Problem 3CX After Migrate to Nethsecurity

Initial Situation:
Client with a Proxmox Server with vm as a 3CX PBX and the other vm as NethServer 7 firewall.
No issues encountered

Current Situation:
Create new VM and import image of Nethsecurity, boot ok, install “firewall migration tool” on Nethserver7 Firewall and export the configuration.Shutdown the current firewall and import the configuration on new Nethsecurity firewall, no error encountered.

I see the Port Forwarding rules for 3CX and the firewall test on the 3cx is passed without error, sip trunk is registered, but i can’t make any call and receive too.
If i shutdown the new firewall and poweron the nethserver7 firewall is back to working.

Probably you should enable the SIP helper: NAT helpers — NethSecurity documentation

Hi @giacomo thx for answering


It meens that nat helpers becomes enabled only if i do migration in place, in my case with export configuration and upload to nethsecurity is still disabled? how can i check that from CLI?

No, it does not matter how you migrated.
You just need to make sure to have both the package on NS7 and the image of NethSecurity 8 at the latest release.

how can i check that from CLI?

Did you follow the link to dev manual?
It’s explained there:

Depending on what you’re testing, the command should be something like:

lsmod | grep ^nf_nat_sip


It meens that are enabled?

Yes, it means that the nf_nat_sip kernel module is loaded.

Ok so what i need to do? if is already enabled.

You need to inspect your PBX and see what is blocked.

Take a look to the documentation: How to configure your Firewall Router in 3CX Phone System

It’s clearly stated that SIP helpers should be disabled.
So disable them inside the firewall config, than check if all other documented configurations are in place.

1 Like

hi giacomo yes on the old firewall nethserver 7 sip alg was disabled, i try to edit that file /etc/modules.d/ns-nathelpers and remove these two lines:


and reboot the firewall
The content of the file now is these one:
image
but if i do this command seems the module still load:
image
But now the sip trunk not registered anymore by removing these two modules.

I try to remove only nf_nat_sip as you can see and reboot but the module is still loaded:
image

UPDATE:
As a workaround now i disable the module manually by doing these command:

rmmod nf_nat_sip
load-kernel-modules
service firewall restart

Wait your update @giacomo thx :slight_smile:

1 Like

@giacomo
So i restart from zero install nethsecurity without import the configuration and check if the nat sip module is enabled and it’s not enabled.
Now the 3cx works fine.

So the problem is something related to the import configuration.

1 Like

Thank you for reporting.
I will try to reproduce.

Hi @giacomo you have some news?

I’m plent to migrate 2-3 nethserver7 to nethsecurity all this installation have pbx behind the firewall, i would like to export the configuration and restore to nethsecurity because i have many openvpn roadwarrior configure on each nethserver7.

I want to know if there is any news regarding the problem I encountered, i.e. disabling the sip alg.

Thanks.

You need to disable the helpers manually after the migration.
Just wipe /etc/modules.d/ns-nathelpers and reboot.

1 Like