VoIP:Hardware:3CX:Configuration: Difference between revisions
From VTX Public Wiki
(Create a configuration page) |
(→Options: Fix strike option) |
||
Line 130: | Line 130: | ||
** <strike>'''Force Invites to be send to IP of Registrar''' = Yes</strike> |
** <strike>'''Force Invites to be send to IP of Registrar''' = Yes</strike> |
||
** '''Re-Register Timeout''' = '''600''' |
** '''Re-Register Timeout''' = '''600''' |
||
** < |
** <strike>'''Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields''' = '''Local IP Address'''</strike> |
||
** '''Transport Protocol''' = TCP (Not to have problem with Firewall that do not accept UDP fragmented packets) |
** '''Transport Protocol''' = TCP (Not to have problem with Firewall that do not accept UDP fragmented packets) |
||
* '''Codec Priority''' |
* '''Codec Priority''' |
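Review bot: the strike-through on 'Force Invites to be send to IP of Registrar' and on 'Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields' gives no reason and no replacement value, so a reader of the rendered page cannot tell whether the option is obsolete or must now be set differently. Add a short note beside each struck item saying why it was withdrawn and what to configure instead.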
Revision as of 10:12, 1 February 2023
Firewall
Disable open SIP rules on 3CX
- Problem: By default 3CX adds a jump in nftables to a chain named "phonesystem", which opens 3CX SIP access to the whole world! This is useful, but should not be done unless necessary. Be careful, otherwise these rules will bypass your own.
- Solution: Follow the procedure below
- Comment out the insert of "chain phonesystem" in /var/lib/3cxpbx/Bin/nftables.conf
sed -i "s/^insert/#insert/" /var/lib/3cxpbx/Bin/nftables.conf
- Edit your own /etc/nftables.conf to fit your needs
- Reboot the server
Default firewall setup with the insert commented
root@bus-ind-vp-3cx-01:[~]# cat /var/lib/3cxpbx/Bin/nftables.conf
#!/usr/sbin/nft -f
add table inet filter
add chain inet filter input
add chain inet filter phonesystem
#insert rule inet filter input jump phonesystem
flush chain inet filter phonesystem
add table ip filter
add chain ip filter INPUT
add chain ip filter phonesystem
#insert rule ip filter INPUT jump phonesystem
flush chain ip filter phonesystem
add table ip6 filter
add chain ip6 filter INPUT
add chain ip6 filter phonesystem
#insert rule ip6 filter INPUT jump phonesystem
flush chain ip6 filter phonesystem
table inet filter {
chain phonesystem {
ip daddr 224.0.1.75 counter accept;
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
udp dport { 5060,5090,7000-10999 } counter accept;
}
}
table ip filter {
chain phonesystem {
ip daddr 224.0.1.75 counter accept;
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
udp dport { 5060,5090,7000-10999 } counter accept;
}
}
table ip6 filter {
chain phonesystem {
tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
udp dport { 5060,5090,7000-10999 } counter accept;
}
}
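The procedure above, as an added shell example (not part of the original wiki page and not 3CX code): it counts the active "jump phonesystem" inserts, comments out only those lines after taking a backup, and checks the running ruleset as well. The function names, the audit/fix arguments and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not 3CX or VTX code): audit and disable the 3CX jump rules.
CONF_DEFAULT=/var/lib/3cxpbx/Bin/nftables.conf   # path from this page

# Constructed sample in the same format as the file shown above.
make_sample() {
    cat > "$1" <<'EOF'
add chain inet filter phonesystem
insert rule inet filter input jump phonesystem
add chain ip filter phonesystem
insert rule ip filter INPUT jump phonesystem
#insert rule ip6 filter INPUT jump phonesystem
EOF
}

# Print every uncommented "insert rule ... jump phonesystem" line.
active_jumps() {
    grep -E '^[[:space:]]*insert[[:space:]]+rule[[:space:]].*jump[[:space:]]+phonesystem' "$1"
}

# 0 means the world-open chain is no longer hooked into the input chains.
count_active_jumps() {
    active_jumps "$1" | wc -l | tr -d ' '
}

# Comment out only the phonesystem jumps (narrower than the page's sed, which
# hits every "insert" line) after a timestamped backup; safe to re-run.
disable_jumps() {
    conf=$1
    [ "$(count_active_jumps "$conf")" -eq 0 ] && return 0
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -i 's/^\([[:space:]]*\)insert\([[:space:]]\{1,\}rule[[:space:]].*jump[[:space:]]\{1,\}phonesystem\)/\1#insert\2/' "$conf"
}

# The kernel keeps the old jump until the ruleset is reloaded (the reboot
# step), so count jumps in the running ruleset as well.
live_jumps() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 2; }
    nft list ruleset | grep -c 'jump phonesystem'
}

# Usage: script audit|fix [file]; with no argument nothing is touched.
f=${2:-$CONF_DEFAULT}
case "${1:-}" in
    audit) [ -r "$f" ] || { echo "cannot read $f" >&2; exit 2; }
           n=$(count_active_jumps "$f")
           echo "active jumps in file: $n; live: $(live_jumps)"
           [ "$n" -eq 0 ] ;;
    fix)   disable_jumps "$f" ;;
esac
```

Run the audit mode after each reboot or 3CX upgrade to confirm the jumps are still commented out; it exits non-zero when any active jump remains in the file.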
Example of an email alarm triggered because people are brute-forcing SIP, which is open to the world by default
From: 3CX Phone System - VTX Services SA <noreply@3cx.net>
To: operations.voip@vtx-telecom.ch <operations.voip@vtx-telecom.ch>
Subject: IP 179.43.171.190 has been blacklisted on PBX - bus-ind-vp-3cx-01.3cx.ch
Date: Wed, 14 Oct 2020 20:47:56 +0000 (14. 10. 20 22:47:56)
The IP 179.43.171.190 on PBX bus-ind-vp-3cx-01.3cx.ch has been blacklisted and will expire on: 2020/10/15 22:47:19.
Affected Module: SIP Server
User agent: Avaya IP Phone 1120E
Reason: Too many failed authentications!
This IP Address 179.43.171.190 has made numerous attempts to authenticate with 3CX using invalid credentials. In response, 3CX has blacklisted this IP and denied any further requests.
No action is required on your behalf.
If you would like to review, edit or delete the rule, you can do so from your Management Console > Dashboard > IP Blacklist.
For more information: https://www.3cx.com/docs/allow-deny-ip-addresses/
SIP Trunks
General Tab
- Trunk Details
- Name = "VTX Service SA"
- Registrar/Server/Gateway Hostname or IP = s1.XX.trk.ipvoip.ch ( Unique per customer, copy and paste the info from VTX Kiosk, e.g. s1.238234.trk.ipvoip.ch )
- Outbound Proxy : 212.147.47.218 ( DNS resolution of the SIP Registrar/Server/Gateway Hostname )
- Number of SIM Calls : 4 or more ( Depends on your Service Type: Connect_PABX_4 => 4 calls, Connect_PABX_8 => 8 calls, Connect_PABX_60 => 60 calls, ... )
- Authentication
- Type of Authentication : Register/Account Based
- Authentication ID (aka SIP User ID) : 41...lbo ( Unique per SIP trunk, copy and paste the info from VTX Kiosk )
- Authentication Password: ( Unique per SIP trunk, copy and paste the info from VTX Kiosk )
- Route calls to
- Main Trunk No: 004121566... ( Warning: by default, incoming call routing numbers are in international format 0041; this can be changed on request to +e164 or National format )
DIDs
Enter all DIDs managed by the PBX in international format 0041; this can be changed on request to +e164 or National format
0041215668340 0041215668341 0041215668342 0041215668343
Caller ID
Options
- Advanced
- PBX Delivers Audio = Yes ( forces the PBX to convert the RTP stream; this uses resources on the PBX and might cause problems )
- Supports Re-Invite = Yes
- Force Invites to be send to IP of Registrar = Yes (struck out in this revision)
- Re-Register Timeout = 600
- Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields = Local IP Address (struck out in this revision)
- Transport Protocol = TCP (avoids problems with firewalls that do not accept fragmented UDP packets)
- Codec Priority
- G722
- G711a
- G729
- Options
Set Contact (SIP) and "Connection" (SDP) with "Local IP"
Inbound Parameters
Keep it default or adapt it to fit your needs
Outbound Parameters
Here are the parameters that you need to adapt to be able to bill all numbers
SIP Field | Variable | Impact | Explanation |
---|---|---|---|
P-Preferred Identity : User Part | Leave default value | Will not send the P-Preferred-Identity header anymore, so that your LineNumber is not billed every time | PPI only needs to be used to define the number to be billed, so it is only useful when you wish to display a number outside your range with "Special Arrangement" and bill one specific number of your trunk |
P-Preferred Identity : Host Part | Leave default value | | |
Extensions
General Tab
- User Information
- Outbound Caller ID : 0041__ ( Enter here the number to display for outgoing calls from this extension: a number from the trunk, or an external one if you have "Special Arrangement / CLIP No Screening" )
Inbound Rules
Create a new incoming DID rule with a number added in the SIP trunks DDI
- Name = "Useful Description"
- DDI = Select one from the list
- Route calls to = Set it up according to your needs
Outbound Rules
Add the following rules
- General
- Rule Name = VTX_Default_Rule
- Calls to numbers starting with prefix = 0
- Make outbound calls on
- Route: "VTX Services SA" + Strip Digits = 0