isp tambien es corporativa con ip publica fija, como puedo revisar si ahi es donde me causa el problema, pq si estoy usando una troncal de un proveedor voip. Aunque aparentemente me esta funcionando todo normal como ya te mencione.

 

[Alejandro_3CX]

@giovare puedes hacer una captura con wireshark, ejecutar la verificación de firewall y revisar tu resultado como muestra la siguiente guia en el TEST 1:

https://www.3cx.com/docs/firewall-checker/