I have set up a freepbx server on my LAN. I am using a Mikrotik RB 2011 iL RM. I want to use Acrobits Groundwire as a softphone for my phones. In the settings of Acrobits Groundwire you must define SIP User, SIP Password and SIP Domain.
For domain, when I enter my public IP and port for the internal FreePBX server, the phone registers correctly but only when I am external to the LAN, e.g. in a different WiFi network or using mobile data.
Also when I try to access my NAS via public IP it works externally but not internally. Typing public IP:5501 externally gets the server, internally it says site not found. The main problem is with the phones though, don’t really care about accessing the NAS via web browser as we can access it with File explorer. Without the phones accessing the FreePBX, we can’t actually use softphones unless we are external to the building.
In your part E of your guide, it states this as an option:
CHANGING SUBNET OF SERVER
In this scenario, there is no requirement for a sourcenat rule addition as our effort is aimed at avoiding hairpin natting! In fact, there is no hairpin required because the server and users are now on a different subnet, HOWEVER, one has to ensure a properly formatted DST-NAT rule for the dynamic WANIP setup.
a. Fixed IP Static… the standard DST-NAT rule will suffice.
add action=dst-nat chain=dstnat dst-address=47.123.12.89 dst-port=12566 protocol=tcp to=addresses=192.168.88.68
Is the part ‘a. Fixed IP Static… the standard DST-NAT rule will suffice.’ the entirety of what you have to do? Or do you have to do something else to change the subnet of the server? I am guessing you have to do something else?
TheLorc, Rather than posting screen captures, doing an export on your configuration is a far better way because among other things, it shows all the details that the screen capture does not. To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
Your mixing stuff up. If you change the server subnet so that the users accessing the server via the WANIP, are on a different subnet, you no longer need the additional hairpin source nat rule.
However the requirements for proper port forwarding format remain.
For fixed IP, as you have, the format above you used is correct (assuming dst-port is the same as to-ports)
There is also a requirement to have a firewall rule that allows in general port forwarding
What I can say is that if you do have a static fixed wanip the correct format for the standard required sourcenat rule is
add chain=srcnat action=src-nat to-addresses=47.123.12.89 out-interface=etherX
“What I can say is that if you do have a static fixed wanip the correct format for the standard required sourcenat rule is
add chain=srcnat action=src-nat to-addresses=47.123.12.89 out-interface=etherX”
Is this the only configuration I need in order for the local device to access the server via public IP? Or are there more stuff? Kind of confused to be honest
If you read the article you would also know that you need a firewall rule to ensure such traffic is allowed.
This comes standard as a default rule in the forward chain…add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
This does not suffice for the scenario at hand, instead move to this which provides clearly to the reader what is allowed traffic or not.
Thus replace with: add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
add action=drop chain=forward
Why is this better.
a. Instead of dropping all traffic from the WAN which is not natted, now you will be dropping all wan to lan traffic not natted
all lan to wan traffic ****
all lan to lan traffic at layer 3.
hence we add in a rule to allow LAN to WAN traffic, but now you know you are doing it and so does the reader - clear!
b. By allowing dst nat more generally you ensure you allow traffic to the server coming from the LAN side and using the WANIP, vice actually coming in from the WAN side (externally) which the default rule doesnt permit.
For some reason its still not working. I will try and factory reset the device and try from scratch, maybe I messed something up. Here is my code, i know its a lot to look through so if you dont want to thats fine
IN SUMMARY your config bubble is about to be popped!!
(1) What are you doing here?? /interface wireguard peers
add allowed-address=192.168.88.0/24 interface=wireguard1 public-key=
“1Of5xcGq53sXm6h8TKvkn7eGxNHEqom6fhBI8XDPg2I=”
You have identified your own subnet as an allowed IP and on top of that have no entry for the client wireguard IP address or remote subnets if applicable?
Did you not read this… https://forum.mikrotik.com/viewtopic.php?t=182340
(2) You have duplicate IP addresses assigned to the bridge ???
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.10.10.254/8 interface=bridge network=10.0.0.0
(3) Good to see the added forward firewall rules (the last 3 here)… so you need to get rid of this first rule..
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN add action=accept chain=forward comment=“allow internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward
(4) You might have some conflicts but not sure between the correctly formatted rule and the default rule the router comes with. add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=
XX.XX.XX.XX
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
Suggest moving the missing bit to the correct rule. so that it looks like this
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=
XX.XX.XX.XX ipsec-policy=out,none
Your first dst-nat rule has the correct format and then you digress to the dynamic IP address format??? add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=2000-65000
in-interface-list=WAN protocol=udp to-addresses=192.168.88.27 to-ports=
2000-65000
add action=dst-nat chain=dstnat comment=“FreePBX WebGUI” dst-port=8080
in-interface-list=WAN protocol=tcp to-addresses=192.168.88.27 to-ports=
8080
Be consistent and use dst-address for all the dst-nat rules. Also if the to-ports is the same as dst-ports, it is not required to list them.
I dont understand the insanity of assigning ports 2-65000 to anything thats ridonkulous, what the heck for?
When you do such things you BREAK port forwarding rules. Specifically that a port cannot be port forwarded more than ONCE on the inbound side.
Or stated otherwise HOW is the Router supposed to know where to send ports if it gets port 8080 for example, how does it know where to send it when 8080 is covered in a different rule.
Finally the other issue with 2-65000 ports is that NONE of your ipsec ports will be seen by the router as they will all be diverted to your dst-nat rules…
Whatever you think your are doing its wrong! Forwarding ports has to be done with the full context of what is going in the rest of the config.
Well as you can see I dont really know what I am doing lol
(1) What are you doing here?? /interface wireguard peers
add allowed-address=192.168.88.0/24 interface=wireguard1 public-key=
“1Of5xcGq53sXm6h8TKvkn7eGxNHEqom6fhBI8XDPg2I=”
You have identified your own subnet as an allowed IP and on top of that have no entry for the client wireguard IP address or remote subnets if applicable?
Did you not read this… https://forum.mikrotik.com/viewtopic.php?t=182340
I will delete this, I am not trying to get wireguard working at the moment, although i will be in future
(2) You have duplicate IP addresses assigned to the bridge ???
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.10.10.254/8 interface=bridge network=10.0.0.0
I may have done this to try get ether7-access working when the bridge was disabled or if i was locked out, not sure
I dont understand the insanity of assigning ports 2-65000 to anything thats ridonkulous, what the heck for?
I was having problems setting up FreePBX, like RTP not working, because it needed a certain port range. So I was not sure what port range it needed, so i just allowed all ports 2000 - 65000 to make sure it covered the required ports.
When you do such things you BREAK port forwarding rules. Specifically that a port cannot be port forwarded more than ONCE on the inbound side.
Or stated otherwise HOW is the Router supposed to know where to send ports if it gets port 8080 for example, how does it know where to send it when 8080 is covered in a different rule.
I have removed the duplicate rules. There are no overlapping rules now, as port 8080 is tcp and there is nothing overlapping tcp port 8080.
Finally the other issue with 2-65000 ports is that NONE of your ipsec ports will be seen by the router as they will all be diverted to your dst-nat rules…
Whatever you think your are doing its wrong! Forwarding ports has to be done with the full context of what is going in the rest of the config.
Changing to 10000 - 20000 instead of 2000 - 65000 stopped outgoing calls from working.
Also, I did the changes you said in this post but still my phone can’t register when im on the private LAN and use the public IP. It works fine when I register using public IP when im external, or when i use the private LAN IP (192.168.88.27) when I am internal. So to register to the PBX, I need to use the internal IP when I am inside, and the external IP when I am outside. This would mean manually changing it each time I leave lol which is not great i guess
Can you see why it would not register from my code? Maybe i should try put it on a different subnet if the hairpin nat is not working
Well the issue IBPX and VOIP phones are not a simple case of port forwarding and you are struggling to get plain port forwarding to work,
but will get there, first a good solid base config is needed and then the IBPX voip experts can focus on any unique requirements to solve your issue…
Will take a look now at the latest config.
This is a good starting point… Also, I did the changes you said in this post but still my phone can’t register when im on the private LAN and use the public IP. It works fine when I register using public IP when im external, or when i use the private LAN IP (192.168.88.27) when I am internal. So to register to the PBX, I need to use the internal IP when I am inside, and the external IP when I am outside. This would mean manually changing it each time I leave lol which is not great i guess
Remove this from your rules… !! Think about it, if you put a condition that the rule has to come from the WAN SIDE and you are trying to reach the server from the LAN via WANIP, it wont work!!! You have the correct dst-address=format except its missing from the last rule.
Just wanted to say that our phone system is working, our phone carrier company has our public IP, and they are successfully sending calls to us. The deskphones are all provisioned and registered on the SIP Server. They all work fine, so the phone system is working, its just this softphone app won’t work.
I have made the changes you suggested but sadly its not working. I think I will try put the server on a different subnet maybe that will work
Actually it seems to be working for my Synology NAS. When I type https://mypublicIP:5501 it goes to the Synology server (although it says it is not secure)
When I type my Synology NAS dynamic DNS hostname into my browser like so: https://myDDNS.net:5501 it goes to the Synology NAS web access site with connection secure in the top left certificate.
So the rule has fixed the hairpin NAT issue as this would not work before. To access the web GUI of my NAS I would have to type the local IP. When external, I could type the DDNS:5501, but internally it would not work, and it now does.
Still not working with the SIP though. To clarify, when I turn off wifi and go on mobile data, it registers and works fine. So the issue does still seem to be the fact I am in my wifi network and connecting to the public IP.
Another strange thing I noticed with mikrotik is that I can’t access my FreePBX web GUI externally. When I had my Cisco meraki device I had port forwarded port 8080 to the freepbx web GUI. Externally I could connect to my public IP:8080 and log into the freepbx web gui. With the mikrotik, even externally I can’t connect to the web GUI. I don’t really mind not being able to do that, but just thinking it could be related to the issue of SIP not registering internally…
Hi, it is now working (although the Push notifications part of acrobits groundwire is not, i think that might not be related to mikrotik) thank you very much Anav!
I think disabling sip in Service ports , in combination with all the hairpin nat rules you stated, got it working. When i had the synology NAS working but not the SIP registration, disabling sip in service ports got the SIP working it seems. Thanks again
Yes I dont see anything that would cause issues here… do you have SIP alg enabled, most recommend not doing so.
You didnt remove this duplicate rule… Dont think it will cause issues but it should be removed.
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=
192.168.88.0/24
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=
pppoe-out1 to-addresses=XX.XX.XX.XX
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
