Topic: m0n0wall & 3CX Voip Server - Problems.  (Read 8725 times)
« on: September 29, 2008, 21:44:49 »
Gilrod *
Posts: 15

We're about to add a VOIP system in our offices, and I am currently doing the pre-load of the server and indeed our m0n0wall...

It requires the following ...

Ports:
SIP Port = 5060
Ports for external calls = 9000 - 9015
Ports for internal calls = 7000 - 7499

Stun Server Settings:
Stun Server = stun.sipgate.net
Stun Port = 10000

My problem is thus ...

3CX has a built-in "firewall test" which does a couple of tests for the connection etc. However, it is constantly failing with the following error messages. Now, I'm not that good at this sort of stuff, so my limited knowledge of NAT etc. is now at its limits, so any info/help/pointers would be well received...

Code:
1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 78.105.115.233:49608
2 9000 Error (6) An incompatible NAT configuration has been detected. Please check FAQ for further information. addrFromAgent = 78.105.115.233:9000addrFromSTUN = 78.105.115.233:49608
3 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
4 9000 Error (10) Port is open, but port number has been changed during NAT translation. THIS ERROR means you have Symmetric NAT and you do not have STATIC PORT MAPPINGS in place. 3CX Phone System will not communicated correctly with your VOIP provider or external extensions. See this FAQ: http://www.3cx.com/support/firewal-checker.html

The above repeats for the entire 9000-9015 range.

Thanks in advance.

Stewart



* whatamimissing.jpg (26.13 KB, 510x119 - viewed 440 times.)
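The checker rows quoted in the post above carry the local port (second column) and the address the STUN server saw (`addrFromSTUN`); comparing the two shows whether the firewall renumbered the source port on the way out. The following is an added example, not part of the original post and not 3CX code: the function names are hypothetical and the row layout is assumed from the quoted output.

```python
import re

# Rows 1-3 of the checker output quoted in the post above (public IP as posted).
SAMPLE = """\
1 9000 Error (4) The STUN server returned an ip which is not accessible from outside. addrFromSTUN = 78.105.115.233:49608
2 9000 Error (6) An incompatible NAT configuration has been detected. Please check FAQ for further information. addrFromAgent = 78.105.115.233:9000addrFromSTUN = 78.105.115.233:49608
3 9000 Warning (8) Local port is not blocked from outside. STUN server has returned global port different from the local one, but the local port is also accessible from outside.
"""

# Assumed row layout: <row> <local port> <severity> (<code>) <message>
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+(Error|Warning)\s+\((\d+)\)")
STUN = re.compile(r"addrFromSTUN\s*=\s*([\d.]+):(\d+)")

def parse_checker_output(text):
    """Return one finding per row: local port, severity, code, STUN-mapped address."""
    findings = []
    for line in text.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # not a checker row
        mapped = STUN.search(line)  # absent on rows that report no address
        findings.append({
            "local_port": int(row.group(1)),
            "severity": row.group(2),
            "code": int(row.group(3)),
            "mapped_ip": mapped.group(1) if mapped else None,
            "mapped_port": int(mapped.group(2)) if mapped else None,
        })
    return findings

def rewritten_ports(findings):
    """Map local port -> external port for every port the NAT renumbered."""
    return {f["local_port"]: f["mapped_port"] for f in findings
            if f["mapped_port"] is not None and f["mapped_port"] != f["local_port"]}

def needs_static_port(findings, rtp_range=range(9000, 9016)):
    """True if any port in the external-call range (9000-9015) was renumbered."""
    return any(port in rtp_range for port in rewritten_ports(findings))

if __name__ == "__main__":
    found = parse_checker_output(SAMPLE)
    print(rewritten_ports(found), needs_static_port(found))
```
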
« Reply #1 on: October 01, 2008, 13:59:55 »
Gilrod *
Posts: 15

Hi...

I'm surprised no one can advise on this at all?! I mean 50 views of the topic and no one has chimed in.

I don't mind admitting I am a total dunce at this type of stuff, but please, can someone offer any constructive advice?

Thanks.

« Reply #2 on: October 04, 2008, 20:19:42 »
Gilrod *
Posts: 15

I'm impressed 140+ topic reads and 1 reply, from me.

Some of you must be able to help with my issue?! Not even "Have you tried this" "have you tried that" Huh??
« Reply #3 on: October 07, 2008, 12:09:21 »
Osa2 *
Posts: 15

I'll try to help but I'm also a monowall noob.

Did you make NAT entries? Assigned the ports in NAT?
Then check the rules on the WAN side. Make sure all the allows are in front of the blocks.
It goes rule by rule. If you first have a rule which blocks data, the allow rule isn't good anymore. You need to allow things first and then block.

Maybe you can check this.
« Reply #4 on: October 07, 2008, 16:08:26 »
Gilrod *
Posts: 15

> I'll try to help but I'm also a monowall noob.
>
> Did you make NAT entries? Assigned the ports in NAT?
> Then check the rules on the WAN side. Make sure all the allows are in front of the blocks.
> It goes rule by rule. If you first have a rule which blocks data, the allow rule isn't good anymore. You need to allow things first and then block.
>
> Maybe you can check this.


<wwhhhooooooooooooooooooossssssssshhhh>

That's the sound of what you just said going over my head :-/

Are you on skype or msn or something?
« Reply #5 on: October 07, 2008, 16:33:12 »
Gilrod *
Posts: 15

Well, I've done something, just not sure what...

As now the firewall test passes, however the line is not active Huh?
« Reply #6 on: October 07, 2008, 16:45:35 »
Gilrod *
Posts: 15

Scratch that, it's failing again :-/

« Reply #7 on: October 07, 2008, 22:59:12 »
Osa2 *
Posts: 15

Sorry, it sounded too technical.
When you go to your monowall:

On the left-hand side you have the menus.
One is called Rules.
One is called NAT.


Did you make rules in the section NAT?
If not, things won't work if your firewall is also a router and so your clients, like the 3CX system, are behind NAT. So you need to set forwarders for your NAT devices.
When this is set, you need to make firewall rules.
This is done in the section above NAT.
Here you have LAN rules, typically LAN -> any,
and WAN rules: the ones you want to let through the firewall.

I.e. PORT 10000 for your STUN server.
The firewall reads down the list. The first rule it sees, it tries to do. If the first rule is to block all incoming traffic, everything is blocked.

I hope you understand it now. Otherwise I'll show you in a picture.

Regards,

Osa2
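The first-match behaviour described in the reply above, as an added example that is not part of the original thread and not m0n0wall code: it evaluates a rule list top to bottom and reports pass rules that an earlier block makes unreachable. The `Rule` model, the UDP protocol for the 3CX ports and the default-block fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "udp", "tcp" or "any"
    ports: range  # destination ports this rule matches

def decide(rules, proto, port, default="block"):
    """First matching rule wins; later rules are never consulted."""
    for rule in rules:
        if rule.proto in ("any", proto) and port in rule.ports:
            return rule.action
    return default  # assumed: nothing matched, so the packet is dropped

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (outer.proto in ("any", inner.proto)
            and outer.ports.start <= inner.ports.start
            and inner.ports.stop <= outer.ports.stop)

def shadowed(rules):
    """(index, index of earlier rule) for rules an earlier opposite rule overrides."""
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later) and rules[i].action != later.action:
                hits.append((j, i))
                break
    return hits

# Constructed rule sets using the ports listed in the first post (UDP assumed).
SIP = Rule("pass", "udp", range(5060, 5061))
EXTERNAL_CALLS = Rule("pass", "udp", range(9000, 9016))
BLOCK_ALL = Rule("block", "any", ANY_PORT)

BLOCK_FIRST = [BLOCK_ALL, SIP, EXTERNAL_CALLS]   # the allows can never match
ALLOW_FIRST = [SIP, EXTERNAL_CALLS, BLOCK_ALL]   # allows, then the catch-all block

if __name__ == "__main__":
    print(decide(BLOCK_FIRST, "udp", 5060), shadowed(BLOCK_FIRST))
    print(decide(ALLOW_FIRST, "udp", 5060), shadowed(ALLOW_FIRST))
```
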

« Reply #8 on: October 07, 2008, 23:49:31 »
Gilrod *
Posts: 15

Ah no, I got that bit :)

I've been told my problem is down to m0n0wall portmapping, however as you know for VOIP portmapping cannot happen, so I set up a rule in NAT Outbound for port 10000 but that allowed the firewall test to PASS, but ...

1. I can't actually connect to SIPGATE
2. No other net traffic works.

Attached are 2 images of my NAT and FIREWALL settings, I suspect there is something REALLY obvious that I am just missing...




* natinbound.jpg (67.28 KB, 583x587 - viewed 524 times.)

* firewall.jpg (92.77 KB, 581x778 - viewed 446 times.)
« Reply #9 on: October 08, 2008, 12:45:15 »
Osa2 *
Posts: 15

Be very careful with your first line.
The test rule.

It allows ALL traffic to the WAN, which makes your firewall obsolete.
The rest seems okay at first sight.
« Reply #10 on: October 08, 2008, 12:47:51 »
Gilrod *
Posts: 15

yeah the first line is NOT active, hence it's a dull colour.

The setup might look ok, but it's not right as the damned thing doesn't work :)

As I said in my post it's to do with port mapping getting in the way, which apparently is an issue that m0n0wall has; but I've seen some people posting saying that they've got it working.
« Reply #11 on: October 09, 2008, 12:14:37 »
Osa2 *
Posts: 15

Can you also send your LAN side's setup rules?

Have you made all available from LAN -> ANY??


« Reply #12 on: October 09, 2008, 12:21:47 »
Gilrod *
Posts: 15

Yeah, LAN is ANY, so there is a single rule for that.
« Reply #13 on: October 09, 2008, 13:35:41 »
Osa2 *
Posts: 15

Maybe you can ask 3CX what settings need to be set in the firewall??

I haven't worked with 3CX VOIP systems.
I use ASKOZIA PBX and the firewall works.

Telephone system works from LAN side to WAN.
Incoming calls go through my ISDN phone system. I use a vox card to connect it to my VoIP telephones.
« Reply #14 on: October 14, 2008, 14:44:15 »
Osa2 *
Posts: 15

Did you get some information from 3CX on which ports should be enabled etc.??