Mikro + Asterix + One Way Audio

RouterOS Beginner Basics
1

Hi to every body! I need some help. If I call, they hear me, but I can’t hear they (One Way Audio)

First I Configure PPPoE, Then LAN Network (192.168.0.1/24), That Work Fine

/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=192.168.0.0
add address=222.222.222.218/30 comment=defconf interface=ether5 network=222.222.222.216

/ip route
add distance=1 dst-address=199.99.99.10 gateway=222.222.222.217 (199.99.99.10 is the ISP SIP)

/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=accept chain=forward comment=“ALLOW ASTERISK CONNECTIONS/REPLIES TO OUTSIDE (INTERNET)” protocol=udp src-address=192.168.0.100
add action=accept chain=forward comment=“ALLOW FORWARDED CONNECTIONS/REPLIES TO INSIDE (LAN)” dst-address=192.168.0.100 dst-port=5060,10000-20000 protocol=udp
add action=accept chain=forward connection-nat-state=dstnat in-interface=ether5
add action=accept chain=forward comment=SIP in-interface=ether5
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=“WAN SIP” ipsec-policy=out,none log=yes out-interface=ether5
add action=dst-nat chain=dstnat comment=“NAT SIP” in-interface=ether5 log=yes to-addresses=192.168.0.100

add action=dst-nat chain=dstnat in-interface=ether5 protocol=udp to-addresses=192.168.0.100
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether5 protocol=udp to-addresses=192.168.0.100 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether5 protocol=udp to-addresses=192.168.0.100 to-ports=5061
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=ether5 protocol=udp to-addresses=192.168.0.100 to-ports=10000-20000

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-direct-media=no
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

If I do a Ping to 199.99.99.10 it’s ok
1 199.99.99.10 56 62 3ms

2

Try with UDP starting at 7000 instead of 10000.

3

If I add this rule
add action=dst-nat chain=dstnat in-interface=ether5 protocol=udp to-addresses=192.168.0.100
Is the best way to cover all the ports?

4

In my experience, you don’t need to forward any port if you have a sip trunk in asterisk that is registered.

If your Nat settings are off in asterisk, then that is your real issue. An asterisk sip trace or a packet trace of the sip and rtp network traffic will help you identify what is being sent. Check the externip setting.

5

I try turn off nat on Mikrotik and then ask to asterisk support (they are another company out side of my hands) that register de sip trunk and work fine.
Thank for all !
I can’t understand why the ping from the asterisk pbx reach to the isp* , and the audio work only in one way. Is some bug of mikrotik nat?

*(this mean that the route are working fine my pbx know how to reach to the isp and the isp know where is my pbx)