How to prevent random SIP attacks on default port 5060

This is exactly what I’m using. Chain = srcnat and action is masquerade. Do I need to change anything here?

The expected out interface (one WAN) and the expected src private IP pool.

Sir, I really appreciate your valuable time. The scenario in my case is that I've lots of mobile app users on mobile data. So it's impossible for me to define/whitelist known IP addresses. Yes, I can whitelist the office IPs, but there's nothing I can do for mobile users. Also, my router thinks all incoming requests are coming from "10.10.10.1" (my gateway IP) instead of their actual IP. So I need to fix that first. Otherwise, fail2ban will not be able to differentiate the attacker's IP address.

I'm trying this right away.
Out interface = My ISP's PPPoE interface
Src = 10.10.10.0/24


Is that correct?

That should be OK. Give it a try.

Are the SIMs private or from your company?

Because the operators have a range of IPs for sure, just put the ASxxxx IP pools on a whitelist and you prevent at least 98% of “attacks”…

I got your point! I know SIP ALG should be disabled in this case. But the funny thing in my scenario is that when I disable SIP ALG, remote extensions lose their audio. When I turn on SIP ALG, everything starts working fine.
SO CURRENTLY I’VE SIP ALG TURNED ON!

Thank You so much!!! <3 Now it’s showing their untouched IP. Now my PBX firewall should work. I’ll let you know the results.

[2022-08-06 08:12:16] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:128@10.10.10.111>' failed for '180.149.231.4:58094' (callid: e5f4a810950434e4f7a) - Failed to authenticate
[2022-08-06 08:12:19] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:172@10.10.10.111>' failed for '185.152.64.171:62055' (callid: e5f4a75286924e4f7a) - Failed to authenticate
[2022-08-06 08:12:19] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:172@10.10.10.111>' failed for '185.152.64.171:62055' (callid: e5f4a75286924e4f7a) - Failed to authenticate
[2022-08-06 08:12:22] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:305@10.10.10.111>' failed for '185.242.6.54:59914' (callid: e5f4a586381369e4f7a) - Failed to authenticate
[2022-08-06 08:12:23] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:305@10.10.10.111>' failed for '185.242.6.54:59914' (callid: e5f4a586381369e4f7a) - Failed to authenticate
[2022-08-06 08:12:27] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:209@10.10.10.111>' failed for '195.158.249.37:52793' (callid: e5f4a74383589e4f7a) - Failed to authenticate

The operator's name is GrameenPhone. Their IP pool: https://ipinfo.io/AS24389
There are four mobile operators here. Also, whitelisting all mobile data IPs doesn't look safe to me at all!
Can I set up any filter on the Mikrotik firewall to restrict/limit requests per IP?
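As an added illustration (not code from the thread or from any of the tools mentioned) of what the fail2ban-style step does with the res_pjsip lines quoted above: parse the "Failed to authenticate" notices, count failures per source IP inside a sliding window, check whether the masquerade rule is still hiding real sources behind the gateway IP, and list which sources fall outside an operator allowlist. The sample log lines are the ones from the post; the allowlist prefix and the gateway address are constructed placeholders for the demo.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the res_pjsip "Failed to authenticate" NOTICE lines quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]: res_pjsip/pjsip_distributor\.c:\d+ "
    r"log_failed_request: Request '(?P<method>\w+)' from '(?P<aor>[^']*)' "
    r"failed for '(?P<ip>[\d.]+):\d+' \(callid: [^)]*\) - Failed to authenticate$"
)

# Sample input: the six lines posted in the thread, embedded verbatim.
SAMPLE_LOG = """\
[2022-08-06 08:12:16] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:128@10.10.10.111>' failed for '180.149.231.4:58094' (callid: e5f4a810950434e4f7a) - Failed to authenticate
[2022-08-06 08:12:19] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:172@10.10.10.111>' failed for '185.152.64.171:62055' (callid: e5f4a75286924e4f7a) - Failed to authenticate
[2022-08-06 08:12:19] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:172@10.10.10.111>' failed for '185.152.64.171:62055' (callid: e5f4a75286924e4f7a) - Failed to authenticate
[2022-08-06 08:12:22] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:305@10.10.10.111>' failed for '185.242.6.54:59914' (callid: e5f4a586381369e4f7a) - Failed to authenticate
[2022-08-06 08:12:23] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:305@10.10.10.111>' failed for '185.242.6.54:59914' (callid: e5f4a586381369e4f7a) - Failed to authenticate
[2022-08-06 08:12:27] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:209@10.10.10.111>' failed for '195.158.249.37:52793' (callid: e5f4a74383589e4f7a) - Failed to authenticate
"""

# Placeholder allowlist, constructed for the demo; replace with the prefixes the operator's AS actually announces.
DEMO_POOLS = ["185.242.6.0/24"]

def parse_failures(lines):
    """Return (timestamp, source_ip, method) for every failed-auth line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["method"]))
    return out

def offenders(events, max_fails=3, window=timedelta(minutes=10)):
    """IPs reaching max_fails failures inside any sliding window (what fail2ban would ban)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps that fell out of the window
                start += 1
            if end - start + 1 >= max_fails:
                banned.add(ip)
                break
    return banned

def masquerade_hides_sources(events, gateway_ip):
    """True when every failure appears to come from the router itself: the srcnat rule is
    rewriting inbound sources, so per-IP banning cannot work (the symptom in the thread)."""
    return bool(events) and all(ip == gateway_ip for _, ip, _ in events)

def outside_pools(ips, pools):
    """Source IPs that are not inside any allowed operator prefix."""
    nets = [ipaddress.ip_network(p) for p in pools]
    return {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}
```
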

Restricting it down to addresses of one operator will surely reduce the flow of fraudulent registration attempts as compared to keeping it open for the whole internet, and I don’t think the suggestion was to use such a restriction instead of fail2ban.

You can set up a rate-based restriction; look at dst-limit at https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter .

The whitelisting on Mikrotik would be only your "first layer" of defence. You still have the SIP authentication!
That ASN 24389 "only" has 20K IPs, so you can probably already get some benefit from whitelisting these blocks at Mikrotik level. Your 15 employees with their mobile phones should all be coming from within these ranges, I guess.
You can then observe how much is "caught" and decide if you want to keep it.

Exactly, block everything except the mobile operator pools,
and after that, use fail2ban.

The ban can’t be permanent, because one banned IP can be assigned later to one wanted phone.


But I would rather consider setting up a VPN, and then using VoIP over it.

Hi Rextended,
Do you mean the user VPNs into the home/office router and then accesses the VoIP, and if so, how is this done?

Are you really asking me??? :open_mouth: :open_mouth: :open_mouth:


“Just” make a VPN between the mobile phone and the router and then launch the SIP / VoIP program to connect to the internal server.

Or did I miss something that I have not considered ??? :confused: :confused: :confused:

Well, I have limited experience.
For example, I have a VoIP modem which I connect via the internet, and then a cord to the patch panel.
All the wired phones (landline) that have a connection on the patch panel to the phone block get a live phone.
I don't have any SIP phones…

So tell me, how do I VPN into the router and then use my VoIP connection???
Which phone allows me to VPN to the router and place a call???

At the office I have a Yeastar device, and I use the Linkus app/service, which uses an intermediate server from Yeastar,

but at home I do not have any; the mobile phone is already too much :wink: :laughing:

@tahmidul
I provide a VoIP Blacklist service that has successfully prevented SIP Attacks in 99% of cases … there is a 10 day free trial period available … see my sig.

My current voipTIK blacklist list contains 39K+ IP addresses …

In your case you will need to whitelist all your core servers for all ports, and hosted PBX and interconnection partners for the specific required ports, before implementing the drop rule for the voipTIK blacklist.