Included with 3CX is the 3CX Tunnel, also known as the 3CX SBC. This software, which can be run on either a Raspberry Pi or a Windows PC, allows for easier connection of remote extensions to a remote 3CX phone system. Using port 5090 by default, (unless being utilized in a multi-tenant array). The 3CX Tunnel combines all SIP and RTP VoIP Packets from one location and can deliver them to the 3CX servers location on a single port. This allows the traffic to help overcome various firewall and mobile network issues and allows a simpler route to configuring remote extensions on your system. Some of the other reasons to use it include:
- Resolve issues of NAT Traversal at the remote location.
- Simplified Firewall configuration at both the remote and the PBX location.
- Overcome difficulties with ISP's that block VoIP Traffic based on port numbers.
- Allows VoIP-over-WiFi in some restricted locations
- Can help overcome troublesome firewalls that can not handle VoIP traffic correctly
or are problematic to configure.
The 3CX Tunnel functions using port 5090 by default, unless being utilized in a multi-tenant environment, and helps allow easier remote connection of extensions back to the 3CX server. In order to do this, you will need to setup the 3CX SBC software on either a Windows PC, or a Raspberry Pi. (the 3CX tunnel will be installed at the phones location, not on the PBX's LAN) The Windows SBC can support up to 16 phones, and the Raspberry Pi can support up to 5 phones. Using more on either device can lead to dropped calls, so it is not recommended to go over that limit. However, you can have multiple SBC's running on one LAN, splitting up the devices. When using the 3CX tunnel you will only have to worry about forwarding the designated tunnel port.
One use case for the 3CX SBC; say you have two or more phones located at a remote site, the SBC will route the signaling back to the phone system through the port selected, however it will keep the media streams local for extension to extension calls at the remote site. This will help limit bandwidth requirements for phones at the remote site.
Another usage scenario for the 3CX Tunnel is for remote 3CXPhone users. The 3CXPhone application has a built in tunnel which when configured at the extension level, will automatically be used when it is detected that it is not on the LAN. This will help voip calls navigate on mobile networks where port 5060 can be blocked by the mobile network provider.
There are several steps needed to ensure that your system is correctly setup to use the 3CX tunnel.
First, let's configure the PBX.
In the 3CX Management Console, look under settings for the Security --> 3CX Tunnel tab. The tunnel password is set to a randomly generated value, you can use this password or change it to something different. You will also see the local IP and tunnel port options. These do not need to be changed and in a cloud system cannot be changed. The tunnel port on a single install of 3cx will default to 5090, in a multi-tenant cloud system, this will change depending upon which tenant you are. For example, Instance 9 on a multi-tenant server will default to tunnel port 13090.
Click OK and the tunnel service will restart automatically.
Next, we are going to look at the configuration of the firewall. When using the 3CX tunnel or 3CX SBC, you will only need to open up the designated tunnel port for remote connections. Please remember to open both UDP and TCP connections through this port.
Configuration on Remote Sites:
Prior to installing the 3CX SBC software, you will want to ensure that all other network adapters on your PC are disabled outside of the one you are going to be using, this can include, Bluetooth, Wireless, and additional Ethernet ports. You will also want to disable IPv6 on the network adapter that you are going to be using. If you do not take these steps, the SBC software can conflict with the different network adapters and lead to 3CX pulling an incorrect IP address for the location of your SBC. If you change this in 3CX to the correct IP your phones will provision, however, it is likely that any outbound calls from that phone will give you a 403 Forbidden error. An example of this faulty IP address is shown below. In our case it is showing the SBC at 169.254.199.132:5060 which is not correct. Our SBC is located at 192.168.90.175.
The 3CX SBC software can be installed on either a Windows PC or a Raspberry Pi. We will go over how to install the software on a Windows PC in this guide.
First, you will need to download the 3CX SBC for Windows software. Go ahead and launch the installer once it has completed downloading.
After you get past the terms & conditions you will be faced with this screen.
You will enter the details from your 3CX server here. In this example, our FQDN is testpbx.test.com. This will vary depending upon your configuration and can either be your public/external IP or the FQDN. In a single install, you should not need to change the ports here, however, if you're in a multi-tenant environment, these values will be different depending upon which tenant you are. Based on the earlier example, Tenant 9 would need you to change the 3CX PBX SIP Port to 13060 and the 3CX Tunnel Port to 13090.
On the next page you will see the option for a failover PBX. If have another server on standby, you can enable this option and enter the public IP of that 3CX server and the SBC software will know to roll-over to that server when your primary server has failed.
Finally, you will be presented with the screen below.
You are going to enter the password that was generated by 3CX for you in the earlier steps, unless you changed it to something different. You also have the ability to turn encryption on or off. By default it is on and it adds a layer of security by encrypting all of the calls passing through the 3CX Tunnel. Go ahead and click next and the 3CX SBC service will install and start. You can now move onto configuring phones to work through the 3CX SBC.
Configuration of a Phone on the SBC:
We will go over the manual and automatic configuration of a Yealink device to the 3CX SBC in this article.
To begin, create an extension on 3CX, for this example we will be using 203. Once completed, you will want to return to the phone's gui. Go ahead and enter the details from 3CX for the extension you created, (Register Name, User Name, Password). Proceed to the SIP Server settings, this will be set to the FQDN of your hosted server, or the public IP of that server depending upon your setup. In this example, this is a hosted server that is positioned as tenant 9, and is using port 13060 to communicate. The port will vary depending upon your setup. Finally, you will need to set your outbound proxy settings. This will be set to the IP address of the Windows PC/Raspberry Pi that you installed the SBC software on. In this example, it is located at 192.168.90.175 and the phones will still communicate back to the SBC using port 5060. It is just the connection from the SBC to the 3CX server that is using the designated tunnel port. These settings are pictured below. Apply the settings and you should see the device register.
To do this, proceed to the phones tab in 3CX. 3CX will recognize all the phones that are plugged into the network that the SBC is setup on. This will allow you to easily autoprovision and set phones up through the 3CX management console. The image below is how unprovisioned phones on the SBC's network will show up in 3CX.
Select the phone you would like to provision and assign the device to an existing extension, or create a new extension. When assigning a phone to an existing or new extension, 3CX will automatically fill in the necessary information. You will want to ensure that the private IP address of the SBC is located in the IP address of 3CX SBC field. Once completed and you have applied the changes, the phone will receive the NOTIFY to provision and will pull down it's config from the 3CX server. This page is pictured below.