If you wish to use a VoIP provider remotely, all you have to do is make changes to your internet firewall. This guide explains how you can open ports on your routers at home and set up your firewall for 3CX.
Requirements to Port Forward 3CX
Just before you begin with the process of port forwarding, make sure you have the following things:
- The IP address of your router.
- The IP address of the device running 3CX.
- The TCP and UDP ports of 3CX, as listed in the section below.
Step-by-step guide on how to port forward 3CX
Now that you have the above details noted down, you can move to the next stage of 3CX port forwarding:
- On your web browser address bar, type your router’s IP Address/Default Gateway.
- Log in with your router’s credentials (username and password) to view your router’s firmware settings.
- Navigate to the port forwarding section of your router.
- Click on Port Forwarding.
- Enter the IP address of the device running 3CX in the correct box on your router.
- Enter the TCP and UDP ports of the 3CX server in the port boxes on your router. The default 3CX port number is 5060. Then click the apply button.
- Restart your router to let the changes take effect.
- Once the changes take effect, you can connect to 3CX.
3CX Default ports
To use 3CX remotely and run a server without interruptions, you'll have to allow access to certain ports on your firewall. The default 3CX ports are:
Network Port Requirements for 3CX Services
Service | Ports | Description |
Remote 3CX Apps & SBC | TCP: 5090, 5091; TCP: 443 (WebMeeting); TCP: 5000-5100 (Media) | Communication between 3CX clients and Session Border Controller (SBC); WebMeeting feature for remote collaboration; media transmission for voice and video calls |
3CX Video Conference | TCP: 5090, 5091; TCP: 443 (WebMeeting); TCP: 5000-5100 (Media) | Communication for video conferencing sessions; WebMeeting feature for video conferencing; media transmission for video conference streams |
Other Services (SMTP & Activation) | TCP: 25, 587 (SMTP); TCP: 9000 (Activation) | Simple Mail Transfer Protocol (SMTP) for email services; activation service for licensing and registration |
SIP Trunk / VoIP Provider | Varies (check with provider) | Ports specified by the SIP Trunk or VoIP provider for communication |
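Before saving the forwards, it helps to check that nothing wider than the listed 3CX ports is exposed. The following is an added example, not part of the original guide or of 3CX: the rule format, the host address 192.168.1.50 and the choice to treat SMTP and activation as outbound-only are assumptions.

```python
# Inbound allowlist built from this page's tables: (protocol, first, last).
# Assumption: SMTP (25, 587) and activation (9000) are outbound from the PBX,
# so they are left out of the inbound forwards.
INBOUND_ALLOWED = [
    ("tcp", 5060, 5061), ("udp", 5060, 5060),
    ("tcp", 5090, 5091), ("tcp", 443, 443), ("tcp", 5000, 5100),
]


def parse_rule(line):
    """Parse 'proto first[-last] -> ip' (constructed format, not a router export)."""
    left, target = (part.strip() for part in line.split("->"))
    proto, ports = left.split()
    first, _, last = ports.partition("-")
    first, last = int(first), int(last or first)
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range in rule: {line!r}")
    return proto.lower(), first, last, target


def uncovered(proto, first, last, allowed=INBOUND_ALLOWED):
    """Return the sub-ranges of first..last that the allowlist does not cover."""
    gaps, cursor = [], first
    for lo, hi in sorted((a, b) for p, a, b in allowed if p == proto):
        if hi < cursor or lo > last:
            continue
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= last:
        gaps.append((cursor, last))
    return gaps


def audit(rules, server_ip):
    """Return findings for forwards that expose more than the 3CX ports."""
    findings = []
    for line in rules:
        proto, first, last, target = parse_rule(line)
        if target != server_ip:
            findings.append(f"{line}: forwards to {target}, not the 3CX host")
        for lo, hi in uncovered(proto, first, last):
            findings.append(f"{line}: {proto} {lo}-{hi} is not a listed 3CX port")
    return findings


# Constructed sample rules; 192.168.1.50 is a made-up 3CX host address.
SAMPLE = ["tcp 5060-5061 -> 192.168.1.50", "udp 5060 -> 192.168.1.50",
          "tcp 1-65535 -> 192.168.1.50", "tcp 443 -> 192.168.1.77"]
```

Calling `audit(SAMPLE, "192.168.1.50")` reports the all-ports forward and the forward aimed at a different host, and leaves the two SIP rules alone.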
Steps to Configure Split DNS/ Hairpin NAT
Efficient 3CX phone system operation demands the integration of Split DNS and Hairpin NAT, which is crucial for maintaining a smooth and secure experience across internal and external networks.
Split DNS customizes domain name resolution based on network origin, while Hairpin NAT enables internal clients to access the 3CX system using its external IP without disruptions.
Steps to Configure Split DNS:
Identify Domain Names:
- Internal: “3cx.internal”
- External: “yourcompany.com”
Internal DNS:
- Resolve 3CX FQDN internally.
- Create A record for “pbx.yourcompany.com” pointing to the internal IP.
External DNS:
- Resolve 3CX FQDN externally.
- Create A record for “pbx.yourcompany.com” pointing to the public IP.
3CX Management Console:
- Set FQDN to an external domain (“pbx.yourcompany.com”).
Steps to Configure Hairpin NAT:
Router:
- Access router interface.
- Create a NAT rule to forward external IP traffic to the internal 3CX server.
- Apply the rule to both TCP and UDP on essential ports (e.g., SIP, RTP).
Firewall:
- Adjust settings to allow traffic on configured ports.
- Create rules for the internal network to access external IP.
3CX Management Console:
- Navigate to “Settings” > “Network” > “Firewall Checker.”
- Run firewall checker for port validation.
Verification:
Internal Access:
- Test internal access using external FQDN; should resolve to internal IP.
External Access:
- Test external access using external FQDN; should resolve to external IP.
Firewall Checker:
- Rerun checker to confirm no reported issues.
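The internal and external resolution tests above can be scripted. This is an added example, not part of the original guide or of 3CX: run `resolve_a` once from inside the LAN and once from outside, then pass the answers to `check_view`. The addresses 192.168.1.50 and 203.0.113.10 are constructed placeholders.

```python
import ipaddress
import socket

# RFC 1918 ranges listed explicitly; ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which would skew the check.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def resolve_a(fqdn):
    """IPv4 answers from the local resolver; run inside and outside the LAN."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_view(vantage, answers, internal_ip, public_ip):
    """Return findings for one vantage point; an empty list means it is correct."""
    if vantage not in ("internal", "external"):
        raise ValueError("vantage must be 'internal' or 'external'")
    expected = internal_ip if vantage == "internal" else public_ip
    findings = [] if answers else ["no A record returned"]
    for ip in answers:
        if ip == expected:
            continue
        if vantage == "external" and is_rfc1918(ip):
            findings.append(f"{ip}: private address published in external DNS")
        elif vantage == "internal" and ip == public_ip:
            findings.append(f"{ip}: internal view returns the public IP, "
                            "so LAN clients depend on hairpin NAT")
        else:
            findings.append(f"{ip}: unexpected answer, expected {expected}")
    return findings


if __name__ == "__main__":
    # Constructed addresses: 192.168.1.50 (LAN) and 203.0.113.10 (public).
    fqdn = "pbx.yourcompany.com"  # the page's example FQDN
    for finding in check_view("internal", resolve_a(fqdn),
                              "192.168.1.50", "203.0.113.10"):
        print(finding)
```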
Tips for Popular Firewalls Used with 3CX
Device | Configuration Tasks | Additional Notes |
Sonicwall Firewall | Port forwarding for 3CX ports; enable SIP transformations | Ensure Sonicwall security policies allow SIP and RTP traffic. Review Sonicwall documentation for specific firmware versions and recommendations. |
Draytek 2820 Router | Port forwarding for 3CX ports; enable SIP ALG | Implement Quality of Service (QoS) for prioritizing VoIP traffic. Draytek routers may have different models with variations in firmware; refer to specific model docs. |
AVM FritzBox | Port forwarding for 3CX ports; enable or configure QoS for VoIP traffic | Disable SIP ALG if present. FritzBox configurations can vary. Check the FritzBox admin interface for relevant settings. |
CISCO Router | Access Control Lists (ACLs) for 3CX ports; enable QoS for VoIP | Adjust settings for NAT and inspect SIP traffic. Cisco router configurations depend on the specific model and IOS version; refer to Cisco docs. |
FortiGate 80C | Virtual IP and Firewall Policies for 3CX ports; implement VoIP security policies | Set up security profiles and ensure SIP and RTP traffic is allowed. FortiGate settings may vary; consult FortiGate documentation for accurate configurations. |
WatchGuard XTM Firewall | Configure Packet Filter and NAT for 3CX ports; enable SIP and H.323 ALG if available | Adjust security settings and exceptions for VoIP traffic. Refer to WatchGuard documentation for model-specific details. |
pfSense Firewall | NAT Port Forward for 3CX ports; implement Traffic Shaping or QoS for VoIP traffic | Adjust firewall rules and disable SIP ALG. Consult pfSense documentation for version-specific instructions. |
MikroTik Firewall | Create NAT rules for 3CX ports; configure Firewall Filter Rules | Implement Simple Queues or Queue Tree for VoIP traffic prioritization. MikroTik RouterOS versions may have differences; check documentation accordingly. |
Quickly and safely open ports using PureVPN
Opening a port shouldn’t be complicated. With the Port Forwarding add-on, it’s as simple as 1, 2, and 3!
Ports to forward on devices
Ports to run on Windows
TCP Port | 5060-5061 |
UDP Port | 5060 |
How to open ports behind CGNAT
What if your ISP performs CGNAT? Most ISPs perform CGNAT (Carrier-grade Network Address Translation) to conserve bandwidth and assign a single IP address to multiple users connected to the same internet network. However, CGNAT makes it difficult for you to open ports on the router.
To get around the CGNAT issue, you can use the Port Forwarding add-on to bypass this problem and port forward routers without hassle.
Here’s more information on how to use PureVPN’s Port Forwarding add-on and bypass CGNAT in a few clicks.
PureVPN’s Port Forwarding Add-on
A secure way to open all ports
To most people, port forwarding is quite a demanding task. For starters, every router has a different console, which often makes it difficult to navigate to specific settings.
Secondly, you won’t always be able to open 3CX ports on your router if your ISP restricts the ports. Yes, you heard that right! ISPs are notorious for blocking ports for security reasons. If your ISP isn’t the reason behind a blocked port, then perhaps it could be your operating system’s firewall.
Well, you can make all these problems go away and enjoy smooth online gaming on all your desired systems with PureVPN’s Port Forwarding add-on. Through the Port Forwarding add-on, you can allow all ports, disallow all ports, and allow specific ports.