How do I configure my firewall/router?
The outbound traffic detailed below must be permitted. If you need to limit outbound traffic to a certain destination, you should only do so with the FQDN of your PBX Blue service – we can provide this to you. You should not use the IP address of the service as it can change at any time.
Physical phones provisioned directly to PBX Blue and not through an SBC (including desk phones, conference phones, DECT units, door intercoms etc.):
- Outbound destination port TCP 443
- Outbound destination port TCP + UDP 5060
- Outbound destination port TCP 5061
- Outbound destination port range UDP 9000-10999
Soft clients (i.e. 3CX web client; 3CX Windows, macOS, iOS and Android apps):
- Outbound destination port TCP + UDP 5090
- Outbound destination port 443
Deployments with a Session Border Controller (SBC):
- Outbound destination port TCP + UDP 5090
- Outbound destination port 443
- Phones and SBC should be on the same subnet
The list above assumes that stateful firewalls are in use. If your router or firewall is stateless, you will likely need to create a second set of those rules in the reverse direction.
SIP ALG/helper
SIP ALG (sometimes known as SIP Helper or inspect SIP) must be disabled on your router or firewall. The feature causes more problems than it solves. Please consult the documentation for your router or firewall on how to disable it.
Voice VLAN
You can put physical phones and alike into a dedicated VLAN for voice traffic.
Yealink phones support LLDP for dynamic voice VLAN assignment and it is enabled by default. Consult the documentation for your switch. Alternatively, you can use an OUI-based VLAN assignment feature. At time of writing, the following OUIs are used for Yealink phones:
- 00:15:65
- 80:5E:C0
- 80:5E:0C
- 24:9A:D8
If you have multiple voice VLANs and have an SBC deployed, ensure the voice VLANs are fully routed and do not have any firewall restrictions between them. Alternatively, you can deploy an SBC within each voice VLAN.
CGNAT
Internet connections that have CGNAT enabled, including mobile internet connections, will not register correctly with PBX Blue when physical phones are provisioned directly to it.
Where possible, please ask your internet service provider to disable CGNAT on your service. Alternatively, you can deploy an SBC. Please let us know if this is required and we will help you out.
Soft clients (i.e. 3CX web client; 3CX Windows, macOS, iOS and Android apps) are not affected by CGNAT and will work.