kup4ooo
just joined
Topic Author
Posts: 10
Joined: Tue Apr 15, 2014 12:43 pm

SIP phone fails to connect

Sun Apr 27, 2014 8:58 pm

RB2011UAS-2HnD is my router.
I have a SIP server (PBX) behind the router,
a VPN (IPsec/L2TP),
and a few external SIP phones that connect to the SIP server from the WAN.
Ports 5060-5082 and 10000-20000 UDP and 5060 TCP are forwarded (dst-nat) to the PBX.
When a VPN client connects to the router from the WAN and there is a SIP phone connected
to the PBX from the same LAN, the SIP phone fails to register to the PBX.
And it stays like this for a while after the VPN client is disconnected.

I know that the router sees one VPN client and one SIP client from the same NATed IP,
and probably this is the reason for the problem.

How can I resolve this? Attaching a second real IP to the PBX and moving it
in front of the router or outside the router is not possible for the moment.

PLEASE HELP.
 
falestiny
Frequent Visitor
Posts: 51
Joined: Fri Sep 10, 2010 3:11 pm
Location: everywhere

Re: SIP phone fails to connect

Sun Apr 27, 2014 11:04 pm

Please post your configuration so we can check it.
 
kup4ooo

Re: SIP phone fails to connect

Tue Apr 29, 2014 8:24 am

/ip firewall address-list
add address="remote_office_1_IP" list=safe
add address="SIP PROVIDER TRUNK IP" list=safe
add address="remote_office_2_IP" list=safe
add address="Local network behind the router" list=safe
/ip firewall filter
add action=log chain=input comment="LOG input" log-prefix=Filter:
add chain=input comment="allow DNS request" dst-port=53 protocol=tcp
add chain=forward comment="allow DNS request" dst-port=53 protocol=tcp
add chain=input comment="Allow DNS request" dst-port=53 protocol=udp
add chain=forward comment="Allow DNS request" dst-port=53 protocol=udp
add chain=forward dst-port=5060 protocol=tcp src-address-list=safe
add chain=input dst-port=5060 protocol=tcp src-address-list=safe
add chain=input dst-port=5060-5082,10000-20000 protocol=udp src-address-list=safe
add chain=forward dst-port=5060-5082,10000-20000 protocol=udp src-address-list=safe
add chain=input comment="accept established connection packets" connection-state=established
add chain=input comment="accept related connection packets" connection-state=related
add chain=input comment="Allow access to router from known network" src-address-list=safe
add chain=input comment=SSH_ROUTER dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=53056 protocol=tcp
add chain=input comment=SSH_ROUTER dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=53056 protocol=udp
add chain=input comment=WINBOX dst-port=8291 protocol=tcp
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 protocol=icmp
add chain=services comment="allow IPSec connections" dst-port=500 protocol=udp
add chain=services comment="allow IPSec connections" dst-port=1701 protocol=udp
add chain=services comment="allow IPSec connections" dst-port=4500 protocol=udp
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah
add chain=input comment="allow SMTP" dst-port=25 protocol=tcp
add chain=forward comment="allow SMTP" dst-port=25 protocol=tcp
add chain=input comment="allow POP3" dst-port=110 protocol=tcp
add chain=forward comment="allow POP3" dst-port=110 protocol=tcp
add chain=input comment="allow POP3 SSL" dst-port=995 protocol=tcp
add chain=forward comment="allow POP3 SSL" dst-port=995 protocol=tcp
add chain=input comment="allow SSL SMTP" dst-port=465 protocol=tcp
add chain=forward comment="allow SSL SMTP" dst-port=465 protocol=tcp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add action=drop chain=input comment="drop everything else"
add chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=5060 new-connection-mark=SIPPP protocol=udp
add action=mark-connection chain=prerouting connection-state=new disabled=yes new-connection-mark=SIPPP protocol=udp src-port=5060
add action=mark-packet chain=prerouting connection-mark=SIPPP disabled=yes new-packet-mark=SIPPPACK
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT  rule" out-interface=bridgeWan src-address=192.168.20.0/24
add action=netmap chain=dstnat comment="SIP TCP 5060 IN" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=5060 protocol=tcp to-addresses=192.168.20.2 to-ports=5060
add action=netmap chain=dstnat comment="SIP UDP 5060-5082 IN" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=5060-5082,10000-20000 protocol=udp to-addresses=192.168.20.2 to-ports=\
    5060-5082
add action=netmap chain=srcnat comment="SIP TCP 5060 OUT" protocol=tcp src-address=192.168.20.2 src-port=5060 to-ports=5060
add action=netmap chain=srcnat comment="SIP UDP 5060-5082 OUT" protocol=udp src-address=192.168.20.2 src-port=5060-5082,10000-20000 to-ports=5060
add action=netmap chain=dstnat comment="HTTP TO SIP" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=8182 protocol=tcp to-addresses=192.168.20.2 to-ports=80
add action=netmap chain=dstnat comment="SSH DOM0" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=22022 protocol=tcp to-addresses=192.168.20.2 to-ports=22
add action=netmap chain=dstnat comment="SSH DOM0" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=22022 protocol=udp to-addresses=192.168.20.2 to-ports=22
add action=netmap chain=dstnat comment="DNS forward" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=53 protocol=tcp to-addresses=192.168.20.3 to-ports=53
add action=netmap chain=dstnat comment="DNS forward" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=53 protocol=udp to-addresses=192.168.20.3 to-ports=53
add action=netmap chain=srcnat comment="DNS forward OUT" protocol=tcp src-address=192.168.20.3 src-port=53 to-ports=53
add action=netmap chain=srcnat comment="DNS forward OUT" protocol=udp src-address=192.168.20.3 src-port=53 to-ports=53
add action=netmap chain=dstnat comment="SMTP forward" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=25 protocol=tcp to-addresses=192.168.20.4 to-ports=25
add action=netmap chain=srcnat comment="SMTP forward" dst-port=25 protocol=tcp src-address=192.168.20.4 to-ports=25
add action=netmap chain=dstnat comment="SMTP/SSL forward" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=465 protocol=tcp to-addresses=192.168.20.4 to-ports=465
add action=netmap chain=srcnat comment="SMTP/SSL forward" dst-port=465 protocol=tcp src-address=192.168.20.4 to-ports=465
add action=netmap chain=dstnat comment="POP3 forward" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=110 protocol=tcp to-addresses=192.168.20.4 to-ports=110
add action=netmap chain=srcnat comment="POP3 forward" dst-port=110 protocol=tcp src-address=192.168.20.4 to-ports=110
add action=netmap chain=dstnat comment="POP3/SSL forward" dst-address="EXTERNAL REAL IP OF THE ROUTER" dst-port=995 protocol=tcp to-addresses=192.168.20.4 to-ports=995
add action=netmap chain=srcnat comment="POP3/SSL forward" dst-port=995 protocol=tcp src-address=192.168.20.4 to-ports=995
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip ports=5060,5090
set pptp disabled=yes
/interface bridge
add arp=proxy-arp l2mtu=1598 name=bridgeLan
add admin-mac="MAC ADDRESS" arp=proxy-arp auto-mac=no l2mtu=1598 name=\
    bridgeWan
/interface ethernet
set 6 arp=proxy-arp
set 10 arp=proxy-arp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
    allowed management-protection-key="blablabla" mode=dynamic-keys name=\
    vatex_office supplicant-identity="" wpa-pre-shared-key=baubau \
    wpa2-pre-shared-key="baubau"
/interface wireless
set 0 band=2ghz-b/g/n disabled=no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 \
    mode=ap-bridge security-profile=vatex_office ssid=wirele55_office
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256
/ip pool
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.100
add name=vpn ranges=192.168.20.245-192.168.20.250
add name=hotel ranges=192.168.20.252-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridgeLan name=dhcp1
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=192.168.20.244 name=vatex-vpn \
    remote-address=vpn
set 2 local-address=192.168.20.251 remote-address=hotel
/interface bridge port
add bridge=bridgeLan interface=ether2
add bridge=bridgeLan interface=ether3
add bridge=bridgeLan interface=ether4
add bridge=bridgeLan interface=ether5
add bridge=bridgeLan interface=ether6
add bridge=bridgeLan interface=ether7
add bridge=bridgeLan interface=ether8
add bridge=bridgeLan interface=ether9
add bridge=bridgeLan interface=ether10
add bridge=bridgeLan interface=wlan1
add bridge=bridgeWan interface=sfp1
add bridge=bridgeWan interface=ether1
/interface l2tp-server server
set default-profile=vatex-vpn enabled=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default
/ip address
add address=192.168.20.1/24 interface=bridgeLan network=192.168.20.0
add address=10.5.50.1/24 comment="hotspot network" disabled=yes interface=wlan1 \
    network=10.5.50.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=bridgeWan
/ip dhcp-server lease
add address=192.168.20.9 client-id="" mac-address=\
    "" server=dhcp1
add address=192.168.20.6 mac-address="" server=dhcp1
add address=192.168.20.2 mac-address="" server=dhcp1
add address=192.168.20.3 mac-address="" server=dhcp1
add address=192.168.20.4 mac-address="" server=dhcp1
add address=192.168.20.5 mac-address="" server=dhcp1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.3 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=192.168.20.3,192.168.20.3
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes secret=blablablabla
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=60000
set ssh port=53056
/ppp secret
add name=kup4ooo password=blablablablabla profile=vatex-vpn service=l2tp
add disabled=yes name=ppp1 password=blabla profile=vatex-vpn service=l2tp
/system logging
set 0 action=disk disabled=yes
set 1 action=disk disabled=yes
set 2 action=disk disabled=yes
set 3 action=disk disabled=yes
add action=disk prefix=CRITICAL: topics=critical
add action=echo prefix=CRITICAL: topics=critical
add action=disk prefix=ERROR: topics=error
add prefix=INFO: topics=info
/system ntp client
set enabled=yes primary-ntp=193.104.79.174 secondary-ntp=78.83.48.155
/system ntp server
set broadcast=yes broadcast-addresses=192.168.20.1 multicast=yes
192.168.20.2 is the SIP server and also the Xen dom0.
192.168.20.3 is the DNS server (Xen virtual machine).
192.168.20.4 is the web server (Xen virtual machine).
The web server and DNS are still in the configuration stage, and their ports may not be correct or complete at all.

The service-port config has been tested with and without SIP enabled; the problem persists.
 
falestiny

Re: SIP phone fails to connect

Tue Apr 29, 2014 9:39 am

Are you able to ping the SIP server from the VPN client?
 
kup4ooo

Re: SIP phone fails to connect

Tue Apr 29, 2014 1:15 pm

C:\Users\admin>ping 192.168.20.2

Pinging 192.168.20.2 with 32 bytes of data:
Reply from 192.168.20.2: bytes=32 time=505ms TTL=63
Reply from 192.168.20.2: bytes=32 time=30ms TTL=63
Reply from 192.168.20.2: bytes=32 time=30ms TTL=63
Reply from 192.168.20.2: bytes=32 time=30ms TTL=63

Ping statistics for 192.168.20.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 30ms, Maximum = 505ms, Average = 148ms
I can even connect to it with a software phone, if I set the address to the internal IP of the server, 192.168.20.2.
 
falestiny

Re: SIP phone fails to connect

Tue Apr 29, 2014 1:20 pm

Hmmm, it seems to be a hairpin issue.

Try adding the lines below to your NAT firewall configuration:

add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.20.2 out-interface=bridgeLan src-address=192.168.20.0/24
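To make the hairpin case concrete, here is an added Python model (not from the thread and not RouterOS code) of the dstnat, routing and srcnat steps a packet takes through the router. It uses the thread's addresses (LAN 192.168.20.0/24, PBX 192.168.20.2, bridgeLan 192.168.20.1) and a constructed public IP 203.0.113.10 in place of the real one. It shows why a LAN phone that registers to the public IP gets its reply straight from the PBX's private address when only the dstnat rule exists, why the extra masquerade rule above sends the reply back through the router instead, and that a phone arriving from the WAN never needs the hairpin rule. The model is deliberately simplified: conntrack and the phone's SIP stack are reduced to "the reply must come from the address the phone sent to".

```python
"""Toy model of RouterOS NAT order (dstnat -> route -> srcnat) for hairpin NAT.
Added example; addresses come from the forum thread except the constructed
public IP 203.0.113.10 and the constructed phone addresses used in __main__."""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.20.0/24")   # the thread's LAN
PBX_IP = "192.168.20.2"                          # SIP server from the thread
ROUTER_LAN_IP = "192.168.20.1"                   # bridgeLan address from the thread
PUBLIC_IP = "203.0.113.10"                       # constructed stand-in for the real WAN IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def out_interface(pkt: Packet) -> str:
    # The routing decision is made after dstnat, on the translated destination.
    return "bridgeLan" if in_lan(pkt.dst) else "bridgeWan"


def dstnat(pkt: Packet) -> Packet:
    # Equivalent of the thread's "SIP UDP 5060-5082 IN" rule: public IP -> PBX.
    if pkt.dst == PUBLIC_IP and 5060 <= pkt.dport <= 5082:
        return replace(pkt, dst=PBX_IP)
    return pkt


def srcnat(pkt: Packet, hairpin: bool) -> Packet:
    oif = out_interface(pkt)
    if in_lan(pkt.src) and oif == "bridgeWan":
        return replace(pkt, src=PUBLIC_IP)        # the "Default NAT rule" masquerade
    if hairpin and in_lan(pkt.src) and pkt.dst == PBX_IP and oif == "bridgeLan":
        return replace(pkt, src=ROUTER_LAN_IP)    # the hairpin masquerade rule
    return pkt


def reply_source_seen_by_phone(phone_ip: str, hairpin: bool) -> str:
    """A phone sends REGISTER to PUBLIC_IP:5060; return the source address the
    phone sees on the PBX's reply."""
    req = Packet(src=phone_ip, dst=PUBLIC_IP, dport=5060)
    at_pbx = srcnat(dstnat(req), hairpin)
    reply_dst = at_pbx.src                        # the PBX answers whatever source it saw
    if in_lan(reply_dst) and reply_dst != ROUTER_LAN_IP:
        # Same subnet as the PBX: the reply goes straight to the phone and never
        # reaches the router, so nothing undoes the dstnat. Phone sees PBX_IP.
        return PBX_IP
    # Reply comes back to the router (WAN client, or hairpin): conntrack reverses
    # both translations and the phone sees the address it originally sent to.
    return PUBLIC_IP


def registers(phone_ip: str, hairpin: bool) -> bool:
    """Simplification: a SIP client accepts the reply only if it comes from
    the address it addressed the request to."""
    return reply_source_seen_by_phone(phone_ip, hairpin) == PUBLIC_IP


if __name__ == "__main__":
    cases = (("192.168.20.50", False), ("192.168.20.50", True), ("198.51.100.7", False))
    for phone, hp in cases:
        verdict = "registers" if registers(phone, hp) else "fails"
        print(f"{phone} {'with' if hp else 'without'} hairpin rule -> {verdict}")
```

Note that an L2TP client holding an address from the `vpn` pool (192.168.20.245-250) falls inside the same /24 in this model and therefore behaves like a LAN phone when it targets the public IP, which matches what the thread reports for the soft phone on the VPN client.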
 
kup4ooo

Re: SIP phone fails to connect

Tue Apr 29, 2014 3:05 pm

I tried it and put the rule at the top of the rules.
There is no result from it.

The HTTP interface is reachable from the VPN client on both IPs, public and private.
But SIP isn't. The soft phone of the VPN client can't connect to the public IP of the SIP server, only to the private one.
The hardware SIP phone on the same private network as the VPN client can't register to the SIP server.

I will read more about the hairpin problem. I just didn't know that this is its name.

I attach one picture of the situation just to be exact.

My problem is with the SIP phones where the VPN client is. So remote SIP phone 1 can't connect when the VPN client is connected to the tunnel. Also, when the client closes the VPN connection, the SIP phone registers after a few hours; it looks like some kind of timeout.
This is my confusion. I don't know where to search.
Meanwhile, remote hardware phone 2 on another private network somewhere on the internet is working perfectly. Of course, when I have a VPN client on that network, remote SIP phone 2 can't register.

Strange, now the phones connect very fast after disconnecting the VPN client.
 
falestiny

Re: SIP phone fails to connect

Tue Apr 29, 2014 3:36 pm

Did you enable the "use IP firewall" option in the bridge settings?
 
kup4ooo

Re: SIP phone fails to connect

Tue Apr 29, 2014 4:15 pm

I checked it now and tried again, but it's the same situation.
I will try to make a Wireshark dump file later and see what happens in the LAN of the remote SIP client and VPN client.
 
falestiny

Re: SIP phone fails to connect

Tue Apr 29, 2014 4:21 pm

Make sure this option is enabled; otherwise none of the firewall rules will be applied to bridge ports.
 
kup4ooo

Re: SIP phone fails to connect

Thu May 01, 2014 9:21 am

Yes, it is enabled. But it's the same situation.
I will try to clear all the settings of the remote clients' routers, since they don't have anything special except NAT masquerading.

The backup plan is to replace the remote routers with small MikroTiks and make a VPN tunnel to the SIP server router.
For now this is impossible, since the first router is a Linksys with few or no settings on it, and the second is an old SonicWall, which is almost at end of life.
 
whoknew
Member Candidate
Posts: 153
Joined: Wed Oct 13, 2010 8:51 pm

Re: SIP phone fails to connect

Thu May 01, 2014 3:30 pm

I have had problems with the built-in SIP helper in RouterOS on a couple of occasions.

Try disabling the SIP helper under /ip firewall service-port.
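Since the SIP helper works by rewriting the addresses inside SIP headers, one way to confirm from a capture taken at the PBX side whether the helper (or any other ALG on the path) has touched a REGISTER is to compare the host in Via and Contact with the phone's own LAN address and with the address the packet actually arrived from. The check below is an added Python example, not part of this post or of RouterOS; the REGISTER message, the phone LAN address 10.0.0.23 and the NAT public address 198.51.100.7 are constructed.

```python
"""Classify Via/Contact addresses of a SIP request as 'original' (still the
phone's LAN address), 'rewritten' (the NAT's public address, i.e. an ALG such
as the RouterOS SIP helper changed it), 'missing' or 'other'.
Added example with a constructed REGISTER; not from the forum thread."""
import re

# Host part of the Via sent-by (IPv4 or hostname; bracketed IPv6 is not handled here).
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(?:UDP|TCP|TLS)\s+([^\s;:]+)", re.I | re.M)
# Host part of the Contact URI, with or without angle brackets and user part.
CONTACT_RE = re.compile(r"^Contact:\s*<?sip:(?:[^@>\r\n]*@)?([^:;>\s]+)", re.I | re.M)

# Constructed REGISTER as the phone sends it (private address in Via and Contact).
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.23:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:phone1@pbx.example.invalid>;tag=1928301774\r\n"
    "To: <sip:phone1@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:phone1@10.0.0.23:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
PHONE_LAN_IP = "10.0.0.23"        # constructed: phone behind the remote NAT
NAT_PUBLIC_IP = "198.51.100.7"    # constructed: remote site's public address


def header_addresses(msg: str):
    """Return (via_host, contact_host); either may be None if the header is absent."""
    via = VIA_RE.search(msg)
    contact = CONTACT_RE.search(msg)
    return (via.group(1) if via else None, contact.group(1) if contact else None)


def alg_check(msg: str, outer_src_ip: str, phone_lan_ip: str) -> dict:
    """Compare the header hosts against the phone's LAN address and the address
    the packet arrived from. A header equal to the outer address while the
    phone sits behind NAT means something on the path rewrote it."""
    result = {}
    for name, host in zip(("Via", "Contact"), header_addresses(msg)):
        if host is None:
            result[name] = "missing"
        elif host == phone_lan_ip:
            result[name] = "original"
        elif host == outer_src_ip:
            result[name] = "rewritten"
        else:
            result[name] = "other"
    return result


def helper_touched(msg: str, outer_src_ip: str, phone_lan_ip: str) -> bool:
    """True if any header the phone sent with its LAN address now carries the outer address."""
    return "rewritten" in alg_check(msg, outer_src_ip, phone_lan_ip).values()


if __name__ == "__main__":
    # What the PBX would see with and without an ALG on the path.
    rewritten = SAMPLE_REGISTER.replace(PHONE_LAN_IP, NAT_PUBLIC_IP)
    print("untouched:", alg_check(SAMPLE_REGISTER, NAT_PUBLIC_IP, PHONE_LAN_IP))
    print("after ALG:", alg_check(rewritten, NAT_PUBLIC_IP, PHONE_LAN_IP))
```

Run it against the REGISTER lines from the Wireshark capture mentioned earlier in the thread, taken on the PBX side, with the phone's real LAN address and the remote site's public address filled in. An "original" result means the headers reached the PBX untouched and the PBX's own NAT handling (rport, keepalives) has to cope with the private address; a "rewritten" result means an ALG on the path is changing the packet, which is the behaviour this post suggests switching off.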
 
falestiny

Re: SIP phone fails to connect

Thu May 01, 2014 3:42 pm

You did not mention which RouterOS version you are using at the moment.
 
kup4ooo

Re: SIP phone fails to connect

Thu May 01, 2014 8:46 pm

The helper is disabled, since I have seen this problem reported by many users.

Software ID: 9LHA-SJ05
Board name: RB2011UAS-2HnD
Version: 6.4
Firmware: 3.08

I reflashed one of the remote routers with DD-WRT (the Linksys; it was capable).
Now I have a PPTP connection between the Linksys and the MikroTik,
and I will make some tests.
 
falestiny

Re: SIP phone fails to connect

Thu May 01, 2014 8:49 pm

I would also prefer that you update your OS to the latest MikroTik version.

Good luck :)
 
kup4ooo

Re: SIP phone fails to connect

Thu May 01, 2014 10:15 pm

Router: upgraded to 6.12.
Linksys: it now makes a PPTP connection, so there is no problem with the SIP client behind it, and clients behind it don't need a VPN connection to the MikroTik.
SonicWall 2040 Pro: it's still hard for me to add/configure a PPTP client for the router itself, so there the concurrent VPN and SIP connections to the MikroTik make SIP drop for the non-VPN clients.
 
berry2012
newbie
Posts: 36
Joined: Thu Apr 25, 2013 4:07 pm
Location: Nigeria

Re: SIP phone fails to connect

Thu Jan 11, 2018 9:52 pm

In your router, forward SIP packets to the IP of your PBX server:

/ip firewall nat
add action=dst-nat chain=dstnat comment="SIP port forward" dst-port=5060-5065 protocol=tcp to-addresses=<IP of PBX Server> to-ports=5060-5065
add action=dst-nat chain=dstnat comment="SIP port forward" dst-port=5060 protocol=udp to-addresses=<IP of PBX Server> to-ports=5060
