Problem 3CX After Migrate to Nethsecurity

Denis_Pollini · June 5, 2024, 2:09pm

Initial Situation:
Client with a Proxmox Server with vm as a 3CX PBX and the other vm as NethServer 7 firewall.
No issues encountered

Current Situation:
Create new VM and import image of Nethsecurity, boot ok, install “firewall migration tool” on Nethserver7 Firewall and export the configuration.Shutdown the current firewall and import the configuration on new Nethsecurity firewall, no error encountered.

I see the Port Forwarding rules for 3CX and the firewall test on the 3cx is passed without error, sip trunk is registered, but i can’t make any call and receive too.
If i shutdown the new firewall and poweron the nethserver7 firewall is back to working.

giacomo · June 5, 2024, 2:36pm

Probably you should enable the SIP helper: NAT helpers — NethSecurity documentation

Denis_Pollini · June 5, 2024, 2:42pm

Hi @giacomo thx for answering

It meens that nat helpers becomes enabled only if i do migration in place, in my case with export configuration and upload to nethsecurity is still disabled? how can i check that from CLI?

giacomo · June 5, 2024, 2:52pm

No, it does not matter how you migrated.
You just need to make sure to have both the package on NS7 and the image of NethSecurity 8 at the latest release.

how can i check that from CLI?

Did you follow the link to dev manual?
It’s explained there:

Depending on what you’re testing, the command should be something like:

lsmod | grep ^nf_nat_sip

Denis_Pollini · June 5, 2024, 3:12pm

It meens that are enabled?

mrmarkuz · June 5, 2024, 3:27pm

Yes, it means that the nf_nat_sip kernel module is loaded.

Denis_Pollini · June 5, 2024, 3:30pm

Ok so what i need to do? if is already enabled.

giacomo · June 6, 2024, 7:52am

You need to inspect your PBX and see what is blocked.

Take a look to the documentation: How to configure your Firewall Router in 3CX Phone System

It’s clearly stated that SIP helpers should be disabled.
So disable them inside the firewall config, than check if all other documented configurations are in place.

Denis_Pollini · June 6, 2024, 9:07am

hi giacomo yes on the old firewall nethserver 7 sip alg was disabled, i try to edit that file /etc/modules.d/ns-nathelpers and remove these two lines:

and reboot the firewall
The content of the file now is these one:

but if i do this command seems the module still load:

But now the sip trunk not registered anymore by removing these two modules.

I try to remove only nf_nat_sip as you can see and reboot but the module is still loaded:

UPDATE:
As a workaround now i disable the module manually by doing these command:

rmmod nf_nat_sip
load-kernel-modules
service firewall restart

Wait your update @giacomo thx

Denis_Pollini · June 6, 2024, 2:52pm

@giacomo
So i restart from zero install nethsecurity without import the configuration and check if the nat sip module is enabled and it’s not enabled.
Now the 3cx works fine.

So the problem is something related to the import configuration.

giacomo · June 6, 2024, 3:29pm

Thank you for reporting.
I will try to reproduce.

Denis_Pollini · June 21, 2024, 2:28pm

Hi @giacomo you have some news?

I’m plent to migrate 2-3 nethserver7 to nethsecurity all this installation have pbx behind the firewall, i would like to export the configuration and restore to nethsecurity because i have many openvpn roadwarrior configure on each nethserver7.

I want to know if there is any news regarding the problem I encountered, i.e. disabling the sip alg.

Thanks.

giacomo · June 21, 2024, 3:10pm

You need to disable the helpers manually after the migration.
Just wipe /etc/modules.d/ns-nathelpers and reboot.