Configuring a RB450G

Hi. Finally decided to post after spending a couple of days trying to figure this out. With all the knowledge here I figured someone must’ve already run into this. Why re-invent the wheel, right? :wink:

I have a RB450G and seem to have a problem with my IP phone (a Linksys SPA942) connecting to a remote PBX. I had this working when I was using my old router (a Linksys WRT54G w/DD-WRT) and I can’t figure out how to set it up to work on the 450G.

I looked at my old router’s settings and I did not see any specific rules that needed to be created/opened, but looking through the forums and wiki, I found a variety of approaches (including enabling the SIP helper) to getting my IP phone working. But all of them came to naught since the phone could not register with the two remote PBXes it’s supposed to connect to.

Has anyone been able to get this working?

Also, does Skype need similar attention?

Thank you in advance!

C’mon guys, throw me a bone here. :slight_smile:

I’m guessing I need to open up ports to allow it to communicate with the remote PBXes, but from the various forum postings and wiki info I’ve seen out there, opening up SIP should do the trick, but it doesn’t seem to be working. Do I need to add filters on the firewall? Or do something in NAT?

Has no one used SIP phones with these routers? Naw, I can’t believe that. Any sorta info or sample configurations would greatly be appreciated since I’ve hit a wall here.

I use a SIP phone behind an RB750G at home and it ‘just works’. Same for Skype. The SIP helper is enabled by default.

Try adjusting your firewall filter ruleset (if you have one) to accept all established and related traffic (connection-state=) before anything else so that data connections related to the control channel and learned about via the helper aren’t dropped by the firewall. That’s good practice, anyway - anything already OK’d before should be immediately accepted so that you don’t keep processing packets you don’t need to.

Thanks for the reply! I do have rule sets set up, and the default configuration script set up those connection state rules. Here is what I have at the moment:

 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 
     in-interface=ether1-gateway 

 2   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=ether1-gateway 

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway

Although, it’s good to know that plugging it in just works. Now it’s just a matter of figuring out what’s keeping it from working.

Thanks in advance!

Try duplicating those rules and using the ‘forward’ chain.

Ok, I’m assuming you mean just rules 1-2, since 3 is a drop rule and the first is just for ICMP.

Also, should these new forward rules go before the drop rule (rule 3)? Since from what I read in your last reply, they process in order, correct?

Thanks in advance!

I may have been a bit hasty before - are the rules you posted ALL the rules that exist in your “/ip firewall filter” section? If yes, adding things to the ‘forward’ chain would be pointless, and I don’t know what’s wrong.

In regards to order - order matters, but within the chain. All rules in the input chain will be interpreted in order, but if you have forward chain rules between those input chain items they do not affect operations.

Refer to http://wiki.mikrotik.com/wiki/Manual:Packet_Flow for packet flow.

I do have some additional rules after those, but I didn’t think they would be causing issues. Also, I am running NAT as well. Here are the firewall rules:

 4   ;;; deny TFTP
     chain=udp action=drop protocol=udp dst-port=69 

 5   ;;; deny PRC portmapper
     chain=udp action=drop protocol=udp dst-port=111 

 6   ;;; deny PRC portmapper
     chain=udp action=drop protocol=udp dst-port=135 

 7   ;;; deny NBT
     chain=udp action=drop protocol=udp dst-port=137-139 

 8   ;;; deny NFS
     chain=udp action=drop protocol=udp dst-port=2049 

 9   ;;; deny BackOriffice
     chain=udp action=drop protocol=udp dst-port=3133 

10   chain=input action=accept src-address=192.168.0.0/24 in-interface=!ether1-gateway 

11   chain=forward action=drop src-address=0.0.0.0/8 

12   chain=forward action=drop dst-address=0.0.0.0/8 

13   chain=forward action=drop src-address=127.0.0.0/8 

14   chain=forward action=drop dst-address=127.0.0.0/8 

15   chain=forward action=drop src-address=224.0.0.0/3 

16   chain=forward action=drop dst-address=224.0.0.0/3 

17   ;;; deny TFTP
     chain=tcp action=drop protocol=tcp dst-port=69 

18   ;;; deny RPC portmapper
     chain=tcp action=drop protocol=tcp dst-port=111 

19   ;;; deny RPC portmapper
     chain=tcp action=drop protocol=tcp dst-port=135 

20   ;;; deny NBT
     chain=tcp action=drop protocol=tcp dst-port=137-139 

21   ;;; deny cifs
     chain=tcp action=drop protocol=tcp dst-port=445 

22   ;;; deny NFS
     chain=tcp action=drop protocol=tcp dst-port=2049 

23   ;;; deny NetBus
     chain=tcp action=drop protocol=tcp dst-port=20034 

24   ;;; deny BackOriffice
     chain=tcp action=drop protocol=tcp dst-port=3133 

25   ;;; deny DHCP
     chain=tcp action=drop protocol=tcp dst-port=67-68

I took most of those rules from the protection article on the MikroTik wiki.

Thanks!

Those rules indeed wouldn’t interfere since they will never be used. You have to jump into custom chains to make them do anything at all.

Either way - I would suggest you remove all the firewall rules and try the phone again. NAT may also interfere if you’re running it wrong. Please post the output of “/ip firewall nat export”.
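The point made in the reply above, that rules placed in custom chains such as `udp` and `tcp` are never evaluated unless a rule in a built-in chain jumps to them, can be checked mechanically. This is an added example, not part of any post in the thread: the sample ruleset is constructed (modelled on the rules posted here), and the function names are illustrative.

```python
import re

BUILTIN = {"input", "forward", "output"}  # built-in chains of the RouterOS filter table

# Constructed sample in "/ip firewall filter print" layout, modelled on this thread.
SAMPLE = """\
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   chain=input action=accept connection-state=established
     in-interface=ether1-gateway

 2   chain=input action=drop in-interface=ether1-gateway

 3   ;;; deny TFTP
     chain=udp action=drop protocol=udp dst-port=69

 4   chain=forward action=drop src-address=127.0.0.0/8

 5   ;;; deny cifs
     chain=tcp action=drop protocol=tcp dst-port=445
"""

def parse_rules(text):
    """Parse print output into a list of dicts: {'id': n, 'chain': ..., ...}."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:  # a numbered line starts a new rule
            rules.append({"id": int(m.group(1))})
            line = m.group(2)
        if not rules or line.lstrip().startswith(";;;"):
            continue  # rule comment, or text before the first rule
        for key, value in re.findall(r"([\w-]+)=(\S+)", line):
            rules[-1][key] = value  # wrapped lines extend the current rule
    return rules

def unreachable_rules(rules):
    """Return ids of rules whose chain is never jumped to from a built-in chain."""
    reachable, changed = set(BUILTIN), True
    while changed:  # follow jump targets transitively
        changed = False
        for r in rules:
            target = r.get("jump-target")
            if (r.get("action") == "jump" and r.get("chain") in reachable
                    and target and target not in reachable):
                reachable.add(target)
                changed = True
    return [r["id"] for r in rules if r.get("chain") not in reachable]
```

The check only looks for the existence of a jump; it does not model whether an earlier rule in the same chain already accepts or drops the traffic before the jump is reached.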

Ok, I’ll try that out. Here is what I have in NAT:

add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether1-gateway
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=21000 \
    protocol=tcp to-addresses=192.168.0.160 to-ports=21
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5905 \
    protocol=tcp to-addresses=192.168.0.147 to-ports=5900
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=4000 protocol=\
    tcp to-addresses=192.168.0.25 to-ports=443
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=4001 protocol=tcp \
    to-addresses=192.168.0.126 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=21001 \
    protocol=tcp to-addresses=192.168.0.210 to-ports=21

Well, this is an interesting turn of events. Apparently, while beginning to try out what you suggested, I plugged in the MikroTik, and noticed the phone is now connected and I’m able to call out through both PBXes.

It looks like it did just work, but I think it has more to do with my power cycling not only the router, but also the cable modem, and then after bringing up the modem I brought the RB450G online.

It looks like I don’t even need to put in rules for them after all. Odd.

Well, thank you for your assistance. I hope that if anyone else runs into a similar issue that when they see this post it can be of help to them.