====3CX Debian Linux Install====
1.) Enter hostname (not FQDN, e.g. voip-server)
2.) Enter domain name (e.g. example.com)
3.) Create root password
4.) Set timezone
5.) Setup disk (no LVM, all one partition)
6.) Choose stable version of install
7.) When prompted on how to run the tool, choose (2) From Command Line
8.) Create a new install.. -> enter license key -> create username for web console and password
9.) Let it auto detect your public IP -> Set to Dynamic IP
10.) Set local static IP
11.) Enter hostname that will be used as prefix for 3CX's free FQDN service
12.) Set region -> select a domain suffix
13.) Set DNS options -> set internal FQDN (I choose to use the name that results from step 1 and 2)
14.) Set port settings, defaults are fine
15.) Set # of digits extensions should have (I choose 3)
16.) Enter email for logs/etc
17.) Set region -> country -> timezone
18.) Set Operator/reception extension (I use 100) -> enter name/email/etc
19.) Set voicemailbox extension
20.) Set language prompts
21.) Enter contact info
22.) Reboot
23.) Login to console and set local static IP (the wizard didn't stick) -> edit /etc/network/interfaces
iface eth0 inet static
address 192.168.1.202
netmask 255.255.255.0
gateway 192.0.1.1
Set DNS to some public DNS providers: /etc/resolv.conf
then systemctl restart networking
24.) Update: apt-get update && apt-get upgrade -> Reboot
25.) Login to web ui using local static IP: https://xx.xx.xx.xx:5001
26.) Enable automatic backups & visit update page and install all non-beta updates
27.) Register your sip trunk (we like Flowroute, Callcentric then VOIP.ms as a backup) and configure your outbound rules (create one for 911 at top, then for 11 digit, then 10 digit (prepend 1) then 7 digit (prepend 1 + local area code))
28.) Plug in your phones and assign an extension, test inbound and outbound. (If the phones don't show up and you have some IGMP snooping or broadcast/multicast filtering enabled on the switch this might be the cause)
29.) Create groups to assign permissions. Groups should represent distinctions between roles that might need additional features or feature restrictions. Set the default group to match what most extensions will need, then build other groups off this and remove extensions from the default group when they are added to other groups.
30.) Create additional extensions (we space out extensions based on company sizes, like take the largest dept and use that + some headroom as the interval for extension numbers, so if there were 8 departments and the largest was 18 users then reception+special would be 100-129 deptA 130-159, deptB 160-189, deptC 190-219, deptD 220-249, then use the 900s for things like ring groups, paging groups, etc)
====NTP Server====
On the VOIP VLAN we allow only the 3CX server to access the Internet. The IP phones need to communicate with an NTP server, so we'll use the Debian-based 3CX install to set up an NTP server.
==Install NTP==
apt-get install ntp
systemctl enable ntp
systemctl restart ntp
==Setup firewall rule==
vi /etc/nftables.conf
Add the line after one of the other "INPUT" lines
add rule ip filter INPUT udp dport 123 ct state new,established counter accept
====Notes====
Note: On each extension -> voicemail, send as attachment and delete from mbox -> BLF, set 1st 3 as Line keys, remaining as needed according to role.
Notes: on transferring calls, putting them on hold then typing in the extension will allow you to transfer (which will make your ext call the dest ext and see if someone is there before transferring) or to btransfer (which will transfer the call directly to the destination); if you transfer and press a line key name then you won't get those options and the CallerID will be changed to the source ext and not the original caller...
Note: To prevent the Ringgroup/queue name from showing up in the caller ID -> Please navigate to Contacts/Options and select do not add under "Add Group, Queue or DID/DDI Names to Caller ID".
Note: Asterisk/Trixbox behind Untangle
Asterisk-based telephony systems handle end-to-end SIP communication. In this case, disabling the SIP NAT Helper as well as the SIP Bypass Rule in the Config->Networking->Advanced section is necessary. Without these changes, outbound calls will still work, but no inbound calls will work. Remember to set Port Forwarding for the SIP port(s) and RTP port range. A reboot of Untangle is required after the changes, or unusual SIP information in the Asterisk Verbose Logging will occur such as "ss-noservice." Remember that extensions inside the network need to be set with "nat = no" or the extension will not connect.
Most VoIP providers require Registration (a good thing). If Untangle's Attack Blocker is installed, it will probably see the Registration attempts as an attack and block them. Either adding an exception to the IP of the Registration site or removing the Attack Blocker rack module will solve this problem. A nameserver lookup (on Windows: "nslookup" in the command prompt) is recommended to determine which IP is associated to the registration server.
Note: An issue with dropped inbound calls after 15-18 seconds was found when using Flowroute and 3CX (Callcentric had some issues where it wouldn't disconnect). To resolve we did step 2 on this page for our pfSense gateway: https://www.3cx.com/docs/pfsense-firewall/
====QoS====
Setup QoS on Debian to tag packets as DSCP 56
[[https://www.3cx.com/blog/voip-howto/qos-linux/|https://www.3cx.com/blog/voip-howto/qos-linux/]]
Step 1: Making sure your QoS rules are applied permanently to your system
By default, your Debian Linux system will NOT save any rules applied at runtime. This can however be resolved by adding the iptables-persistent package to your installation as follows:
apt-get install iptables-persistent
iptables -A OUTPUT -t mangle -p udp -m udp --sport 5060 -j DSCP --set-dscp-class ef
iptables -A OUTPUT -t mangle -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp-class ef
iptables accepts the commands and after saving with '/etc/init.d/iptables save' the commands can be found in the rules-save file
iptables -t mangle -nvL
Step 3: Checking QoS is Applied to Outbound Traffic
Use tcpdump to create a network capture file for you to examine using Wireshark on some other computer:
tcpdump -s 0 -w 247-check-dscp.pcap
Download this file onto your PC, and open it with Wireshark. You can check that outbound traffic is indeed being tagged with the correct DSCP value.
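The same check can be scripted instead of done by eye in Wireshark. The following is an added example, not part of the original notes or the 3CX guide: it reads a classic pcap file, such as the one tcpdump writes, and reports the DSCP value on every UDP packet sent from the source ports the iptables rules match. The ef class those rules set is DSCP 46 (TOS byte 0xb8). The function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

EF = 46  # DSCP value of the "ef" class (TOS byte 0xb8)

def is_voip_sport(port):
    # Source ports matched by the mangle rules: SIP 5060, RTP 10000-20000.
    return port == 5060 or 10000 <= port <= 20000

def dscp_by_sport(pcap_bytes):
    """Count UDP/IPv4 packets from VoIP source ports, keyed by (sport, dscp)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not a full Ethernet + IPv4 header.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 8:  # 17 = UDP
            continue
        sport = struct.unpack("!H", frame[14 + ihl:16 + ihl])[0]
        if is_voip_sport(sport):
            seen[(sport, frame[15] >> 2)] += 1  # DSCP = top 6 bits of TOS
    return seen

def untagged(seen, expected=EF):
    """Source ports that sent at least one packet without the expected DSCP."""
    return sorted({sport for (sport, dscp) in seen if dscp != expected})

def _frame(sport, tos):
    # Constructed Ethernet/IPv4/UDP frame; addresses and checksums are dummies.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 202]), bytes([203, 0, 113, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, 5060, 8, 0)

# Constructed sample capture: two tagged packets, one untagged RTP, one DNS.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for f in (_frame(5060, 0xB8), _frame(12000, 0xB8), _frame(12002, 0), _frame(53, 0)):
    SAMPLE += struct.pack("<IIII", 0, 0, len(f), len(f)) + f

if __name__ == "__main__":
    print(dict(dscp_by_sport(SAMPLE)), "untagged ports:", untagged(dscp_by_sport(SAMPLE)))
```

To run it against the real capture, pass the contents of 247-check-dscp.pcap (read in binary mode) to dscp_by_sport in place of SAMPLE. An empty list from untagged means every SIP and RTP packet in the capture carried the expected DSCP.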