Is this the way to block unwanted SIP traffic?

RouterOS General
1

Hi everybody

Situation:
I have had a few attacks lately in respect to my Voip/Sip ..originating from Libanon..
They have been dialing in directly to my Sip server/Asterix unit ..surcomventing my Voip provider. No harm done but it is quite anoying when the phone starts ringing in the middle of the night

Basic setup of network:

Network type C:192.168.2.1-192.168.2.254

Mikrotik Router:192.168.2.254
Sip/Asterix unit:192.168.2.159

Voip/Sip Service provider:xxx.xxx.xxx.xxx

Goal:
I would like only to allow sip traffic that comes from my “Voip/Sip Service provider IP: xxx.xxx.xxx.xxx” to get trough the firewall. All other sip trafic should be dropped/blocked ( at least on the standard used ports 5060 etc…)

In short: Any other IP than attemps SIP should be dropped

My proposal:
/ip firewall filter
add chain=forward dst-address=192.168.2.159 action=jump jump-target=SIP Voip Interface comment=“All Sip/Voip traffic is checked”
add chain=SIP-server src-address=Voip/Sip Service provider IP:xxx.xxx.xxx.xxx protocol=udp dst-port=5060 action=“Allow traffic from Voip Provider”
add chain=SIP-server src-address=Voip/Sip Service provider IP:xxx.xxx.xxx.xxx action=drop comment=“Drop ilegal Sip Traffic”

Question:
1.Is this correct?
2.Is there another way?

BR
Jesper

2

Do you have an existing DST NAT rule for port 5060? If you do you can simply limit its operation to a given SRC. Address or use a Src Address List for multiple addresses.

3

Thanks for the reply

Yes i do have a dstnat for the Sip fuction. One for port 5060-5080 and 16382-16482 (Both udp). I opted not to use the predefined function in service ports. I have to admit that it’s a nice simple solution you proposed and i have to admit i did not think of it. Instead i opted for the firewall.

I will try it out:-)

I checked my connections and it seems the Ip’s that were creating the problem are no longer there. The counter for droped trafic for Sip did show some bytes /packets.. so it should work. I reset all the counters so i will have a clear indication.

BR
Jesper