From VTX Public Wiki

Introduction

FIXME to be written

Configuration

Firewall

Disable open SIP rules on 3CX

  • Problem: By default, 3CX adds a jump in nftables to a chain "phonesystem" that opens 3CX SIP access to the whole world! It is useful, but it should not be done if not necessary! You need to be careful, otherwise these rules will bypass your own
  • Solution: Follow the procedure below
  1. Comment out the insert of "chain phonesystem" in /var/lib/3cxpbx/Bin/nftables.conf
     sed -i "s/^insert/#insert/" /var/lib/3cxpbx/Bin/nftables.conf
  2. Edit your own /etc/nftables.conf to fit your needs
  3. Reboot the server
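
A check that can be run after the procedure above to confirm that no jump to "phonesystem" is still active, including an indented `insert` line that the `^insert` pattern does not match. This is an added example, not part of the wiki or of 3CX; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit 3CX's generated nftables.conf for active jumps into
# the "phonesystem" chain. Function names are hypothetical.

# Uncommented "insert rule ... jump phonesystem"; leading whitespace is
# tolerated, which the sed pattern "^insert" would not catch.
JUMP_RE='^[[:space:]]*insert[[:space:]]+rule[[:space:]].*jump[[:space:]]+phonesystem'

# Print the active jump lines of file $1 with their line numbers.
active_jumps() { grep -nE "$JUMP_RE" "$1" || true; }

# Print the unique "proto ports" sets that the phonesystem chains accept.
exposed_ports() {
    sed -nE 's/^[[:space:]]*(tcp|udp) dport \{ *([^}]*[^ }]) *\}.*accept.*/\1 \2/p' "$1" | sort -u
}

# Return 0 if no jump is active, 1 if at least one is, 2 if unreadable.
audit_3cx_nft() {
    conf=${1:-/var/lib/3cxpbx/Bin/nftables.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    n=$(active_jumps "$conf" | grep -c . || true)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n active jump(s) to phonesystem in $conf"
        active_jumps "$conf" | sed 's/^/  line /'
        echo "Accepted from any source while the jump is active:"
        exposed_ports "$conf" | sed 's/^/  /'
        return 1
    fi
    echo "OK: no active jump to phonesystem in $conf"
}

# Constructed sample: the ip6 jump is uncommented and the ip one is indented.
write_sample() {
    cat > "$1" <<'EOF'
#insert rule inet filter input jump phonesystem
  insert rule ip filter INPUT jump phonesystem
insert rule ip6 filter INPUT jump phonesystem
table inet filter {
        chain phonesystem {
                tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
                udp dport { 5060,5090,7000-10999 } counter accept;
        }
}
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_3cx_nft "$sample" || true
rm -f "$sample"
```

On the PBX, call `audit_3cx_nft` with no argument to check /var/lib/3cxpbx/Bin/nftables.conf; a non-zero exit status makes it usable from a monitoring job.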

Default firewall setup with the insert commented out

root@bus-ind-vp-3cx-01:[~]# cat /var/lib/3cxpbx/Bin/nftables.conf
#!/usr/sbin/nft -f

add table inet filter
add chain inet filter input
add chain inet filter phonesystem
#insert rule inet filter input jump phonesystem
flush chain inet filter phonesystem

add table ip filter
add chain ip filter INPUT
add chain ip filter phonesystem
#insert rule ip filter INPUT jump phonesystem
flush chain ip filter phonesystem

add table ip6 filter
add chain ip6 filter INPUT
add chain ip6 filter phonesystem
#insert rule ip6 filter INPUT jump phonesystem
flush chain ip6 filter phonesystem

table inet filter {
        chain phonesystem {
                ip daddr counter accept;
                tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
                udp dport { 5060,5090,7000-10999 } counter accept;

table ip filter {
        chain phonesystem {
                ip daddr counter accept;
                tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
                udp dport { 5060,5090,7000-10999 } counter accept;

table ip6 filter {
        chain phonesystem {
                tcp dport { 5000,5001,5060,5061,5090,5062 } ct state new counter accept;
                udp dport { 5060,5090,7000-10999 } counter accept;

Example of the email alarm sent when people brute-force SIP, which is open to the world by default

From:	3CX Phone System - VTX Services SA <noreply@3cx.net>
To:	operations.voip@vtx-telecom.ch <operations.voip@vtx-telecom.ch>
Subject:	IP has been blacklisted on PBX - bus-ind-vp-3cx-01.3cx.ch
Date:	Wed, 14 Oct 2020 20:47:56 +0000 (14. 10. 20 22:47:56)

The IP on PBX bus-ind-vp-3cx-01.3cx.ch has been blacklisted and will expire on: 2020/10/15 22:47:19.
Affected Module: SIP Server
User agent: Avaya IP Phone 1120E

Reason: Too many failed authentications! 

This IP Address has made numerous attempts to authenticate with 3CX using invalid credentials. In response, 3CX has blacklisted this IP and denied any further requests.

No action is required on your behalf.

If you would like to review, edit or delete the rule, you can do so from your Management Console > Dashboard > IP Blacklist.
For more information: https://www.3cx.com/docs/allow-deny-ip-addresses/

SIP Trunks

General Tab

  • Trunk Details
    • Name = "VTX Service SA"
    • Registrar/Server/Gateway Hostname or IP = s1.XX.trk.ipvoip.ch (unique per customer; copy and paste the value from VTX Kiosk, e.g. s1.238234.trk.ipvoip.ch)
    • Outbound Proxy : (DNS resolution of the SIP Registrar/Server/Gateway Hostname)
    • Number of SIM Calls : 4 or more (depends on your Service Type: Connect_PABX_4 => 4 calls, Connect_PABX_8 => 8 calls, Connect_PABX_60 => 60 calls, ...)
  • Authentication
    • Type of Authentication : Register/Account Based
    • Authentication ID (aka SIP User ID) : 41...lbo (unique per SIP trunk; copy and paste the value from VTX Kiosk)
    • Authentication Password: (unique per SIP trunk; copy and paste the value from VTX Kiosk)
  • Route calls to
    • Main Trunk No: 004121566... (Warning: by default, incoming call routing numbers are in international format 0041; this can be changed on request to +e164 or national format)

DIDs

Caller ID

Options

  • Advanced
    • PBX Delivers Audio = Yes (forces the PBX to convert the RTP stream; this will use resources on the PBX and might trigger problems)
    • Supports Re-Invite = Yes
    • Force Invites to be send to IP of Registrar = Yes
    • Re-Register Timeout = 600
    • Select which IP to use in 'Contact' (SIP) and 'Connection'(SDP) fields = Local IP Address
    • Transport Protocol = TCP (to avoid problems with firewalls that do not accept fragmented UDP packets)
  • Codec Priority
    • G722
    • G711a
    • G729
  • Options
    • Set Contact (SIP) and "Connection" (SDP) with "Local IP"

Inbound Parameters

Keep it default or adapt it to fit your needs

Outbound Parameters

Here are the parameters that you need to adapt to be able to bill all numbers

  • SIP Field: P-Preferred Identity : User Part
    • Variable: Leave default value (old value : "LineNumber")
    • Impact: Will not send the P-Preferred-Identity header anymore
    • Explanation: Avoids always billing your LineNumber. PPI only needs to be used to define the number to be billed, so it is only useful when you wish to display a number outside your range with "Special Arrangement" and bill one specific number of your trunk
  • SIP Field: P-Preferred Identity : Host Part
    • Variable: Leave default value (old value : "GWHostPort")

Extensions

General Tab

  • User Information
    • Outbound Caller ID : 0041__ (enter here the number to display for outgoing calls from this extension: a number from the trunk, or an external one if you have "Special Arrangement / CLIP No Screening")

Inbound Rules

Create a new incoming DID rule with a number added in the SIP trunks DDI

  • Name = "Useful Description"
  • DDI = Select one from the list
  • Route calls to = Set it up according to your needs

Outbound Rules

Add the following rules

  • General
    • Rule Name = VTX_Default_Rule
    • Calls to numbers starting with prefix = 0
  • Make outbound calls on
    • Route: "VTX Services SA" + Strip Digits = 0

Usage

Create a VTX SIP Trunk with XML template

  • Information: If "Special Arrangement / CLIP No Screening" (advanced feature) has been activated on your VTX trunk, you can manually adapt the parameters as described in Outbound Parameters or import the Advanced VTX Template below
  • Problem: The "VTX" SIP trunk template has been temporarily deleted from the 3CX SIP trunk template list. We are checking to have it added back
  • Workaround: You can import the VTX Template manually by following the procedure below
  1. Download the 3CX VTX Template to your PC
    1. ("normal" template) https://wiki.vtx.ch/media/3CX_VTX_provider.pv.xml
    2. ("Special Arrangement" template) https://wiki.vtx.ch/media/3CX_VTX_provider_advanced.pv.xml
  2. Connect to your 3CX PBX Admin interface
  3. Go to the "SIP Trunks" menu and click on the "Import Provider" button
  4. Upload the "3CX_VTX_provider.pv.xml" file
  5. Finish the setup of your trunk using the Configuration section (VoIP:Hardware:3CX#Configuration)