How to setup WiFi calling (aka VoWIFI) on mikrotik

DeIM · June 8, 2020, 4:31pm

I’d like to make wifi calling working but everything I tried seem doesn’t work.
Please could someone share his/her settings for that?

Operator states:
Minimal parameters: to successful call must used Wi-Fi router support transfer of internet security IP Sec and have this parameters: IP Protocol Type ESP 50 and/or IP Protocol Type UDP (Port 500), IP Protocol Type UDP (Port 4500), NAT translation time out under 2 minutes. Upload min. 100 kb/s for voice call and 1 Mb/s for video call.

I have hAP ac with RouterOS 6.47 (stable)
Service is enabled on provider. Settings are enabled in settings of my mobile - latest Android 10.
I don’t see any possible transmission regard VoWIFI in Torch

It seems I miss something basic.

mkx · June 8, 2020, 5:50pm

My experience is that home gateway (e.g. Mikrotik) has to be transparent enough for outgoing connections and that’s about it. It’s phone which establishes IPsec tunnel to MNO’s core network and it does that immediately after registering to WiFi-enabled network.
Default ROS setup should be fine.

Ah, yes, also ISP has to allow IPsec (originating from customers), I can imagine some ISPs might block it for some reason.

rasimoes · June 8, 2020, 8:12pm

Hello,

I’ve got a similar problem…look: http://forum.mikrotik.com/t/ipsec-passthrough-issue-wifi-calling/140277/1

Apparently it’s some kind of IPsec passthrough issue on Mikrotik…unfortunately I’ve haven’t found a way to solve this yet. May be the Mikrotik team can help us on that issue…

Regards,
Rodrigo

martinclaro · June 9, 2020, 2:34am

Make sure you are not blocking IPSec traffic (protocols or ports) in the forward table coming from your LAN side.

Also, check your DNS cache to see if the devices are resolving 3gpp FQDN pointing to the telco core network for VoWiFi (you can also setup QoS for that traffic):

 /ip dns cache print where name~"3gpp"
Flags: S - static 
 #   NAME                                            ADDRESS                                                                           TTL         
 0   epdg.epc.mnc341.mcc722.pub.3gppnetwork.org      181.10.205.24                                                                     8h13m6s     
 1   epdg.epc.mnc341.mcc722.pub.3gppnetwork.org      181.10.205.25                                                                     8h13m6s     
 2   h-slp.mnc007.mcc722.pub.3gppnetwork.org         200.81.36.113                                                                     4h36m44s    
 3   epdg.epc.mnc034.mcc722.pub.3gppnetwork.org      181.10.205.25                                                                     14h23m45s   
 4   epdg.epc.mnc034.mcc722.pub.3gppnetwork.org      181.10.205.24                                                                     14h23m45s   
 5   epdg.epc.mnc007.mcc722.pub.3gppnetwork.org      186.143.132.10                                                                    1h22m14s    
 6   epdg.epc.mnc007.mcc722.pub.3gppnetwork.org      186.141.132.10                                                                    1h22m14s    
 7   epdg.epc.mnc310.mcc722.pub.3gppnetwork.org      131.100.108.121                                                                   15m20s      
 8   epdg.epc.mnc310.mcc722.pub.3gppnetwork.org      131.100.108.120                                                                   15m20s

rasimoes · June 9, 2020, 3:00am

Hello Martin,

In my case, the iPhone still connect to IMS core and I can even make and receive calls…but it looses the registry regularly and fallbacks to the cellular network.

I’ve tested on a simple TP-Link mesh router, and this symptom doesn’t occurs.

Very odd… :-/

sindy · June 9, 2020, 10:43pm

I’m afraid only sniffing the traffic on the Tik may give a clue here. The only things to come to my mind are that the iPhone would not send keepalives frequently enough and the Mikrotik firewall would close the UDP pinhole (the default lifetime of a UDP pinhole is 3 minutes), or that the iPhone’s LAN IP would change and so the pinhole would become obsolete. Both seem quite unlikely to me, though. So sniff to file and see what happens before the registration is lost.

martinclaro · June 10, 2020, 1:43am

I agree with @sindy. Many other factors could contribute to the observed issue.

Please tell us more about your deployment (WiFi AP or other details). And don’t forget:

 /export hide-sensitive

DeIM · June 13, 2020, 11:48am

I think in my case it’s the mobile (Xiaomi A2) issue - I don’t see any related traffic in Torch (nor packet sniffer in android). Weird - the VoWiFi is enabled.
I should see some related traffic in torch, right?

mkx · June 13, 2020, 1:50pm

As I wrote: when mobile connects to WLAN, it tries to establish IPsec tunnel to MNOs core network. So torch should show some related activity at that time. If mobile can’t establish the tunnel, I don’t think it retries as long as it’s registered to same LAN. And int that case torch won’t show anything further.
If, OTOH, IPsec tunnel is established, there will be activity (voice calls, text messages, other mobile signalling), but torch will only see encrypted traffic.

Just to be sure: SIM card subscription includes VoWiFi service? It’s not automatic/mandatory service for LTE subscribers …

DeIM · June 13, 2020, 5:14pm

Yes, VoWiFi service is active and verified by provider (I asked their support).
What is enough to tell phone to try initiate VoWiFi connection again? Toggle Flight mode, WiFi or reboot?

mkx · June 13, 2020, 8:16pm

Toggle WiFi (keep WiFi disabled few tens of seconds to allow phone properly resume operations natively using mobile network before changing to WiFi again). Toggling flight mode would probably do it as well.

volkirik · August 15, 2021, 1:37pm

/ip firewall service-port
set h323 ports=1720
set sip ports=5060,5061,500,4500,5222,3478,80,443 sip-direct-media=yes sip-timeout=3m

pe1chl · August 15, 2021, 7:59pm

This is nonsense! VoWIFI is not a SIP service. It uses IPsec.
Phones will make outgoing traffic to UDP port 500 of their service provider, then to UDP port 4500.
They will exchange regular packets to keep the connection alive.

No special configuration is required for this under normal circumstances, unless you have firewalled everything shut.

volkirik · May 9, 2023, 7:10am

set sip-timeout to 3 minutes (default) and exclude service-ports from fasttrack (action=accept before fasttrack rule) so ALGs could do their work..

it works for me..

pe1chl · May 9, 2023, 8:22am

You are probably talking about installation of a SIP app and configuring that to make calls via some SIP server.
That is not what is commonly known as VoWIFI. VoWIFI is a service provided by telecom companies in addition to their VoLTE service (voice over 4G/5G), that does not use SIP directly on the network, but rather sets up an IPsec tunnel over UDP port 500/4500 and does not require an ALG on the local router.

volkirik · October 6, 2023, 3:58pm

okay, thanks for your response..

then here is a feature request

allow to set special connection timeout for VOWIFI ports (UDP/500 and UDP/4500).. instead of generic UDP timeout..

many people cant increase UDP timeout because it is used for Denial of Service attacks..

sindy · October 6, 2023, 4:10pm

On this forum, feature requests can be only raised within a specific topic dedicated to them. You can also issue a support ticket. The official way to open feature requests is via your distributor.

I have a rough idea of an ugly workaround which involves a hairpin tunnel and spoofing of UDP packets that would update the pinhole created for the VoWiFi connection. But your mobile operator must be really specific if their VoWiFi gateway doesn’t send the IPsec keepalives on its own.

volkirik · October 6, 2023, 4:28pm

Unfortunately UGLY mobile operators go UGLY about IPsec keepalives, too.

sindy · October 6, 2023, 4:31pm

OK, are you interested in the UGLY workaround then?

volkirik · October 6, 2023, 4:42pm

sure why not