Hello, how can I limit/accept the SIP and RTP traffic in /ip firewall nat from only some public static IPs of my VoIP provider, with the exclusion of all others?
Thanks Cetalfio
Prioritize (example) and Block.
Assume ether1 = Internet gateway.
I usually block all non-VoIP traffic on the VoIP ports,
because P2P clients also try to use that port, thinking they will get priority…
Usually I don't simply block other VoIP providers (if a client does not ask me to freely enable them)
but also all the P2P traffic on that port, because P2P clients think they will be prioritized when they use those ports…
/ip firewall address-list
add address=83.211.0.0/16 comment="VoIP Eutelia" list=lista_ip_VoIP
add address=87.238.28.0/22 comment="VoIP Cheapnet" list=lista_ip_VoIP
add address=62.94.192.0/19 comment="VoIP Clouditalia" list=lista_ip_VoIP
/ip firewall mangle
add action=jump chain=prerouting src-address-list=lista_ip_VoIP jump-target=prerouting_VoIP comment="Prerouting VoIP"
add action=jump chain=prerouting dst-address-list=lista_ip_VoIP jump-target=prerouting_VoIP
add action=mark-connection chain=prerouting_VoIP connection-mark=!conn_VoIP new-connection-mark=conn_VoIP
add action=mark-packet chain=prerouting_VoIP packet-mark=!VoIP new-packet-mark=VoIP
add action=accept chain=prerouting_VoIP
/queue tree
add name=VoIP-global packet-mark=VoIP parent=global priority=2 queue=default
/ip firewall filter
add action=drop chain=forward in-interface=ether1 protocol=tcp src-address-list=!lista_ip_VoIP src-port=5060-5067 comment="Block outbound use of the VoIP ports for other purposes"
add action=drop chain=forward in-interface=ether1 protocol=udp src-address-list=!lista_ip_VoIP src-port=5060-5067
add action=drop chain=forward dst-port=5060-5067 in-interface=ether1 protocol=tcp src-address-list=!lista_ip_VoIP
add action=drop chain=forward dst-port=5060-5067 in-interface=ether1 protocol=udp src-address-list=!lista_ip_VoIP
add action=drop chain=forward dst-address-list=!lista_ip_VoIP dst-port=5060-5067 out-interface=ether1 protocol=tcp
add action=drop chain=forward dst-address-list=!lista_ip_VoIP dst-port=5060-5067 out-interface=ether1 protocol=udp
add action=accept chain=forward src-address-list=lista_ip_VoIP comment="Immediately accept all VoIP-related traffic"
add action=accept chain=forward dst-address-list=lista_ip_VoIP
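
A dry run of the forward-chain rules above, as an added example that is not part of the original reply: it walks constructed flows through the eight filter rules in first-match order and shows that RTP from an unlisted source on a port outside 5060-5067 matches none of them, so whatever rules follow in the chain decide it. The PBX address, the LAN interface name "bridge", the RTP port and the unlisted test addresses are assumptions.

```python
import ipaddress

# Address list and port range copied from the rules posted above.
LISTA_IP_VOIP = [ipaddress.ip_network(n) for n in
                 ("83.211.0.0/16", "87.238.28.0/22", "62.94.192.0/19")]
VOIP_PORTS = range(5060, 5068)  # 5060-5067
WAN = "ether1"

def in_list(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LISTA_IP_VOIP)

def forward_verdict(src, dst, proto, sport, dport, in_if, out_if):
    """First-match walk over the eight forward-chain rules, in posted order.

    Returns "drop", "accept", or "fallthrough" (no rule matched, so the
    rest of the real chain decides).
    """
    if proto in ("tcp", "udp"):
        # Rules 1-4: in via ether1, unlisted source, VoIP port as src or dst.
        if (in_if == WAN and not in_list(src)
                and (sport in VOIP_PORTS or dport in VOIP_PORTS)):
            return "drop"
        # Rules 5-6: out via ether1 to an unlisted destination on a VoIP port.
        if out_if == WAN and not in_list(dst) and dport in VOIP_PORTS:
            return "drop"
    # Rules 7-8: everything to or from the provider list is accepted.
    if in_list(src) or in_list(dst):
        return "accept"
    return "fallthrough"

# Constructed sample flows. 192.168.88.10 (PBX), "bridge" (LAN interface),
# RTP port 16384 and the unlisted 203.0.113.50 / 198.51.100.7 are assumptions.
SAMPLES = {
    "SIP from provider": ("83.211.1.10", "192.168.88.10", "udp", 5060, 5060, WAN, "bridge"),
    "SIP from unlisted host": ("203.0.113.50", "192.168.88.10", "udp", 5081, 5060, WAN, "bridge"),
    "LAN SIP to unlisted provider": ("192.168.88.10", "198.51.100.7", "udp", 5060, 5060, "bridge", WAN),
    "RTP from provider": ("62.94.200.5", "192.168.88.10", "udp", 30000, 16384, WAN, "bridge"),
    "RTP from unlisted host": ("203.0.113.50", "192.168.88.10", "udp", 30000, 16384, WAN, "bridge"),
}

def run_samples():
    return {name: forward_verdict(*flow) for name, flow in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:11}  {name}")
```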