Hello

I have my freepbx device configured on LAN with 192.168.88.100 address.
Now in order for it to work with external devices some forwarding needs to be put in place.
Ports 5060 and 10000-20000 udp need to be forwarded to freepbx.

I have found some articles which I followed but it doesn’t seem to work.

SIP clients from the outside/Internet are not able to log on and register with pbx.

Here is my firewall export, if someone could tell me what I am doing wrong I would really appreciate it.

[dawid@Dave_MikroTik] > ip firewall export

sep/11/2015 13:58:33 by RouterOS 6.31

software id = BZDL-2H4H

/ip firewall filter
add chain=input src-address=77.108.128.0/24
add chain=input connection-state=related
add chain=input in-interface=ether1-gateway
add chain=input dst-port=5060 log=yes protocol=udp
add chain=input dst-port=10000-20000 log=yes protocol=udp
add chain=input connection-state=established
add chain=input protocol=icmp
add chain=input src-address=77.108.150.226
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add action=drop chain=input in-interface=ether1-gateway
add action=drop chain=input in-interface=pppoe-out1
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1-gateway
protocol=udp to-addresses=192.168.88.100 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=
ether1-gateway protocol=udp to-addresses=192.168.88.100 to-ports=
10000-20000
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip firewall service-port
set sip disabled=yes



Thank you inadvance
Dave

it doesn’t seem to work

This is incredibly vague, we need more info.

marrold

I have updated origial post, what other information would you need to help me resolve this?

voip + nat = problem

Complete bullshit. It can be a problem, but 9 out of 10 times it can be made to work.

Especially with a Mikrotik

personally i prefer avoiding nat on voip implementations using vpns or tunnels

It does work for in another location also behind firewall (Sonicwall) without any problems.
I am sure this can be done with Mikrotik but I ma total newbie when it comes to these devices.

Do you guys need any extra information?

NAT + Asterisk = complete success IF you have patience and know how to set up both. I do it all the time.

The biggest trick is to turn olf any specific SIP helpers in the firewall.

Could someone actually tell me what is wrong with my configuration?

add chain=input dst-port=5060 log=yes protocol=udp
add chain=input dst-port=10000-20000 log=yes protocol=udp

These rules should be in the forward chain.

marrold

Changed to forward and disabled SIP helper and all works now.

Thank you very much
dawidku

I’m glad that’s worked. However if you leave your PBX open to the world, you’re likely to get hacked.

marrold

I only have these 2 rules in place for outside access + I have Faill2Ban configured on freepbx to protect against
authentication attacks.

Fail2Ban won’t catch everything. Be careful

marrold

I had it like that for over 2 years without issue but you right one can’t be too careful.
Is there anything else on a MikroTik you would recommend to make this more secure?

Thank you
dawidku

personally i only allow external access to voip server using vpns to lower the risk

I learned that lesson the hard way. My pbx got abused and I got a huge bill. VPN is the only way to go.

Sent from my Nexus 4 using Tapatalk

Use ACLs to restrict SIP access to only the IP addresses that need access. Use VPN for anything that doesn’t have a static IP address [Snom handsets - for example - support OpenVPN, although I suppose you don’t really want to run voice over TCP - forward the OpenVPN port to the Asterisk server and terminate it there :-p].

If you can’t do the above, then some sort of proper authentication [eg certificates] should be used.