Hello everyone
I have a PBX behind my MikroTik RB4011iGS+. My ISP gave me a private subnet for VOIP traffic and a public IP for my internet traffic. So I set up a 1:1 NAT between my PBX private address and my ISP VOIP subnet address for all the traffic except NTP (which is routed to the internet subnet).
The problem is: I can register the PBX to my ISP VOIP server, I can receive and place calls, but the voice of the call comes only from external to internal and not from my phone to external (to be honest I hear an echo of my voice from my side). The strange thing is that when I enable the torch tool on the outgoing interface or on the PBX interface, traffic flows right both inward and outward and I don’t hear the echo anymore from my phone. I really don’t know what to think and what to do.
Yesterday I made further improvements in my research (I didn’t post them cause the topic was still under review, sorry)
I made further investigation and found that if I make a routes rule like
add action=lookup-only-in-table comment=PBX_ROUTE_OUT src-address=192.168.1.246/32 table=voip-out
everything works fine. The problem is that I need to route SSL and NTP traffic to the other interface, and this was the reason I used mangle to mark the packets and the routes rules were these:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="PBX - VOIP OUT" log=yes log-prefix="MARK PBX VOIP" new-routing-mark=voip-out passthrough=yes src-address=192.168.1.246
add action=mark-routing chain=prerouting comment="PBX - accesso remoto" log=yes log-prefix="MARK PBX 443" new-routing-mark=main passthrough=yes protocol=tcp src-address=192.168.1.246 src-port=443
add action=mark-routing chain=prerouting comment="PBX - NTP" dst-address=193.204.114.232 log=yes log-prefix="MARK PBX NTP" new-routing-mark=main passthrough=yes src-address=192.168.1.246
add action=mark-routing chain=output comment="PBX - VOIP OUT" log=yes log-prefix="MARK PBX VOIP" new-routing-mark=voip-out passthrough=yes src-address=192.168.1.246
/ip route rule
add action=lookup-only-in-table comment="PBX - VOIP OUT" routing-mark=voip-out table=voip-out
but in this way, the packets are marked correctly (as shown in the attached logfile) but the routes based on routing mark don’t work as expected and the packets are not forwarded correctly.
I don’t find fastpath to disable on the physical interface. And my VOIP uplink interface is a physical interface (eth2) without VLAN or bridge. In the link you sent me it seems fastpath is available on other types of interfaces but not on physical interfaces.
Ok I tried to disable fasttrack and things started working as expected. With fasttrack disabled I was able to disable all the routes rules too and everything kept working as expected.
Despite that, I think fasttrack is useful to increase firewall throughput, so I hope disabling it is not the only way to have the firewall working as expected.
Depending on what exactly your firewall filter rules look like (the config snippet you posted doesn’t seem to be complete) you might be able to fasttrack some traffic. But beware that fasttracked traffic doesn’t get mangled.
Ok. I’ll post the config.
Will a 100/100Mbps connection on a RB4011iGS+ with an IPSEC VPN onboard be bottlenecked without fasttrack, or could I leave it disabled?
Is it ok if I keep the routes rule disabled? (I think it’s a double if everything works)
IPsec itself puts a lot of burden on the router (OK, some ciphers can be offloaded to hardware). And make sure traffic which is supposed to get into the IPsec tunnel doesn’t get fast-tracked. So if most of your firewalled traffic involves IPsec, then it’s probably easiest just to disable fasttrack altogether.
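The two caveats in the replies above (fasttracked traffic is not mangled, and IPsec traffic must not be fast-tracked) can be handled by rule order in the forward chain instead of disabling fasttrack entirely. The following is an added example, not part of the thread or any poster's configuration; it assumes the PBX address 192.168.1.246 from the original post, and the rule comments are illustrative.

```routeros
/ip firewall filter
# Order matters: the accept rules below must sit above the fasttrack rule.
# PBX flows are accepted here, so they never reach fasttrack-connection and
# every packet keeps passing through the mangle mark-routing rules.
# In the forward chain dst-address is already the post-dst-nat address,
# so the PBX's private address matches in both directions.
add action=accept chain=forward comment="PBX out - keep out of fasttrack" \
    connection-state=established,related src-address=192.168.1.246
add action=accept chain=forward comment="PBX in - keep out of fasttrack" \
    connection-state=established,related dst-address=192.168.1.246
# IPsec-protected traffic is accepted before the fasttrack rule as well.
add action=accept chain=forward comment="IPsec in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPsec out" ipsec-policy=out,ipsec
# Weak form: with this as the first forward rule, PBX and IPsec flows are
# fast-tracked too and then skip mangle and policy routing.
# Placed here, after the accepts, it only sees the remaining traffic.
add action=fasttrack-connection chain=forward comment="fasttrack the rest" \
    connection-state=established,related
add action=accept chain=forward comment="established,related" \
    connection-state=established,related
```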
I had the same problem with Mikrotik 4011.
RouterOS: 7.11
We had an electricity outage and after that we couldn’t reach a few devices on the network which are in the same VLAN.
I disabled hardware offload on every port in the bridge settings; since then everything works fine.