Hi,
I am new to work with mikrotik and I have a special question to real pros
I have installed 2 3CX servers in the same network.
3CX 1: 192.168.2.183
3CX 2: 192.168.2.182

My Firewall Config looks like this:

(PORTS FOR 3CX 1:)

nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=5001 protocol=tcp dst-port=5001 in-interface-list=WAN comment="3CX Presence and Provisioning HTTPS"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=5060 protocol=udp dst-port=5060 in-interface-list=WAN comment="3CX SIP UDP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=5060 protocol=tcp dst-port=5060 in-interface-list=WAN comment="3CX SIP TCP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=5061 protocol=tcp dst-port=5061 in-interface-list=WAN comment="3CX SIP TLS"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=9000-10999 protocol=udp dst-port=9000-10999 in-interface-list=WAN comment="3CX Media UDP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=5090 protocol=tcp dst-port=5090 in-interface-list=WAN comment="3CX Tunnel TCP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 to-ports=5090 protocol=udp dst-port=5090 in-interface-list=WAN comment="3CX Tunnel UDP"

/ip firewall filter add chain=input action=accept connection-state=established comment="3CX"
/ip firewall filter add chain=input action=accept connection-state=related
/ip firewall filter add chain=forward action=accept connection-state=established
/ip firewall filter add chain=forward action=accept connection-state=related
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=input action=drop in-interface=WAN
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN comment="3CX MASQ"

(PORTS FOR 3CX 2:)

nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=5101 protocol=tcp dst-port=5101 in-interface-list=WAN comment="3CX-Test Presence and Provisioning HTTPS"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=5160 protocol=udp dst-port=5160 in-interface-list=WAN comment="3CX-Test SIP UDP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=5160 protocol=tcp dst-port=5160 in-interface-list=WAN comment="3CX-Test SIP TCP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=5161 protocol=tcp dst-port=5161 in-interface-list=WAN comment="3CX-Test SIP TLS"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=11000-12999 protocol=udp dst-port=11000-12999 in-interface-list=WAN comment="3CX-Test Media UDP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=5190 protocol=tcp dst-port=5190 in-interface-list=WAN comment="3CX-Test Tunnel TCP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.182 to-ports=5190 protocol=udp dst-port=5190 in-interface-list=WAN comment="3CX-Test Tunnel UDP"

everything works well except the firewall checker! It depends which rule regarding Media UDP is in front of the other. The first matching rule makes the configured server work. The other Server is getting error messages like "Full cone test failed" or "Mapping does not match [Port]. Mapping is [DifferentPort]"

No idea how to get this working?

bests, Christian

This is more a question for 3cx forum

Hm, I only run one 3CX server behind a Mikrotik router, but your nat and filter settings look fine. You did disable the sip alg, did you?

Wow, thats a wide range you are opening up the network too, 9000-10,999
Also if your too port is the same as the destination port, it is not required (really only needed if doing port translation before hitting the firewall).

I would simplify as well.........
(PORTS FOR 3CX 1:)

nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 protocol=tcpdst-port=5001, 5060, 5061, 5090 in-interface-list=WAN comment="3CX Server 1 TCP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 protocol=udpdst-port=5060, 5090, 9000-10999 in-interface-list=WAN comment="3CX Server1 UDP"

Standard sourcnat rule seems fine:
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN comment="3CX MASQ"

As for firewall rules, they are not complete but I dont see one allowing port forwarding and I see a non standard one that could be stated better.

Standard Input Chain Rules blah blah blah...........
Last rule action=drop. covering all directions not just in-interface WAN
(if you haven't stated traffic as allowed it should not occur - best practices)

Forward Chain rules....
/ip firewall filter add chain=forward action=accept connection-state=established, related
/ip firewall filter add chain=forward action=drop connection-state=invalid
+++ whatever subnets(vlans etc) need access to WAN
/ip firewall filter add chain=forward action=forward in-interface=WAN connection-state=new connection-NAT-state=dstnat

and of course dont forget the last rule also valid in the forward chain
Last rule action=drop

@anav,

Ports 9000 - 10999 is rtp ports, required for the voip audio, need 2 per voip conversation so nothing wrong there

I have 2 3CX servers with firewall test failed on WUI, but everything works just fine for 3 years now.
If you don't have any problems with RTP and calls, just ignore it.
Me thinks 3CX is a bit dumb in that regard.

I have 2 3CX servers with firewall test failed on WUI, but everything works just fine for 3 years now.
If you don't have any problems with RTP and calls, just ignore it.
Me thinks 3CX is a bit dumb in that regard.

Hi!

are you using different ports for RTP on both servers?

bests, Christian

Wow, thats a wide range you are opening up the network too, 9000-10,999
Also if your too port is the same as the destination port, it is not required (really only needed if doing port translation before hitting the firewall).

I would simplify as well.........
(PORTS FOR 3CX 1:)

nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 protocol=tcpdst-port=5001, 5060, 5061, 5090 in-interface-list=WAN comment="3CX Server 1 TCP"
nat / ip防火墙添加链= = dst-nat t dstnat行动o-addresses=192.168.2.183 protocol=udpdst-port=5060, 5090, 9000-10999 in-interface-list=WAN comment="3CX Server1 UDP"

Standard sourcnat rule seems fine:
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN comment="3CX MASQ"

As for firewall rules, they are not complete but I dont see one allowing port forwarding and I see a non standard one that could be stated better.

Standard Input Chain Rules blah blah blah...........
Last rule action=drop. covering all directions not just in-interface WAN
(if you haven't stated traffic as allowed it should not occur - best practices)

Forward Chain rules....
/ip firewall filter add chain=forward action=accept connection-state=established, related
/ip firewall filter add chain=forward action=drop connection-state=invalid
+++ whatever subnets(vlans etc) need access to WAN
/ip firewall filter add chain=forward action=forward in-interface=WAN connection-state=new connection-NAT-state=dstnat

and of course dont forget the last rule also valid in the forward chain
Last rule action=drop

Hi, I did! One server is working really well. But the other one has troubles with the RTP Ports. When I asked 3CX they told me it must be something with the mikrotik router - because the firewall checker is using the new changed ports. But it doesnt work without full cone errors.....

bests, Christian

I have 2 3CX servers with firewall test failed on WUI, but everything works just fine for 3 years now.
If you don't have any problems with RTP and calls, just ignore it.
Me thinks 3CX is a bit dumb in that regard.

Hi!

are you using different ports for RTP on both servers?

bests, Christian

No. Using 9000-10999 UDP
One server per public IP.
All ports are UDP except http and https
我记得范围has been increased in some update. Make sure you are using the new range.

I have 2 3CX servers with firewall test failed on WUI, but everything works just fine for 3 years now.
If you don't have any problems with RTP and calls, just ignore it.
Me thinks 3CX is a bit dumb in that regard.

Hi!

are you using different ports for RTP on both servers?

bests, Christian

No. Using 9000-10999 UDP
One server per public IP.
All ports are UDP except http and https
我记得范围has been increased in some update. Make sure you are using the new range.

Ok - but how can you take care both servers are using (sharing) the same portrange for RTP ports? As far as I know in on mikrotik router you are only able to forward to one specific server?

bests, Christian

The only way is if one uses port translation.
Two servers behind the same NAT cannot use the same ports in general.

But if the destination ports (what outside users are coming in on are different then the router will keep track of back and forth traffic (I think)
So, destination port 50 for 192.168.0.10 to port=50 should be fine.
So, destination port =100 for 192.168.20.10 to-ports=50 should be fine.

@stoneage
What I want to suggest is to simplify the NAT rules as @anav proposed, for Server 1 and 2.
Use the default filter rules. You don’t need to add or change them.
Do not use the default values during installation of 3CX Server 2, but use the ports you want to use. After installation you cannot change them anymore.
After installing Server 2 log into 3CX, go to Settings > Parameters and check or change FIRSTEXTPORT: 11000 and LASTEXTPORT: 12499.
还要检查或改变WEBRTC_WRTC_FIRST_PORT: 12500and WEBRTC_WRTC_LAST_PORT: 12999
Lets hope this will not conflict with the IVR_RTP range which is running in 12000-13999

Hope this will help.

Hi,

I've tried to reduce the portrange for both Servers. My acutal configuration now is:

3CX 1
FIRSTEXTPORT auf Port 9000
LASTEXTPORT auf Port 9499
WEBRTC_WRTC_FIRST_PORT auf Port 9500
WEBRTC_WRTC_LAST_PORT auf Port 9999

3CX 2
FIRSTEXTPORT auf Port 10000
LASTEXTPORT auf Port 10499
WEBRTC_WRTC_FIRST_PORT auf Port 10500
WEBRTC_WRTC_LAST_PORT auf Port 10999

Now nearly everything works - BUT: Now I get the problem with SIP ALG.... and the first Port has the full cone problem - any idea?The other thing is that SIP ALG already is disabled on mikrotik (!)Routerboard Firmware and Software version is 6.46.4 (latest stable version)

bests, Christian

Please show the (new) NAT rules of 3CX 1 and 3CX 2
Why did you decide to reduce the port range?

I miss the results of the firewall checker of 3CX 1
Are the PBX's run on Debian or Windows.
If Debian, please check the iptables
If Windows, please check the firewall rules or disable the firewall completely

Disable SIP ALG looks fine to me.

Please show the (new) NAT rules of 3CX 1 and 3CX 2
Why did you decide to reduce the port range?

I miss the results of the firewall checker of 3CX 1
Are the PBX's run on Debian or Windows.
If Debian, please check the iptables
If Windows, please check the firewall rules or disable the firewall completely

Disable SIP ALG looks fine to me.

Hi,

its the same output - just different ports.
I am using linux - think its debian? But its the image built from 3cx - no idea what credentials to use to login via putty (ssh)?

bests, Christian

I have a basic VOIP connection sip alg is on, but direct media is not selected.

@stoneage,

I propose to have everything work properly with 1 PBX first, then add the second PBX.

3cx has a packet capture facility, do a packet capture on 3cx server, view in wireshark to make sure correct port numbers are received by 3cx server from Mikrotik, if yes, then log call with 3cx, if no, come back here with packet capture details

Hi!
took me some time, now I know it was something because of my tp-link router.
I am using now the mikrotik LHG LTE6 Kit (RBLHGR&R11e-LTE6). Now the public IP is directly on the WAN interface of the mikrotik router.... everything is passed through - so everything works now

Thank you for your replies!

bests, Christian