Configuring a MikroTik with 3CX
Introduction
This document describes the configuration of MikroTik RB951 devices for use with 3CX and should be compatible with other devices in this series. Although settings can be configured via the GUI (winbox.exe) or web interface, this guide provides configuration through SSH. Please note that we cannot assist you in the configuration of your firewall.
Step 1: Disable SIP ALG
- Log into the firewall. In the command line enter:
ip firewall service-port disable sip
Step 2: Configure Port Forwarding (NAT)
You now need to port forward the following ports in order to support configuration of SBCs, Remote Extensions and VoIP Providers.
While still logged into the firewall, enter the following commands:
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[HTTPS Port] protocol=tcp dst-port=[HTTPS Port] comment="3CX Presence and Provisioning HTTPS"
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port] protocol=udp dst-port=[SIP Port] comment="3CX SIP UDP"
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port] protocol=tcp dst-port=[SIP Port] comment="3CX SIP TCP"
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[SIP Port + 1] protocol=tcp dst-port=[SIP Port + 1] comment="3CX SIP TLS"
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[Tunnel Port] protocol=tcp dst-port=[Tunnel Port] comment="3CX Tunnel TCP"
- ip firewall nat add chain=dstnat action=dst-nat to-addresses=[3CX Server LAN IP] to-ports=[Tunnel Port] protocol=udp dst-port=[Tunnel Port] comment="3CX Tunnel UDP"
Note that in the above commands you must replace each bracketed section with the correct IP address or port for your setup.
Step 3: Inbound Access List (PAT configuration only)
If you have a 1 to 1 NAT, you can skip this step. If you have a PAT configuration you must create the following access rules using these commands:
- ip firewall filter add chain=input action=accept connection-state=established
- ip firewall filter add chain=input action=accept connection-state=related
- ip firewall filter add chain=forward action=accept connection-state=established
- ip firewall filter add chain=forward action=accept connection-state=related
- ip firewall filter add chain=forward action=drop connection-state=invalid
- ip firewall filter add chain=input action=drop in-interface=[Interface Name]
- ip firewall nat add chain=srcnat action=masquerade out-interface=[Interface Name]
Note that in the sixth and seventh commands above, you are required to enter the name of the interface you are using for 3CX (the one with the public IP address) as the “in-interface” and “out-interface” value. All interface names can be listed using the following command:
Step 4: Validating Your Setup
- Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX.
More information about the Firewall Checker can be found here.
- Check the Firewall configuration using the following commands:
- > ip address print
- > ip firewall nat print
- > ip firewall filter print
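The manual check of the NAT rules can also be scripted. The following is an added example, not part of the original 3CX guide: it compares dst-nat rule lines, in the key=value form used in Step 2, against the seven forwards listed there and reports missing, mis-targeted and extra forwards. The sample rules, the address 192.168.1.10 and the port numbers are constructed placeholder values, and the function names are hypothetical.

```python
import shlex

# Constructed sample: rule lines in the key=value form used in Step 2.
# The address and port numbers are placeholder values for illustration.
SAMPLE = '''
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=5001 protocol=tcp dst-port=5001 comment="3CX Presence and Provisioning HTTPS"
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=5060 protocol=udp dst-port=5060 comment="3CX SIP UDP"
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=5060 protocol=tcp dst-port=5060 comment="3CX SIP TCP"
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=5090 protocol=tcp dst-port=5090 comment="3CX Tunnel TCP"
add chain=dstnat action=dst-nat to-addresses=192.168.1.20 to-ports=5090 protocol=udp dst-port=5090 comment="3CX Tunnel UDP"
add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=8080 protocol=tcp dst-port=8080 comment="leftover test rule"
add chain=srcnat action=masquerade out-interface=ether1
'''

def parse_dstnat(text):
    """Return each dst-nat rule as a dict of its key=value properties."""
    rules = []
    for line in text.splitlines():
        # shlex keeps comment="two words" together as one token
        props = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        if props.get("action") == "dst-nat":
            rules.append(props)
    return rules

def audit(text, server_ip, https, sip, tunnel):
    """Compare dst-nat rules against the seven forwards listed in Step 2."""
    wanted = [("tcp", str(https)), ("udp", str(sip)), ("tcp", str(sip)),
              ("tcp", str(sip + 1)), ("udp", "9000-10999"),
              ("tcp", str(tunnel)), ("udp", str(tunnel))]
    rules = {(r.get("protocol"), r.get("dst-port")): r for r in parse_dstnat(text)}
    findings = []
    for key in wanted:
        rule = rules.pop(key, None)
        name = "/".join(key)
        if rule is None:
            findings.append(f"missing {name}")
        elif (rule.get("to-addresses"), rule.get("to-ports")) != (server_ip, key[1]):
            findings.append(f"wrong target {name} -> {rule.get('to-addresses')}:{rule.get('to-ports')}")
    # Anything left over is forwarded but is not in the Step 2 list.
    findings += [f"unexpected {p}/{d}" for p, d in rules]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.168.1.10", 5001, 5060, 5090):
        print(finding)
```

An empty result means the rules match Step 2 exactly; an "unexpected" finding is a forward that exposes a port 3CX does not need.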
Last Updated
This document was last updated on 23rd June 2023