Per 3CX, Sonicwall devices are not supported with the 3CX phone system.
“A Sonicwall Firewall, with port forwarding implemented, is not able to determine that there is a corresponding NAT inbound rule on a port and will change the ports when sending outbound packets, and as a result the 3CX Firewall Checker tests will fail”
In essence, Sonicwall treats the VoIP traffic as originating from end users and assigns a random source port when sending packets out. The expected behavior, when appropriate port forwarding and NAT rules are in place, is to send and receive traffic on the same port.
Example of expected behavior:
PBX IP: 192.168.99.99
Public IP: 22.214.171.124
Port: UDP 5060
Traffic originating from the PBX will have a TCP header with the following Source IP::Port: <192.168.99.99::5060>
At the WAN destination (typically SIP trunk provider), the expected Source IP::Port in the TCP header would be:
This means that the port must not be translated.
Additionally, traffic originating from the WAN should have the following Destination IP::Port in its TCP header:
Thus, traffic received at the firewall WAN port should be forwarded to the 3CX PBX with the following Destination IP::Port in the TCP header:
Workaround/Solution for Sonicwall Firewalls:
Instead of setting up Access rules and NAT rules using the WAN Primary IP, you will use a second public IP address to resolve the issue. The second public IP address will not be assigned to any interface.
FIREWALL > SERVICE OBJECTS
Create the 3CX port service objects along with a 3CX port service group.
NETWORK > ADDRESS OBJECTS
Create a network object for the 3CX PBX LAN IP address <192.168.99.99> and one for the second public IP address, WAN_124_Test <126.96.36.199>.
NETWORK > NAT POLICY
Create a NAT policy to forward 3CX Ports to the 3CX PBX
When creating the NAT policy, be sure to check the box “Create reverse rule”
FIREWALL > ACCESS RULE
Create a firewall access rule which allows 3CX Service Ports ingress access through the firewall
Adjust VoIP settings as follows:
Enable consistent NAT == DISABLED
Enable SIP transformations == DISABLED
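To confirm that outbound packets from the PBX keep source port 5060 after these changes, the following added example (not code from 3CX or Sonicwall) sends a STUN Binding Request (RFC 5389) from that port and compares it with the source port the far side reports. The STUN server passed to check_live is an assumption you must supply, and sample_response only builds a constructed reply so the parser can be tested offline.

```python
import os, socket, struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)

def build_binding_request(txid=None):
    """20-byte Binding Request: type 0x0001, length 0, cookie, 12-byte transaction ID."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", 0x0001, 0, MAGIC) + txid, txid

def parse_mapped_address(resp, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS in a Binding Success Response."""
    if len(resp) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    if mtype != 0x0101 or cookie != MAGIC or resp[8:20] != txid:
        raise ValueError("not a matching Binding Success Response")
    pos, end = 20, min(20 + mlen, len(resp))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if atype == 0x0020 and len(val) >= 8 and val[1] == 0x01:  # IPv4 only
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC >> 16)
            addr = struct.unpack("!I", val[4:8])[0] ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def port_preserved(local_port, mapped):
    """True when the firewall left the source port untranslated."""
    return mapped[1] == local_port

def check_live(stun_host, stun_port=3478, local_port=5060, timeout=3.0):
    """Run on the PBX host with the SIP service stopped so local_port is free."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", local_port))
        s.sendto(req, (stun_host, stun_port))
        resp, _ = s.recvfrom(2048)
    mapped = parse_mapped_address(resp, txid)
    return mapped, port_preserved(local_port, mapped)

def sample_response(txid, ip, port):
    """Constructed Binding Success Response, for offline testing only."""
    xport = port ^ (MAGIC >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC) + txid + attr
```

With the workaround in place, the mapped address returned by check_live should be the second public IP with port 5060; any other port means the firewall is still translating the source port.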