VoIP:Hardware:3CX: Difference between revisions
From VTX Public Wiki
(→Create a VTX SIP Trunk with XML template: nmal > default) |
Marc Leurent (talk | contribs) (Add Certification sub section) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
== Certification == |
|||
VTX SIP Trunk ( Connect_PABX service ) is compatible with 3CX PBX System. VTX provided template since 2015 and was officially certified since 2018. In 2022 VTX got removed from the Operator in 3CX templates. Since then we are trying to pass new certification without success. There is no ETA for 3CX Certification, but trunk can be used with "SIP Generic Trunk" or by importing VTX template manually using [[VoIP:Hardware:3CX#Create_a_VTX_SIP_Trunk_with_XML_template|Create a VTX SIP Trunk with XML template]] |
VTX SIP Trunk ( Connect_PABX service ) is compatible with 3CX PBX System. VTX provided template since 2015 and was officially certified since 2018. In 2022 VTX got removed from the Operator in 3CX templates. Since then we are trying to pass new certification without success. There is no ETA for 3CX Certification, but trunk can be used with "SIP Generic Trunk" or by importing VTX template manually using [[VoIP:Hardware:3CX#Create_a_VTX_SIP_Trunk_with_XML_template|Create a VTX SIP Trunk with XML template]] |
||
= Documentation = |
== Documentation == |
||
* '''Official Web Site''': http://www.3cx.com/ |
* '''Official Web Site''': http://www.3cx.com/ |
||
Line 20: | Line 22: | ||
# Download the 3CX VTX Template on your PC |
# Download the 3CX VTX Template on your PC |
||
## ("default" template v18) https://wiki.vtx.ch/media/3CX_VTX_provider.pv.xml |
## <s>("default" template v18) : https://wiki.vtx.ch/media/3CX_VTX_provider.pv.xml</s> |
||
## ("default" template v20) https://wiki.vtx.ch/media/VTXv20.pv.xml |
## ("default" template v20) : https://wiki.vtx.ch/media/VTXv20.pv.xml |
||
## ("Special Arrangement template" v18) : https://wiki.vtx.ch/media/3CX_VTX_provider_advanced.pv.xml |
## <s>("Special Arrangement template" v18) : https://wiki.vtx.ch/media/3CX_VTX_provider_advanced.pv.xml</s> |
||
## ("Special Arrangement template" v20) : https://wiki.vtx.ch/media/VTXv20adv.pv.xml |
## ("Special Arrangement template" v20) : https://wiki.vtx.ch/media/VTXv20adv.pv.xml |
||
# Connect on your 3CX PBX Admin interface |
# Connect on your 3CX PBX Admin interface |
||
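Review bot: the four `.pv.xml` links under "Download the 3CX VTX Template on your PC" carry no checksum, although the file is imported straight into the PBX admin interface. Publishing a SHA-256 next to each link would let readers verify the download before import. The v18 entries are struck through without a stated reason, while the V18 import steps further down the page still name 3CX_VTX_provider.pv.xml. Either strike those steps as well or say why the v18 templates are retired.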
Line 30: | Line 32: | ||
# Import the '''"VTXv20.pv.xml"''' file (or VTXv20adv.pv.xml) |
# Import the '''"VTXv20.pv.xml"''' file (or VTXv20adv.pv.xml) |
||
# Finish the setup of your trunk using the [[{{FULLPAGENAME}}#Configuration]] |
# Finish the setup of your trunk using the [[{{FULLPAGENAME}}#Configuration]] |
||
= Others = |
|||
== Firewall == |
|||
=== Disable open SIP rules on 3CX === |
|||
* '''Problem''': By default 3CX add a jump in nftables towards a chain "phonesystem" that makes 3CX SIP access opened to the whole world ! It is useful but should not done if not necessary ! You need to be careful otherwise these rules will bypass your own |
|||
* '''Solution''': Follow the procedure below |
|||
# Comment out the insert of "chain phonesystem" in /var/lib/3cxpbx/Bin/nftables.conf |
|||
sed -i "s/^insert/#insert/" /var/lib/3cxpbx/Bin/nftables.conf |
|||
# Edit your own /etc/nftables.conf to fit your needs |
|||
# Reboot the server |
|||
''Default firewall setup with the insert commented'' |
|||
<source lang="bash"> |
|||
root@bus-ind-vp-3cx-01:[~]# cat /var/lib/3cxpbx/Bin/nftables.conf |
|||
#!/usr/sbin/nft -f |
|||
add table inet filter |
|||
add chain inet filter input |
|||
add chain inet filter phonesystem |
|||
#insert rule inet filter input jump phonesystem |
|||
flush chain inet filter phonesystem |
|||
add table ip filter |
|||
add chain ip filter INPUT |
|||
add chain ip filter phonesystem |
|||
#insert rule ip filter INPUT jump phonesystem |
|||
flush chain ip filter phonesystem |
|||
add table ip6 filter |
|||
add chain ip6 filter INPUT |
|||
add chain ip6 filter phonesystem |
|||
#insert rule ip6 filter INPUT jump phonesystem |
|||
flush chain ip6 filter phonesystem |
|||
table inet filter { |
|||
chain phonesystem { |
|||
ip daddr 224.0.1.75 counter accept; |
|||
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept; |
|||
udp dport { 5060,5090,7000-10999 } counter accept; |
|||
} |
|||
} |
|||
table ip filter { |
|||
chain phonesystem { |
|||
ip daddr 224.0.1.75 counter accept; |
|||
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept; |
|||
udp dport { 5060,5090,7000-10999 } counter accept; |
|||
} |
|||
} |
|||
table ip6 filter { |
|||
chain phonesystem { |
|||
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept; |
|||
udp dport { 5060,5090,7000-10999 } counter accept; |
|||
} |
|||
} |
|||
</source> |
|||
''Example of email alarm because people are bruteforcing SIP that is by default opened to the world'' |
|||
<source lang="text"> |
|||
De: 3CX Phone System - VTX Services SA <noreply@3cx.net> |
|||
À: operations.voip@vtx-telecom.ch <operations.voip@vtx-telecom.ch> |
|||
Objet: IP 179.43.171.190 has been blacklisted on PBX - bus-ind-vp-3cx-01.3cx.ch |
|||
Date: Wed, 14 Oct 2020 20:47:56 +0000 (14. 10. 20 22:47:56) |
|||
The IP 179.43.171.190 on PBX bus-ind-vp-3cx-01.3cx.ch has been blacklisted and will expire on: 2020/10/15 22:47:19. |
|||
Affected Module: SIP Server |
|||
User agent: Avaya IP Phone 1120E |
|||
Reason: Too many failed authentications! |
|||
This IP Address 179.43.171.190 has made numerous attempts to authenticate with 3CX using invalid credentials. In response, 3CX has blacklisted this IP and denied any further requests. |
|||
No action is required on your behalf. |
|||
If you would like to review, edit or delete the rule, you can do so from your Management Console > Dashboard > IP Blacklist. |
|||
For more information: https://www.3cx.com/docs/allow-deny-ip-addresses/ |
|||
</source> |
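Review bot: step 2 of the new procedure ("Edit your own /etc/nftables.conf to fit your needs") gives no minimum ruleset, yet once the `insert rule ... jump phonesystem` lines are commented out the phonesystem chain is still created and filled but never referenced. What is reachable then depends entirely on /etc/nftables.conf. Add a short example that accepts the listed SIP and RTP ports only from the trunk and phone networks, plus a final check that `nft list ruleset` shows no `jump phonesystem` after the reboot. It is also worth stating that the sed pattern `^insert` only matches lines that start in column 0.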
Latest revision as of 08:19, 30 September 2024
Introduction
Certification
VTX SIP Trunk (Connect_PABX service) is compatible with the 3CX PBX system. VTX has provided a template since 2015 and was officially certified from 2018. In 2022 VTX was removed from the operators in the 3CX templates. Since then we have been trying to pass a new certification, without success. There is no ETA for 3CX certification, but the trunk can be used with "SIP Generic Trunk" or by importing the VTX template manually as described in Create a VTX SIP Trunk with XML template
Documentation
- Official Web Site: http://www.3cx.com/
- Documentation: https://www.3cx.com/docs/manual/
Configuration
SIP Trunks
General Tab
- Trunk Details
  - Name = "VTX Service SA"
  - Registrar/Server/Gateway Hostname or IP = s1.XX.trk.ipvoip.ch (unique per customer, copy and paste the info from the VTX Kiosk, e.g. s1.238234.trk.ipvoip.ch)
  - Outbound Proxy : 212.147.47.218 (DNS resolution of the SIP Registrar/Server/Gateway hostname)
  - Number of SIM Calls : 4 or more (depends on the service type you have: Connect_PABX_4 => 4 calls, Connect_PABX_8 => 8 calls, Connect_PABX_60 => 60 calls, ...)
- Authentication
  - Type of Authentication : Register/Account Based
  - Authentication ID (aka SIP User ID) : 41...lbo (unique per SIP trunk, copy and paste the info from the VTX Kiosk)
  - Authentication Password: (unique per SIP trunk, copy and paste the info from the VTX Kiosk)
- Route calls to
  - Main Trunk No: 004121566... (Warning: by default, incoming call routing numbers are in international format 0041; this can be changed on request to +e164 or national format)
DIDs
Enter all DIDs managed by the PBX in international format 0041; this can be changed on request to +e164 or national format
0041215668340 0041215668341 0041215668342 0041215668343
Caller ID
Options
- Advanced
  - PBX Delivers Audio = Yes (forces the PBX to convert the RTP stream; this uses resources on the PBX and might cause problems)
  - Supports Re-Invite = Yes
  - Force Invites to be sent to IP of Registrar = Yes
  - Re-Register Timeout = 600
  - Select which IP to use in 'Contact' (SIP) and 'Connection' (SDP) fields = Local IP Address
  - Transport Protocol = TCP (avoids problems with firewalls that do not accept fragmented UDP packets)
- Codec Priority
  - G722
  - G711a
  - G729
- Options
  - Set "Contact" (SIP) and "Connection" (SDP) with "Local IP"
Inbound Parameters
Keep it default or adapt it to fit your needs
Outbound Parameters
Here are the parameters that you need to adapt to be able to bill all numbers
SIP Field | Variable | Impact | Explanation |
---|---|---|---|
P-Preferred Identity : User Part | Leave default value | Will no longer send the P-Preferred-Identity header, so that your LineNumber is not billed every time | PPI only needs to be used to define the number to be billed, so it is only useful when you wish to display a number outside your range with "Special Arrangement" and bill one specific number of your trunk |
P-Preferred Identity : Host Part | Leave default value | | |
Extensions
General Tab
- User Information
  - Outbound Caller ID : 0041__ (enter here the number to display for outgoing calls for this extension, either from the trunk or external if you have "Special Arrangement / CLIP No Screening")
Inbound Rules
Create a new incoming DID rule with a number added in the SIP trunks DDI
- Name = "Useful Description"
- DDI = Select one from the list
- Route calls to = Set it up according to your needs
Outbound Rules
Add the following rules
- General
  - Rule Name = VTX_Default_Rule
  - Calls to numbers starting with prefix = 0
- Make outbound calls on
  - Route: "VTX Services SA" + Strip Digits = 0
Usage
Create a VTX SIP Trunk with XML template
- Information: If "Special Arrangement / CLIP No Screening" (advanced feature) is activated on your VTX trunk, you can manually adapt the parameters as described in Outbound Parameters or import the Advanced VTX Template below
- Problem: The "VTX" SIP trunk template has been temporarily deleted from the 3CX SIP trunk template list. We are looking into having it added back, but there is no ETA for 3CX certification
- Workaround: You can import the VTX template manually by following the procedure below
- Download the 3CX VTX Template on your PC
  - <s>("default" template v18) : https://wiki.vtx.ch/media/3CX_VTX_provider.pv.xml</s>
  - ("default" template v20) : https://wiki.vtx.ch/media/VTXv20.pv.xml
  - <s>("Special Arrangement template" v18) : https://wiki.vtx.ch/media/3CX_VTX_provider_advanced.pv.xml</s>
  - ("Special Arrangement template" v20) : https://wiki.vtx.ch/media/VTXv20adv.pv.xml
- Connect on your 3CX PBX Admin interface
- V18: Go in "SIP Trunks" menu and click on the "Import Provider" button
- Upload the "3CX_VTX_provider.pv.xml" file (or 3CX_VTX_provider_advanced.pv.xml)
- V20: Open "Advanced" menu, click on "Templates" then choose "Provider Templates" and click on "Import Provider" button
- Import the "VTXv20.pv.xml" file (or VTXv20adv.pv.xml)
- Finish the setup of your trunk using the VoIP:Hardware:3CX#Configuration
Others
Firewall
Disable open SIP rules on 3CX
- Problem: By default, 3CX adds a jump in nftables to a "phonesystem" chain that opens 3CX SIP access to the whole world! This is useful, but should not be done unless necessary. Be careful: otherwise these rules will bypass your own
- Solution: Follow the procedure below
  - Comment out the insert of "chain phonesystem" in /var/lib/3cxpbx/Bin/nftables.conf
    sed -i "s/^insert/#insert/" /var/lib/3cxpbx/Bin/nftables.conf
  - Edit your own /etc/nftables.conf to fit your needs
  - Reboot the server
Default firewall setup with the insert commented
root@bus-ind-vp-3cx-01:[~]# cat /var/lib/3cxpbx/Bin/nftables.conf
#!/usr/sbin/nft -f
add table inet filter
add chain inet filter input
add chain inet filter phonesystem
#insert rule inet filter input jump phonesystem
flush chain inet filter phonesystem
add table ip filter
add chain ip filter INPUT
add chain ip filter phonesystem
#insert rule ip filter INPUT jump phonesystem
flush chain ip filter phonesystem
add table ip6 filter
add chain ip6 filter INPUT
add chain ip6 filter phonesystem
#insert rule ip6 filter INPUT jump phonesystem
flush chain ip6 filter phonesystem
table inet filter {
    chain phonesystem {
        ip daddr 224.0.1.75 counter accept;
        tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
        udp dport { 5060,5090,7000-10999 } counter accept;
    }
}
table ip filter {
    chain phonesystem {
        ip daddr 224.0.1.75 counter accept;
        tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
        udp dport { 5060,5090,7000-10999 } counter accept;
    }
}
table ip6 filter {
    chain phonesystem {
        tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
        udp dport { 5060,5090,7000-10999 } counter accept;
    }
}
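The audit below is an added example, not part of the VTX wiki or of 3CX tooling. It counts `insert rule ... jump phonesystem` lines that are still active, applies the same substitution as the sed in the procedure while keeping a backup, and lists the ports the chain accepts from any source. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not 3CX or VTX code). Run it against a COPY of nftables.conf.

# Write a constructed sample, modelled on the listing above, to path $1.
make_sample() {
    cat > "$1" <<'EOF'
add chain inet filter phonesystem
insert rule inet filter input jump phonesystem
add chain ip filter phonesystem
#insert rule ip filter INPUT jump phonesystem
table inet filter {
chain phonesystem {
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
udp dport { 5060,5090,7000-10999 } counter accept;
}
}
EOF
}

# Count "insert rule ... jump phonesystem" lines that are still active in $1.
# Leading whitespace is allowed, so an indented line that the page's
# "^insert" pattern would miss is still reported.
count_active_jumps() {
    grep -cE '^[[:space:]]*insert[[:space:]]+rule[[:space:]].*jump[[:space:]]+phonesystem' "$1" || true
}

# Same substitution as the sed above; the first run keeps the original as $1.bak.
disable_jumps() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak"
    sed 's/^insert/#insert/' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Print "proto ports" for every accept rule in $1 that has no saddr restriction.
unrestricted_accepts() {
    grep -E 'dport.*accept' "$1" | grep -v 'saddr' |
        sed -E 's/^[[:space:]]*(tcp|udp) dport \{ *([^}]*[^ }]) *\}.*/\1 \2/'
}

f=$(mktemp) && make_sample "$f"
echo "active jumps before: $(count_active_jumps "$f")"
disable_jumps "$f"
echo "active jumps after:  $(count_active_jumps "$f")"
echo "accepted from any source if the chain is reachable:"
unrestricted_accepts "$f"
rm -f "$f" "$f.bak"
```

After the reboot, the same question can be asked of the live ruleset with `nft list ruleset`, which should show no `jump phonesystem`.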
Example of an email alarm triggered by SIP brute-force attempts, because SIP is open to the world by default
De: 3CX Phone System - VTX Services SA <noreply@3cx.net>
À: operations.voip@vtx-telecom.ch <operations.voip@vtx-telecom.ch>
Objet: IP 179.43.171.190 has been blacklisted on PBX - bus-ind-vp-3cx-01.3cx.ch
Date: Wed, 14 Oct 2020 20:47:56 +0000 (14. 10. 20 22:47:56)
The IP 179.43.171.190 on PBX bus-ind-vp-3cx-01.3cx.ch has been blacklisted and will expire on: 2020/10/15 22:47:19.
Affected Module: SIP Server
User agent: Avaya IP Phone 1120E
Reason: Too many failed authentications!
This IP Address 179.43.171.190 has made numerous attempts to authenticate with 3CX using invalid credentials. In response, 3CX has blacklisted this IP and denied any further requests.
No action is required on your behalf.
If you would like to review, edit or delete the rule, you can do so from your Management Console > Dashboard > IP Blacklist.
For more information: https://www.3cx.com/docs/allow-deny-ip-addresses/