VoIP:Hardware:3CX:Configuration: Difference between revisions
From VTX Public Wiki
(Create a configuration page) |
(Remove Firewall and certifications) |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
[[File:VTX-ConnectPBX-Certification-01.png|thumb|VTX Certification]] |
|||
== Firewall == |
|||
=== Disable open SIP rules on 3CX === |
|||
* '''Problem''': By default 3CX add a jump in nftables towards a chain "phonesystem" that makes 3CX SIP access opened to the whole world ! It is useful but should not done if not necessary ! You need to be careful otherwise these rules will bypass your own |
|||
* '''Solution''': Follow the procedure below |
|||
# Comment out the insert of "chain phonesystem" in /var/lib/3cxpbx/Bin/nftables.conf |
|||
sed -i "s/^insert/#insert/" /var/lib/3cxpbx/Bin/nftables.conf |
|||
# Edit your own /etc/nftables.conf to fit your needs |
|||
# Reboot the server |
|||
''Default firewall setup with the insert commented'' |
|||
<source lang="bash"> |
|||
root@bus-ind-vp-3cx-01:[~]# cat /var/lib/3cxpbx/Bin/nftables.conf |
|||
#!/usr/sbin/nft -f |
|||
add table inet filter |
|||
add chain inet filter input |
|||
add chain inet filter phonesystem |
|||
#insert rule inet filter input jump phonesystem |
|||
flush chain inet filter phonesystem |
|||
add table ip filter |
|||
add chain ip filter INPUT |
|||
add chain ip filter phonesystem |
|||
#insert rule ip filter INPUT jump phonesystem |
|||
flush chain ip filter phonesystem |
|||
add table ip6 filter |
|||
add chain ip6 filter INPUT |
|||
add chain ip6 filter phonesystem |
|||
#insert rule ip6 filter INPUT jump phonesystem |
|||
flush chain ip6 filter phonesystem |
|||
table inet filter { |
|||
chain phonesystem { |
|||
ip daddr 224.0.1.75 counter accept; |
|||
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept; |
|||
udp dport { 5060,5090,7000-10999 } counter accept; |
|||
} |
|||
} |
|||
table ip filter { |
|||
chain phonesystem { |
|||
ip daddr 224.0.1.75 counter accept; |
|||
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept; |
|||
udp dport { 5060,5090,7000-10999 } counter accept; |
|||
} |
|||
} |
|||
table ip6 filter { |
|||
chain phonesystem { |
|||
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept; |
|||
udp dport { 5060,5090,7000-10999 } counter accept; |
|||
} |
|||
} |
|||
</source> |
|||
''Example of email alarm because people are bruteforcing SIP that is by default opened to the world'' |
|||
<source lang="text"> |
|||
De: 3CX Phone System - VTX Services SA <noreply@3cx.net> |
|||
À: operations.voip@vtx-telecom.ch <operations.voip@vtx-telecom.ch> |
|||
Objet: IP 179.43.171.190 has been blacklisted on PBX - bus-ind-vp-3cx-01.3cx.ch |
|||
Date: Wed, 14 Oct 2020 20:47:56 +0000 (14. 10. 20 22:47:56) |
|||
The IP 179.43.171.190 on PBX bus-ind-vp-3cx-01.3cx.ch has been blacklisted and will expire on: 2020/10/15 22:47:19. |
|||
Affected Module: SIP Server |
|||
User agent: Avaya IP Phone 1120E |
|||
Reason: Too many failed authentications! |
|||
This IP Address 179.43.171.190 has made numerous attempts to authenticate with 3CX using invalid credentials. In response, 3CX has blacklisted this IP and denied any further requests. |
|||
No action is required on your behalf. |
|||
If you would like to review, edit or delete the rule, you can do so from your Management Console > Dashboard > IP Blacklist. |
|||
For more information: https://www.3cx.com/docs/allow-deny-ip-addresses/ |
|||
</source> |
|||
== SIP Trunks == |
== SIP Trunks == |
||
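Review bot: Removing the whole "== Firewall ==" section leaves this page with no mention that /var/lib/3cxpbx/Bin/nftables.conf inserts a jump to the "phonesystem" chain by default. That chain accepts tcp dport { 5000,5001,5060,5061,5090,5062 } and udp dport { 5060,5090,7000-10999 } with no source restriction, and the removed alarm mail ("Too many failed authentications!") shows what that exposure attracts. If the procedure moved to another page, link to it from here. If it is being dropped as out of date, keep at least the Problem bullet so readers still know to check that their own /etc/nftables.conf rules are not bypassed. The edit summary "Remove Firewall and certifications" gives no reason for the removal, so state one.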
Line 130: | Line 33: | ||
** <strike>'''Force Invites to be send to IP of Registrar''' = Yes</strike> |
** <strike>'''Force Invites to be send to IP of Registrar''' = Yes</strike> |
||
** '''Re-Register Timeout''' = '''600''' |
** '''Re-Register Timeout''' = '''600''' |
||
** < |
** <strike>'''Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields''' = '''Local IP Address'''</strike> |
||
** '''Transport Protocol''' = TCP (Not to have problem with Firewall that do not accept UDP fragmented packets) |
** '''Transport Protocol''' = TCP (Not to have problem with Firewall that do not accept UDP fragmented packets) |
||
* '''Codec Priority''' |
* '''Codec Priority''' |
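Review bot: Striking out "Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields = Local IP Address" contradicts the Options bullet further down the same page, which still reads: Set Contact (SIP) and "Connection" (SDP) with "Local IP". Either strike that bullet too or state which value applies now. Neither struck line in this block gives a replacement value or a reason, so add a short note beside each one saying whether existing trunks should change the setting back to its default.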
Latest revision as of 15:07, 26 September 2024
SIP Trunks
General Tab
- Trunk Details
  - Name = "VTX Service SA"
  - Registrar/Server/Gateway Hostname or IP = s1.XX.trk.ipvoip.ch (unique per customer; copy and paste it from VTX Kiosk, e.g. s1.238234.trk.ipvoip.ch)
  - Outbound Proxy: 212.147.47.218 (DNS resolution of the SIP Registrar/Server/Gateway Hostname)
  - Number of SIM Calls: 4 or more (depends on your Service Type: Connect_PABX_4 => 4 calls, Connect_PABX_8 => 8 calls, Connect_PABX_60 => 60 calls, ...)
- Authentication
  - Type of Authentication: Register/Account Based
  - Authentication ID (aka SIP User ID): 41...lbo (unique per SIP trunk; copy and paste it from VTX Kiosk)
  - Authentication Password: (unique per SIP trunk; copy and paste it from VTX Kiosk)
- Route calls to
  - Main Trunk No: 004121566... (Warning: by default, incoming call routing numbers are in international format 0041; this can be changed on request to +e164 or National format)
DIDs
Enter all DIDs managed by the PBX in international format 0041; this can be changed on request to +e164 or National format.
0041215668340 0041215668341 0041215668342 0041215668343
Caller ID
Options
- Advanced
  - PBX Delivers Audio = Yes (forces the PBX to convert the RTP stream; this uses resources on the PBX and might trigger problems)
  - Supports Re-Invite = Yes
  - Force Invites to be send to IP of Registrar = Yes (struck through on the wiki page)
  - Re-Register Timeout = 600
  - Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields = Local IP Address (struck through on the wiki page)
  - Transport Protocol = TCP (avoids problems with firewalls that do not accept fragmented UDP packets)
- Codec Priority
  - G722
  - G711a
  - G729
- Options
  - Set Contact (SIP) and "Connection" (SDP) with "Local IP"
Inbound Parameters
Keep it default or adapt it to fit your needs
Outbound Parameters
Here are the parameters that you need to adapt to be able to bill all numbers
SIP Field | Variable | Impact | Explanation |
---|---|---|---|
P-Preferred Identity : User Part | Leave default value | Will no longer send the P-Preferred-Identity header, so that your LineNumber is not billed every time | PPI only needs to be used to define the number to be billed, so it is only useful when you wish to display a number outside your range with "Special Arrangement" and bill one specific number of your trunk |
P-Preferred Identity : Host Part | Leave default value | | |
Extensions
General Tab
- User Information
  - Outbound Caller ID: 0041__ (enter the number to display for outgoing calls from this extension: a number from the trunk, or an external one if you have "Special Arrangement / CLIP No Screening")
Inbound Rules
Create a new incoming DID rule with a number added in the SIP trunks DDI
- Name = "Useful Description"
- DDI = Select one from the list
- Route calls to = Set it up according to your needs
Outbound Rules
Add the following rules
- General
  - Rule Name = VTX_Default_Rule
  - Calls to numbers starting with prefix = 0
- Make outbound calls on
  - Route: "VTX Services SA" + Strip Digits = 0