ISP Blocking PPTP, L2TP, IPSEC and SSL to block VOIP

Dear all,

I’m currently working on a project in a certain country in Central America which has a telecom monopoly, and that monopoly has banned the use of VoIP services to bypass its super expensive PSTN international toll rates to the US.

How can I set up a VPN connection using a Mikrotik server and client to get around this issue?

I don’t want to use OVPN because it’s TCP based; I’d prefer a UDP based tunnel between client and server.

Are they blocking all encrypted traffic?

I.e. can you simply encrypt the traffic without an L2TP tunnel?

I have an idea…

Well, the way they are doing it is a bit sneaky. It appears that they go in and sporadically enable and disable access-lists that drop well known tunneling protocols, thus causing customers to get frustrated with the VoIP connection via the tunnel.

What’s your idea?

It would be nice if L2TP could run on alternate ports other than 1701. I have a few places where I have multiple tunnels behind a border router, and since the source and destination ports are both 1701 it gets confused.

That’s exactly what I was hoping for, that I could run L2TP on an alternate port, but I don’t believe this can be done with Mikrotik ROS.

Does anyone have any other ideas? I’m at a loss :open_mouth: Any recommendations would be great.

I guess I might just have to install OpenVPN on my two Asterisk servers and run my VPN connection that way… What do you guys think?

Is that the only option I’ve got?

Hello risipetillo,

Give an EoIP tunnel a go. It will always redirect traffic to your network before it escapes to the outside world.

Sotiris

Ah, by the way, you will need to modify the routing so that all the traffic gets redirected to your network.

How do you know what they do? You have not looked at their machines, have you? What kind of coward dumb ass would drop protocols from time to time and not always?

I know some ISPs manage their QoS in a way that makes tunnels low priority, therefore packets of those will get dropped in rush hour traffic.

So what are the results late at night and early morning?

What connection do you use where you think this is happening? Maybe you are overloading it with traffic, not being able to prioritize tunnels yourself?

Hey, what about NAT? It’s in prerouting and in postrouting, so you can masquerade ports etc. It should work. Only you need to do that on both sides, for example both sides port 53, or port 80, 443, or other well known prioritized ports. Client side redirects the real port to the prioritized port, server side redirects the prioritized port to the real port.

Excuse me, what the fuck are you saying, this is not making any sense at all. It will always what? No!

Dear risipetillo, please try all possible tunnel technologies you can think of, or you can afford, etc., even Hamachi (but you will need XP boxes on both sides), but after you have tried NAT.

By the way, have you tried to run VoIP connections without a tunnel? Much less overhead :wink: And it probably is prioritized :wink:

Another idea: Capture some traffic coming in from the ISP and send it to me at givememorebandwidth AT gmail DOT com I need to check a few bits in the packets for this.

Hahaha.

VoIP is not allowed and is blocked by the ISP, so using straight SIP, IAX2, Skype, etc. is explicitly blocked. They actually have a VoIP blocking firewall which they use to obfuscate the protocols, so I’ve heard. They don’t exactly advertise what they are using, unfortunately :slight_smile:

NAT in pre-routing and post-routing seems feasible; my only concern there is that the packets will probably take a hit of a couple of milliseconds going through this translation.

What do you think?

I guess if I use a faster box like the RB450G to speed up the translation process, I should be good (680MHz processor, 1 gig interface on the server, etc.)

“How do you know what they do? You have not looked at their machines, have you? What kind of coward dumb ass would drop protocols from time to time and not always?”

  • Unfortunately we don’t all live in truly democratic countries where big businesses / personalities aren’t above the law. In some places in the world money talks, and bullsh_t walks.

Use the RB450G, yes, if you are that concerned with 1-2ms.

What’s this country with only one ISP?

They are asking for security offensive activities on their networks, maybe start contacting some creative and capable people for a scan etc, to see what the filtering appliance is, so we know how to get around that piece of shi[

I’ve googled a bit, have you tried anything like this:

http://www.speed-voip.com/voiceguard.html ? See - they are disguising it as DNS and TFTP - those are UDP - the clever bastards :slight_smile: I hope it works.

An ISP that is blocking and degrading anything is asking for a lawsuit at least.

Here’s a proposal that I can make: get together with a few other telecom buddies and invest together in alternative data links, for example Mikrotik wireless Nstreme links over the border to an ISP that is not blocking VoIP.

Look at this as well:
http://skypejournal.com/2008/08/voip-blocking-explained.html

and maybe this: http://www.cybertelecom.org/voip/blocking.htm

I think the above is the best way to go about this; that way if they block one port, I change the ports and commence communications until they catch me again. Also I plan on using a DSL connection in the States which has a dynamic IP, so should they block the IP and port, I’ll just reboot my DSL box, which should force it to get another IP.

I’m afraid to say so, since they might have agents reading these forums as well, who could tip off their admins as to my plans and put evasive plans in place to track and block whatever method I plan to use.

I have a couple of people in the country I could contact to commence some more in-depth traffic analysis.

Unfortunately, we’d have to conclusively prove that they are doing this with hard scientific evidence, and then translate this information for the legal folks in the country, most of whom don’t have a clue about the fundamentals of IP / network communication. It would be expensive also; believe me, others have tried, and they have dragged it through the courts for years…

I have a buddy who has gone down this path, but it’s a bit expensive; he had to procure towers, power, etc. It’s also illegal, and wouldn’t stand a chance in court should I be caught doing it.

How would this NAT rule actually look, since I would be NATing (L2TP) connections on the same box?

Has anyone done this?