Firewall - No speech when talking on the phone

Hello,

I have a telephone system with the IP 192.168.155.5 and when I connect to the app externally, I can establish a conversation, but unfortunately I don’t hear any sound. Why?
Do you see the error? Can you improve something on the firewall?

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=forward comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow Ping from local networks" protocol=icmp src-address-list=local
add action=accept chain=input comment="Allow DNS only from local networks" dst-port=53 protocol=udp src-address-list=local
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="SSH First attempt" connection-state=new dst-port=41311 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment="SSH Second attempt" connection-state=new dst-port=41311 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="SSH Third attempt" connection-state=new dst-port=41311 protocol=tcp
add action=accept chain=input comment="Allow SSH from non-blacklisted sources and only from local networks" dst-port=41311 protocol=tcp src-address-list=local
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m chain=input comment="Winbox First attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=15m chain=input comment="Winbox Second attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1h chain=input comment="Winbox Third attempt" connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow Winbox from non-blacklisted sources and only from local networks" dst-port=8291 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow HTTPS_ROUTER_Intern" dst-port=2443 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="Allow Wireguard" dst-port=53240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Wireguard" dst-port=55003 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Wireguard" dst-port=55004 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow Wireguard to VLAN_100" dst-address=!10.45.250.0/24 in-interface=wg0 out-interface=VLAN_100
add action=accept chain=forward comment="Allow VLAN_100 to Wireguard" dst-address=!10.45.250.0/24 in-interface=VLAN_100 out-interface=wg0
add action=accept chain=forward comment="Allow IOT to Firma" dst-address-list=Firma src-address-list=IOT
add action=accept chain=forward comment="Allow Firma to IOT" dst-address-list=IOT src-address-list=Firma
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all other input traffic"
add action=accept chain=forward comment="Accept dst-nat connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Allow RTP (VoIP)" dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5060 log=yes log-prefix=5060 protocol=tcp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5060 log=yes log-prefix=5060 protocol=udp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5061 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5222 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment="Allow Camera" connection-nat-state=dstnat dst-address=172.16.1.10 dst-port=4005 protocol=tcp
add action=drop chain=forward comment="Drop all other forward traffic"
/ip firewall nat
add action=dst-nat chain=dstnat comment=Opensense dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.252.253 to-ports=443
add action=dst-nat chain=dstnat comment=Telefon dst-port=5222 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5222
add action=dst-nat chain=dstnat comment=Telefon dst-port=5061 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5061
add action=dst-nat chain=dstnat comment=Telefon dst-port=5060 in-interface=WAN1 protocol=udp to-addresses=192.168.155.5 to-ports=5060
add action=dst-nat chain=dstnat comment="Telefon RTP" dst-port=10000-20000 in-interface=WAN1 log=yes log-prefix=RTPNAT_ protocol=udp to-addresses=192.168.155.5 to-ports=10000-20000
add action=dst-nat chain=dstnat comment=Camera dst-port=4005 in-interface=WAN1 protocol=tcp to-addresses=172.16.1.10 to-ports=4005
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN2" out-interface=WAN2
/ip firewall service-port
set sip disabled=yes

Please provide info on your telephony system. We don’t have mentalist capabilities to know which ports are needed for proper operation.

Sorry, here: Starface
https://knowledge.starface.de/pages/viewpage.action?pageId=46564693

There may be more issues, but one mistake is there for sure: in the NAT rule action=dst-nat chain=dstnat comment="Telefon RTP" dst-port=10000-20000 in-interface=WAN1 log=yes log-prefix=RTPNAT_ protocol=udp to-addresses=192.168.155.5 to-ports=10000-20000, remove the to-ports=10000-20000 part. Without to-ports, the rule only changes the destination address of the packets and keeps the original destination port; if to-ports is present, the rule changes the destination port to a “random” one from the interval given, without any relationship to the original one.

OK, I removed it. Unfortunately it didn’t help.

But I also discovered that I had to deactivate the drop rules. What am I missing right now?

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=forward comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow Ping from local networks" protocol=icmp src-address-list=local
add action=accept chain=input comment="Allow DNS only from local networks" dst-port=53 protocol=udp src-address-list=local
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="SSH First attempt" connection-state=new dst-port=13231 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment="SSH Second attempt" connection-state=new dst-port=13231 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="SSH Third attempt" connection-state=new dst-port=13231 protocol=tcp
add action=accept chain=input comment="Allow SSH from non-blacklisted sources and only from local networks" dst-port=13231 protocol=tcp src-address-list=local
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m chain=input comment="Winbox First attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=15m chain=input comment="Winbox Second attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1h chain=input comment="Winbox Third attempt" connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow Winbox from non-blacklisted sources and only from local networks" dst-port=8291 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow HTTPS_ROUTER_Intern" dst-port=2443 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="Allow Wireguard" dst-port=43240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Wireguard" dst-port=45003 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Wireguard" dst-port=55003 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow Wireguard to VLAN_100" dst-address=!10.45.250.0/24 in-interface=wg0 out-interface=VLAN_100
add action=accept chain=forward comment="Allow VLAN_100 to Wireguard" dst-address=!10.45.250.0/24 in-interface=VLAN_100 out-interface=wg0
add action=accept chain=forward comment="Allow IOT to Firma" dst-address-list=Firma src-address-list=IOT
add action=accept chain=forward comment="Allow Firma to IOT" dst-address-list=IOT src-address-list=Firma
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop all other input traffic" disabled=yes
add action=accept chain=forward comment="Accept dst-nat connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Allow RTP (VoIP)" dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5060 log=yes log-prefix=5060 protocol=tcp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5060 log=yes log-prefix=5060 protocol=udp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5061 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment=Telefon connection-nat-state="" dst-port=5222 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment="Cloud Backup SSH" dst-port=45225 protocol=tcp
add action=accept chain=forward comment="Allow Camera" connection-nat-state=dstnat dst-address=172.16.1.10 dst-port=4005 protocol=tcp
add action=drop chain=forward comment="Drop all other forward traffic" disabled=yes
add action=drop chain=input comment="Drop all other input traffic" disabled=yes
add action=drop chain=forward comment="Drop all other forward traffic" disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=Opensense dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.252.253 to-ports=443
add action=dst-nat chain=dstnat comment=Phone dst-port=5222 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5222
add action=dst-nat chain=dstnat comment=Phone dst-port=5061 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5061
add action=dst-nat chain=dstnat comment=Phone dst-port=5060 in-interface=WAN1 protocol=udp to-addresses=192.168.155.5 to-ports=5060
add action=dst-nat chain=dstnat comment="Phone RTP" dst-port=10000-20000 in-interface=WAN1 log=yes log-prefix=RTPNAT protocol=udp to-addresses=192.168.155.5
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN2" out-interface=WAN2
/ip firewall service-port
set sip disabled=yes

People usually allow any connection-nat-state=dstnat traffic in filter because they put the detailed match conditions into the action=dst-nat rule in /ip/firewall/nat. So either follow that path or add a chain=forward dst-address=192.168.155.5 protocol=udp dst-port=10000-20000 action=accept rule before the “drop the rest” one, but there is no benefit in the latter approach if the action=dst-nat rules are selective.

I added it, but unfortunately it didn’t make any changes. What else can I do? Or how should I activate the log?

With the forward rule for 10000-20000 I never have any traffic on it. Here is my last attempt:

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=forward comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow Ping from local networks" protocol=icmp src-address-list=local
add action=accept chain=input comment="Allow DNS only from local networks" dst-port=53 protocol=udp src-address-list=local
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="SSH First attempt" connection-state=new dst-port=31133 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment="SSH Second attempt" connection-state=new dst-port=31133 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="SSH Third attempt" connection-state=new dst-port=31133 protocol=tcp
add action=accept chain=input comment="Allow SSH from non-blacklisted sources and only from local networks" dst-port=31133 protocol=tcp src-address-list=local
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m chain=input comment="Winbox First attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=15m chain=input comment="Winbox Second attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1h chain=input comment="Winbox Third attempt" connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow Winbox from non-blacklisted sources and only from local networks" dst-port=8291 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow HTTPS_ROUTER_Intern" dst-port=2443 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="Allow Wireguard" dst-port=45003 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Wireguard" dst-port=55003 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow Wireguard to VLAN_100" dst-address=!10.45.250.0/24 in-interface=wg0 out-interface=VLAN_100
add action=accept chain=forward comment="Allow VLAN_100 to Wireguard" dst-address=!10.45.250.0/24 in-interface=VLAN_100 out-interface=wg0
add action=accept chain=forward comment="Allow IOT to Firma" dst-address-list=Firma src-address-list=IOT
add action=accept chain=forward comment="Allow Firma to IOT" dst-address-list=IOT src-address-list=Firma
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all other input traffic"
add action=accept chain=forward comment="Accept dst-nat connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Allow RTP (VoIP) traffic" dst-address=192.168.155.5 dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5060 log=yes log-prefix=5060 protocol=tcp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5060 log=yes log-prefix=5060 protocol=udp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5061 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5222 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment="Cloud Backup SSH" dst-port=45225 protocol=tcp
add action=accept chain=forward comment="Allow Camera" connection-nat-state=dstnat dst-address=172.16.1.10 dst-port=4008 protocol=tcp
add action=accept chain=forward comment="Accept other dst-nat connections" connection-nat-state=dstnat
add action=drop chain=input comment="Drop all other input traffic" disabled=yes
add action=drop chain=forward comment="Drop all other forward traffic" disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=Opensense dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.252.253 to-ports=443
add action=dst-nat chain=dstnat comment=Starface dst-port=5222 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5222
add action=dst-nat chain=dstnat comment=Starface dst-port=5061 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5061
add action=dst-nat chain=dstnat comment=Starface dst-port=5060 in-interface=WAN1 protocol=udp to-addresses=192.168.155.5 to-ports=5060
add action=dst-nat chain=dstnat comment="Starface RTP" dst-port=10000-20000 in-interface=WAN1 log=yes log-prefix=RTPNAT protocol=udp to-addresses=192.168.155.5
add action=dst-nat chain=dstnat comment=Camera dst-port=4008 in-interface=WAN1 protocol=tcp to-addresses=172.16.1.10 to-ports=4008
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN2" out-interface=WAN2
/ip firewall service-port
set sip disabled=yes

No traffic on which one of these two? For the dst-nated RTP, the first one shadows the second.

action=accept chain=forward comment="Accept dst-nat connections" connection-nat-state=dstnat
action=accept chain=forward comment="Allow RTP (VoIP) traffic" dst-address=192.168.155.5 dst-port=10000-20000 protocol=udp

Is it better like this?

You have two identical rules connection-nat-state=dstnat action=accept in forward, one right before the “accept dst-port=10000-20000” one and another one right before the final “Drop all other forward traffic” one. Since the packets match already the first one, none of the other two accept rules mentioned above counts.

Hence it should work now even if you re-enable the “Drop all other forward traffic” rule.

(You also have two “Drop all other forward traffic” rules in input, but that’s unrelated to your issue).
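
A small first-match simulator for the situation described in the last two replies (the connection-nat-state=dstnat accept in front of the specific RTP rule), written as an added example that is not code from this thread or from MikroTik. It assumes the rule order shown in the constructed excerpt and models only the handful of matchers those rules use:

```python
"""First-match simulator for a RouterOS '/ip firewall filter' export.

Added example, not code from the forum thread or from MikroTik. It parses
'add key=value ...' export lines, walks one chain in order and reports which
rule a packet hits, so a rule that a broader earlier rule makes unreachable
(the duplicated connection-nat-state=dstnat accept in the thread) shows up
with a hit counter stuck at zero. Only the matchers listed in MATCHERS are
modelled; every other property of a rule is ignored.
"""
import ipaddress
import shlex

# Constructed excerpt: the thread's forward chain with the duplicated
# dst-nat accept rule sitting in front of the specific RTP rule.
FORWARD_EXPORT = """
add action=accept chain=forward comment="Accept dst-nat connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Allow RTP (VoIP) traffic" dst-address=192.168.155.5 dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment="Accept other dst-nat connections" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward traffic"
"""

MATCHERS = ("protocol", "dst-address", "dst-port", "connection-nat-state", "connection-state")


def parse_export(text):
    """Turn each 'add k=v ...' line into a dict; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in parts[1:]))
    return rules


def _port_in(port, spec):
    """dst-port syntax: '5060', '5060,5061' or '10000-20000'."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _addr_in(addr, spec):
    """dst-address syntax: single host or CIDR prefix."""
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, pkt):
    """True if every modelled matcher set on the rule agrees with the packet."""
    for key in MATCHERS:
        spec = rule.get(key, "")
        if spec == "":
            continue  # property not set (or exported as "") matches anything
        negate = spec.startswith("!")
        spec = spec.lstrip("!")
        if key == "dst-port":
            hit = _port_in(pkt.get("dst-port", -1), spec)
        elif key == "dst-address":
            hit = _addr_in(pkt["dst-address"], spec)
        else:  # list-valued matchers such as connection-state=established,related
            hit = pkt.get(key) in spec.split(",")
        if hit == negate:
            return False
    return True


def first_match(rules, pkt, chain="forward"):
    """Index of the first enabled rule in `chain` that matches pkt, or None."""
    for i, rule in enumerate(rules):
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if rule_matches(rule, pkt):
            return i
    return None


def hit_counters(rules, packets, chain="forward"):
    """Per-rule hit counts after running `packets` through the chain, like the
    counters column in Winbox: a rule stuck at 0 despite matching traffic is shadowed."""
    counts = [0] * len(rules)
    for pkt in packets:
        i = first_match(rules, pkt, chain)
        if i is not None:
            counts[i] += 1
    return counts


# Constructed packet: an inbound RTP datagram after dst-nat to the PBX,
# modelled on the thread's log line '... proto UDP, ...->192.168.155.5:11016'.
RTP_DNAT = {"protocol": "udp", "dst-address": "192.168.155.5", "dst-port": 11016,
            "connection-nat-state": "dstnat", "connection-state": "new"}

if __name__ == "__main__":
    rules = parse_export(FORWARD_EXPORT)
    print("with duplicate:   ", hit_counters(rules, [RTP_DNAT]))      # [1, 0, 0, 0]
    print("duplicate removed:", hit_counters(rules[1:], [RTP_DNAT]))  # [1, 0, 0]
```

Feeding the same packet through the chain with and without the leading dst-nat accept shows why the "Allow RTP" counter stayed at zero until the duplicate was removed.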

I have removed the duplicate entries and adjusted them accordingly. Now there is traffic on the 10000-20000 rule.
But unfortunately I still don’t have any sound.

172.16.2.20 is my Fritzbox with Exposed Host. So it is only used as a modem.

Here is the log:

13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28721->172.16.2.20:5061, len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28721->172.16.2.20:5061, len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28721->172.16.2.20:5061, len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28721->192.168.155.5:5061, NAT 80.187.64.160:28721->(172.16.2.20:5061->192.168.155.5:5061), len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28721->192.168.155.5:5061, NAT 80.187.64.160:28721->(172.16.2.20:5061->192.168.155.5:5061), len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28721->192.168.155.5:5061, NAT 80.187.64.160:28721->(172.16.2.20:5061->192.168.155.5:5061), len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28739->172.16.2.20:5222, len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28739->172.16.2.20:5222, len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28739->172.16.2.20:5222, len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28739->192.168.155.5:5222, NAT 80.187.64.160:28739->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28739->192.168.155.5:5222, NAT 80.187.64.160:28739->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28739->192.168.155.5:5222, NAT 80.187.64.160:28739->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28741->172.16.2.20:5222, len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28741->172.16.2.20:5222, len 60
13:39:37 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28741->172.16.2.20:5222, len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28741->192.168.155.5:5222, NAT 80.187.64.160:28741->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28741->192.168.155.5:5222, NAT 80.187.64.160:28741->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:37 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:28741->192.168.155.5:5222, NAT 80.187.64.160:28741->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:47 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto UDP, 3.124.97.151:32099->172.16.2.20:11016, len 48
13:39:47 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto UDP, 3.124.97.151:32099->172.16.2.20:11016, len 48
13:39:47 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto UDP, 3.124.97.151:32099->172.16.2.20:11016, len 48
13:39:47 firewall,info RTP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto UDP, 3.124.97.151:32099->192.168.155.5:11016, NAT 3.124.97.151:32099->(172.16.2.20:11016->192.168.155.5:11016), len 48
13:39:47 firewall,info RTP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto UDP, 3.124.97.151:32099->192.168.155.5:11016, NAT 3.124.97.151:32099->(172.16.2.20:11016->192.168.155.5:11016), len 48
13:39:47 firewall,info RTP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto UDP, 3.124.97.151:32099->192.168.155.5:11016, NAT 3.124.97.151:32099->(172.16.2.20:11016->192.168.155.5:11016), len 48
13:39:49 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (ACK,PSH), 80.187.64.160:28739->172.16.2.20:5222, len 71
13:39:49 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (ACK,PSH), 80.187.64.160:28739->172.16.2.20:5222, len 71
13:39:49 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (ACK,PSH), 80.187.64.160:28739->172.16.2.20:5222, len 71
13:39:49 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (ACK,PSH), 80.187.64.160:28739->192.168.155.5:5222, NAT 80.187.64.160:28739->(172.16.2.20:5222->192.168.155.5:5222), len 71
13:39:49 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (ACK,PSH), 80.187.64.160:28739->192.168.155.5:5222, NAT 80.187.64.160:28739->(172.16.2.20:5222->192.168.155.5:5222), len 71
13:39:49 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (ACK,PSH), 80.187.64.160:28739->192.168.155.5:5222, NAT 80.187.64.160:28739->(172.16.2.20:5222->192.168.155.5:5222), len 71
13:39:52 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:29330->172.16.2.20:5222, len 60
13:39:52 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:29330->172.16.2.20:5222, len 60
13:39:52 firewall,info VOIP_NAT dstnat: in:WAN1 out:(unknown 0), connection-state:new src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:29330->172.16.2.20:5222, len 60
13:39:52 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:29330->192.168.155.5:5222, NAT 80.187.64.160:29330->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:52 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:29330->192.168.155.5:5222, NAT 80.187.64.160:29330->(172.16.2.20:5222->192.168.155.5:5222), len 60
13:39:52 firewall,info VOIP forward: in:WAN1 out:VLAN_100, connection-state:new,dnat src-mac c8:0e:14:7d:88:b4, proto TCP (SYN), 80.187.64.160:29330->192.168.155.5:5222, NAT 80.187.64.160:29330->(172.16.2.20:5222->192.168.155.5:5222), len 60

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=forward comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow Ping from local networks" protocol=icmp src-address-list=local
add action=accept chain=input comment="Allow DNS only from local networks" dst-port=53 protocol=udp src-address-list=local
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="SSH First attempt" connection-state=new dst-port=31133 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment="SSH Second attempt" connection-state=new dst-port=31133 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="SSH Third attempt" connection-state=new dst-port=31133 protocol=tcp
add action=accept chain=input comment="Allow SSH from non-blacklisted sources and only from local networks" dst-port=31133 protocol=tcp src-address-list=local
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m chain=input comment="Winbox First attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=15m chain=input comment="Winbox Second attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1h chain=input comment="Winbox Third attempt" connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow Winbox from non-blacklisted sources and only from local networks" dst-port=8291 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow HTTPS_ROUTER_Intern" dst-port=1443 protocol=tcp src-address-list=local
add action=accept chain=input comment="Allow SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="Allow Wireguard" dst-port=45003,55003 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow Wireguard to VLAN_100" dst-address=!10.45.250.0/24 in-interface=wg0 out-interface=VLAN_100
add action=accept chain=forward comment="Allow VLAN_100 to Wireguard" dst-address=!10.45.250.0/24 in-interface=VLAN_100 out-interface=wg0
add action=accept chain=forward comment="Allow IOT to Firma" dst-address-list=Firma src-address-list=IOT
add action=accept chain=forward comment="Allow Firma to IOT" dst-address-list=IOT src-address-list=Firma
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all other input traffic"
add action=accept chain=forward comment="Allow RTP (VoIP) traffic" connection-nat-state="" dst-address=192.168.155.5 dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5060 log=yes log-prefix=5060 protocol=tcp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5060 log=yes log-prefix=5060 protocol=udp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5061 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment=Phone connection-nat-state="" dst-address=192.168.155.5 dst-port=5222 log=yes log-prefix=5061 protocol=tcp
add action=accept chain=forward comment="Allow Camera" connection-nat-state=dstnat dst-address=172.16.1.10 dst-port=4311 protocol=tcp
add action=accept chain=forward comment="Accept other dst-nat connections" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop all other forward traffic" disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=Opensense dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.252.253 to-ports=443
add action=dst-nat chain=dstnat comment=Starface dst-port=5222 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5222
add action=dst-nat chain=dstnat comment=Starface dst-port=5061 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.5 to-ports=5061
add action=dst-nat chain=dstnat comment=Starface dst-port=5060 in-interface=WAN1 protocol=udp to-addresses=192.168.155.5 to-ports=5060
add action=dst-nat chain=dstnat comment="Starface RTP" dst-port=10000-20000 in-interface=WAN1 log=yes log-prefix=RTPNAT protocol=udp to-addresses=192.168.155.5
add action=dst-nat chain=dstnat comment="Cloud Backup" dst-port=45225 in-interface=WAN1 protocol=tcp to-addresses=192.168.155.65 to-ports=22
add action=dst-nat chain=dstnat comment=Camera dst-port=4311 in-interface=WAN1 protocol=tcp to-addresses=172.16.1.10 to-ports=4311
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN2" out-interface=WAN2
/ip firewall service-port
set sip disabled=yes

If so, your wording was misleading - you wrote that you “had to disable the ‘drop the rest’” rules, which implied that with those rules disabled, the sound is there. So do you indeed have bi-directional sound if the “drop the rest” rule in forward is disabled (which is a bad idea but that’s another thing)?

Sorry no, when I activate the rule the whole network is offline and I don’t know why. That had nothing to do with the phone. Sorry for the misunderstanding.

Now wait. “Whole network offline” as in “not accessible from the internet” or what? In any case, leaving the network with disabled “drop the rest” rules is a very bad idea - first you have to track down why you need to do this to “keep the network online”, and only then it makes sense to come back to the VoIP issues.

Yes, that’s what I meant before :)
That’s why I deactivated the rule for now. But do you see why that is?
There is no ping going out and no DNS query either.

Well, there is no rule in forward that would permit clients in LAN to initiate connections to the internet, but that could have been intentional so I did not care. Plus there seem to be multiple LAN subnets and only you know which of them should be allowed to talk to the internet directly and which not, so you have to bite your way through fixing that on your own.

I’m so confused by all the phone and firewall problems that I just can’t see it anymore. I’m online now. But unfortunately the telephony problem still exists.

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow Ping from local networks" protocol=icmp src-address-list=local
add action=accept chain=input comment="Allow DNS only from local networks" dst-port=53 protocol=udp src-address-list=local
add action=accept chain=input comment="Allow Wireguard" dst-port=43240,45003,55003 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow L2TP" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="Allow HTTPS_ROUTER_Intern" dst-port=1443 protocol=tcp src-address-list=local
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="SSH First attempt" connection-state=new dst-port=32321 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment="SSH Second attempt" connection-state=new dst-port=32321 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="SSH Third attempt" connection-state=new dst-port=32321 protocol=tcp
add action=accept chain=input comment="Allow SSH from non-blacklisted sources and only from local networks" dst-port=32321 protocol=tcp src-address-list=local
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m chain=input comment="Winbox First attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=15m chain=input comment="Winbox Second attempt" connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1h chain=input comment="Winbox Third attempt" connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow Winbox from non-blacklisted sources and only from local networks" dst-port=8291 protocol=tcp src-address-list=local
add action=log chain=forward connection-state=established,related log=yes log-prefix=VOIP out-interface=VLAN_100
add action=accept chain=forward comment="Allow established and related connections" connection-state=established,related
add action=accept chain=forward in-interface=VLAN_99 out-interface=WAN1
add action=accept chain=forward in-interface=VLAN_100 out-interface=WAN1
add action=accept chain=forward in-interface=VLAN_200 out-interface=WAN1
add action=accept chain=forward in-interface=VLAN_300 out-interface=WAN1
add action=accept chain=forward in-interface=VLAN_1000 out-interface=WAN1
add action=accept chain=forward comment="Allow RTP (VoIP) traffic" connection-nat-state=dstnat dst-address=192.168.155.5 dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment="Accept other dst-nat connections" connection-nat-state=dstnat
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid log=yes log-prefix=DROP_INPUT_INVALID
add action=drop chain=input comment="Drop all other input traffic" log=yes log-prefix=DROP_INPUT
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid log=yes log-prefix=DROP_FORWARD_INVALID
add action=drop chain=forward comment="Drop all other forward traffic" log=yes log-prefix=DROP_FORWARD
add action=log chain=output dst-port=5060-5061 log=yes log-prefix=VOIP protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat comment=Opensense dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.252.253 to-ports=443
add action=dst-nat chain=dstnat comment=Starface dst-port=5222 in-interface=WAN1 log=yes log-prefix=VOIP_NAT protocol=tcp to-addresses=192.168.155.5 to-ports=5222
add action=dst-nat chain=dstnat comment=Starface dst-port=5061 in-interface=WAN1 log=yes log-prefix=VOIP_NAT protocol=tcp to-addresses=192.168.155.5 to-ports=5061
add action=dst-nat chain=dstnat comment=Starface dst-port=5060 in-interface=WAN1 log=yes log-prefix=VOIP_NAT protocol=udp to-addresses=192.168.155.5 to-ports=5060
add action=dst-nat chain=dstnat comment=Starface dst-port=5060 in-interface=WAN1 log=yes log-prefix=VOIP_NAT protocol=tcp to-addresses=192.168.155.5 to-ports=5060
add action=dst-nat chain=dstnat comment="Starface RTP" dst-port=10000-20000 in-interface=WAN1 log=yes log-prefix=VOIP_NAT protocol=udp to-addresses=192.168.155.5
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade Outgoing Traffic on WAN2" out-interface=WAN2
/ip firewall service-port
set sip disabled=yes

Since the forward rule in filter that permits the dst-nated UDP packets towards ports 10000-20000 did count, I assume the issues are not related to firewall but to some other settings, possibly even on the PBX. So I would say start sniffing to a file, matching only on the public address from which the traffic from the phone in the internet arrives, make a call, stop the sniff, download the file and let Wireshark help you find out what is actually wrong.
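A concrete form of that sniffing procedure, added here as an example and not part of the thread: it first confirms the RTP rules still count during a call, then captures only the traffic to and from the remote phone's public address on WAN1 into a file for Wireshark. The address 203.0.113.10 is a placeholder for the public IP the external phone shows up with (take it from the VOIP_NAT log entries); the rule comments and the interface name WAN1 are the ones from the export above.

```routeros
# 1. Check that the dst-nat and forward rules for RTP are actually hit.
#    Run before and during a call; the packet/byte counters should rise.
/ip firewall nat print stats where comment="Starface RTP"
/ip firewall filter print stats where comment="Allow RTP (VoIP) traffic"

# 2. Capture only what the remote phone sends/receives on WAN1.
#    203.0.113.10/32 is a placeholder for the phone's public address.
#    No protocol filter, so both SIP signalling and RTP media end up in the file.
/tool sniffer set filter-interface=WAN1 filter-ip-address=203.0.113.10/32 \
    file-name=voip-call file-limit=20000KiB memory-limit=10000KiB

# 3. Start, place a call from the external app, talk for ~20 s, then stop.
/tool sniffer start
# ... make the test call now ...
/tool sniffer stop

# 4. Confirm the capture file exists, then download it (Files menu or FTP/SFTP).
/file print where name~"voip-call"

# 5. While the call is up, the UDP conntrack entries show whether RTP
#    is flowing in both directions (packets in both orig and reply columns).
/ip firewall connection print where dst-address~"192.168.155.5" protocol=udp
```

In Wireshark, Telephony > VoIP Calls lists the captured calls and shows whether RTP was seen in each direction; a call with signalling but media in only one direction narrows the fault to the address the PBX advertises in SDP rather than to the filter rules.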

When I’m on the same WiFi it works. This actually means that the telephone system basically just doesn’t go externally via the router.