Hi, I’ve set up an RB750g as a router with mostly the default config. Ether1-gateway is set to a static public IP.
The SIP phone is set to a static DHCP lease of 192.168.88.252. I’ve the ports forwarded, but I get "SIP registration failed", although it did work for a few hours when I first set it up.
The following are my NAT filters and rules:
[admin@Beano] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; default configuration
chain=input action=accept protocol=icmp
1 X ;;; default configuration
chain=input action=accept connection-state=established
2 X ;;; default configuration
chain=input action=accept connection-state=related
3 X ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
4 ;;; Allow ICMP
chain=input action=accept protocol=icmp
5 ;;; allow winbox
chain=input action=accept protocol=tcp dst-port=8291
6 X ;;; allow ssh
chain=input action=accept protocol=tcp dst-port=22
7 ;;; accept vpn
chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=1723
8 ;;; accept vpn gre
chain=input action=accept protocol=gre in-interface=ether1-gateway
9 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid
10 ;;; Allow Established connections
chain=input action=accept connection-state=established
11 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid
12 ;;; allow already established connections
chain=forward action=accept connection-state=established
13 ;;; allow related connections
chain=forward action=accept connection-state=related
14 ;;; acccept lan
chain=input action=accept src-address=192.168.88.0/24 in-interface=!ether1-gateway
15 ;;; Drop everything else
chain=input action=drop
16 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w
17 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
18 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w
19 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w
20 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w
21 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w
22 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
23 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
24 ;;; dropping port scanners
chain=forward action=drop src-address-list=port scanners
25 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
26 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
27 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
28 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
29 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
30 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
31 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21
32 chain=output action=accept protocol=tcp content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m
33 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist
address-list-timeout=3h content=530 Login incorrect
34 ;;; Block Bogon IP addresses
chain=forward action=drop src-address=0.0.0.0/8
35 chain=forward action=drop dst-address=0.0.0.0/8
36 chain=forward action=drop src-address=127.0.0.0/8
37 chain=forward action=drop dst-address=127.0.0.0/8
38 chain=forward action=drop src-address=224.0.0.0/3
39 chain=forward action=drop dst-address=224.0.0.0/3
40 ;;; Make jumps to new chains
chain=forward action=jump jump-target=tcp protocol=tcp
41 chain=forward action=jump jump-target=udp protocol=udp
42 chain=forward action=jump jump-target=icmp protocol=icmp
43 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69
44 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111
45 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135
46 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139
47 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445
48 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049
49 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346
50 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034
51 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133
52 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69
53 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111
54 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135
55 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139
56 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049
57 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133
58 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0
59 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0
60 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1
61 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0
62 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0
63 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0
64 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0
65 ;;; deny all other types
chain=icmp action=drop
[admin@Beano] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway
1 X ;;; gege rdp
chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=
protocol=tcp dst-port=3389
2 ;;; blueface
chain=dstnat action=dst-nat to-addresses=192.168.88.252 to-ports=
protocol=udp dst-port=5060-5061
Anything in there that could be causing problems or conflicting?
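
Added example, not part of the original post: a small Python check that parses `ip firewall filter print` output and reports enabled rules placed after an unconditional accept/drop/reject in the same chain, where RouterOS never evaluates them. The function names and the embedded excerpt (rules 14-16, 24 and 26 of the listing above) are this example's own; run over the full listing it flags every enabled input rule after rule 15.

```python
import re

TERMINAL = {"accept", "drop", "reject"}  # actions that stop processing in a chain
HEAD = re.compile(r"^\s*(\d+)\s+(X\s+)?(.*)$")       # rule number, optional X flag
PROP = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|$)")  # key=value, value may hold spaces

# Excerpt of the listing in the post, embedded so the example runs offline.
SAMPLE = """\
14 ;;; acccept lan
chain=input action=accept src-address=192.168.88.0/24 in-interface=!ether1-gateway
15 ;;; Drop everything else
chain=input action=drop
16 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w
24 ;;; dropping port scanners
chain=forward action=drop src-address-list=port scanners
26 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
"""

def parse_rules(text):
    """Return one dict per rule: id, disabled flag, and its key=value properties."""
    rules = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            rules.append({"id": int(m.group(1)), "disabled": bool(m.group(2)), "props": {}})
            line = m.group(3)
            if line.startswith(";;;"):
                continue  # header line carries only the comment
        if rules:  # property line (or wrapped continuation) of the current rule
            rules[-1]["props"].update(PROP.findall(line.strip()))
    return rules

def shadowed_rules(text):
    """List (rule id, chain, blocking rule id) for enabled rules that can never match."""
    blocker, findings = {}, []
    for rule in parse_rules(text):
        if rule["disabled"]:
            continue
        props, chain = rule["props"], rule["props"].get("chain")
        if chain in blocker:
            findings.append((rule["id"], chain, blocker[chain]))
        elif props.get("action") in TERMINAL and set(props) == {"chain", "action"}:
            blocker[chain] = rule["id"]  # no matchers: catches all remaining traffic
    return findings

if __name__ == "__main__":
    for rule_id, chain, by in shadowed_rules(SAMPLE):
        print(f"rule {rule_id} in chain {chain} is unreachable (after rule {by})")
```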